Re: [OAUTH-WG] [jose] JWT JSON representation

Sergey Beryozkin <> Mon, 10 November 2014 21:22 UTC

Hi John

Moving it to the OAuth list as suggested
On 10/11/14 18:39, John Bradley wrote:
> JWT is an OAuth spec for historic reasons, so it might be best to discuss this on that list.
> Are you talking about an unsigned JWT?
No, just a complete JSON representation
> JWT currently only supports the compact form. For access tokens that allows them to be passed in headers without additional escaping.
> I would need to see a use case before adding the JSON encoding to JWT.
> Nothing stops someone from using a JSON encoded JWS with a set of claims in the body, but that is not by definition a JWT on the wire.
> They can be converted between the two forms programmatically.
I do not have any major use case in mind. Right now I have something 
called a JAX-RS MessageBodyWriter/Reader for a Jwt token, and internally 
it converts it to the compact Jws or reads from it.

It just occurred to me, what if Jwt simply acts as a basic standardized 
data container, so on the wire it is just a JSON document.
Or if we have an access JWT token, right now it would be JWS-compacted, 
but if we had a JSON form then another option would be to have a 
base64URL representation of JWT as a token (though I haven't thought 
about the integrity protection of it...).
Or maybe it would be easier to store such JWT in JSON in JSON-aware 

Sorry, just thinking aloud here while experimenting...

Cheers, Sergey

> John B.
> On Nov 10, 2014, at 8:26 AM, Sergey Beryozkin <> wrote:
>> Hi All,
>> Would it make sense to have a JWT spec talk about its JSON representation, example:
>> {
>>    "headers": {...},
>>    "claims": {...}
>> }
>> IMHO it might be interesting in cases where JWT is an access token passed over the secure channel or simply used as a standard data/token container
>> Sergey
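
The conversion between the compact form and a JSON-encoded JWS mentioned in the thread, as an added example that is not code from either participant: it re-wraps a compact HS256 token as flattened JWS JSON (RFC 7515, section 7.2.2) and shows that integrity protection carries over because the MAC covers the same base64url strings in both forms. The function names, key and claims are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-not-a-real-secret"        # constructed sample key
CLAIMS = {"iss": "https://as.example", "sub": "alice"}  # constructed sample claims

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_compact(claims: dict, key: bytes) -> str:
    """Build an HS256 compact JWS, the form a JWT takes on the wire."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256)
    return f"{header}.{payload}.{b64url(mac.digest())}"

def compact_to_json(token: str) -> dict:
    """Re-wrap the three compact segments as flattened JWS JSON."""
    protected, payload, signature = token.split(".")
    return {"protected": protected, "payload": payload, "signature": signature}

def json_to_compact(jws: dict) -> str:
    """Only possible without an unprotected header or multiple signatures."""
    if "header" in jws or "signatures" in jws:
        raise ValueError("not expressible in compact form")
    return ".".join((jws["protected"], jws["payload"], jws["signature"]))

def verify_json(jws: dict, key: bytes) -> dict:
    """Verify over the received base64url strings, never re-serialized JSON."""
    if json.loads(b64url_decode(jws["protected"])).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(jws["signature"])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(jws["payload"]))
```

A bare `{"headers": ..., "claims": ...}` document has no `signature` member, so it would rely entirely on the channel for integrity.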