| draft-ietf-oauth-jwt-bearer-08.txt | draft-ietf-oauth-jwt-bearer-09.txt | |||
|---|---|---|---|---|
| OAuth Working Group M. Jones | OAuth Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track B. Campbell | Intended status: Standards Track B. Campbell | |||
| Expires: September 20, 2014 Ping Identity | Expires: October 30, 2014 Ping Identity | |||
| C. Mortimore | C. Mortimore | |||
| Salesforce | Salesforce | |||
| March 19, 2014 | April 28, 2014 | |||
| JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and | JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and | |||
| Authorization Grants | Authorization Grants | |||
| draft-ietf-oauth-jwt-bearer-08 | draft-ietf-oauth-jwt-bearer-09 | |||
| Abstract | Abstract | |||
| This specification defines the use of a JSON Web Token (JWT) Bearer | This specification defines the use of a JSON Web Token (JWT) Bearer | |||
| Token as a means for requesting an OAuth 2.0 access token as well as | Token as a means for requesting an OAuth 2.0 access token as well as | |||
| for use as a means of client authentication. | for use as a means of client authentication. | |||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 20, 2014. | This Internet-Draft will expire on October 30, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4 | 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. HTTP Parameter Bindings for Transporting Assertions . . . . . 4 | 2. HTTP Parameter Bindings for Transporting Assertions . . . . . 4 | |||
| 2.1. Using JWTs as Authorization Grants . . . . . . . . . . . . 4 | 2.1. Using JWTs as Authorization Grants . . . . . . . . . . . 4 | |||
| 2.2. Using JWTs for Client Authentication . . . . . . . . . . . 5 | 2.2. Using JWTs for Client Authentication . . . . . . . . . . 5 | |||
| 3. JWT Format and Processing Requirements . . . . . . . . . . . . 6 | 3. JWT Format and Processing Requirements . . . . . . . . . . . 5 | |||
| 3.1. Authorization Grant Processing . . . . . . . . . . . . . . 7 | 3.1. Authorization Grant Processing . . . . . . . . . . . . . 7 | |||
| 3.2. Client Authentication Processing . . . . . . . . . . . . . 8 | 3.2. Client Authentication Processing . . . . . . . . . . . . 7 | |||
| 4. Authorization Grant Example . . . . . . . . . . . . . . . . . 8 | 4. Authorization Grant Example . . . . . . . . . . . . . . . . . 8 | |||
| 5. Interoperability Considerations . . . . . . . . . . . . . . . 9 | 5. Interoperability Considerations . . . . . . . . . . . . . . . 9 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 7.1. Sub-Namespace Registration of | 7.1. Sub-Namespace Registration of urn:ietf:params:oauth | |||
| urn:ietf:params:oauth:grant-type:jwt-bearer . . . . . . . 10 | :grant-type:jwt-bearer . . . . . . . . . . . . . . . . . 9 | |||
| 7.2. Sub-Namespace Registration of | 7.2. Sub-Namespace Registration of urn:ietf:params:oauth | |||
| urn:ietf:params:oauth:client-assertion-type:jwt-bearer . . 10 | :client-assertion-type:jwt-bearer . . . . . . . . . . . . 10 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 10 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 | 8.2. Informative References . . . . . . . . . . . . . . . . . 11 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 12 | Appendix B. Document History . . . . . . . . . . . . . . . . . . 11 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 1. Introduction | 1. Introduction | |||
| JSON Web Token (JWT) [JWT] is a JavaScript Object Notation (JSON) | JSON Web Token (JWT) [JWT] is a JavaScript Object Notation (JSON) | |||
| [RFC7159] based security token encoding that enables identity and | [RFC7159] based security token encoding that enables identity and | |||
| security information to be shared across security domains. A | security information to be shared across security domains. A | |||
| security token is generally issued by an identity provider and | security token is generally issued by an identity provider and | |||
| consumed by a relying party that relies on its content to identify | consumed by a relying party that relies on its content to identify | |||
| the token's subject for security related purposes. | the token's subject for security related purposes. | |||
| skipping to change at page 3, line 32 | skipping to change at page 3, line 12 | |||
| are defined to support a wide range of client types and user | are defined to support a wide range of client types and user | |||
| experiences. OAuth also allows for the definition of new extension | experiences. OAuth also allows for the definition of new extension | |||
| grant types to support additional clients or to provide a bridge | grant types to support additional clients or to provide a bridge | |||
| between OAuth and other trust frameworks. Finally, OAuth allows the | between OAuth and other trust frameworks. Finally, OAuth allows the | |||
| definition of additional authentication mechanisms to be used by | definition of additional authentication mechanisms to be used by | |||
| clients when interacting with the authorization server. | clients when interacting with the authorization server. | |||
| The Assertion Framework for OAuth 2.0 Client Authentication and | The Assertion Framework for OAuth 2.0 Client Authentication and | |||
| Authorization Grants [I-D.ietf-oauth-assertions] specification is an | Authorization Grants [I-D.ietf-oauth-assertions] specification is an | |||
| abstract extension to OAuth 2.0 that provides a general framework for | abstract extension to OAuth 2.0 that provides a general framework for | |||
| the use of Assertions (a.k.a. Security Tokens) as client credentials | the use of Assertions (a.k.a. Security Tokens) as client credentials | |||
| and/or authorization grants with OAuth 2.0. This specification | and/or authorization grants with OAuth 2.0. This specification | |||
| profiles the Assertion Framework for OAuth 2.0 Client Authentication | profiles the Assertion Framework for OAuth 2.0 Client Authentication | |||
| and Authorization Grants [I-D.ietf-oauth-assertions] specification to | and Authorization Grants [I-D.ietf-oauth-assertions] specification to | |||
| define an extension grant type that uses a JSON Web Token (JWT) | define an extension grant type that uses a JSON Web Token (JWT) | |||
| Bearer Token to request an OAuth 2.0 access token as well as for use | Bearer Token to request an OAuth 2.0 access token as well as for use | |||
| as client credentials. The format and processing rules for the JWT | as client credentials. The format and processing rules for the JWT | |||
| defined in this specification are intentionally similar, though not | defined in this specification are intentionally similar, though not | |||
| identical, to those in the closely related SAML 2.0 Profile for OAuth | identical, to those in the closely related SAML 2.0 Profile for OAuth | |||
| 2.0 Client Authentication and Authorization Grants | 2.0 Client Authentication and Authorization Grants | |||
| [I-D.ietf-oauth-saml2-bearer] specification. | [I-D.ietf-oauth-saml2-bearer] specification. | |||
| skipping to change at page 5, line 15 | skipping to change at page 4, line 42 | |||
| The value of the "grant_type" parameter MUST be | The value of the "grant_type" parameter MUST be | |||
| "urn:ietf:params:oauth:grant-type:jwt-bearer". | "urn:ietf:params:oauth:grant-type:jwt-bearer". | |||
| The value of the "assertion" parameter MUST contain a single JWT. | The value of the "assertion" parameter MUST contain a single JWT. | |||
| The "scope" parameter may be used, as defined in the Assertion | The "scope" parameter may be used, as defined in the Assertion | |||
| Framework for OAuth 2.0 Client Authentication and Authorization | Framework for OAuth 2.0 Client Authentication and Authorization | |||
| Grants [I-D.ietf-oauth-assertions] specification, to indicate the | Grants [I-D.ietf-oauth-assertions] specification, to indicate the | |||
| requested scope. | requested scope. | |||
| Authentication of the client is optional, as described in Section | Authentication of the client is optional, as described in | |||
| 3.2.1 of OAuth 2.0 [RFC6749] and consequently, the "client_id" is | Section 3.2.1 of OAuth 2.0 [RFC6749] and consequently, the | |||
| only needed when a form of client authentication that relies on the | "client_id" is only needed when a form of client authentication that | |||
| parameter is used. | relies on the parameter is used. | |||
| The following non-normative example demonstrates an Access Token | The following non-normative example demonstrates an Access Token | |||
| Request with a JWT as an authorization grant (with extra line breaks | Request with a JWT as an authorization grant (with extra line breaks | |||
| for display purposes only): | for display purposes only): | |||
| POST /token.oauth2 HTTP/1.1 | POST /token.oauth2 HTTP/1.1 | |||
| Host: as.example.com | Host: as.example.com | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer | grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer | |||
| skipping to change at page 6, line 36 | skipping to change at page 6, line 12 | |||
| unique identifier for the entity that issued the JWT. In the | unique identifier for the entity that issued the JWT. In the | |||
| absence of an application profile specifying otherwise, | absence of an application profile specifying otherwise, | |||
| compliant applications MUST compare Issuer values using the | compliant applications MUST compare Issuer values using the | |||
| Simple String Comparison method defined in Section 6.2.1 of RFC | Simple String Comparison method defined in Section 6.2.1 of RFC | |||
| 3986 [RFC3986]. | 3986 [RFC3986]. | |||
| 2. The JWT MUST contain a "sub" (subject) claim identifying the | 2. The JWT MUST contain a "sub" (subject) claim identifying the | |||
| principal that is the subject of the JWT. Two cases need to be | principal that is the subject of the JWT. Two cases need to be | |||
| differentiated: | differentiated: | |||
| A. For the authorization grant, the subject SHOULD identify an | A. For the authorization grant, the subject typically | |||
| authorized accessor for whom the access token is being | identifies an authorized accessor for which the access token | |||
| requested (typically the resource owner, or an authorized | is being requested (i.e., the resource owner or an | |||
| delegate). | authorized delegate), but in some cases, may be a | |||
| pseudonymous identifier or other value denoting an anonymous | ||||
| user. | ||||
| B. For client authentication, the subject MUST be the | B. For client authentication, the subject MUST be the | |||
| "client_id" of the OAuth client. | "client_id" of the OAuth client. | |||
| 3. The JWT MUST contain an "aud" (audience) claim containing a | 3. The JWT MUST contain an "aud" (audience) claim containing a | |||
| value that identifies the authorization server as an intended | value that identifies the authorization server as an intended | |||
| audience. The token endpoint URL of the authorization server | audience. The token endpoint URL of the authorization server | |||
| MAY be used as a value for an "aud" element to identify the | MAY be used as a value for an "aud" element to identify the | |||
| authorization server as an intended audience of the JWT. JWTs | authorization server as an intended audience of the JWT. JWTs | |||
| that do not identify the authorization server as an intended | that do not identify the authorization server as an intended | |||
| skipping to change at page 8, line 39 | skipping to change at page 8, line 18 | |||
| Though non-normative, the following examples illustrate what a | Though non-normative, the following examples illustrate what a | |||
| conforming JWT and access token request would look like. | conforming JWT and access token request would look like. | |||
| The example shows a JWT issued and signed by the system entity | The example shows a JWT issued and signed by the system entity | |||
| identified as "https://jwt-idp.example.com". The subject of the JWT | identified as "https://jwt-idp.example.com". The subject of the JWT | |||
| is identified by email address as "mike@example.com". The intended | is identified by email address as "mike@example.com". The intended | |||
| audience of the JWT is "https://jwt-rp.example.net", which is an | audience of the JWT is "https://jwt-rp.example.net", which is an | |||
| identifier with which the authorization server identifies itself. | identifier with which the authorization server identifies itself. | |||
| The JWT is sent as part of an access token request to the | The JWT is sent as part of an access token request to the | |||
| authorization server's token endpoint at | authorization server's token endpoint at "https://authz.example.net/ | |||
| "https://authz.example.net/token.oauth2". | token.oauth2". | |||
| Below is an example JSON object that could be encoded to produce the | Below is an example JSON object that could be encoded to produce the | |||
