Re: [OAUTH-WG] [jose] JWT JSON representation
Sergey Beryozkin <sberyozkin@gmail.com> Mon, 10 November 2014 21:22 UTC
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/siDRB04KwSX4PJV8yllD34taCiA
Cc: oauth@ietf.org
Hi John

Moving it to the OAuth list as suggested

On 10/11/14 18:39, John Bradley wrote:
> JWT is an OAuth spec for historic reasons, so it might be best to discuss this on that list.
>
> Are you talking about an unsigned JWT?

No, just a complete JSON representation

> JWT currently only supports the compact form. For access tokens that allows them to be passed in headers without additional escaping.
>
> I would need to see a use case before adding the JSON encoding to JWT.
>
> Nothing stops someone from using a JSON encoded JWS with a set of claims in the body, but that is not by definition a JWT on the wire.
>
> They can be converted between the two forms programmatically.
>

I do not have any major use case in mind. Right now I have something called a JAX-RS MessageBodyWriter/Reader for a Jwt token, and internally it converts it to the compact Jws or reads from it. It just occurred to me, what if Jwt simply acts as a basic standardized data container, so on the wire it is just a JSON document.

Or if we have an access JWT token, right now it would be JWS-compacted, but if we had a JSON form then another option would be to have a base64URL representation of JWT as a token (though I haven't thought about the integrity protection of it...).

Or maybe it would be easier to store such JWT in JSON in JSON-aware databases...

Sorry, just thinking aloud here while experimenting...

Cheers, Sergey

> John B.
>
> On Nov 10, 2014, at 8:26 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>
>> Hi All,
>>
>> Would it make sense to have a JWT spec talk about its JSON representation, example:
>> {
>>   "headers": {...},
>>   "claims": {...}
>> }
>>
>> IMHO it might be interesting in cases where JWT is an access token passed over the secure channel or simply used as a standard data/token container
>>
>> Sergey
>>
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>
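Added example, not part of the original message or of any code mentioned in the thread: the compact-to-JSON conversion John describes and the integrity question Sergey leaves open, shown in Python with the flattened JWS JSON Serialization of RFC 7515. The key, the claims and all helper names are constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"            # constructed, not a real secret
CLAIMS = {"iss": "https://as.example", "sub": "alice", "exp": 1415658146}  # constructed

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key, protected, payload):
    # The JWS signing input is the two base64url strings exactly as transmitted.
    return hmac.new(key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()

def sign_compact(claims, key):
    enc = lambda obj: b64u(json.dumps(obj, separators=(",", ":")).encode())
    protected, payload = enc({"alg": "HS256", "typ": "JWT"}), enc(claims)
    return f"{protected}.{payload}.{b64u(_mac(key, protected, payload))}"

def compact_to_json(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return dict(zip(("protected", "payload", "signature"), parts))

def json_to_compact(jws):
    # Unprotected headers and multiple signatures cannot be expressed compactly.
    if "header" in jws or "signatures" in jws:
        raise ValueError("no compact equivalent")
    return ".".join(jws[k] for k in ("protected", "payload", "signature"))

def verify_json(jws, key):
    if json.loads(b64u_dec(jws["protected"])).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; the header does not choose it
    expected = _mac(key, jws["protected"], jws["payload"])
    if not hmac.compare_digest(expected, b64u_dec(jws["signature"])):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(jws["payload"]))

def reserialize_payload(jws):
    # Same claims, different bytes: what a store that re-emits decoded JSON would produce.
    claims = json.loads(b64u_dec(jws["payload"]))
    return dict(jws, payload=b64u(json.dumps(claims, indent=2).encode()))

if __name__ == "__main__":
    jws = compact_to_json(sign_compact(CLAIMS, KEY))
    print(json.dumps(jws, indent=2))
    print(verify_json(jws, KEY))
```

The round trip is lossless because both forms carry the same base64url strings; a representation that holds the decoded headers and claims as plain JSON objects verifies only if the original encoded bytes are kept alongside it.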