rfcdiff: draft-ietf-oauth-json-web-token-04.txt vs. draft-ietf-oauth-json-web-token-05.txt
(where the two versions differ, both readings are given, marked -04 and -05)

OAuth Working Group                                             M. Jones
Internet-Draft                                                 Microsoft
Intended status: Standards Track                              J. Bradley
Expires: April 18, 2013 (-04) / May 10, 2013 (-05)         Ping Identity
                                                             N. Sakimura
                                                                     NRI
                              October 15, 2012 (-04) / November 6, 2012 (-05)

                          JSON Web Token (JWT)
     draft-ietf-oauth-json-web-token-04 (-04) / draft-ietf-oauth-json-web-token-05 (-05)
Abstract

   JSON Web Token (JWT) is a means of representing claims to be
   transferred between two parties.  The claims in a JWT are encoded as
   a JavaScript Object Notation (JSON) object that is digitally signed
   or MACed using JSON Web Signature (JWS) and/or encrypted using JSON
   Web Encryption (JWE).

   The suggested pronunciation of JWT is the same as the English word

   [skipping to change at page 1, line 40]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 18, 2013 (-04) / May 10,
   2013 (-05).

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [skipping to change at page 18, line 40]
   All the security considerations in the JWS specification also apply
   to JWT, as do the JWE security considerations when encryption is
   employed.  In particular, the JWS JSON Security Considerations and
   Unicode Comparison Security Considerations apply equally to the JWT
   Claims Set in the same manner that they do to the JWS Header.
11.  References

11.1.  Normative References

   [JWA]      Jones, M., "JSON Web Algorithms (JWA)", October 2012 (-04)
              / November 2012 (-05).

   [JWE]      Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
              Encryption (JWE)", October 2012 (-04) / November 2012
              (-05).

   [JWS]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", October 2012 (-04) / November 2012
              (-05).

   [RFC2046]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part Two: Media Types", RFC 2046,
              November 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3339]  Klyne, G., Ed. and C. Newman, "Date and Time on the
              Internet: Timestamps", RFC 3339, July 2002.

   [skipping to change at page 21, line 6]
   Other than using the bytes of the UTF-8 representation of the JSON
   Claims Set from Section 3.1 as the plaintext value, the computation
   of this JWT is identical to the computation of the JWE in Appendix
   A.2 of [JWE], including the keys used.

   The final result in this example (with line breaks for display
   purposes only) is:
   -04:

   eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0.
   W_LXELSzOoofu8FGRt4WwXiTGfvC50hiiSV4DcgkUIY1nOnkJ4tHW4LiioZFvvLD
   ohAnuHs1K_29TMx8VQl8kLCxFgn6xxg5q5-UZzbcASgJIAupo7r5mzENbIrjK3bx
   H8aXSKJQ0icN-sEC54M8rKz2VYdPjZTpGcTHCI2suobyhA0Jwr3OJ7JBZiDJ1GSN
   O310isBrQcZQXKsMC9ne8P5jJEZSD3IHcTag502P0Rp8BxFV0Ld5OdfU_NmS69RD
   DxCZC6nV8Zz_n97nLE9vFrSOjXMyJoyqeORdvWGsiXPmD7fkE8a6BOw3-efYqeCj
   5elo-kKrNcirBHxH96u-sw.
   AxY8DCtDaGlsbGljb3RoZQ.
   Wcyp1X4AaobxcNcVOqmLftbfg-t6yIy6yvxi0dNoWLroCbgUowHs8WeLWNj_ktrT
   lL3xL_cz3a2-DioHF5deqNmvyByjVR7Xc4QXBYcn0nE.
   tEkhyWYGI_VHL1WoDO23nPRC8w3LG53KaCm5HmavnA0

   -05:

   eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0.
   pwaFh7yJPivLjjPkzC-GeAyHuy7AinGcS51AZ7TXnwkC80Ow1aW47kcT_UV54ubo
   nONbeArwOVuR7shveXnwPmucwrk_3OCcHrCbE1HR-Jfme2mF_WR3zUMcwqmU0RlH
   kwx9txo_sKRasjlXc8RYP-evLCmT1XRXKjtY5l44Gnh0A84hGvVfMxMfCWXh38hi
   2h8JMjQHGQ3mivVui5lbf-zzb3qXXxNO1ZYoWgs5tP1-T54QYc9Bi9wodFPWNPKB
   kY-BgewG-Vmc59JqFeprk1O08qhKQeOGCWc0WPC_n_LIpGWH6spRm7KGuYdgDMkQ
   bd4uuB0uPPLx_euVCdrVrA.
   AxY8DCtDaGlsbGljb3RoZQ.
   7MI2lRCaoyYx1HclVXkr8DhmDoikTmOp3IdEmm4qgBThFkqFqOs3ivXLJTku4M0f
   laMAbGG_X6K8_B-0E-7ak-Olm_-_V03oBUUGTAc-F0A.
   OwWNxnC-BMEie-GkFHzVWiNiaV3zUHf6fCOGTwbRckU
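   The compact serialization shown above has five dot-separated parts
   (header, encrypted key, Initialization Vector, ciphertext,
   authentication tag), the IV being a top-level element rather than a
   header parameter since -04.  The Python below is an added example,
   not code from the draft or from the JOSE working group: it splits
   the -04 and -05 example tokens into those parts, decodes the header,
   checks that the sizes of the parts agree with "RSA1_5" and
   "A128CBC+HS256" before any key material is used, and reports which
   parts changed between the two versions.  It assumes the RSA key of
   Appendix A.2 of [JWE] is 2048 bits (which matches the 256-byte
   encrypted key that decodes from both tokens); the ENC_PARAMS and
   ALG_KEY_BYTES tables and all function names are this example's own.

```python
"""Structural checks on a JWE Compact Serialization (added example).

Not code from the draft.  Splits header.encrypted_key.iv.ciphertext.tag,
decodes each part and checks the part sizes against the algorithms the
header names, before any key is used.
"""
import base64
import json

# The -04 and -05 example tokens from Appendix A (line breaks removed).
JWT_04 = (
    "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0."
    "W_LXELSzOoofu8FGRt4WwXiTGfvC50hiiSV4DcgkUIY1nOnkJ4tHW4LiioZFvvLD"
    "ohAnuHs1K_29TMx8VQl8kLCxFgn6xxg5q5-UZzbcASgJIAupo7r5mzENbIrjK3bx"
    "H8aXSKJQ0icN-sEC54M8rKz2VYdPjZTpGcTHCI2suobyhA0Jwr3OJ7JBZiDJ1GSN"
    "O310isBrQcZQXKsMC9ne8P5jJEZSD3IHcTag502P0Rp8BxFV0Ld5OdfU_NmS69RD"
    "DxCZC6nV8Zz_n97nLE9vFrSOjXMyJoyqeORdvWGsiXPmD7fkE8a6BOw3-efYqeCj"
    "5elo-kKrNcirBHxH96u-sw."
    "AxY8DCtDaGlsbGljb3RoZQ."
    "Wcyp1X4AaobxcNcVOqmLftbfg-t6yIy6yvxi0dNoWLroCbgUowHs8WeLWNj_ktrT"
    "lL3xL_cz3a2-DioHF5deqNmvyByjVR7Xc4QXBYcn0nE."
    "tEkhyWYGI_VHL1WoDO23nPRC8w3LG53KaCm5HmavnA0"
)
JWT_05 = (
    "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDK0hTMjU2In0."
    "pwaFh7yJPivLjjPkzC-GeAyHuy7AinGcS51AZ7TXnwkC80Ow1aW47kcT_UV54ubo"
    "nONbeArwOVuR7shveXnwPmucwrk_3OCcHrCbE1HR-Jfme2mF_WR3zUMcwqmU0RlH"
    "kwx9txo_sKRasjlXc8RYP-evLCmT1XRXKjtY5l44Gnh0A84hGvVfMxMfCWXh38hi"
    "2h8JMjQHGQ3mivVui5lbf-zzb3qXXxNO1ZYoWgs5tP1-T54QYc9Bi9wodFPWNPKB"
    "kY-BgewG-Vmc59JqFeprk1O08qhKQeOGCWc0WPC_n_LIpGWH6spRm7KGuYdgDMkQ"
    "bd4uuB0uPPLx_euVCdrVrA."
    "AxY8DCtDaGlsbGljb3RoZQ."
    "7MI2lRCaoyYx1HclVXkr8DhmDoikTmOp3IdEmm4qgBThFkqFqOs3ivXLJTku4M0f"
    "laMAbGG_X6K8_B-0E-7ak-Olm_-_V03oBUUGTAc-F0A."
    "OwWNxnC-BMEie-GkFHzVWiNiaV3zUHf6fCOGTwbRckU"
)

# Size expectations per "enc" (this example's own table): A128CBC+HS256
# uses a 16-byte AES-CBC IV, block-aligned padded ciphertext and a
# 32-byte HMAC-SHA-256 tag.
ENC_PARAMS = {"A128CBC+HS256": {"iv": 16, "tag": 32, "block": 16}}
# Assumption: the RSA1_5 key is 2048 bits, so the encrypted CEK is 256 bytes.
ALG_KEY_BYTES = {"RSA1_5": 256}

PART_NAMES = ("header", "encrypted_key", "iv", "ciphertext", "tag")


def b64url_decode(s: str) -> bytes:
    """base64url without padding, as JOSE requires; reject other alphabets."""
    if any(c in s for c in "+/="):
        raise ValueError("not an unpadded base64url string")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_jwe_compact(token: str) -> dict:
    """Split into exactly five parts and decode each one."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 dot-separated parts, got {len(parts)}")
    jwe = dict(zip(PART_NAMES, (b64url_decode(p) for p in parts)))
    jwe["header"] = json.loads(jwe["header"].decode("utf-8"))
    return jwe


def check_structure(jwe: dict) -> list:
    """Return the list of size mismatches; an empty list means consistent."""
    hdr, problems = jwe["header"], []
    enc = ENC_PARAMS.get(hdr.get("enc"))
    if enc is None:
        return [f"unsupported or missing enc: {hdr.get('enc')!r}"]
    want_key = ALG_KEY_BYTES.get(hdr.get("alg"))
    if want_key is None:
        problems.append(f"unsupported or missing alg: {hdr.get('alg')!r}")
    elif len(jwe["encrypted_key"]) != want_key:
        problems.append(f"encrypted key is {len(jwe['encrypted_key'])} bytes, want {want_key}")
    if len(jwe["iv"]) != enc["iv"]:
        problems.append(f"iv is {len(jwe['iv'])} bytes, want {enc['iv']}")
    if len(jwe["tag"]) != enc["tag"]:
        problems.append(f"tag is {len(jwe['tag'])} bytes, want {enc['tag']}")
    if not jwe["ciphertext"] or len(jwe["ciphertext"]) % enc["block"]:
        problems.append("ciphertext is not a positive multiple of the block size")
    return problems


def changed_parts(a: str, b: str) -> list:
    """Names of the parts that differ between two tokens."""
    ja, jb = parse_jwe_compact(a), parse_jwe_compact(b)
    return [n for n in PART_NAMES if ja[n] != jb[n]]


if __name__ == "__main__":
    for name, tok in (("-04", JWT_04), ("-05", JWT_05)):
        jwe = parse_jwe_compact(tok)
        sizes = {n: len(jwe[n]) for n in PART_NAMES[1:]}
        print(name, jwe["header"], sizes, check_structure(jwe) or "consistent")
    print("changed between -04 and -05:", changed_parts(JWT_04, JWT_05))
```

   Running it shows that both tokens carry the same header
   ({"alg": "RSA1_5", "enc": "A128CBC+HS256"}) and the same 16-byte IV,
   and that only the encrypted key, ciphertext and tag changed in -05,
   which is what the "Updated values for example AES CBC calculations"
   entry in Appendix F records.  Size checks of this kind are a cheap
   first gate for a recipient: a token whose tag is short or whose
   ciphertext is not block-aligned can be rejected before any RSA or
   AES operation, but they are no substitute for verifying the HMAC
   tag before the plaintext is used, as the JWE security considerations
   referenced above require.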
Appendix B.  Relationship of JWTs to SAML Tokens

   SAML 2.0 [OASIS.saml-core-2.0-os] provides a standard for creating
   tokens with much greater expressivity and more security options than
   supported by JWTs.  However, the cost of this flexibility and
   expressiveness is both size and complexity.  In addition, SAML's use
   of XML [W3C.CR-xml11-20021015] and XML DSIG [RFC3275] only
   contributes to the size of SAML tokens.

   [skipping to change at page 22, line 30]
   [[ to be removed by the RFC editor before publication as an RFC ]]

   The following items remain to be considered or done in this draft:

   o  Track changes to the underlying JOSE specifications.

Appendix F.  Document History

   [[ to be removed by the RFC editor before publication as an RFC ]]

   -05 (entry present in -05 only)

   o  Updated values for example AES CBC calculations.

   -04

   o  Promoted Initialization Vector from being a header parameter to
      being a top-level JWE element.  This saves approximately 16 bytes
      in the compact serialization, which is a significant savings for
      some use cases.  Promoting the Initialization Vector out of the
      header also avoids repeating this shared value in the JSON
      serialization.

   o  Applied changes made by the RFC Editor to RFC 6749's registry
   End of changes.  10 change blocks.  16 lines changed or deleted,
   20 lines changed or added.

   This html diff was produced by rfcdiff 1.41.  The latest version is
   available from http://tools.ietf.org/tools/rfcdiff/