| JWT Claims Object for a JWT: | JWT Claims Object for a JWT: | |||
| {"iss":"https://jwt-idp.example.com", | {"iss":"https://jwt-idp.example.com", | |||
| "sub":"mailto:mike@example.com", | "sub":"mailto:mike@example.com", | |||
| "aud":"https://jwt-rp.example.net", | "aud":"https://jwt-rp.example.net", | |||
| "nbf":1300815780, | "nbf":1300815780, | |||
| "exp":1300819380, | "exp":1300819380, | |||
| "http://claims.example.com/member":true} | "http://claims.example.com/member":true} | |||
| skipping to change at page 10, line 12 | skipping to change at page 9, line 38 | |||
| [RFC6749], and the JSON Web Token (JWT) [JWT] specifications are all | [RFC6749], and the JSON Web Token (JWT) [JWT] specifications are all | |||
| applicable to this document. | applicable to this document. | |||
| The specification does not mandate replay protection for the JWT | The specification does not mandate replay protection for the JWT | |||
| usage for either the authorization grant or for client | usage for either the authorization grant or for client | |||
| authentication. It is an optional feature, which implementations may | authentication. It is an optional feature, which implementations may | |||
| employ at their own discretion. | employ at their own discretion. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| 7.1. Sub-Namespace Registration of | 7.1. Sub-Namespace Registration of urn:ietf:params:oauth:grant-type | |||
| urn:ietf:params:oauth:grant-type:jwt-bearer | :jwt-bearer | |||
| This specification registers the value "grant-type:jwt-bearer" in the | This specification registers the value "grant-type:jwt-bearer" in the | |||
| IANA urn:ietf:params:oauth registry established in An IETF URN Sub- | IANA urn:ietf:params:oauth registry established in An IETF URN Sub- | |||
| Namespace for OAuth [RFC6755]. | Namespace for OAuth [RFC6755]. | |||
| o URN: urn:ietf:params:oauth:grant-type:jwt-bearer | o URN: urn:ietf:params:oauth:grant-type:jwt-bearer | |||
| o Common Name: JWT Bearer Token Grant Type Profile for OAuth 2.0 | o Common Name: JWT Bearer Token Grant Type Profile for OAuth 2.0 | |||
| o Change controller: IETF | o Change controller: IETF | |||
| o Specification Document: [[this document]] | o Specification Document: [[this document]] | |||
| 7.2. Sub-Namespace Registration of | 7.2. Sub-Namespace Registration of urn:ietf:params:oauth:client- | |||
| urn:ietf:params:oauth:client-assertion-type:jwt-bearer | assertion-type:jwt-bearer | |||
| This specification registers the value | This specification registers the value "client-assertion-type:jwt- | |||
| "client-assertion-type:jwt-bearer" in the IANA urn:ietf:params:oauth | bearer" in the IANA urn:ietf:params:oauth registry established in An | |||
| registry established in An IETF URN Sub-Namespace for OAuth | IETF URN Sub-Namespace for OAuth [RFC6755]. | |||
| [RFC6755]. | ||||
| o URN: urn:ietf:params:oauth:client-assertion-type:jwt-bearer | o URN: urn:ietf:params:oauth:client-assertion-type:jwt-bearer | |||
| o Common Name: JWT Bearer Token Profile for OAuth 2.0 Client | o Common Name: JWT Bearer Token Profile for OAuth 2.0 Client | |||
| Authentication | Authentication | |||
| o Change controller: IETF | o Change controller: IETF | |||
| o Specification Document: [[this document]] | o Specification Document: [[this document]] | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [I-D.ietf-oauth-assertions] | [I-D.ietf-oauth-assertions] | |||
| Campbell, B., Mortimore, C., Jones, M., and Y. Goland, | Campbell, B., Mortimore, C., Jones, M., and Y. Goland, | |||
| "Assertion Framework for OAuth 2.0 Client Authentication | "Assertion Framework for OAuth 2.0 Client Authentication | |||
| and Authorization Grants", draft-ietf-oauth-assertions | and Authorization Grants", draft-ietf-oauth-assertions | |||
| (work in progress), March 2014. | (work in progress), April 2014. | |||
| [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", draft-ietf-oauth-json-web-token (work in | (JWT)", draft-ietf-oauth-json-web-token (work in | |||
| progress), March 2014. | progress), March 2014. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
| Resource Identifier (URI): Generic Syntax", STD 66, | Resource Identifier (URI): Generic Syntax", STD 66, RFC | |||
