| draft-ietf-oauth-jwt-bearer-00.txt | draft-ietf-oauth-jwt-bearer-01.txt | |||
|---|---|---|---|---|
| OAuth Working Group M. Jones | OAuth Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track B. Campbell | Intended status: Standards Track B. Campbell | |||
| Expires: November 23, 2012 Ping Identity | Expires: January 7, 2013 Ping Identity | |||
| C. Mortimore | C. Mortimore | |||
| Salesforce | Salesforce | |||
| May 22, 2012 | July 6, 2012 | |||
| JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 | JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 | |||
| draft-ietf-oauth-jwt-bearer-00 | draft-ietf-oauth-jwt-bearer-01 | |||
| Abstract | Abstract | |||
| This specification defines the use of a JSON Web Token (JWT) Bearer | This specification defines the use of a JSON Web Token (JWT) Bearer | |||
| Token as a means for requesting an OAuth 2.0 access token as well as | Token as a means for requesting an OAuth 2.0 access token as well as | |||
| for use as a means of client authentication. | for use as a means of client authentication. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 35 | skipping to change at page 1, line 35 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 23, 2012. | This Internet-Draft will expire on January 7, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 7 | skipping to change at page 3, line 7 | |||
| urn:ietf:params:oauth:client-assertion-type:jwt-bearer . . 8 | urn:ietf:params:oauth:client-assertion-type:jwt-bearer . . 8 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 8 | 7.1. Normative References . . . . . . . . . . . . . . . . . . . 8 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 9 | 7.2. Informative References . . . . . . . . . . . . . . . . . . 9 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 9 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 9 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . . 9 | Appendix B. Document History . . . . . . . . . . . . . . . . . . . 9 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| JSON Web Token (JWT) [JWT] is a JSON-based security token encoding | JSON Web Token (JWT) [JWT] is a JavaScript Object Notation (JSON) | |||
| that enables identity and security information to be shared across | [RFC4627] based security token encoding that enables identity and | |||
| security domains. JWTs utilize JSON data structures, as defined in | security information to be shared across security domains. A | |||
| RFC 4627 [RFC4627]. A security token is generally issued by an | security token is generally issued by an identity provider and | |||
| identity provider and consumed by a relying party that relies on its | consumed by a relying party that relies on its content to identify | |||
| content to identify the token's subject for security related | the token's subject for security related purposes. | |||
| purposes. | ||||
| The OAuth 2.0 Authorization Protocol [I-D.ietf-oauth-v2] provides a | The OAuth 2.0 Authorization Framework [I-D.ietf-oauth-v2] provides a | |||
| method for making authenticated HTTP requests to a resource using an | method for making authenticated HTTP requests to a resource using an | |||
| access token. Access tokens are issued to third-party clients by an | access token. Access tokens are issued to third-party clients by an | |||
| authorization server (AS) with the (sometimes implicit) approval of | authorization server (AS) with the (sometimes implicit) approval of | |||
| the resource owner. In OAuth, an authorization grant is an abstract | the resource owner. In OAuth, an authorization grant is an abstract | |||
| term used to describe intermediate credentials that represent the | term used to describe intermediate credentials that represent the | |||
| resource owner authorization. An authorization grant is used by the | resource owner authorization. An authorization grant is used by the | |||
| client to obtain an access token. Several authorization grant types | client to obtain an access token. Several authorization grant types | |||
| are defined to support a wide range of client types and user | are defined to support a wide range of client types and user | |||
| experiences. OAuth also allows for the definition of new extension | experiences. OAuth also allows for the definition of new extension | |||
| grant types to support additional clients or to provide a bridge | grant types to support additional clients or to provide a bridge | |||
| between OAuth and other trust frameworks. Finally, OAuth allows the | between OAuth and other trust frameworks. Finally, OAuth allows the | |||
