Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples

Mike Jones, Mon, 28 April 2014 16:22 UTC

From: Mike Jones
To: Hannes Tschofenig, Brian Campbell
Date: Mon, 28 Apr 2014 16:21:47 +0000

I'm confused by your statement below, Hannes, about the examples not showing JWTs protected by MACs or digital signatures, since the example JWT in is protected by a MAC and the nested JWT example in is protected by a digital signature (and then encrypted).

-----Original Message-----
From: Hannes Tschofenig
Sent: Monday, April 28, 2014 1:39 AM
To: Mike Jones; Brian Campbell
Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples

Hi Mike,

On 04/25/2014 06:37 PM, Mike Jones wrote:
> While we could add other examples, doing so is beyond the scope of the 
> immediate mission to validate the existing examples, Hannes.  There’s 
> lots of examples in the underlying JOSE specs, so it’s not clear that 
> we really need to add additional ones at this time.  (If this 
> suggestion comes up again during IESG review, we could do that, but I 
> don’t think it’s necessary at this point to move the spec to IESG 
> review.)

It is certainly true that examples are not mandatory and that the JOSE specs contain a number of examples.

Reading through the document, it came to my mind that the most common uses of JWTs are actually not covered as part of the examples. Many readers look at the examples to quickly get the idea and neither a JWT protected using a MAC is there nor a JWT protected with a digital signature.

I will, however, get over it.