| RFC 3986, January 2005. | 3986, January 2005. | |||
| [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", | [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC | |||
| RFC 6749, October 2012. | 6749, October 2012. | |||
| [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | |||
| for OAuth", RFC 6755, October 2012. | for OAuth", RFC 6755, October 2012. | |||
| [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data | [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data | |||
| Interchange Format", RFC 7159, March 2014. | Interchange Format", RFC 7159, March 2014. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [I-D.ietf-oauth-dyn-reg] | [I-D.ietf-oauth-dyn-reg] | |||
| Richer, J., Jones, M., Bradley, J., Machulak, M., and P. | Richer, J., Jones, M., Bradley, J., Machulak, M., and P. | |||
| Hunt, "OAuth 2.0 Dynamic Client Registration Core | Hunt, "OAuth 2.0 Dynamic Client Registration Core | |||
| Protocol", draft-ietf-oauth-dyn-reg-16 (work in progress), | Protocol", draft-ietf-oauth-dyn-reg-16 (work in progress), | |||
| February 2014. | February 2014. | |||
| [I-D.ietf-oauth-saml2-bearer] | [I-D.ietf-oauth-saml2-bearer] | |||
| Campbell, B., Mortimore, C., and M. Jones, "SAML 2.0 | Campbell, B., Mortimore, C., and M. Jones, "SAML 2.0 | |||
| Profile for OAuth 2.0 Client Authentication and | Profile for OAuth 2.0 Client Authentication and | |||
| Authorization Grants", draft-ietf-oauth-saml2-bearer (work | Authorization Grants", draft-ietf-oauth-saml2-bearer (work | |||
| in progress), March 2014. | in progress), April 2014. | |||
| [OpenID.Discovery] | [OpenID.Discovery] | |||
| Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID | Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID | |||
| Connect Discovery 1.0", February 2014. | Connect Discovery 1.0", February 2014. | |||
| [OpenID.Registration] | [OpenID.Registration] | |||
| Sakimura, N., Bradley, J., and M. Jones, "OpenID Connect | Sakimura, N., Bradley, J., and M. Jones, "OpenID Connect | |||
| Dynamic Client Registration 1.0", February 2014. | Dynamic Client Registration 1.0", February 2014. | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| This profile was derived from SAML 2.0 Profile for OAuth 2.0 Client | This profile was derived from SAML 2.0 Profile for OAuth 2.0 Client | |||
| Authentication and Authorization Grants [I-D.ietf-oauth-saml2-bearer] | Authentication and Authorization Grants [I-D.ietf-oauth-saml2-bearer] | |||
| by Brian Campbell and Chuck Mortimore. | by Brian Campbell and Chuck Mortimore. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by the RFC editor before publication as an RFC ]] | [[ to be removed by the RFC editor before publication as an RFC ]] | |||
| draft-ietf-oauth-jwt-bearer-09 | ||||
| o Clarified some text around the treatment of subject based on the | ||||
| rough rough consensus from the thread staring at http:// | ||||
| www.ietf.org/mail-archive/web/oauth/current/msg12630.html | ||||
| draft-ietf-oauth-jwt-bearer-08 | draft-ietf-oauth-jwt-bearer-08 | |||
| o Updated references, including replacing references to RFC 4627 | o Updated references, including replacing references to RFC 4627 | |||
| with RFC 7159. | with RFC 7159. | |||
| draft-ietf-oauth-jwt-bearer-07 | draft-ietf-oauth-jwt-bearer-07 | |||
| o Clean up language around subject per | o Clean up language around subject per http://www.ietf.org/mail- | |||
| http://www.ietf.org/mail-archive/web/oauth/current/msg12250.html. | archive/web/oauth/current/msg12250.html. | |||
| o As suggested in | o As suggested in http://www.ietf.org/mail-archive/web/oauth/current | |||
| http://www.ietf.org/mail-archive/web/oauth/current/msg12251.html | /msg12251.html stated that "In the absence of an application | |||
| stated that "In the absence of an application profile specifying | profile specifying otherwise, compliant applications MUST compare | |||
| otherwise, compliant applications MUST compare the audience values | the audience values using the Simple String Comparison method | |||
| using the Simple String Comparison method defined in Section 6.2.1 | defined in Section 6.2.1 of RFC 3986." | |||
| of RFC 3986." | ||||
| o Added one-time use, maximum lifetime, and specific subject and | o Added one-time use, maximum lifetime, and specific subject and | |||
