draft-ietf-oauth-json-web-token-16.txt   draft-ietf-oauth-json-web-token-17.txt 
OAuth Working Group M. Jones OAuth Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: August 18, 2014 Ping Identity Expires: September 3, 2014 Ping Identity
N. Sakimura N. Sakimura
NRI NRI
February 14, 2014 March 2, 2014
JSON Web Token (JWT) JSON Web Token (JWT)
draft-ietf-oauth-json-web-token-16 draft-ietf-oauth-json-web-token-17
Abstract Abstract
JSON Web Token (JWT) is a compact URL-safe means of representing JSON Web Token (JWT) is a compact URL-safe means of representing
claims to be transferred between two parties. The claims in a JWT claims to be transferred between two parties. The claims in a JWT
are encoded as a JavaScript Object Notation (JSON) object that is are encoded as a JavaScript Object Notation (JSON) object that is
used as the payload of a JSON Web Signature (JWS) structure or as the used as the payload of a JSON Web Signature (JWS) structure or as the
plaintext of a JSON Web Encryption (JWE) structure, enabling the plaintext of a JSON Web Encryption (JWE) structure, enabling the
claims to be digitally signed or MACed and/or encrypted. claims to be digitally signed or MACed and/or encrypted.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 18, 2014. This Internet-Draft will expire on September 3, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 19 skipping to change at page 2, line 19
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. JSON Web Token (JWT) Overview . . . . . . . . . . . . . . . . 6 3. JSON Web Token (JWT) Overview . . . . . . . . . . . . . . . . 6
3.1. Example JWT . . . . . . . . . . . . . . . . . . . . . . . 6 3.1. Example JWT . . . . . . . . . . . . . . . . . . . . . . . 6
4. JWT Claims . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4. JWT Claims . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.1. Registered Claim Names . . . . . . . . . . . . . . . . . . 8 4.1. Registered Claim Names . . . . . . . . . . . . . . . . . . 8
4.1.1. "iss" (Issuer) Claim . . . . . . . . . . . . . . . . . 8 4.1.1. "iss" (Issuer) Claim . . . . . . . . . . . . . . . . . 8
4.1.2. "sub" (Subject) Claim . . . . . . . . . . . . . . . . 8 4.1.2. "sub" (Subject) Claim . . . . . . . . . . . . . . . . 9
4.1.3. "aud" (Audience) Claim . . . . . . . . . . . . . . . . 8 4.1.3. "aud" (Audience) Claim . . . . . . . . . . . . . . . . 9
4.1.4. "exp" (Expiration Time) Claim . . . . . . . . . . . . 9 4.1.4. "exp" (Expiration Time) Claim . . . . . . . . . . . . 9
4.1.5. "nbf" (Not Before) Claim . . . . . . . . . . . . . . . 9 4.1.5. "nbf" (Not Before) Claim . . . . . . . . . . . . . . . 9
4.1.6. "iat" (Issued At) Claim . . . . . . . . . . . . . . . 9 4.1.6. "iat" (Issued At) Claim . . . . . . . . . . . . . . . 9
4.1.7. "jti" (JWT ID) Claim . . . . . . . . . . . . . . . . . 9 4.1.7. "jti" (JWT ID) Claim . . . . . . . . . . . . . . . . . 10
4.2. Public Claim Names . . . . . . . . . . . . . . . . . . . . 9 4.2. Public Claim Names . . . . . . . . . . . . . . . . . . . . 10
4.3. Private Claim Names . . . . . . . . . . . . . . . . . . . 10 4.3. Private Claim Names . . . . . . . . . . . . . . . . . . . 10
5. JWT Header . . . . . . . . . . . . . . . . . . . . . . . . . . 10 5. JWT Header . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1. "typ" (Type) Header Parameter . . . . . . . . . . . . . . 10 5.1. "typ" (Type) Header Parameter . . . . . . . . . . . . . . 11
5.2. "cty" (Content Type) Header Parameter . . . . . . . . . . 10 5.2. "cty" (Content Type) Header Parameter . . . . . . . . . . 11
5.3. Replicating Claims as Header Parameters . . . . . . . . . 11 5.3. Replicating Claims as Header Parameters . . . . . . . . . 11
6. Plaintext JWTs . . . . . . . . . . . . . . . . . . . . . . . . 11 6. Plaintext JWTs . . . . . . . . . . . . . . . . . . . . . . . . 12
6.1. Example Plaintext JWT . . . . . . . . . . . . . . . . . . 11 6.1. Example Plaintext JWT . . . . . . . . . . . . . . . . . . 12
7. Rules for Creating and Validating a JWT . . . . . . . . . . . 12 7. Rules for Creating and Validating a JWT . . . . . . . . . . . 13
7.1. String Comparison Rules . . . . . . . . . . . . . . . . . 14 7.1. String Comparison Rules . . . . . . . . . . . . . . . . . 14
8. Cryptographic Algorithms . . . . . . . . . . . . . . . . . . . 14 8. Cryptographic Algorithms . . . . . . . . . . . . . . . . . . . 15
9. URI for Declaring that Content is a JWT . . . . . . . . . . . 15 9. URI for Declaring that Content is a JWT . . . . . . . . . . . 15
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
10.1. JSON Web Token Claims Registry . . . . . . . . . . . . . . 15 10.1. JSON Web Token Claims Registry . . . . . . . . . . . . . . 15
10.1.1. Registration Template . . . . . . . . . . . . . . . . 16 10.1.1. Registration Template . . . . . . . . . . . . . . . . 16
10.1.2. Initial Registry Contents . . . . . . . . . . . . . . 17 10.1.2. Initial Registry Contents . . . . . . . . . . . . . . 17
10.2. Sub-Namespace Registration of 10.2. Sub-Namespace Registration of
urn:ietf:params:oauth:token-type:jwt . . . . . . . . . . . 17 urn:ietf:params:oauth:token-type:jwt . . . . . . . . . . . 18
10.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 17 10.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 18
10.3. Media Type Registration . . . . . . . . . . . . . . . . . 18 10.3. Media Type Registration . . . . . . . . . . . . . . . . . 18
10.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 18 10.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 18
10.4. Registration of JWE Header Parameter Names . . . . . . . . 18 10.4. Registration of JWE Header Parameter Names . . . . . . . . 19
10.4.1. Registry Contents . . . . . . . . . . . . . . . . . . 18 10.4.1. Registry Contents . . . . . . . . . . . . . . . . . . 19
11. Security Considerations . . . . . . . . . . . . . . . . . . . 19 11. Security Considerations . . . . . . . . . . . . . . . . . . . 19
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
12.1. Normative References . . . . . . . . . . . . . . . . . . . 20 12.1. Normative References . . . . . . . . . . . . . . . . . . . 20
12.2. Informative References . . . . . . . . . . . . . . . . . . 21 12.2. Informative References . . . . . . . . . . . . . . . . . . 21
Appendix A. JWT Examples . . . . . . . . . . . . . . . . . . . . 22 Appendix A. JWT Examples . . . . . . . . . . . . . . . . . . . . 22
A.1. Example Encrypted JWT . . . . . . . . . . . . . . . . . . 22 A.1. Example Encrypted JWT . . . . . . . . . . . . . . . . . . 22
A.2. Example Nested JWT . . . . . . . . . . . . . . . . . . . . 22 A.2. Example Nested JWT . . . . . . . . . . . . . . . . . . . . 23
Appendix B. Relationship of JWTs to SAML Assertions . . . . . . . 24 Appendix B. Relationship of JWTs to SAML Assertions . . . . . . . 24
Appendix C. Relationship of JWTs to Simple Web Tokens (SWTs) . . 25 Appendix C. Relationship of JWTs to Simple Web Tokens (SWTs) . . 25
Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 25 Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 25
Appendix E. Document History . . . . . . . . . . . . . . . . . . 25 Appendix E. Document History . . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction 1. Introduction
JSON Web Token (JWT) is a compact claims representation format JSON Web Token (JWT) is a compact claims representation format
intended for space constrained environments such as HTTP intended for space constrained environments such as HTTP
Authorization headers and URI query parameters. JWTs encode claims Authorization headers and URI query parameters. JWTs encode claims
to be transmitted as a JavaScript Object Notation (JSON) to be transmitted as a JavaScript Object Notation (JSON) [RFC7158]
[I-D.ietf-json-rfc4627bis] object that is used as the payload of a object that is used as the payload of a JSON Web Signature (JWS)
JSON Web Signature (JWS) [JWS] structure or as the plaintext of a [JWS] structure or as the plaintext of a JSON Web Encryption (JWE)
JSON Web Encryption (JWE) [JWE] structure, enabling the claims to be [JWE] structure, enabling the claims to be digitally signed or MACed
digitally signed or MACed and/or encrypted. JWTs are always and/or encrypted. JWTs are always represented using the JWS Compact
represented using the JWS Compact Serialization or the JWE Compact Serialization or the JWE Compact Serialization.
Serialization.
The suggested pronunciation of JWT is the same as the English word The suggested pronunciation of JWT is the same as the English word
"jot". "jot".
1.1. Notational Conventions 1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in Key words for use in "OPTIONAL" in this document are to be interpreted as described in Key
RFCs to Indicate Requirement Levels [RFC2119]. If these words are words for use in RFCs to Indicate Requirement Levels [RFC2119]. If
used without being spelled in uppercase then they are to be these words are used without being spelled in uppercase then they are
interpreted with their normal natural language meanings. to be interpreted with their normal natural language meanings.
2. Terminology 2. Terminology
JSON Web Token (JWT) A string representing a set of claims as a JSON JSON Web Token (JWT)
object that is encoded in a JWS or JWE, enabling the claims to be A string representing a set of claims as a JSON object that is
digitally signed or MACed and/or encrypted. encoded in a JWS or JWE, enabling the claims to be digitally
signed or MACed and/or encrypted.
Base64url Encoding Base64 encoding using the URL- and filename-safe Base64url Encoding
character set defined in Section 5 of RFC 4648 [RFC4648], with all Base64 encoding using the URL- and filename-safe character set
trailing '=' characters omitted (as permitted by Section 3.2). defined in Section 5 of RFC 4648 [RFC4648], with all trailing '='
(See Appendix C of [JWS] for notes on implementing base64url characters omitted (as permitted by Section 3.2). (See Appendix C
encoding without padding.) of [JWS] for notes on implementing base64url encoding without
padding.)
JWT Header A JSON object that describes the cryptographic operations JWT Header
applied to the JWT. When the JWT is digitally signed or MACed, A JSON object that describes the cryptographic operations applied
the JWT Header is a JWS Header. When the JWT is encrypted, the to the JWT. When the JWT is digitally signed or MACed, the JWT
JWT Header is a JWE Header. Header is a JWS Header. When the JWT is encrypted, the JWT Header
is a JWE Header.
Header Parameter A name/value pair that is member of the JWT Header. Header Parameter
A name/value pair that is member of the JWT Header.
Header Parameter Name The name of a member of the JWT Header. Header Parameter Name
The name of a member of the JWT Header.
Header Parameter Value The value of a member of the JWT Header. Header Parameter Value
The value of a member of the JWT Header.
JWT Claims Set A JSON object that contains the Claims conveyed by JWT Claims Set
the JWT. A JSON object that contains the Claims conveyed by the JWT.
Claim A piece of information asserted about a subject. A Claim is Claim
A piece of information asserted about a subject. A Claim is
represented as a name/value pair consisting of a Claim Name and a represented as a name/value pair consisting of a Claim Name and a
Claim Value. Claim Value.
Claim Name The name portion of a Claim representation. A Claim Name Claim Name
is always a string. The name portion of a Claim representation. A Claim Name is
always a string.
Claim Value The value portion of a Claim representation. A Claim Claim Value
Value can be any JSON value. The value portion of a Claim representation. A Claim Value can be
any JSON value.
Encoded JWT Header Base64url encoding of the JWT Header. Encoded JWT Header
Base64url encoding of the JWT Header.
Nested JWT A JWT in which nested signing and/or encryption are Nested JWT
employed. In nested JWTs, a JWT is used as the payload or A JWT in which nested signing and/or encryption are employed. In
plaintext value of an enclosing JWS or JWE structure, nested JWTs, a JWT is used as the payload or plaintext value of an
respectively. enclosing JWS or JWE structure, respectively.
Plaintext JWT A JWT whose Claims are not integrity protected or Plaintext JWT
encrypted. A JWT whose Claims are not integrity protected or encrypted.
Collision-Resistant Name A name in a namespace that enables names to Collision-Resistant Name
be allocated in a manner such that they are highly unlikely to A name in a namespace that enables names to be allocated in a
collide with other names. Examples of collision-resistant manner such that they are highly unlikely to collide with other
namespaces include: Domain Names, Object Identifiers (OIDs) as names. Examples of collision-resistant namespaces include: Domain
defined in the ITU-T X.660 and X.670 Recommendation series, and Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and
Universally Unique IDentifiers (UUIDs) [RFC4122]. When using an X.670 Recommendation series, and Universally Unique IDentifiers
administratively delegated namespace, the definer of a name needs (UUIDs) [RFC4122]. When using an administratively delegated
to take reasonable precautions to ensure they are in control of namespace, the definer of a name needs to take reasonable
the portion of the namespace they use to define the name. precautions to ensure they are in control of the portion of the
namespace they use to define the name.
StringOrURI A JSON string value, with the additional requirement StringOrURI
that while arbitrary string values MAY be used, any value A JSON string value, with the additional requirement that while
containing a ":" character MUST be a URI [RFC3986]. StringOrURI arbitrary string values MAY be used, any value containing a ":"
values are compared as case-sensitive strings with no character MUST be a URI [RFC3986]. StringOrURI values are
transformations or canonicalizations applied. compared as case-sensitive strings with no transformations or
canonicalizations applied.
IntDate A JSON numeric value representing the number of seconds from IntDate
1970-01-01T0:0:0Z UTC until the specified UTC date/time. See RFC A JSON numeric value representing the number of seconds from 1970-
3339 [RFC3339] for details regarding date/times in general and UTC 01-01T0:0:0Z UTC until the specified UTC date/time. See RFC 3339
in particular. [RFC3339] for details regarding date/times in general and UTC in
particular.
3. JSON Web Token (JWT) Overview 3. JSON Web Token (JWT) Overview
JWTs represent a set of claims as a JSON object that is encoded in a JWTs represent a set of claims as a JSON object that is encoded in a
JWS and/or JWE structure. This JSON object is the JWT Claims Set. As JWS and/or JWE structure. This JSON object is the JWT Claims Set. As
per Section 4 of [I-D.ietf-json-rfc4627bis], the JSON object consists per Section 4 of [RFC7158], the JSON object consists of zero or more
of zero or more name/value pairs (or members), where the names are name/value pairs (or members), where the names are strings and the
strings and the values are arbitrary JSON values. These members are values are arbitrary JSON values. These members are the claims
the claims represented by the JWT. represented by the JWT.
The member names within the JWT Claims Set are referred to as Claim The member names within the JWT Claims Set are referred to as Claim
Names. The corresponding values are referred to as Claim Values. Names. The corresponding values are referred to as Claim Values.
The contents of the JWT Header describe the cryptographic operations The contents of the JWT Header describe the cryptographic operations
applied to the JWT Claims Set. If the JWT Header is a JWS Header, the applied to the JWT Claims Set. If the JWT Header is a JWS Header, the
JWT is represented as a JWS, and the claims are digitally signed or JWT is represented as a JWS, and the claims are digitally signed or
MACed, with the JWT Claims Set being the JWS Payload. If the JWT MACed, with the JWT Claims Set being the JWS Payload. If the JWT
Header is a JWE Header, the JWT is represented as a JWE, and the Header is a JWE Header, the JWT is represented as a JWE, and the
claims are encrypted, with the JWT Claims Set being the input claims are encrypted, with the JWT Claims Set being the input
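Review bot: In the reflowed IntDate definition in Section 2, the epoch timestamp is now split across a line break as "1970-" / "01-01T0:0:0Z", which is harder to read and to search for than the -16 layout that kept "1970-01-01T0:0:0Z" on one line. Rewrap that paragraph so the timestamp stays whole. Since every definition in the section is being touched anyway, the Header Parameter entry could also be corrected from "that is member of" to "that is a member of".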
skipping to change at page 13, line 42 skipping to change at page 14, line 13
1. The JWT MUST contain at least one period ('.') character. 1. The JWT MUST contain at least one period ('.') character.
2. Let the Encoded JWT Header be the portion of the JWT before the 2. Let the Encoded JWT Header be the portion of the JWT before the
first period ('.') character. first period ('.') character.
3. The Encoded JWT Header MUST be successfully base64url decoded 3. The Encoded JWT Header MUST be successfully base64url decoded
following the restriction given in this specification that no following the restriction given in this specification that no
padding characters have been used. padding characters have been used.
4. The resulting JWT Header MUST be completely valid JSON syntax 4. The resulting JWT Header MUST be completely valid JSON syntax
conforming to [I-D.ietf-json-rfc4627bis]. conforming to [RFC7158].
5. The resulting JWT Header MUST be validated to only include 5. The resulting JWT Header MUST be validated to only include
parameters and values whose syntax and semantics are both parameters and values whose syntax and semantics are both
understood and supported or that are specified as being ignored understood and supported or that are specified as being ignored
when not understood. when not understood.
6. Determine whether the JWT is a JWS or a JWE using any of the 6. Determine whether the JWT is a JWS or a JWE using any of the
methods described in Section 9 of [JWE]. methods described in Section 9 of [JWE].
7. Depending upon whether the JWT is a JWS or JWE, there are two 7. Depending upon whether the JWT is a JWS or JWE, there are two
skipping to change at page 14, line 24 skipping to change at page 14, line 42
JWE Plaintext. JWE Plaintext.
8. If the JWT Header contains a "cty" (content type) value of 8. If the JWT Header contains a "cty" (content type) value of
"JWT", then the Message is a JWT that was the subject of nested "JWT", then the Message is a JWT that was the subject of nested
signing or encryption operations. In this case, return to Step signing or encryption operations. In this case, return to Step
1, using the Message as the JWT. 1, using the Message as the JWT.
9. Otherwise, let the JWT Claims Set be the Message. 9. Otherwise, let the JWT Claims Set be the Message.
10. The JWT Claims Set MUST be completely valid JSON syntax 10. The JWT Claims Set MUST be completely valid JSON syntax
conforming to [I-D.ietf-json-rfc4627bis]. conforming to [RFC7158].
7.1. String Comparison Rules 7.1. String Comparison Rules
Processing a JWT inevitably requires comparing known strings to Processing a JWT inevitably requires comparing known strings to
values in JSON objects. For example, in checking what the algorithm values in JSON objects. For example, in checking what the algorithm
is, the Unicode string encoding "alg" will be checked against the is, the Unicode string encoding "alg" will be checked against the
member names in the JWT Header to see if there is a matching Header member names in the JWT Header to see if there is a matching Header
Parameter Name. Parameter Name.
Comparisons between JSON strings and other Unicode strings MUST be Comparisons between JSON strings and other Unicode strings MUST be
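Review bot: Step 8 returns to Step 1 whenever "cty" is "JWT", and the steps visible here place no bound on how many times that loop can repeat, so a validator following them literally will unwrap as many layers as a token supplies. While step 10 is being edited for the [RFC7158] reference, consider adding a sentence that allows implementations to cap nesting depth and reject a JWT that exceeds it.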
skipping to change at page 20, line 13 skipping to change at page 20, line 29
specification. specification.
12. References 12. References
12.1. Normative References 12.1. Normative References
[ECMAScript] [ECMAScript]
Ecma International, "ECMAScript Language Specification, Ecma International, "ECMAScript Language Specification,
5.1 Edition", ECMA 262, June 2011. 5.1 Edition", ECMA 262, June 2011.
[I-D.ietf-json-rfc4627bis]
Bray, T., "The JSON Data Interchange Format",
draft-ietf-json-rfc4627bis-10 (work in progress),
December 2013.
[IANA.MediaTypes] [IANA.MediaTypes]
Internet Assigned Numbers Authority (IANA), "MIME Media Internet Assigned Numbers Authority (IANA), "MIME Media
Types", 2005. Types", 2005.
[JWA] Jones, M., "JSON Web Algorithms (JWA)", [JWA] Jones, M., "JSON Web Algorithms (JWA)",
draft-ietf-jose-json-web-algorithms (work in progress), draft-ietf-jose-json-web-algorithms (work in progress),
February 2014. March 2014.
[JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web [JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
Encryption (JWE)", draft-ietf-jose-json-web-encryption Encryption (JWE)", draft-ietf-jose-json-web-encryption
(work in progress), February 2014. (work in progress), March 2014.
[JWK] Jones, M., "JSON Web Key (JWK)", [JWK] Jones, M., "JSON Web Key (JWK)",
draft-ietf-jose-json-web-key (work in progress), draft-ietf-jose-json-web-key (work in progress),
February 2014. March 2014.
[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", draft-ietf-jose-json-web-signature (work Signature (JWS)", draft-ietf-jose-json-web-signature (work
in progress), February 2014. in progress), March 2014.
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046, Extensions (MIME) Part Two: Media Types", RFC 2046,
November 1996. November 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005. RFC 3986, January 2005.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
[RFC7158] Bray, T., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7158, March 2014.
12.2. Informative References 12.2. Informative References
[CanvasApp] [CanvasApp]
Facebook, "Canvas Applications", 2010. Facebook, "Canvas Applications", 2010.
[JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign", [JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign",
September 2010. September 2010.
[MagicSignatures] [MagicSignatures]
Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic
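Review bot: The [JWA], [JWE], [JWK] and [JWS] entries in 12.1 name their drafts without a revision number, so the February-to-March date change is the only indication of which revision this document was checked against. Citing the revision explicitly, as the removed [I-D.ietf-json-rfc4627bis] entry did with "draft-ietf-json-rfc4627bis-10", would make these normative references unambiguous.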
skipping to change at page 24, line 40 skipping to change at page 25, line 10
than supported by JWTs. However, the cost of this flexibility and than supported by JWTs. However, the cost of this flexibility and
expressiveness is both size and complexity. SAML's use of XML expressiveness is both size and complexity. SAML's use of XML
[W3C.CR-xml11-20021015] and XML DSIG [RFC3275] contributes to the [W3C.CR-xml11-20021015] and XML DSIG [RFC3275] contributes to the
size of SAML assertions; its use of XML and especially XML size of SAML assertions; its use of XML and especially XML
Canonicalization [W3C.REC-xml-c14n-20010315] contributes to their Canonicalization [W3C.REC-xml-c14n-20010315] contributes to their
complexity. complexity.
JWTs are intended to provide a simple security token format that is JWTs are intended to provide a simple security token format that is
small enough to fit into HTTP headers and query arguments in URIs. small enough to fit into HTTP headers and query arguments in URIs.
It does this by supporting a much simpler token model than SAML and It does this by supporting a much simpler token model than SAML and
using the JSON [I-D.ietf-json-rfc4627bis] object encoding syntax. It using the JSON [RFC7158] object encoding syntax. It also supports
also supports securing tokens using Message Authentication Codes securing tokens using Message Authentication Codes (MACs) and digital
(MACs) and digital signatures using a smaller (and less flexible) signatures using a smaller (and less flexible) format than XML DSIG.
format than XML DSIG.
Therefore, while JWTs can do some of the things SAML assertions do, Therefore, while JWTs can do some of the things SAML assertions do,
JWTs are not intended as a full replacement for SAML assertions, but JWTs are not intended as a full replacement for SAML assertions, but
rather as a token format to be used when ease of implementation or rather as a token format to be used when ease of implementation or
compactness are considerations. compactness are considerations.
SAML Assertions are always statements made by an entity about a SAML Assertions are always statements made by an entity about a
subject. JWTs are often used in the same manner, with the entity subject. JWTs are often used in the same manner, with the entity
making the statements being represented by the "iss" (issuer) claim, making the statements being represented by the "iss" (issuer) claim,
and the subject being represented by the "sub" (subject) claim. and the subject being represented by the "sub" (subject) claim.
skipping to change at page 26, line 4 skipping to change at page 26, line 19
John Panzer, Emmanuel Raviart, David Recordon, Eric Rescorla, Jim John Panzer, Emmanuel Raviart, David Recordon, Eric Rescorla, Jim
Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner. Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner.
Hannes Tschofenig and Derek Atkins chaired the OAuth working group Hannes Tschofenig and Derek Atkins chaired the OAuth working group
and Sean Turner and Stephen Farrell served as Security area directors and Sean Turner and Stephen Farrell served as Security area directors
during the creation of this specification. during the creation of this specification.
Appendix E. Document History Appendix E. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-17
o Corrected RFC 2119 terminology usage.
o Replaced references to draft-ietf-json-rfc4627bis with RFC 7158.
-16 -16
o Changed some references from being normative to informative, per o Changed some references from being normative to informative, per
JOSE issue #90. JOSE issue #90.
-15 -15
o Replaced references to RFC 4627 with draft-ietf-json-rfc4627bis. o Replaced references to RFC 4627 with draft-ietf-json-rfc4627bis.
-14 -14
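Review bot: The -17 entry in Appendix E lists the RFC 2119 terminology correction and the RFC 7158 reference swap but not the relayout of the Section 2 definitions, where each term now sits on its own line above its definition and which accounts for much of this diff. Add a bullet for that editorial change so the history matches what changed.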
 End of changes. 43 change blocks. 
100 lines changed or deleted 116 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/