rfcdiff of draft-ietf-oauth-jwt-bearer-00.txt against draft-ietf-oauth-jwt-bearer-01.txt; the -01 text follows.

OAuth Working Group                                          M. Jones
Internet-Draft                                              Microsoft
Intended status: Standards Track                          B. Campbell
Expires: January 7, 2013                                Ping Identity
                                                         C. Mortimore
                                                           Salesforce
                                                         July 6, 2012

JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
draft-ietf-oauth-jwt-bearer-01

Abstract

This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication.

Status of this Memo

This Internet-Draft is submitted in full conformance with the
[...]
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 7, 2013.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents
[...]
        urn:ietf:params:oauth:client-assertion-type:jwt-bearer
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Acknowledgements
   Appendix B.  Document History
   Authors' Addresses
1. Introduction

JSON Web Token (JWT) [JWT] is a JavaScript Object Notation (JSON) [RFC4627] based security token encoding that enables identity and security information to be shared across security domains. A security token is generally issued by an identity provider and consumed by a relying party that relies on its content to identify the token's subject for security related purposes.

The OAuth 2.0 Authorization Framework [I-D.ietf-oauth-v2] provides a method for making authenticated HTTP requests to a resource using an access token. Access tokens are issued to third-party clients by an authorization server (AS) with the (sometimes implicit) approval of the resource owner. In OAuth, an authorization grant is an abstract term used to describe intermediate credentials that represent the resource owner authorization. An authorization grant is used by the client to obtain an access token. Several authorization grant types are defined to support a wide range of client types and user experiences. OAuth also allows for the definition of new extension grant types to support additional clients or to provide a bridge between OAuth and other trust frameworks. Finally, OAuth allows the definition of additional authentication mechanisms to be used by clients when interacting with the authorization server.

The Assertion Framework for OAuth 2.0 [I-D.ietf-oauth-assertions] is an abstract extension to OAuth 2.0 that provides a general framework for the use of Assertions (a.k.a. Security Tokens) as client credentials and/or authorization grants with OAuth 2.0. This specification profiles the Assertion Framework for OAuth 2.0 [I-D.ietf-oauth-assertions] to define an extension grant type that uses a JSON Web Token (JWT) Bearer Token to request an OAuth 2.0 access token as well as for use as client credentials. The format and processing rules for the JWT defined in this specification are intentionally similar, though not identical, to those in the closely related SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 [I-D.ietf-oauth-saml2-bearer].

This document defines how a JSON Web Token (JWT) Bearer Token can be used to request an access token when a client wishes to utilize an existing trust relationship, expressed through the semantics of (and digital signature calculated over) the JWT, without a direct user approval step at the authorization server. It also defines how a JWT can be used as a client authentication mechanism. The use of a security token for client authentication is orthogonal and separable from using a security token as an authorization grant and the two can be used either in combination or in isolation.
[...]
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

Unless otherwise noted, all the protocol parameter names and values are case sensitive.

1.2. Terminology

All terms are as defined in The OAuth 2.0 Authorization Framework [I-D.ietf-oauth-v2], Assertion Framework for OAuth 2.0 [I-D.ietf-oauth-assertions], and JSON Web Token (JWT) [JWT].

2. HTTP Parameter Bindings for Transporting Assertions

The Assertion Framework for OAuth 2.0 [I-D.ietf-oauth-assertions] defines generic HTTP parameters for transporting Assertions (a.k.a. Security Tokens) during interactions with a token endpoint. This section defines the values of those parameters for use with JWT Bearer Tokens.

2.1. Using JWTs as Authorization Grants

To use a JWT Bearer Token as an authorization grant, use the following parameter values and encodings.

The value of the "grant_type" parameter MUST be "urn:ietf:params:oauth:grant-type:jwt-bearer".

The value of the "assertion" parameter MUST contain a single JWT.
[...]
The value of the "client_assertion_type" parameter MUST be "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".

The value of the "client_assertion" parameter MUST contain a single JWT.

3. JWT Format and Processing Requirements

In order to issue an access token response as described in The OAuth 2.0 Authorization Framework [I-D.ietf-oauth-v2] or to rely on a JWT for client authentication, the authorization server MUST validate the JWT according to the criteria below. Application of additional restrictions and policy are at the discretion of the authorization server.

o  The JWT MUST contain an "iss" (issuer) claim that contains a unique identifier for the entity that issued the JWT.

o  The JWT MUST contain a "prn" (principal) claim identifying the subject of the transaction. The principal MAY identify the
[...]
   Content-Type: application/x-www-form-urlencoded

   grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
   &assertion=eyJhbGciOiJFUzI1NiJ9.
   eyJpc3Mi[...omitted for brevity...].
   J9l-ZhwP_2n[...omitted for brevity...]
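As an added example (not part of the draft), the following Python models both ends of Sections 2 and 3 as reproduced here: a client mints the JWT carried in the "assertion" or "client_assertion" parameter, and the authorization server checks the fixed parameter values, verifies the signature before trusting any claim, and requires the "iss" and "prn" claims. HS256 with a constructed shared secret replaces the ES256 signature of the draft's example so the code runs on the standard library alone; the error strings are the OAuth 2.0 core token error codes, and only the claims visible in this excerpt are enforced.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs

# Parameter values fixed by Section 2; claims that Section 3 says MUST be present.
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
REQUIRED_CLAIMS = ("iss", "prn")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(claims, key):
    # Client side: mint the JWS compact serialization carried in "assertion". HS256 with
    # a shared secret is an assumption (stdlib only); the draft's example uses ES256.
    header = b64url_encode(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_jwt_bearer(jwt, key):
    # Authorization-server side: returns (claims, None) or (None, reason). The alg is
    # pinned to what this AS expects and the signature is verified before any claim is trusted.
    parts = jwt.split(".")
    if len(parts) != 3:
        return None, "not a single JWS compact serialization"
    if json.loads(b64url_decode(parts[0])).get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None, "signature verification failed"
    claims = json.loads(b64url_decode(parts[1]))
    for name in REQUIRED_CLAIMS:
        if not isinstance(claims.get(name), str) or not claims[name]:
            return None, f"missing or empty required claim: {name}"
    return claims, None

def process_token_request(body, key):
    # Section 2.1 bindings for the grant and, when present, the Section 2.2
    # bindings for client authentication. Returns (grant, client, oauth_error).
    form = parse_qs(body, strict_parsing=True)
    if form.get("grant_type") != [GRANT_TYPE]:
        return None, None, "unsupported_grant_type"
    if len(form.get("assertion", [])) != 1:       # exactly one JWT
        return None, None, "invalid_request"
    grant, err = validate_jwt_bearer(form["assertion"][0], key)
    if err:
        return None, None, "invalid_grant"
    client = None
    if "client_assertion" in form or "client_assertion_type" in form:
        if (form.get("client_assertion_type") != [CLIENT_ASSERTION_TYPE]
                or len(form.get("client_assertion", [])) != 1):
            return None, None, "invalid_request"
        client, err = validate_jwt_bearer(form["client_assertion"][0], key)
        if err:
            return None, None, "invalid_client"
    return grant, client, None
```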
5. Security Considerations

No additional security considerations apply beyond those described within The OAuth 2.0 Authorization Framework [I-D.ietf-oauth-v2], the Assertion Framework for OAuth 2.0 [I-D.ietf-oauth-assertions], and the JSON Web Token (JWT) [JWT] specification.

6. IANA Considerations

6.1. Sub-Namespace Registration of urn:ietf:params:oauth:grant-type:jwt-bearer

This specification registers the value "grant-type:jwt-bearer" in the IANA urn:ietf:params:oauth registry established in An IETF URN Sub-Namespace for OAuth [I-D.ietf-oauth-urn-sub-ns].

o  URN: urn:ietf:params:oauth:grant-type:jwt-bearer
o  Common Name: JWT Bearer Token Grant Type Profile for OAuth 2.0
o  Change controller: IETF
o  Specification Document: [[this document]]

6.2. Sub-Namespace Registration of urn:ietf:params:oauth:client-assertion-type:jwt-bearer

This specification registers the value "client-assertion-type:jwt-bearer" in the IANA urn:ietf:params:oauth registry established in An IETF URN Sub-Namespace for OAuth [I-D.ietf-oauth-urn-sub-ns].

o  URN: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
o  Common Name: JWT Bearer Token Profile for OAuth 2.0 Client Authentication
o  Change controller: IETF
o  Specification Document: [[this document]]

7. References

7.1. Normative References

[I-D.ietf-oauth-assertions]  Campbell, B., Mortimore, C., Jones, M., and Y. Goland, "Assertion Framework for OAuth 2.0", draft-ietf-oauth-assertions-04 (work in progress), July 2012.

[I-D.ietf-oauth-urn-sub-ns]  Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace for OAuth", draft-ietf-oauth-urn-sub-ns-05 (work in progress), June 2012.

[I-D.ietf-oauth-v2]  Hammer-Lahav, E., Recordon, D., and D. Hardt, "The OAuth 2.0 Authorization Framework", draft-ietf-oauth-v2-28 (work in progress), June 2012.

[JWT]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", July 2012.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC4627]  Crockford, D., "The application/json Media Type for JavaScript Object Notation (JSON)", RFC 4627, July 2006.

7.2. Informative References

[I-D.ietf-oauth-saml2-bearer]  Campbell, B. and C. Mortimore, "SAML 2.0 Bearer Assertion Profiles for OAuth 2.0", draft-ietf-oauth-saml2-bearer-13 (work in progress), July 2012.

Appendix A. Acknowledgements

This profile was derived from SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 [I-D.ietf-oauth-saml2-bearer] by Brian Campbell and Chuck Mortimore.

Appendix B. Document History

[[ to be removed by the RFC editor before publication as an RFC ]]

-01

o  Tracked specification name changes: "The OAuth 2.0 Authorization Protocol" to "The OAuth 2.0 Authorization Framework" and "OAuth 2.0 Assertion Profile" to "Assertion Framework for OAuth 2.0".

o  Merged in changes between draft-ietf-oauth-saml2-bearer-11 and draft-ietf-oauth-saml2-bearer-13. All changes were strictly editorial.

-00

o  Created the initial IETF draft based upon draft-jones-oauth-jwt-bearer-04 with no normative changes.

Authors' Addresses

Michael B. Jones
Microsoft