[OAUTH-WG] JSON Web Token Best Current Practices sent to the RFC Editor

Mike Jones <Michael.Jones@microsoft.com> Tue, 22 October 2019 23:37 UTC

To: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NZhKSykjvNtccfXKobcYbfJ5T3Y>

I'm pleased to report that the JSON Web Token (JWT) Best Current Practices (BCP) specification is now technically stable and will shortly be an RFC - an Internet standard.  Specifically, it has now progressed to the RFC Editor queue, meaning that the only remaining step before finalization is editorial due diligence.  Thus, implementations can now utilize the draft specification with confidence that breaking changes will not occur as it is finalized.

The abstract of the specification is:
JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity, and in other application areas. The goal of this Best Current Practices document is to provide actionable guidance leading to secure implementation and deployment of JWTs.

Thanks to the OAuth working group <https://datatracker.ietf.org/wg/oauth/about/> for completing this important specification.

The specification is available at:

  *   https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-07

An HTML-formatted version is also available at:

  *   http://self-issued.info/docs/draft-ietf-oauth-jwt-bcp-07.html

                                                       -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=2020 and as @selfissued <https://twitter.com/selfissued>.