draft-ietf-oauth-json-web-token-14.txt   draft-ietf-oauth-json-web-token-15.txt 
OAuth Working Group M. Jones OAuth Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: July 2, 2014 Ping Identity Expires: July 24, 2014 Ping Identity
N. Sakimura N. Sakimura
NRI NRI
December 29, 2013 January 20, 2014
JSON Web Token (JWT) JSON Web Token (JWT)
draft-ietf-oauth-json-web-token-14 draft-ietf-oauth-json-web-token-15
Abstract Abstract
JSON Web Token (JWT) is a compact URL-safe means of representing JSON Web Token (JWT) is a compact URL-safe means of representing
claims to be transferred between two parties. The claims in a JWT claims to be transferred between two parties. The claims in a JWT
are encoded as a JavaScript Object Notation (JSON) object that is are encoded as a JavaScript Object Notation (JSON) object that is
used as the payload of a JSON Web Signature (JWS) structure or as the used as the payload of a JSON Web Signature (JWS) structure or as the
plaintext of a JSON Web Encryption (JWE) structure, enabling the plaintext of a JSON Web Encryption (JWE) structure, enabling the
claims to be digitally signed or MACed and/or encrypted. claims to be digitally signed or MACed and/or encrypted.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 2, 2014. This Internet-Draft will expire on July 24, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 4, line 10 skipping to change at page 4, line 10
Appendix C. Relationship of JWTs to Simple Web Tokens (SWTs) . . 25 Appendix C. Relationship of JWTs to Simple Web Tokens (SWTs) . . 25
Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 25 Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 25
Appendix E. Document History . . . . . . . . . . . . . . . . . . 25 Appendix E. Document History . . . . . . . . . . . . . . . . . . 25
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29
1. Introduction 1. Introduction
JSON Web Token (JWT) is a compact claims representation format JSON Web Token (JWT) is a compact claims representation format
intended for space constrained environments such as HTTP intended for space constrained environments such as HTTP
Authorization headers and URI query parameters. JWTs encode claims Authorization headers and URI query parameters. JWTs encode claims
to be transmitted as a JavaScript Object Notation (JSON) [RFC4627] to be transmitted as a JavaScript Object Notation (JSON)
object that is used as the payload of a JSON Web Signature (JWS) [I-D.ietf-json-rfc4627bis] object that is used as the payload of a
[JWS] structure or as the plaintext of a JSON Web Encryption (JWE) JSON Web Signature (JWS) [JWS] structure or as the plaintext of a
[JWE] structure, enabling the claims to be digitally signed or MACed JSON Web Encryption (JWE) [JWE] structure, enabling the claims to be
and/or encrypted. JWTs are always represented using the JWS Compact digitally signed or MACed and/or encrypted. JWTs are always
Serialization or the JWE Compact Serialization. represented using the JWS Compact Serialization or the JWE Compact
Serialization.
The suggested pronunciation of JWT is the same as the English word The suggested pronunciation of JWT is the same as the English word
"jot". "jot".
1.1. Notational Conventions 1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in Key words for use in document are to be interpreted as described in Key words for use in
RFCs to Indicate Requirement Levels [RFC2119]. If these words are RFCs to Indicate Requirement Levels [RFC2119]. If these words are
skipping to change at page 6, line 9 skipping to change at page 6, line 9
IntDate A JSON numeric value representing the number of seconds from IntDate A JSON numeric value representing the number of seconds from
1970-01-01T0:0:0Z UTC until the specified UTC date/time. See RFC 1970-01-01T0:0:0Z UTC until the specified UTC date/time. See RFC
3339 [RFC3339] for details regarding date/times in general and UTC 3339 [RFC3339] for details regarding date/times in general and UTC
in particular. in particular.
3. JSON Web Token (JWT) Overview 3. JSON Web Token (JWT) Overview
JWTs represent a set of claims as a JSON object that is encoded in a JWTs represent a set of claims as a JSON object that is encoded in a
JWS and/or JWE structure. This JSON object is the JWT Claims Set. As JWS and/or JWE structure. This JSON object is the JWT Claims Set. As
per RFC 4627 [RFC4627] Section 2.2, the JSON object consists of zero per Section 4 of [I-D.ietf-json-rfc4627bis], the JSON object consists
or more name/value pairs (or members), where the names are strings of zero or more name/value pairs (or members), where the names are
and the values are arbitrary JSON values. These members are the strings and the values are arbitrary JSON values. These members are
claims represented by the JWT. the claims represented by the JWT.
The member names within the JWT Claims Set are referred to as Claim The member names within the JWT Claims Set are referred to as Claim
Names. The corresponding values are referred to as Claim Values. Names. The corresponding values are referred to as Claim Values.
