Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

Dominick Baier <> Wed, 22 July 2020 16:32 UTC


Why not use a typ header as suggested by the JWT BCP?

Dominick Baier

On 22. July 2020 at 17:37:41, Brian Campbell wrote:

The TL;DR here is a somewhat tentative suggestion that a brief security
consideration be added to
<> that prohibits
the inclusion of a 'sub' claim containing the client id value in the
request object JWT so as to prevent the request object JWT (which is
exposed to the user agent) from being erroneously accepted as a valid JWT
for client authentication.

Some more details and the discussion that led to this here email can be
found at

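An added example, not part of the thread or of any project's code: a sketch of the client-assertion check an authorization server performs, run against three constructed request objects to show how the two mitigations discussed above (omitting 'sub', and an explicit typ header) each stop a request object from passing as client authentication. Assumptions: HS256 with a shared secret stands in for the client's signing key, the typ value is the one RFC 9101 registers for request objects, and all names, the client id and the URLs are hypothetical.

```python
import base64, hashlib, hmac, json, time

REQUEST_OBJECT_TYP = "oauth-authz-req+jwt"  # typ for JAR request objects (RFC 9101)

def _enc(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _dec(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign(header, claims, key):
    """Build a compact HS256 JWS (helper for the constructed tokens below)."""
    signing_input = f"{_enc(header)}.{_enc(claims)}"
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def check_client_assertion(token, client_id, as_issuer, key, check_typ=True):
    """Validate a JWT offered for client authentication; return (ok, reason)."""
    h, p, s = token.split(".")
    header = json.loads(_dec(h))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _dec(s)):
        return False, "bad signature"
    claims = json.loads(_dec(p))
    # Explicit typing: compare without the optional "application/" prefix.
    typ = str(header.get("typ", "")).lower().split("/")[-1]
    if check_typ and typ == REQUEST_OBJECT_TYP:
        return False, "typ marks this JWT as a request object"
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "iss and sub must both be the client id"
    aud = claims.get("aud")
    if as_issuer not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= time.time():
        return False, "expired or missing exp"
    return True, "accepted"  # a real server would also enforce jti replay protection

# Constructed sample data: one client, one authorization server, three request objects.
KEY, CLIENT, AS = b"constructed-demo-secret-32-bytes", "demo-client", "https://as.example.com"
params = {"iss": CLIENT, "aud": AS, "exp": int(time.time()) + 300,
          "response_type": "code", "redirect_uri": "https://client.example.org/cb"}
untyped_with_sub = sign({"alg": "HS256"}, {**params, "sub": CLIENT}, KEY)
typed_with_sub = sign({"alg": "HS256", "typ": REQUEST_OBJECT_TYP}, {**params, "sub": CLIENT}, KEY)
untyped_no_sub = sign({"alg": "HS256"}, params, KEY)
```

The untyped request object that carries 'sub' is the only one accepted; rejecting on typ only helps when the client actually sets that header on its request objects.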