JWT defines a number of standard claims that are used in this application, including "iss" (issuer), "aud" (audience), etc. Making the requests a JWT allows code reuse, rather than having an application-specific signed request representation that has many of the semantics and fields of a JWT anyway.
It's also worth noting that this practice has been a standard since 2014. OpenID Connect Core standardized the OAuth signed request format in https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests. The draft-ietf-oauth-jwsreq <https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17> spec is the OAuth-only version of this already standard and deployed practice. (There are other precedents for OAuth subsetting standard OpenID Connect functionality. For instance, RFC 8414 <https://tools.ietf.org/html/rfc8414> is the OAuth-specific subset of the metadata format defined by OpenID Connect Discovery <https://openid.net/specs/openid-connect-discovery-1_0.html>.)

-- Mike

-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of Jim Schaad
Sent: Wednesday, October 31, 2018 8:33 AM
To: draft-ietf-oauth-jws...@ietf.org
Cc: 'oauth' <oauth@ietf.org>
Subject: [OAUTH-WG] Mail regarding draft-ietf-oauth-jwsreq

As part of looking at the issues of using CWTs for this purpose I did some more reading of the document. I am having a problem with understanding the reasons for using JWT as opposed to just saying that you are going to use JWS and JWE. There is nothing in this section that I can see that points to a reason to be using JWTs as the carrier. What am I missing?

Jim

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth