rfcdiff: draft-ietf-oauth-jwt-bearer-11.txt vs. draft-ietf-oauth-jwt-bearer-12.txt (text common to both versions is shown once; where the versions differ, the alternatives are marked [-11] / [-12])

OAuth Working Group                                          M. Jones
Internet-Draft                                              Microsoft
Intended status: Standards Track                          B. Campbell
Expires: April 24, 2015 [-11] / May 16, 2015 [-12]      Ping Identity
                                                          C. Mortimore
                                                           Salesforce
                      October 21, 2014 [-11] / November 12, 2014 [-12]

JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and
Authorization Grants
draft-ietf-oauth-jwt-bearer-11 [-11] / draft-ietf-oauth-jwt-bearer-12 [-12]

Abstract

This specification defines the use of a JSON Web Token (JWT) Bearer
Token as a means for requesting an OAuth 2.0 access token as well as
for use as a means of client authentication.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 24, 2015 [-11] / May 16, 2015 [-12].

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
skipping to change at page 10, line 15
The specification does not mandate replay protection for the JWT
usage for either the authorization grant or for client
authentication. It is an optional feature, which implementations may
employ at their own discretion.
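The optional replay protection described above, as an added example that is not part of the draft or any implementation it references: a hypothetical authorization-server-side verifier (AssertionVerifier) that honours each "jti" once until the assertion's "exp" passes, bounds the assertion lifetime, and compares "aud" by exact string match as the draft's history entry on Simple String Comparison (RFC 3986, Section 6.2.1) requires. Assumptions: HS256 with a shared secret stands in for whatever JWA algorithm a deployment actually registers, the make_assertion helper and key value are constructed for the test, and the replay cache is a single in-memory dict rather than a store shared across authorization-server instances.

```python
import base64, hashlib, hmac, json, time

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(claims, key):
    # Constructed helper: mint an HS256-signed JWT so the verifier has input to check.
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

class AssertionVerifier:
    def __init__(self, key, audience, max_lifetime=300):
        self.key, self.audience, self.max_lifetime = key, audience, max_lifetime
        self.seen_jti = {}  # jti -> exp, so entries can be evicted once they expire

    def verify(self, token, now=None):
        now = int(time.time()) if now is None else now
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            header = json.loads(_b64url_decode(header_b64))
            sig = _b64url_decode(sig_b64)
        except ValueError:
            return False, "malformed"
        if header.get("alg") != "HS256":
            return False, "unexpected alg"  # the verifier, not the token, picks the algorithm
        expected = hmac.new(self.key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(payload_b64))  # only trusted after the signature check
        aud = claims.get("aud")  # Simple String Comparison (RFC 3986 s6.2.1): exact match, no normalisation
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            return False, "audience mismatch"
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return False, "expired"
        if exp - now > self.max_lifetime:
            return False, "lifetime too long"
        jti = claims.get("jti")  # optional replay protection: each jti is honoured once until its exp passes
        if not isinstance(jti, str):
            return False, "missing jti"
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}  # evict expired entries
        if jti in self.seen_jti:
            return False, "replayed"
        self.seen_jti[jti] = exp
        return True, "ok"
```

Because entries are evicted only once their "exp" has passed, bounding the lifetime with max_lifetime also bounds how large the replay cache can grow.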
7. Privacy Considerations

A JWT may contain privacy-sensitive information and, to prevent
disclosure of such information to unintended parties, should only be
transmitted over encrypted channels, such as TLS. In cases where it
is desirable to prevent disclosure of certain information to the
client ("certain information the client" in -11), the JWT should be
encrypted to the authorization server.

Deployments should determine the minimum amount of information
necessary to complete the exchange and include only such claims in
the JWT. In some cases, the "sub" (subject) claim can be a value
representing an anonymous or pseudonymous user, as described in
Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client
Authentication and Authorization Grants [I-D.ietf-oauth-assertions].

8. IANA Considerations

skipping to change at page 11, line 15
o Change controller: IESG
o Specification Document: [[this document]]

9. References

9.1. Normative References

[I-D.ietf-jose-json-web-algorithms]
Jones, M., "JSON Web Algorithms (JWA)",
draft-ietf-jose-json-web-algorithms-35 [-11] /
draft-ietf-jose-json-web-algorithms-36 [-12] (work in progress),
October 2014.

[I-D.ietf-oauth-assertions]
Campbell, B., Mortimore, C., Jones, M., and Y. Goland,
"Assertion Framework for OAuth 2.0 Client Authentication
and Authorization Grants", draft-ietf-oauth-assertions
(work in progress), October 2014.

[JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", draft-ietf-oauth-json-web-token (work in
progress), October 2014.

skipping to change at page 11, line 52
[I-D.ietf-oauth-dyn-reg]
Richer, J., Jones, M., Bradley, J., Machulak, M., and P.
Hunt, "OAuth 2.0 Dynamic Client Registration Protocol",
draft-ietf-oauth-dyn-reg-20 (work in progress), August
2014.

[I-D.ietf-oauth-saml2-bearer]
Campbell, B., Mortimore, C., and M. Jones, "SAML 2.0
Profile for OAuth 2.0 Client Authentication and
Authorization Grants", draft-ietf-oauth-saml2-bearer (work
in progress), October 2014 [-11] / November 2014 [-12].

[OpenID.Discovery]
Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID
Connect Discovery 1.0", February 2014.

[OpenID.Registration]
Sakimura, N., Bradley, J., and M. Jones, "OpenID Connect
Dynamic Client Registration 1.0", February 2014.

[RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace
skipping to change at page 12, line 26
Appendix A. Acknowledgements

This profile was derived from SAML 2.0 Profile for OAuth 2.0 Client
Authentication and Authorization Grants [I-D.ietf-oauth-saml2-bearer]
by Brian Campbell and Chuck Mortimore.

Appendix B. Document History

[[ to be removed by the RFC editor before publication as an RFC ]]

draft-ietf-oauth-jwt-bearer-12 [-12 only]

o Fix typo per
http://www.ietf.org/mail-archive/web/oauth/current/msg13790.html

draft-ietf-oauth-jwt-bearer-11

o Changes/suggestions from IESG reviews.

draft-ietf-oauth-jwt-bearer-10

o Added Privacy Considerations section per AD review discussion
http://www.ietf.org/mail-archive/web/oauth/current/msg13148.html
and http://www.ietf.org/mail-archive/web/oauth/current/msg13144.html

skipping to change at page 12, line 48 [-11] / page 13, line 5 [-12]
o Clarified some text around the treatment of subject based on the
rough consensus from the thread starting at
http://www.ietf.org/mail-archive/web/oauth/current/msg12630.html

draft-ietf-oauth-jwt-bearer-08

o Updated references, including replacing references to RFC 4627
with RFC 7159.

draft-ietf-oauth-jwt-bearer-07

o Clean up language around subject per
http://www.ietf.org/mail-archive/web/oauth/current/msg12250.html.

o As suggested in
http://www.ietf.org/mail-archive/web/oauth/current/msg12251.html
stated that "In the absence of an application profile specifying
otherwise, compliant applications MUST compare the audience values
using the Simple String Comparison method defined in Section 6.2.1
of RFC 3986."

o Added one-time use, maximum lifetime, and specific subject and

End of changes. 9 change blocks.
10 lines changed or deleted, 13 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/