Re: [OAUTH-WG] [jose] JWT JSON representation

Sergey Beryozkin <> Mon, 10 November 2014 21:38 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BE94C1A1B4F for <>; Mon, 10 Nov 2014 13:38:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9EtQhJZSbFE2 for <>; Mon, 10 Nov 2014 13:38:18 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c00::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D54161A1B1F for <>; Mon, 10 Nov 2014 13:38:17 -0800 (PST)
Received: by with SMTP id x12so10029945wgg.17 for <>; Mon, 10 Nov 2014 13:38:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=C0wqwc5rZGTGpgfA4VWDZlTboMTWl7sfDueNXnhdDXU=; b=gTMVVdgbGH8afwpqd3JSDegkXd/0G0SQFsXjxbLo3EH+NNwvoTW1KxkTr0pAez4Y9K WIQKMfz6sYJ2wjfaLYnFlqpSE7V/xS3lLWV1MYBsB6cK/j5mqevZE0qNIM1pjHlFtoRT HDCaTs/bY5/V7bs8MhuiC48zuXm7O6b1IVetu0H36WXuw0Y+SuvSovf8lrzIgp7XqxXx +jV1R+Dd1a+6FUppaC30c5lsOkCEE6HOpaqO7bUaoQ8oyJoBOfa+syjILBwtjyZJxeJm BQi9yccqV3PAFvpc7Tg7u7afqYikCsC40iL1ycd5umr75CVPA8+uimaVFt64dOJFXQ6D j42g==
X-Received: by with SMTP id j6mr33609211wiz.23.1415655496524; Mon, 10 Nov 2014 13:38:16 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id bj7sm24693203wjc.33.2014. for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Nov 2014 13:38:14 -0800 (PST)
Message-ID: <>
Date: Mon, 10 Nov 2014 21:38:12 +0000
From: Sergey Beryozkin <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: John Bradley <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] [jose] JWT JSON representation
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Nov 2014 21:38:19 -0000

On 10/11/14 21:31, John Bradley wrote:
> In the JSON form of a JWS the JWT body would still be base64 encoded, so I don't think that is what you are looking for.
Do you refer to a 'payload' property of Jws Json ? I understand...

I was only suggesting supporting Jwt as a data container possibly even 
outside of OAuth in the format suggested below...
I'm OK with not introducing it at this stage. I guess it may become more 
interesting to consider later on once 'JWT' becomes a mainstream term.
> If you don't care about integrity protection you can just store the JSON form the body, however to avoid canonicalization (as with XML signature) you need to keep the base64url encoded parts around if you want to verify the signature.

Thanks, Sergey
> John B.
> On Nov 10, 2014, at 11:22 AM, Sergey Beryozkin <> wrote:
>> Hi John
>> Moving it to the OAuth list as suggested
>> On 10/11/14 18:39, John Bradley wrote:
>>> JWT is a OAuth spec for historic reasons, so it might be best to discuss this on that list.
>>> Are you talking about a unsigned JWT?
>> No, just a complete JSON representation
>>> JWT currently only supports the compact form.   For access tokens that allows them to be passed in headers without additional escaping.
>>> I would need to see a use case before adding the JSON encoding to JWT.
>>> Nothing stops someone from using a JSON encoded JWS with a set of claims in the body, but that is not by definition a JWT on the wire.
>>> They can be converted between the two forms programatically.
>> I do not have any major use case in mind. Right now I have something called a JAX-RS MessageBodyWriter/Reader for a Jwt token, and internally it converts it to the compact Jws or reads from it.
>> It just occurred to me, what if Jwt simply acts as a basic standardized data container, so on the wire it is just a JSON document.
>> Or if we have an access JWT token, right now it would be JWS-compacted, but if we had a JSON form then another option would be to have a base64URL representation of JWT as a token (though I haven't thought about the integrity protection of it...).
>> Or may be it would be easier to store such JWT in JSON in JSON-aware databases...
t>> Sorry, just thinking aloud here while experimenting...
>> Cheers, Sergey
>>> John B.
>>> On Nov 10, 2014, at 8:26 AM, Sergey Beryozkin <> wrote:
>>>> Hi All,
>>>> Would it make sense to have a JWT spec talk about its JSON representation, example:
>>>> {
>>>>    "headers": {...}
>>>>    "claims": {...}
>>>> }
>>>> IMHO it might be interesting in cases where JWT is an access token passed over the secure channel or simply used as a standard data/token container
>>>> Sergey
>>>> _______________________________________________
>>>> jose mailing list