--- 1/draft-ietf-oauth-jwt-bearer-11.txt 2014-11-12 16:14:50.565710883 -0800 +++ 2/draft-ietf-oauth-jwt-bearer-12.txt 2014-11-12 16:14:50.597711657 -0800 @@ -1,22 +1,22 @@ OAuth Working Group M. Jones Internet-Draft Microsoft Intended status: Standards Track B. Campbell -Expires: April 24, 2015 Ping Identity +Expires: May 16, 2015 Ping Identity C. Mortimore Salesforce - October 21, 2014 + November 12, 2014 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants - draft-ietf-oauth-jwt-bearer-11 + draft-ietf-oauth-jwt-bearer-12 Abstract This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication. Status of This Memo This Internet-Draft is submitted in full conformance with the @@ -25,21 +25,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 24, 2015. + This Internet-Draft will expire on May 16, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -420,22 +420,22 @@ The specification does not mandate replay protection for the JWT usage for either the authorization grant or for client authentication. It is an optional feature, which implementations may employ at their own discretion. 7. Privacy Considerations A JWT may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it - is desirable to prevent disclosure of certain information the client, - the JWT should be be encrypted to the authorization server. + is desirable to prevent disclosure of certain information to the + client, the JWT should be be encrypted to the authorization server. Deployments should determine the minimum amount of information necessary to complete the exchange and include only such claims in the JWT. In some cases, the "sub" (subject) claim can be a value representing an anonymous or pseudonymous user, as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [I-D.ietf-oauth-assertions]. 8. IANA Considerations @@ -469,21 +469,21 @@ o Change controller: IESG o Specification Document: [[this document]] 9. References 9.1. Normative References [I-D.ietf-jose-json-web-algorithms] Jones, M., "JSON Web Algorithms (JWA)", draft-ietf-jose- - json-web-algorithms-35 (work in progress), October 2014. + json-web-algorithms-36 (work in progress), October 2014. [I-D.ietf-oauth-assertions] Campbell, B., Mortimore, C., Jones, M., and Y. Goland, "Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants", draft-ietf-oauth-assertions (work in progress), October 2014. [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", draft-ietf-oauth-json-web-token (work in progress), October 2014. 
@@ -506,21 +506,21 @@ [I-D.ietf-oauth-dyn-reg] Richer, J., Jones, M., Bradley, J., Machulak, M., and P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol", draft-ietf-oauth-dyn-reg-20 (work in progress), August 2014. [I-D.ietf-oauth-saml2-bearer] Campbell, B., Mortimore, C., and M. Jones, "SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants", draft-ietf-oauth-saml2-bearer (work - in progress), October 2014. + in progress), November 2014. [OpenID.Discovery] Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID Connect Discovery 1.0", February 2014. [OpenID.Registration] Sakimura, N., Bradley, J., and M. Jones, "OpenID Connect Dynamic Client Registration 1.0", February 2014. [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace @@ -529,20 +529,25 @@ Appendix A. Acknowledgements This profile was derived from SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants [I-D.ietf-oauth-saml2-bearer] by Brian Campbell and Chuck Mortimore. Appendix B. Document History [[ to be removed by the RFC editor before publication as an RFC ]] + draft-ietf-oauth-jwt-bearer-12 + + o Fix typo per http://www.ietf.org/mail-archive/web/oauth/current/ + msg13790.html + draft-ietf-oauth-jwt-bearer-11 o Changes/suggestions from IESG reviews. draft-ietf-oauth-jwt-bearer-10 o Added Privacy Considerations section per AD review discussion http://www.ietf.org/mail-archive/web/oauth/current/msg13148.html and http://www.ietf.org/mail-archive/web/oauth/current/ msg13144.html 
@@ -551,22 +556,20 @@ o Clarified some text around the treatment of subject based on the rough rough consensus from the thread staring at http://www.ietf.org/mail-archive/web/oauth/current/msg12630.html draft-ietf-oauth-jwt-bearer-08 o Updated references, including replacing references to RFC 4627 with RFC 7159. - draft-ietf-oauth-jwt-bearer-07 - o Clean up language around subject per http://www.ietf.org/mail- archive/web/oauth/current/msg12250.html. o As suggested in http://www.ietf.org/mail- archive/web/oauth/current/msg12251.html stated that "In the absence of an application profile specifying otherwise, compliant applications MUST compare the audience values using the Simple String Comparison method defined in Section 6.2.1 of RFC 3986." o Added one-time use, maximum lifetime, and specific subject and
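Review bot: In the @@ -420 hunk (Privacy Considerations) the corrected sentence still carries the doubled auxiliary "should be be encrypted"; since the stated purpose of this revision is to fix a typo in exactly this sentence, the replacement line should read "client, the JWT should be encrypted to the authorization server." rather than leaving a second typo in place.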
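Review bot: In the @@ -551 hunk the two removed lines are the "draft-ietf-oauth-jwt-bearer-07" heading and its preceding blank line, so the bullets that follow ("Clean up language around subject ...", "Added one-time use, maximum lifetime, ...") now fall under the draft-ietf-oauth-jwt-bearer-08 entry of the Document History. Unless the -07 heading is duplicated elsewhere in Appendix B, this looks unintended and the heading should be kept; if the removal is deliberate, the -12 history entry should say so. While touching this region, the unchanged context also contains "rough rough consensus" and "thread staring at", which should read "rough consensus" and "thread starting at".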
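Review bot: In the @@ -529 hunk the new draft-ietf-oauth-jwt-bearer-12 history entry says only "Fix typo per ..." without identifying which text changed; the other entries in this appendix name the section or subject affected, so this one should say it is the Privacy Considerations sentence about encrypting the JWT to the authorization server, and mention the reference bumps (json-web-algorithms-36, saml2-bearer date) made in the same revision.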