Hi, Apologies if the OAuth list is not the right place to ask this question, but I'm trying to understand why JWT doesn't have an "Authentication Context" like reserved claim name (such as present in SAML). Knowing the primary authentication method used to obtain the JWT seems just as fundamental as knowing the issuer, principal, etc.
I realize it's easy enough to add your own, but from an inter-op perspective, it just seems really valuable to be able to assert the primary authentication method.

Tx!
adam

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones
Sent: Saturday, May 12, 2012 7:19 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] JSON Web Token (JWT) Specification Draft -10

Draft -10<http://self-issued.info/docs/draft-jones-json-web-token-10.html> of the JSON Web Token (JWT)<http://self-issued.info/docs/draft-jones-json-web-token.html> specification has been published. It uses the -02 versions of the JOSE specifications and contains parallel editorial changes to those applied to the JOSE specs. Changes were:

* Clarified the relationship between typ header parameter values, typ claim values, and MIME types.
* Clarified that JWTs with duplicate Header Parameter Names or Duplicate Claim names MUST be rejected.
* Required implementation of AES-128-KW and AES-256-KW when the implementation provides encryption capabilities.
* Registered "JWT" typ header parameter value.
* Generalized language to refer to Message Authentication Codes (MACs) rather than Hash-based Message Authentication Codes (HMACs) unless in a context specific to HMAC algorithms.
* Reformatted to give each claim definition and header parameter its own section heading.

The specification is available at:
* http://tools.ietf.org/html/draft-jones-json-web-token-10

An HTML formatted version is available at:
* http://self-issued.info/docs/draft-jones-json-web-token-10.html

-- Mike
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
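Added example, not code from this thread or from the draft's authors: a minimal HS256 JWT validator in Python that enforces the draft -10 rule quoted above that JWTs with duplicate Header Parameter Names or duplicate Claim Names MUST be rejected. Python's json.loads keeps only the last duplicate, so a validator that checks `alg` or `sub` once can be shown a different value than the one it acted on; the key, claim values and tokens used here are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

class InvalidJWT(Exception):
    """Raised for any token the validator refuses."""

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _parse_object_strict(raw: bytes) -> dict:
    # json.loads keeps the LAST duplicate silently; the pairs hook sees every
    # (name, value) pair of every nested object, so a repeated name is rejected.
    def no_duplicates(pairs):
        obj = {}
        for name, value in pairs:
            if name in obj:
                raise InvalidJWT(f"duplicate member name: {name!r}")
            obj[name] = value
        return obj
    return json.loads(raw, object_pairs_hook=no_duplicates)

def decode_hs256(token: str, key: bytes) -> dict:
    """Verify an HS256 JWT and return its claims; raise InvalidJWT otherwise."""
    if token.count(".") != 2:
        raise InvalidJWT("expected three dot-separated segments")
    h, p, s = token.split(".")
    header = _parse_object_strict(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise InvalidJWT("unsupported alg")  # also refuses alg=none
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise InvalidJWT("bad signature")
    return _parse_object_strict(_b64url_decode(p))

def check(token: str, key: bytes) -> str:
    # Returns "ok" or the rejection reason, e.g. for an audit log line.
    try:
        decode_hs256(token, key)
        return "ok"
    except (InvalidJWT, ValueError) as exc:
        return str(exc)

def encode_hs256(header_json: bytes, payload_json: bytes, key: bytes) -> str:
    # Signs raw JSON bytes verbatim so a demo token can repeat a claim name.
    signing_input = f"{_b64url_encode(header_json)}.{_b64url_encode(payload_json)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"
```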