| attribute requirements to Interoperability Considerations based on | attribute requirements to Interoperability Considerations based on | |||
| http://www.ietf.org/mail-archive/web/oauth/current/msg12252.html. | http://www.ietf.org/mail-archive/web/oauth/current/msg12252.html. | |||
| o Remove "or its subject confirmation requirements cannot be met" | o Remove "or its subject confirmation requirements cannot be met" | |||
| text. | text. | |||
| o Reword security considerations and mention that replay protection | o Reword security considerations and mention that replay protection | |||
| is not mandated based on | is not mandated based on http://www.ietf.org/mail-archive/web/ | |||
| http://www.ietf.org/mail-archive/web/oauth/current/msg12259.html. | oauth/current/msg12259.html. | |||
| -06 | -06 | |||
| o Stated that issuer and audience values SHOULD be compared using | o Stated that issuer and audience values SHOULD be compared using | |||
| the Simple String Comparison method defined in Section 6.2.1 of | the Simple String Comparison method defined in Section 6.2.1 of | |||
| RFC 3986 unless otherwise specified by the application. | RFC 3986 unless otherwise specified by the application. | |||
| -05 | -05 | |||
| o Changed title from "JSON Web Token (JWT) Bearer Token Profiles for | o Changed title from "JSON Web Token (JWT) Bearer Token Profiles for | |||
| OAuth 2.0" to "JSON Web Token (JWT) Profile for OAuth 2.0 Client | OAuth 2.0" to "JSON Web Token (JWT) Profile for OAuth 2.0 Client | |||
| Authentication and Authorization Grants" to be more explicit about | Authentication and Authorization Grants" to be more explicit about | |||
| the scope of the document per | the scope of the document per http://www.ietf.org/mail-archive/web | |||
| http://www.ietf.org/mail-archive/web/oauth/current/msg11063.html. | /oauth/current/msg11063.html. | |||
| o Numbered the list of processing rules. | o Numbered the list of processing rules. | |||
| o Smallish editorial cleanups to try and improve readability and | o Smallish editorial cleanups to try and improve readability and | |||
| comprehensibility. | comprehensibility. | |||
| o Cleaner split out of the processing rules in cases where they | o Cleaner split out of the processing rules in cases where they | |||
| differ for client authentication and authorization grants. | differ for client authentication and authorization grants. | |||
| o Clarified the parameters that are used/available for authorization | o Clarified the parameters that are used/available for authorization | |||
| skipping to change at page 14, line 14 | skipping to change at page 13, line 38 | |||
| o Tracked specification name changes: "The OAuth 2.0 Authorization | o Tracked specification name changes: "The OAuth 2.0 Authorization | |||
| Protocol" to "The OAuth 2.0 Authorization Framework" and "OAuth | Protocol" to "The OAuth 2.0 Authorization Framework" and "OAuth | |||
| 2.0 Assertion Profile" to "Assertion Framework for OAuth 2.0". | 2.0 Assertion Profile" to "Assertion Framework for OAuth 2.0". | |||
| o Merged in changes between draft-ietf-oauth-saml2-bearer-11 and | o Merged in changes between draft-ietf-oauth-saml2-bearer-11 and | |||
| draft-ietf-oauth-saml2-bearer-13. All changes were strictly | draft-ietf-oauth-saml2-bearer-13. All changes were strictly | |||
| editorial. | editorial. | |||
| -00 | -00 | |||
| o Created the initial IETF draft based upon | o Created the initial IETF draft based upon draft-jones-oauth-jwt- | |||
| draft-jones-oauth-jwt-bearer-04 with no normative changes. | bearer-04 with no normative changes. | |||
| Authors' Addresses | Authors' Addresses | |||
| Michael B. Jones | Michael B. Jones | |||
| Microsoft | Microsoft | |||
| Email: mbj@microsoft.com | Email: mbj@microsoft.com | |||
| URI: http://self-issued.info/ | URI: http://self-issued.info/ | |||
| Brian Campbell | Brian Campbell | |||
| Ping Identity | Ping Identity | |||
| Email: brian.d.campbell@gmail.com | Email: brian.d.campbell@gmail.com | |||
| Chuck Mortimore | Chuck Mortimore | |||
| Salesforce | Salesforce | |||
| Email: cmortimore@salesforce.com | Email: cmortimore@salesforce.com | |||
| End of changes. 25 change blocks. | ||||
| 68 lines changed or deleted | 74 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||