The contents of the JWT Header describe the cryptographic operations The contents of the JWT Header describe the cryptographic operations
applied to the JWT Claims Set. If the JWT Header is a JWS Header, the applied to the JWT Claims Set. If the JWT Header is a JWS Header, the
JWT is represented as a JWS, and the claims are digitally signed or JWT is represented as a JWS, and the claims are digitally signed or
MACed, with the JWT Claims Set being the JWS Payload. If the JWT MACed, with the JWT Claims Set being the JWS Payload. If the JWT
Header is a JWE Header, the JWT is represented as a JWE, and the Header is a JWE Header, the JWT is represented as a JWE, and the
claims are encrypted, with the JWT Claims Set being the input claims are encrypted, with the JWT Claims Set being the input
skipping to change at page 13, line 42 skipping to change at page 13, line 42
1. The JWT MUST contain at least one period ('.') character. 1. The JWT MUST contain at least one period ('.') character.
2. Let the Encoded JWT Header be the portion of the JWT before the 2. Let the Encoded JWT Header be the portion of the JWT before the
first period ('.') character. first period ('.') character.
3. The Encoded JWT Header MUST be successfully base64url decoded 3. The Encoded JWT Header MUST be successfully base64url decoded
following the restriction given in this specification that no following the restriction given in this specification that no
padding characters have been used. padding characters have been used.
4. The resulting JWT Header MUST be completely valid JSON syntax 4. The resulting JWT Header MUST be completely valid JSON syntax
conforming to RFC 4627 [RFC4627]. conforming to [I-D.ietf-json-rfc4627bis].
5. The resulting JWT Header MUST be validated to only include 5. The resulting JWT Header MUST be validated to only include
parameters and values whose syntax and semantics are both parameters and values whose syntax and semantics are both
understood and supported or that are specified as being ignored understood and supported or that are specified as being ignored
when not understood. when not understood.
6. Determine whether the JWT is a JWS or a JWE using any of the 6. Determine whether the JWT is a JWS or a JWE using any of the
methods described in Section 9 of [JWE]. methods described in Section 9 of [JWE].
7. Depending upon whether the JWT is a JWS or JWE, there are two 7. Depending upon whether the JWT is a JWS or JWE, there are two
skipping to change at page 14, line 24 skipping to change at page 14, line 24
JWE Plaintext. JWE Plaintext.
8. If the JWT Header contains a "cty" (content type) value of 8. If the JWT Header contains a "cty" (content type) value of
"JWT", then the Message is a JWT that was the subject of nested "JWT", then the Message is a JWT that was the subject of nested
signing or encryption operations. In this case, return to Step signing or encryption operations. In this case, return to Step
1, using the Message as the JWT. 1, using the Message as the JWT.
9. Otherwise, let the JWT Claims Set be the Message. 9. Otherwise, let the JWT Claims Set be the Message.
10. The JWT Claims Set MUST be completely valid JSON syntax 10. The JWT Claims Set MUST be completely valid JSON syntax
conforming to RFC 4627 [RFC4627]. conforming to [I-D.ietf-json-rfc4627bis].
7.1. String Comparison Rules 7.1. String Comparison Rules
Processing a JWT inevitably requires comparing known strings to Processing a JWT inevitably requires comparing known strings to
values in JSON objects. For example, in checking what the algorithm values in JSON objects. For example, in checking what the algorithm
is, the Unicode string encoding "alg" will be checked against the is, the Unicode string encoding "alg" will be checked against the
member names in the JWT Header to see if there is a matching Header member names in the JWT Header to see if there is a matching Header
Parameter Name. Parameter Name.
Comparisons between JSON strings and other Unicode strings MUST be Comparisons between JSON strings and other Unicode strings MUST be
skipping to change at page 20, line 13 skipping to change at page 20, line 13
specification. specification.
12. References 12. References
12.1. Normative References 12.1. Normative References
[ECMAScript] [ECMAScript]
Ecma International, "ECMAScript Language Specification, Ecma International, "ECMAScript Language Specification,
5.1 Edition", ECMA 262, June 2011. 5.1 Edition", ECMA 262, June 2011.
[I-D.ietf-json-rfc4627bis]
Bray, T., "The JSON Data Interchange Format",
draft-ietf-json-rfc4627bis-10 (work in progress),
December 2013.
[IANA.MediaTypes] [IANA.MediaTypes]
Internet Assigned Numbers Authority (IANA), "MIME Media Internet Assigned Numbers Authority (IANA), "MIME Media
Types", 2005. Types", 2005.
[JWA] Jones, M., "JSON Web Algorithms (JWA)", [JWA] Jones, M., "JSON Web Algorithms (JWA)",
draft-ietf-jose-json-web-algorithms (work in progress), draft-ietf-jose-json-web-algorithms (work in progress),
December 2013. January 2014.
[JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
Encryption (JWE)", draft-ietf-jose-json-web-encryption Encryption (JWE)", draft-ietf-jose-json-web-encryption
(work in progress), December 2013. (work in progress), January 2014.
[JWK] Jones, M., "JSON Web Key (JWK)", [JWK] Jones, M., "JSON Web Key (JWK)",
draft-ietf-jose-json-web-key (work in progress), draft-ietf-jose-json-web-key (work in progress),
December 2013. January 2014.
[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", draft-ietf-jose-json-web-signature (work Signature (JWS)", draft-ietf-jose-json-web-signature (work
in progress), December 2013. in progress), January 2014.
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046, Extensions (MIME) Part Two: Media Types", RFC 2046,
November 1996. November 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3339] Klyne, G., Ed. and C. Newman, "Date and Time on the [RFC3339] Klyne, G., Ed. and C. Newman, "Date and Time on the
Internet: Timestamps", RFC 3339, July 2002. Internet: Timestamps", RFC 3339, July 2002.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005. RFC 3986, January 2005.
[RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, July 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008. May 2008.
[RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace
for OAuth", RFC 6755, October 2012. for OAuth", RFC 6755, October 2012.
skipping to change at page 24, line 40 skipping to change at page 24, line 40
than supported by JWTs. However, the cost of this flexibility and than supported by JWTs. However, the cost of this flexibility and
expressiveness is both size and complexity. SAML's use of XML expressiveness is both size and complexity. SAML's use of XML
[W3C.CR-xml11-20021015] and XML DSIG [RFC3275] contributes to the [W3C.CR-xml11-20021015] and XML DSIG [RFC3275] contributes to the
size of SAML assertions; its use of XML and especially XML size of SAML assertions; its use of XML and especially XML
Canonicalization [W3C.REC-xml-c14n-20010315] contributes to their Canonicalization [W3C.REC-xml-c14n-20010315] contributes to their
complexity. complexity.
JWTs are intended to provide a simple security token format that is JWTs are intended to provide a simple security token format that is
small enough to fit into HTTP headers and query arguments in URIs. small enough to fit into HTTP headers and query arguments in URIs.
It does this by supporting a much simpler token model than SAML and It does this by supporting a much simpler token model than SAML and
using the JSON [RFC4627] object encoding syntax. It also supports using the JSON [I-D.ietf-json-rfc4627bis] object encoding syntax. It
securing tokens using Message Authentication Codes (MACs) and digital also supports securing tokens using Message Authentication Codes
signatures using a smaller (and less flexible) format than XML DSIG. (MACs) and digital signatures using a smaller (and less flexible)
format than XML DSIG.
Therefore, while JWTs can do some of the things SAML assertions do, Therefore, while JWTs can do some of the things SAML assertions do,
JWTs are not intended as a full replacement for SAML assertions, but JWTs are not intended as a full replacement for SAML assertions, but
rather as a token format to be used when ease of implementation or rather as a token format to be used when ease of implementation or
compactness are considerations. compactness are considerations.
SAML Assertions are always statements made by an entity about a SAML Assertions are always statements made by an entity about a
subject. JWTs are often used in the same manner, with the entity subject. JWTs are often used in the same manner, with the entity
making the statements being represented by the "iss" (issuer) claim, making the statements being represented by the "iss" (issuer) claim,
and the subject being represented by the "sub" (subject) claim. and the subject being represented by the "sub" (subject) claim.
skipping to change at page 25, line 47 skipping to change at page 26, line 4
John Panzer, Emmanuel Raviart, David Recordon, Eric Rescorla, Jim John Panzer, Emmanuel Raviart, David Recordon, Eric Rescorla, Jim
Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner. Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner.
Hannes Tschofenig and Derek Atkins chaired the OAuth working group Hannes Tschofenig and Derek Atkins chaired the OAuth working group
and Sean Turner and Stephen Farrell served as Security area directors and Sean Turner and Stephen Farrell served as Security area directors
during the creation of this specification. during the creation of this specification.
Appendix E. Document History Appendix E. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-15
o Replaced references to RFC 4627 with draft-ietf-json-rfc4627bis.
-14 -14
o Referenced the JWE section on Distinguishing between JWS and JWE o Referenced the JWE section on Distinguishing between JWS and JWE
Objects. Objects.
-13 -13
o Added Claim Description registry field. o Added Claim Description registry field.
o Used Header Parameter Description registry field. o Used Header Parameter Description registry field.
o Removed the phrases "JWA signing algorithms" and "JWA encryption o Removed the phrases "JWA signing algorithms" and "JWA encryption
 End of changes. 18 change blocks. 
27 lines changed or deleted 35 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/