Re: [OAUTH-WG] [jose] JWT JSON representation

John Bradley <ve7jtb@ve7jtb.com> Mon, 10 November 2014 21:31 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Date: Mon, 10 Nov 2014 11:31:45 -1000
To: Sergey Beryozkin <sberyozkin@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/iX1V8a0yZFrJWlNyG0_Coj7fcbI
Cc: oauth@ietf.org

In the JSON form of a JWS the JWT body would still be base64 encoded, so I don't think that is what you are looking for.

If you don't care about integrity protection you can just store the JSON form of the body; however, to avoid canonicalization (as with XML signature) you need to keep the base64url encoded parts around if you want to verify the signature.

John B.
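An added example (not part of John's message or of any JOSE library) illustrating the point above: a JWS in the JSON Serialization still carries the claims as a base64url string, and a signature verified over a re-serialized JSON body fails, because JWS has no canonicalization. Key, header and claim values are constructed; HS256 is used only to keep the example dependency-free.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, claims: dict, key: bytes) -> dict:
    """Return a JWS in the flattened JSON Serialization (RFC 7515 section 7.2.2).
    The payload member is still base64url(claims JSON), not the raw JSON object."""
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(sig)}


def to_compact(jws: dict) -> str:
    """JSON Serialization -> compact form; a purely syntactic conversion."""
    return ".".join((jws["protected"], jws["payload"], jws["signature"]))


def from_compact(token: str) -> dict:
    protected, payload, signature = token.split(".")
    return {"protected": protected, "payload": payload, "signature": signature}


def verify_hs256(protected: str, payload: str, signature: str, key: bytes) -> bool:
    """Verify over the base64url parts exactly as received; nothing is re-encoded."""
    expected = hmac.new(key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature))


KEY = b"constructed-demo-key"                       # constructed sample key
HEADER = {"alg": "HS256", "typ": "JWT"}
CLAIMS = {"iss": "https://issuer.example", "sub": "alice", "exp": 1415658710}  # constructed


def demo():
    jws = sign_hs256(HEADER, CLAIMS, KEY)
    ok_original = verify_hs256(jws["protected"], jws["payload"], jws["signature"], KEY)
    # Storing only the decoded claims object (a "claims": {...} container) loses the
    # exact bytes that were signed ...
    claims = json.loads(b64url_decode(jws["payload"]))
    # ... so re-encoding the same object with different whitespace/key order no longer verifies.
    reencoded = b64url(json.dumps(claims, sort_keys=True, indent=2).encode())
    ok_reencoded = verify_hs256(jws["protected"], reencoded, jws["signature"], KEY)
    return claims, ok_original, ok_reencoded
```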

On Nov 10, 2014, at 11:22 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Hi John
> 
> Moving it to the OAuth list as suggested
> On 10/11/14 18:39, John Bradley wrote:
>> JWT is an OAuth spec for historic reasons, so it might be best to discuss this on that list.
>> 
>> Are you talking about an unsigned JWT?
> No, just a complete JSON representation
>> 
>> JWT currently only supports the compact form. For access tokens that allows them to be passed in headers without additional escaping.
>> 
>> I would need to see a use case before adding the JSON encoding to JWT.
>> 
>> Nothing stops someone from using a JSON encoded JWS with a set of claims in the body, but that is not by definition a JWT on the wire.
>> 
>> They can be converted between the two forms programmatically.
>> 
> I do not have any major use case in mind. Right now I have something called a JAX-RS MessageBodyWriter/Reader for a Jwt token, and internally it converts it to the compact Jws or reads from it.
> 
> It just occurred to me, what if Jwt simply acts as a basic standardized data container, so on the wire it is just a JSON document.
> Or if we have an access JWT token, right now it would be JWS-compacted, but if we had a JSON form then another option would be to have a base64URL representation of JWT as a token (though I haven't thought about the integrity protection of it...).
> Or maybe it would be easier to store such JWT in JSON in JSON-aware databases...
> 
> Sorry, just thinking aloud here while experimenting...
> 
> Cheers, Sergey
> 
>> John B.
>> 
>> On Nov 10, 2014, at 8:26 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>> 
>>> Hi All,
>>> 
>>> Would it make sense to have a JWT spec talk about its JSON representation, example:
>>> {
>>>   "headers": {...},
>>>   "claims": {...}
>>> }
>>> 
>>> IMHO it might be interesting in cases where JWT is an access token passed over the secure channel or simply used as a standard data/token container
>>> 
>>> Sergey
>>> 