On 10/11/14 21:31, John Bradley wrote:
In the JSON form of a JWS the JWT body would still be base64 encoded, so I
don't think that is what you are looking for.
Do you refer to a 'payload' property of Jws Json? I understand...
I was only suggesting supporting Jwt as a data container possibly even
outside of OAuth in the format suggested below...
I'm OK with not introducing it at this stage. I guess it may become more
interesting to consider later on once 'JWT' becomes a mainstream term.
If you don't care about integrity protection you can just store the JSON form of
the body, however to avoid canonicalization (as with XML signature) you need to
keep the base64url encoded parts around if you want to verify the signature.
OK...
Thanks, Sergey
John B.
On Nov 10, 2014, at 11:22 AM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:
Hi John
Moving it to the OAuth list as suggested
On 10/11/14 18:39, John Bradley wrote:
JWT is an OAuth spec for historic reasons, so it might be best to discuss this
on that list.
Are you talking about an unsigned JWT?
No, just a complete JSON representation
JWT currently only supports the compact form. For access tokens that allows
them to be passed in headers without additional escaping.
I would need to see a use case before adding the JSON encoding to JWT.
Nothing stops someone from using a JSON encoded JWS with a set of claims in the
body, but that is not by definition a JWT on the wire.
They can be converted between the two forms programmatically.
I do not have any major use case in mind. Right now I have something called a
JAX-RS MessageBodyWriter/Reader for a Jwt token, and internally it converts it
to the compact Jws or reads from it.
It just occurred to me, what if Jwt simply acts as a basic standardized data
container, so on the wire it is just a JSON document.
Or if we have an access JWT token, right now it would be JWS-compacted, but if
we had a JSON form then another option would be to have a base64URL
representation of JWT as a token (though I haven't thought about the integrity
protection of it...).
Or maybe it would be easier to store such JWT in JSON in JSON-aware
databases...
Sorry, just thinking aloud here while experimenting...
Cheers, Sergey
John B.
On Nov 10, 2014, at 8:26 AM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:
Hi All,
Would it make sense to have a JWT spec talk about its JSON representation,
example:
{
"headers": {...},
"claims": {...}
}
IMHO it might be interesting in cases where JWT is an access token passed over
the secure channel or simply used as a standard data/token container
Sergey
_______________________________________________
jose mailing list
j...@ietf.org
https://www.ietf.org/mailman/listinfo/jose
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
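
Added example, not part of the thread and not code from any of its participants: a Python sketch of the point discussed above, that a compact JWS and its flattened JSON serialization convert losslessly because the base64url segments are kept, while a decoded {"headers", "claims"} document cannot be verified after re-encoding. The key, claims and function names are constructed for illustration, and only HS256 is handled.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_compact(header: dict, claims: dict, key: bytes) -> str:
    """Build an HS256 compact JWS: b64u(header).b64u(claims).b64u(mac)."""
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64u(mac)

def compact_to_json(token: str) -> dict:
    """Flattened JWS JSON serialization: the segments stay base64url encoded."""
    protected, payload, signature = token.split(".")
    return {"protected": protected, "payload": payload, "signature": signature}

def json_to_compact(jws: dict) -> str:
    return ".".join((jws["protected"], jws["payload"], jws["signature"]))

def verify(protected: str, payload: str, signature: str, key: bytes) -> bool:
    """Check the MAC over the exact base64url text that was signed."""
    header = json.loads(b64u_dec(protected))
    if header.get("alg") != "HS256":  # this example accepts HS256 only
        return False
    expected = hmac.new(key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64u_dec(signature))

def decoded_container(token: str) -> dict:
    """The {"headers", "claims"} document proposed in the thread: decoded JSON only."""
    protected, payload, _ = token.split(".")
    return {"headers": json.loads(b64u_dec(protected)), "claims": json.loads(b64u_dec(payload))}

def reencode_and_verify(container: dict, signature: str, key: bytes) -> bool:
    """Rebuild the segments from decoded JSON, as a store that kept no base64url would."""
    enc = lambda obj: b64u(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
    return verify(enc(container["headers"]), enc(container["claims"]), signature, key)

KEY = b"constructed-demo-key-not-a-real-secret"       # constructed sample key
TOKEN = sign_compact({"typ": "JWT", "alg": "HS256"},   # constructed sample claims
                     {"sub": "alice", "iss": "https://issuer.example"}, KEY)
```

The re-encoded document carries the same claims but different bytes (key order and whitespace), so the MAC no longer matches; that is the canonicalization problem that keeping the base64url parts avoids.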