I was about to write about the same thing. See http://openid.net/specs/openid-connect-messages-1_0.html#id_token for the definition of "acr" (Authentication Context Class Reference) as used by OpenID Connect.
It's not clear to me that this should move into the JWT spec itself, as I'd rather we get more industry experience with it first. Most of the JWT definitions are intentionally very general, whereas the "acr" definition is intentionally much more specific, especially as it defines the values "1", "2", "3", and "4" as mappings to ISO29115 levels, plus the value "0" with the OpenID-specific meaning.

Cheers,
-- Mike

From: John Bradley [mailto:ve7...@ve7jtb.com]
Sent: Tuesday, May 15, 2012 9:54 AM
To: Lewis Adam-CAL022
Cc: Mike Jones; oauth@ietf.org
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Specification Draft -10

We added one in OpenID Connect: acr. Though that is intended as a class reference for things like FICAM LoA 2 etc., you could make class references that only defined the primary authenticator.

The question is if there is enough consensus to put it in the JWT spec rather than in things profiling JWT. I am OK with putting it in JWT if there is a demand.

John B.

On 2012-05-15, at 10:54 AM, Lewis Adam-CAL022 wrote:

Hi,

Apologies if the OAuth list is not the right place to ask this question, but I'm trying to understand why JWT doesn't have an "Authentication Context"-like reserved claim name (such as is present in SAML). Knowing the primary authentication method used to obtain the JWT seems just as fundamental as knowing the issuer, principal, etc. I realize it's easy enough to add your own, but from an interop perspective, it just seems really valuable to be able to assert the primary authentication method.

Tx!
adam

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones
Sent: Saturday, May 12, 2012 7:19 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] JSON Web Token (JWT) Specification Draft -10

Draft -10 <http://self-issued.info/docs/draft-jones-json-web-token-10.html> of the JSON Web Token (JWT) <http://self-issued.info/docs/draft-jones-json-web-token.html> specification has been published. It uses the -02 versions of the JOSE specifications and contains parallel editorial changes to those applied to the JOSE specs. Changes were:

* Clarified the relationship between typ header parameter values, typ claim values, and MIME types.
* Clarified that JWTs with duplicate Header Parameter Names or duplicate Claim Names MUST be rejected.
* Required implementation of AES-128-KW and AES-256-KW when the implementation provides encryption capabilities.
* Registered "JWT" typ header parameter value.
* Generalized language to refer to Message Authentication Codes (MACs) rather than Hash-based Message Authentication Codes (HMACs) unless in a context specific to HMAC algorithms.
* Reformatted to give each claim definition and header parameter its own section heading.

The specification is available at:
* http://tools.ietf.org/html/draft-jones-json-web-token-10

An HTML formatted version is available at:
* http://self-issued.info/docs/draft-jones-json-web-token-10.html

-- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
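Two points in this thread are mechanical enough to show in code: the draft -10 rule that a JWT with duplicate Header Parameter Names or duplicate Claim Names MUST be rejected, and the OpenID Connect "acr" claim whose values "1" through "4" map to ISO/IEC 29115 levels while "0" is the OpenID-specific value below level 1. The Python below is an editorial example added here; it is not code from any participant in the thread or from the JWT or OpenID Connect specifications. The issuer, subject, token contents and the policy of failing closed on an unrecognised class reference are assumptions made for the demonstration, and signature or MAC verification is left out on purpose.

```python
import base64
import json

# Added example (not from the thread): decode a compact JWT's header and
# claim set, reject duplicate member names as draft -10 requires, and
# evaluate the OpenID Connect "acr" claim against a required ISO/IEC 29115
# level. Signature/MAC verification is out of scope here; in a real relying
# party it runs before any claim is trusted.


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(seg: str) -> bytes:
    # Restore the stripped padding before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _reject_duplicates(pairs):
    # json.loads would silently keep the last value for a repeated key;
    # this object_pairs_hook sees every pair and fails instead.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate member name {key!r}")
        obj[key] = value
    return obj


def parse_jwt_parts(token: str):
    """Split a compact-serialized JWT and decode its header and claim set,
    rejecting duplicate Header Parameter Names and duplicate Claim Names."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.claims.signature")
    header = json.loads(b64url_decode(parts[0]), object_pairs_hook=_reject_duplicates)
    claims = json.loads(b64url_decode(parts[1]), object_pairs_hook=_reject_duplicates)
    return header, claims


# "1".."4" map to ISO/IEC 29115 levels; "0" is the OpenID-specific value
# meaning the authentication did not meet level 1.
NUMERIC_ACR = {"0", "1", "2", "3", "4"}


def acr_meets(claims: dict, required_level: int) -> bool:
    """True only when acr is one of the numeric level values and is at least
    required_level. A missing acr, or a class reference this relying party
    does not recognise (for example a URI), fails closed (assumed policy)."""
    acr = claims.get("acr")
    if not isinstance(acr, str) or acr not in NUMERIC_ACR:
        return False
    return int(acr) >= required_level


def make_unsigned_token(header: dict, claims_json: str) -> str:
    # Builds an alg "none" token from raw claims JSON so that a payload with
    # a duplicated member can be constructed for demonstration.
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(claims_json.encode()),
        "",
    ])


# Constructed sample tokens; issuer and subject are hypothetical.
HEADER = {"alg": "none", "typ": "JWT"}
GOOD_TOKEN = make_unsigned_token(
    HEADER, '{"iss":"https://op.example.invalid","sub":"alice","acr":"2"}')
DUPLICATE_ACR_TOKEN = make_unsigned_token(
    HEADER, '{"iss":"https://op.example.invalid","sub":"alice","acr":"2","acr":"4"}')

if __name__ == "__main__":
    _, claims = parse_jwt_parts(GOOD_TOKEN)
    print("acr", claims["acr"], "meets level 2:", acr_meets(claims, 2))
    try:
        parse_jwt_parts(DUPLICATE_ACR_TOKEN)
    except ValueError as exc:
        print("rejected:", exc)
```

The duplicate check matters because a plain `json.loads` keeps the last value for a repeated key, so an attacker-controlled payload with `"acr":"2","acr":"4"` would be read as level 4 by one parser and level 2 by another; failing on the duplicate removes that ambiguity. Treating non-numeric class references as not meeting any level is a deliberate fail-closed choice for this example, not something the specification mandates.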