SECDIR review: Section 6 -- authentication and integrity need not be provided if the requestor encrypts the token?

Issue #25 resolved
Nat Sakimura repo owner created an issue

Section 6 describes how to validate a received JWT request token. Section 6.1 appears to not mandate use of a signature for an encrypted token, suggesting that authentication and integrity need not be provided if the requestor encrypts the token (and does not employ an authenticated encryption algorithm).

Comments (4)

  1. Nat Sakimura reporter

    The relevant sentence probably is:

    The Authorization Server MUST decrypt the JWT in accordance with
    the JSON Web Encryption [RFC7516] specification.

    Perhaps we might want to add a sentence or two.

  2. Nat Sakimura reporter

    Some comments:

    All JWE algorithms are integrity protecting. We also mandate JWS unless JWE uses a symmetric key. It was clarified through the Denis Pinkas (DP) comments, so I gather this is a Dup of the DP comment. Shall I close this as Dup?
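The validation rule stated in the comment above (every JWE is AEAD, and a JWS is mandatory unless the JWE uses a symmetric key) as an added Python example; this is not code from the JAR draft or from this tracker, the sample tokens are constructed, and only the JOSE header is inspected.

```python
import base64
import json

# RFC 7518 key-management algorithms whose key is shared by client and AS: only
# a holder of that key can build the JWE, so the thread drops the JWS mandate.
SYMMETRIC_JWE_ALGS = {
    "dir", "A128KW", "A192KW", "A256KW", "A128GCMKW", "A192GCMKW", "A256GCMKW",
    "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW",
}

def _b64url(obj):  # base64url-encode a dict as a JOSE header segment
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def classify_request_object(token):
    """Return ("JWS"|"JWE", nested_jws_required); raise ValueError on a policy violation."""
    parts = token.split(".")
    seg = parts[0] + "=" * (-len(parts[0]) % 4)
    header = json.loads(base64.urlsafe_b64decode(seg))
    alg = header.get("alg")
    if len(parts) == 3:  # compact JWS
        if alg in (None, "none"):
            raise ValueError("unsecured JWS: no authentication or integrity")
        return "JWS", False
    if len(parts) == 5:  # compact JWE; every JWE "enc" algorithm is AEAD
        if alg in SYMMETRIC_JWE_ALGS:
            return "JWE", False
        # Asymmetric key management: anyone holding the AS public key could
        # have built it, so the payload must itself be a JWS (RFC 7519 "cty").
        if str(header.get("cty", "")).upper() != "JWT":
            raise ValueError("asymmetric JWE without nested JWS (cty != JWT)")
        return "JWE", True
    raise ValueError("not a compact JWS or JWE")

def is_acceptable(token):
    try:
        return classify_request_object(token) is not None
    except ValueError:
        return False

# Constructed samples: only the protected header matters to the policy check;
# the other segments are placeholders (no real keys or ciphertext).
SAMPLES = {
    "signed": _b64url({"alg": "RS256", "typ": "JWT"}) + ".e30.sig",
    "unsecured": _b64url({"alg": "none"}) + ".e30.",
    "symmetric": _b64url({"alg": "dir", "enc": "A256GCM"}) + "..iv.ct.tag",
    "nested": _b64url({"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "JWT"}) + ".ek.iv.ct.tag",
    "asym_plain": _b64url({"alg": "RSA-OAEP", "enc": "A256GCM"}) + ".ek.iv.ct.tag",
}
```

A `True` second element means the AS must still verify the inner JWS after decrypting; decryption and signature verification themselves are out of scope for this pre-check.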