| definition of additional authentication mechanisms to be used by | definition of additional authentication mechanisms to be used by | |||
| clients when interacting with the authorization server. | clients when interacting with the authorization server. | |||
| The OAuth 2.0 Assertion Profile [I-D.ietf-oauth-assertions] is an | The Assertion Framework for OAuth 2.0 [I-D.ietf-oauth-assertions] is | |||
| abstract extension to OAuth 2.0 that provides a general framework for | an abstract extension to OAuth 2.0 that provides a general framework | |||
| the use of Assertions (a.k.a. Security Tokens) as client credentials | for the use of Assertions (a.k.a. Security Tokens) as client | |||
| and/or authorization grants with OAuth 2.0. This specification | credentials and/or authorization grants with OAuth 2.0. This | |||
| profiles the OAuth 2.0 Assertion Profile [I-D.ietf-oauth-assertions] | specification profiles the Assertion Framework for OAuth 2.0 | |||
| to define an extension grant type that uses a JSON Web Token (JWT) | [I-D.ietf-oauth-assertions] to define an extension grant type that | |||
| Bearer Token to request an OAuth 2.0 access token as well as for use | uses a JSON Web Token (JWT) Bearer Token to request an OAuth 2.0 | |||
| as client credentials. The format and processing rules for the JWT | access token as well as for use as client credentials. The format | |||
| defined in this specification are intentionally similar, though not | and processing rules for the JWT defined in this specification are | |||
| identical, to those in the closely related SAML 2.0 Bearer Assertion | intentionally similar, though not identical, to those in the closely | |||
| Profiles for OAuth 2.0 [I-D.ietf-oauth-saml2-bearer]. | related SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 | |||
| [I-D.ietf-oauth-saml2-bearer]. | ||||
| This document defines how a JSON Web Token (JWT) Bearer Token can be | This document defines how a JSON Web Token (JWT) Bearer Token can be | |||
| used to request an access token when a client wishes to utilize an | used to request an access token when a client wishes to utilize an | |||
| existing trust relationship, expressed through the semantics of (and | existing trust relationship, expressed through the semantics of (and | |||
| digital signature calculated over) the JWT, without a direct user | digital signature calculated over) the JWT, without a direct user | |||
| approval step at the authorization server. It also defines how a JWT | approval step at the authorization server. It also defines how a JWT | |||
| can be used as a client authentication mechanism. The use of a | can be used as a client authentication mechanism. The use of a | |||
| security token for client authentication is orthogonal and separable | security token for client authentication is orthogonal and separable | |||
| from using a security token as an authorization grant and the two can | from using a security token as an authorization grant and the two can | |||
| be used either in combination or in isolation. | be used either in combination or in isolation. | |||
| skipping to change at page 4, line 18 | skipping to change at page 4, line 18 | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| Unless otherwise noted, all the protocol parameter names and values | Unless otherwise noted, all the protocol parameter names and values | |||
| are case sensitive. | are case sensitive. | |||
| 1.2. Terminology | 1.2. Terminology | |||
| All terms are as defined in The OAuth 2.0 Authorization Protocol | All terms are as defined in The OAuth 2.0 Authorization Framework | |||
| [I-D.ietf-oauth-v2], OAuth 2.0 Assertion Profile | [I-D.ietf-oauth-v2], Assertion Framework for OAuth 2.0 | |||
| [I-D.ietf-oauth-assertions], and JSON Web Token (JWT) [JWT]. | [I-D.ietf-oauth-assertions], and JSON Web Token (JWT) [JWT]. | |||
| 2. HTTP Parameter Bindings for Transporting Assertions | 2. HTTP Parameter Bindings for Transporting Assertions | |||
| The OAuth 2.0 Assertion Profile [I-D.ietf-oauth-assertions] defines | The Assertion Framework for OAuth 2.0 [I-D.ietf-oauth-assertions] | |||
| generic HTTP parameters for transporting Assertions (a.k.a. Security | defines generic HTTP parameters for transporting Assertions (a.k.a. | |||
| Tokens) during interactions with a token endpoint. This section | Security Tokens) during interactions with a token endpoint. This | |||
| defines the values of those parameters for use with JWT Bearer | section defines the values of those parameters for use with JWT | |||
