< draft-yusef-oauth-nested-jwt-00.txt   draft-yusef-oauth-nested-jwt-01.txt >
ACME Working Group R. Shekh-Yusef OAuth Working Group R. Shekh-Yusef
Internet-Draft Avaya Internet-Draft Avaya
Intended status: Standards Track March 11, 2019 Intended status: Standards Track July 8, 2019
Expires: September 12, 2019 Expires: January 9, 2020
Nested JSON Web Token (JWT) Nested JSON Web Token (JWT)
draft-yusef-oauth-nested-jwt-00 draft-yusef-oauth-nested-jwt-01
Abstract Abstract
This specification extends the scope of the Nested JSON Web Token This specification extends the scope of the Nested JSON Web Token
(JWT) to allow the enclosing JWT to contain its own Claims Set in (JWT) to allow the enclosing JWT to contain its own Claims Set in
addition to the enclosed JWT. addition to the enclosed JWT.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 12, 2019. This Internet-Draft will expire on January 9, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 22 skipping to change at page 2, line 22
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. JWT Content Type Header Parameter . . . . . . . . . . . . . . 3 3. Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. JWT Content . . . . . . . . . . . . . . . . . . . . . . . . . 3 4. JWT Content Type Header Parameter . . . . . . . . . . . . . . 3
5. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 5. JWT Content . . . . . . . . . . . . . . . . . . . . . . . . . 4
6. Security Considerations . . . . . . . . . . . . . . . . . . . 4 6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 7. Security Considerations . . . . . . . . . . . . . . . . . . . 4
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 4 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
9. Normative References . . . . . . . . . . . . . . . . . . . . 4 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 4
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 4 10. Normative References . . . . . . . . . . . . . . . . . . . . 5
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction 1. Introduction
JSON Web Token (JWT) is a mechanism that is used to transfer claims JSON Web Token (JWT) is a mechanism that is used to transfer claims
between two parties across security domains. Nested JWT is a JWT in between two parties across security domains. Nested JWT is a JWT in
which the payload is another JWT. The current specification does not which the payload is another JWT. The current specification does not
define a means by which the enclosing JWT could have its own Claims define a means by which the enclosing JWT could have its own Claims
Set, only the enclosed JWT would have claims. Set, only the enclosed JWT would have claims.
This specification extends the scope of the Nested JWT to allow the This specification extends the scope of the Nested JWT to allow the
skipping to change at page 3, line 22 skipping to change at page 3, line 22
To indicate that the payload of an enclosing JWT is yet another JWT, To indicate that the payload of an enclosing JWT is yet another JWT,
the value of the Content Type Parameter of the JOSE header, i.e. the value of the Content Type Parameter of the JOSE header, i.e.
"cty", must be set to "JWT", which means that the enclosing JWT "cty", must be set to "JWT", which means that the enclosing JWT
cannot have its own claims. cannot have its own claims.
This document updates the enclosing JWT content to allow it to This document updates the enclosing JWT content to allow it to
represent a Claims Set and an enclosed JWT, using JSON data represent a Claims Set and an enclosed JWT, using JSON data
structures, and updates the Content Type to indicate this new nested structures, and updates the Content Type to indicate this new nested
content. content.
3. JWT Content Type Header Parameter 3. Use Case
The use case is for a telephony application that is based on the
"Native Apps Using the Browser" flow defined in RFC8252. The Native
App needs access to a telephony and non-telephony services that are
controlled by different authorization servers, where the Native App
can validate tokens issued by only one of these authorization
servers.
The Native App starts the process by interacting with a Client that
requires the user to authenticate itself using a Browser. The
Browser starts by contacting an AS, which redirects it to an OP. The
user authenticates to the OP and obtains a Code, and then gets
redirected back to AS. The Native App gets access to the Code, then
sends the Code to the AS, which then interacts with the OP to
exchange the Code for an ID Token and OP Access Token. Since the
Native App has no way of validating the OP Access Token, when the AS
creates an AS Access Token, it embeds the OP Access Token inside the
AS Access Token, and returns it back to the Native App. The Native
App gets the AS Access Token and is able to validate it and extract
the OP Access Token, and access the different services protected with
these tokens.
4. JWT Content Type Header Parameter
The JOSE Header contains an optional parameter that could be used to The JOSE Header contains an optional parameter that could be used to
indicate the type of the payload of a JWT. With a typical Nested indicate the type of the payload of a JWT. With a typical Nested
JWT, the value of the "cty" header must be "JWT". To indicate that JWT, the value of the "cty" header must be "JWT". To indicate that
the payload contains a Claims Set in addition to the JWT, the value the payload contains a Claims Set in addition to the JWT, the value
of the "cty" header must be "NJWT". of the "cty" header must be "NJWT".
4. JWT Content 5. JWT Content
The payload of the enclosing JWT is JSON object that contains the The payload of the enclosing JWT is JSON object that contains the
Claims Set, and one new claim that is used to hold the enclosed JWT. Claims Set, and one new claim that is used to hold the enclosed JWT.
This document defines a new claim, "njwt", that is used to contain This document defines a new claim, "njwt", that is used to contain
the enclosed JWT. the enclosed JWT.
5. Example 6. Example
{ {
"alg": "HS256", "alg": "HS256",
"typ": "JWT", "typ": "JWT",
"cty": "NJWT" "cty": "NJWT"
} }
{ {
"sub": "1234567890", "sub": "1234567890",
"name": "John Doe", "name": "John Doe",
"iat": 1516239022, "iat": 1516239022,
"njwt": "<njwt>" "njwt": "<njwt>"
} }
6. Security Considerations 7. Security Considerations
TODO TODO
7. IANA Considerations 8. IANA Considerations
TODO TODO
8. Acknowledgments 9. Acknowledgments
TODO TODO
9. Normative References 10. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
Author's Address Author's Address
Rifaat Shekh-Yusef Rifaat Shekh-Yusef
Avaya Avaya
250 Sidney Street 425 Legget Drive
Belleville, Ontario Ottawa, Ontario
Canada Canada
Phone: +1-613-967-5176 Phone: +1-613-595-9106
EMail: rifaat.ietf@gmail.com EMail: rifaat.ietf@gmail.com
 End of changes. 14 change blocks. 
23 lines changed or deleted 47 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/