Ok - I'll ask the questions explicitly.
What additional features do you get from the claims that are already defined for a JWT? How do these features relate to the original problem statement of needing encryption and origination? Why are these not features that should be in the base OAuth design and thus part of the OAuth registry?

Jim

From: Mike Jones <michael.jo...@microsoft.com>
Sent: Wednesday, October 31, 2018 9:18 AM
To: Jim Schaad <i...@augustcellars.com>; draft-ietf-oauth-jws...@ietf.org
Cc: 'oauth' <oauth@ietf.org>
Subject: RE: [OAUTH-WG] Mail regarding draft-ietf-oauth-jwsreq

JWT defines a number of standard claims that are used in this application, including "iss" (issuer), "aud" (audience), etc. Making the requests a JWT allows code reuse, rather than having an application-specific signed request representation that has many of the semantics and fields of a JWT anyway.

It's also worth noting that this practice has been a standard since 2014. OpenID Connect Core standardized the OAuth signed request format in https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests. The draft-ietf-oauth-jwsreq <https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17> spec is the OAuth-only version of this already standard and deployed practice. (There are other precedents for OAuth subsetting standard OpenID Connect functionality. For instance, RFC 8414 <https://tools.ietf.org/html/rfc8414> is the OAuth-specific subset of the metadata format defined by OpenID Connect Discovery <https://openid.net/specs/openid-connect-discovery-1_0.html>.)

-- Mike

-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of Jim Schaad
Sent: Wednesday, October 31, 2018 8:33 AM
To: draft-ietf-oauth-jws...@ietf.org
Cc: 'oauth' <oauth@ietf.org>
Subject: [OAUTH-WG] Mail regarding draft-ietf-oauth-jwsreq

As part of looking at the issues of using CWTs for this purpose I did some more reading of the document.

I am having a problem with understanding the reasons for using JWT as opposed to just saying that you are going to use JWS and JWE. There is nothing in this section that I can see that points to a reason to be using JWTs as the carrier.

What am I missing?

Jim

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
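The distinction discussed in this thread, as an added example that is not part of the original messages or of the draft: verifying a JWS only authenticates the payload bytes, while the JWT registered claims ("iss", "aud", "exp") let the receiver check who signed the request and for whom. HS256 with a shared key, the helper names, and the `client-123` / `https://as.example` values are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(payload: bytes, key: bytes) -> str:
    """JWS compact serialization (HS256 assumed): the payload can be any bytes."""
    signing_input = b64u(json.dumps({"alg": "HS256"}).encode()) + "." + b64u(payload)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(mac)

def jws_verify(token: str, key: bytes) -> bytes:
    """JWS layer: integrity and origin of the bytes, nothing about their meaning."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64u_dec(header_b64))
        sig = b64u_dec(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed JWS") from exc
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return b64u_dec(payload_b64)

def check_request_claims(payload: bytes, client_id: str, as_issuer: str, now: float) -> dict:
    """JWT layer: registered claims give the signed bytes an issuer, audience, lifetime."""
    claims = json.loads(payload)
    if claims.get("iss") != client_id:
        raise ValueError("iss does not match the client")
    aud = claims.get("aud")
    if as_issuer not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("request was signed for a different audience")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    key = b"constructed-shared-secret"  # constructed sample values throughout
    req = {"iss": "client-123", "aud": "https://as.example", "exp": 1_700_000_060, "response_type": "code"}
    token = jws_sign(json.dumps(req).encode(), key)
    print(check_request_claims(jws_verify(token, key), "client-123", "https://as.example", now=1_700_000_000))
```

A request signed for a different authorization server passes `jws_verify` unchanged and is rejected only by the claim checks.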