| Tokens. | Bearer Tokens. | |||
| 2.1. Using JWTs as Authorization Grants | 2.1. Using JWTs as Authorization Grants | |||
| To use a JWT Bearer Token as an authorization grant, use the | To use a JWT Bearer Token as an authorization grant, use the | |||
| following parameter values and encodings. | following parameter values and encodings. | |||
| The value of the "grant_type" parameter MUST be | The value of the "grant_type" parameter MUST be | |||
| "urn:ietf:params:oauth:grant-type:jwt-bearer". | "urn:ietf:params:oauth:grant-type:jwt-bearer". | |||
| The value of the "assertion" parameter MUST contain a single JWT. | The value of the "assertion" parameter MUST contain a single JWT. | |||
| skipping to change at page 5, line 8 | skipping to change at page 5, line 8 | |||
| The value of the "client_assertion_type" parameter MUST be | The value of the "client_assertion_type" parameter MUST be | |||
| "urn:ietf:params:oauth:client-assertion-type:jwt-bearer". | "urn:ietf:params:oauth:client-assertion-type:jwt-bearer". | |||
| The value of the "client_assertion" parameter MUST contain a single | The value of the "client_assertion" parameter MUST contain a single | |||
| JWT. | JWT. | |||
| 3. JWT Format and Processing Requirements | 3. JWT Format and Processing Requirements | |||
| In order to issue an access token response as described in The OAuth | In order to issue an access token response as described in The OAuth | |||
| 2.0 Authorization Protocol [I-D.ietf-oauth-v2] or to rely on a JWT | 2.0 Authorization Framework [I-D.ietf-oauth-v2] or to rely on a JWT | |||
| for client authentication, the authorization server MUST validate the | for client authentication, the authorization server MUST validate the | |||
| JWT according to the criteria below. Application of additional | JWT according to the criteria below. Application of additional | |||
| restrictions and policy are at the discretion of the authorization | restrictions and policy are at the discretion of the authorization | |||
| server. | server. | |||
| o The JWT MUST contain an "iss" (issuer) claim that contains a | o The JWT MUST contain an "iss" (issuer) claim that contains a | |||
| unique identifier for the entity that issued the JWT. | unique identifier for the entity that issued the JWT. | |||
| o The JWT MUST contain a "prn" (principal) claim identifying the | o The JWT MUST contain a "prn" (principal) claim identifying the | |||
| subject of the transaction. The principal MAY identify the | subject of the transaction. The principal MAY identify the | |||
| skipping to change at page 7, line 36 | skipping to change at page 7, line 36 | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer | grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer | |||
| &assertion=eyJhbGciOiJFUzI1NiJ9. | &assertion=eyJhbGciOiJFUzI1NiJ9. | |||
| eyJpc3Mi[...omitted for brevity...]. | eyJpc3Mi[...omitted for brevity...]. | |||
| J9l-ZhwP_2n[...omitted for brevity...] | J9l-ZhwP_2n[...omitted for brevity...] | |||
| 5. Security Considerations | 5. Security Considerations | |||
| No additional security considerations apply beyond those described | No additional security considerations apply beyond those described | |||
| within The OAuth 2.0 Authorization Protocol [I-D.ietf-oauth-v2], the | within The OAuth 2.0 Authorization Framework [I-D.ietf-oauth-v2], the | |||
| OAuth 2.0 Assertion Profile [I-D.ietf-oauth-assertions], and the JSON | Assertion Framework for OAuth 2.0 [I-D.ietf-oauth-assertions], and | |||
| Web Token (JWT) [JWT] specification. | the JSON Web Token (JWT) [JWT] specification. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| 6.1. Sub-Namespace Registration of | 6.1. Sub-Namespace Registration of | |||
| urn:ietf:params:oauth:grant-type:jwt-bearer | urn:ietf:params:oauth:grant-type:jwt-bearer | |||
| This specification registers the value "grant-type:jwt-bearer" in the | This specification registers the value "grant-type:jwt-bearer" in the | |||
| registry urn:ietf:params:oauth established in An IETF URN Sub- | IANA urn:ietf:params:oauth registry established in An IETF URN Sub- | |||
| Namespace for OAuth [I-D.ietf-oauth-urn-sub-ns]. | Namespace for OAuth [I-D.ietf-oauth-urn-sub-ns]. | |||
| o URN: urn:ietf:params:oauth:grant-type:jwt-bearer | o URN: urn:ietf:params:oauth:grant-type:jwt-bearer | |||
| o Common Name: JWT Bearer Token Grant Type Profile for OAuth 2.0 | o Common Name: JWT Bearer Token Grant Type Profile for OAuth 2.0 | |||
| o Change controller: IETF | o Change controller: IETF | |||
| o Description: [[this document]] | o Specification Document: [[this document]] | |||
| 6.2. Sub-Namespace Registration of | 6.2. Sub-Namespace Registration of | |||
| urn:ietf:params:oauth:client-assertion-type:jwt-bearer | urn:ietf:params:oauth:client-assertion-type:jwt-bearer | |||
| This specification registers the value | This specification registers the value | |||
| "client-assertion-type:jwt-bearer" in the registry | "client-assertion-type:jwt-bearer" in the IANA urn:ietf:params:oauth | |||
| urn:ietf:params:oauth established in An IETF URN Sub-Namespace for | registry established in An IETF URN Sub-Namespace for OAuth | |||
| OAuth [I-D.ietf-oauth-urn-sub-ns]. | [I-D.ietf-oauth-urn-sub-ns]. | |||
| o URN: urn:ietf:params:oauth:client-assertion-type:jwt-bearer | o URN: urn:ietf:params:oauth:client-assertion-type:jwt-bearer | |||
| o Common Name: JWT Bearer Token Profile for OAuth 2.0 Client | o Common Name: JWT Bearer Token Profile for OAuth 2.0 Client | |||
| Authentication | Authentication | |||
| o Change controller: IETF | o Change controller: IETF | |||
| o Description: [[this document]] | o Specification Document: [[this document]] | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-oauth-assertions] | [I-D.ietf-oauth-assertions] | |||
| Jones, M., Campbell, B., and Y. Goland, "OAuth 2.0 | Campbell, B., Mortimore, C., Jones, M., and Y. Goland, | |||
| Assertion Profile", draft-ietf-oauth-assertions-03 (work | "Assertion Framework for OAuth 2.0", | |||
| in progress), May 2012. | draft-ietf-oauth-assertions-04 (work in progress), | |||
| July 2012. | ||||
| [I-D.ietf-oauth-urn-sub-ns] | [I-D.ietf-oauth-urn-sub-ns] | |||
| Tschofenig, H., "An IETF URN Sub-Namespace for OAuth", | Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | |||
| draft-ietf-oauth-urn-sub-ns-02 (work in progress), | for OAuth", draft-ietf-oauth-urn-sub-ns-05 (work in | |||
| January 2012. | progress), June 2012. | |||
| [I-D.ietf-oauth-v2] | [I-D.ietf-oauth-v2] | |||
| Hammer-Lahav, E., Recordon, D., and D. Hardt, "The OAuth | Hammer-Lahav, E., Recordon, D., and D. Hardt, "The OAuth | |||
| 2.0 Authorization Framework", draft-ietf-oauth-v2-26 (work | 2.0 Authorization Framework", draft-ietf-oauth-v2-28 (work | |||
| in progress), May 2012. | in progress), June 2012. | |||
| [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", May 2012. | (JWT)", July 2012. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4627] Crockford, D., "The application/json Media Type for | [RFC4627] Crockford, D., "The application/json Media Type for | |||
| JavaScript Object Notation (JSON)", RFC 4627, July 2006. | JavaScript Object Notation (JSON)", RFC 4627, July 2006. | |||
| 7.2. Informative References | 7.2. Informative References | |||
| [I-D.ietf-oauth-saml2-bearer] | [I-D.ietf-oauth-saml2-bearer] | |||
| Mortimore, C., "SAML 2.0 Bearer Assertion Profiles for | Campbell, B. and C. Mortimore, "SAML 2.0 Bearer Assertion | |||
| OAuth 2.0", draft-ietf-oauth-saml2-bearer-12 (work in | Profiles for OAuth 2.0", draft-ietf-oauth-saml2-bearer-13 | |||
| progress), May 2012. | (work in progress), July 2012. | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| This profile was derived from SAML 2.0 Bearer Assertion Profiles for | This profile was derived from SAML 2.0 Bearer Assertion Profiles for | |||
| OAuth 2.0 [I-D.ietf-oauth-saml2-bearer] by Brian Campbell and Chuck | OAuth 2.0 [I-D.ietf-oauth-saml2-bearer] by Brian Campbell and Chuck | |||
| Mortimore. | Mortimore. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by the RFC editor before publication as an RFC ]] | [[ to be removed by the RFC editor before publication as an RFC ]] | |||
| -01 | ||||
| o Tracked specification name changes: "The OAuth 2.0 Authorization | ||||
| Protocol" to "The OAuth 2.0 Authorization Framework" and "OAuth | ||||
| 2.0 Assertion Profile" to "Assertion Framework for OAuth 2.0". | ||||
| o Merged in changes between draft-ietf-oauth-saml2-bearer-11 and | ||||
| draft-ietf-oauth-saml2-bearer-13. All changes were strictly | ||||
| editorial. | ||||
| -00 | -00 | |||
| o Created the initial IETF draft based upon | o Created the initial IETF draft based upon | |||
| draft-jones-oauth-jwt-bearer-04 with no normative changes. | draft-jones-oauth-jwt-bearer-04 with no normative changes. | |||
| Authors' Addresses | Authors' Addresses | |||
| Michael B. Jones | Michael B. Jones | |||
| Microsoft | Microsoft | |||
| End of changes. 21 change blocks. | ||||
| 52 lines changed or deleted | 63 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||