Core: IANA Consideration
Authorization request parameter registration is needed.
https://mailarchive.ietf.org/arch/msg/oauth/_E14Trqu962cReu3t6FquPEyigY
We should register the top-level JWT claims such as iss, aud, sub, and exp (and maybe other common JWT claims that are about the token itself like jti, iat, etc) as authorization request parameters in https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#parameters because the parameter names and claim names collide when using a request object.
Potentially, we may need to register everything in https://www.iana.org/assignments/jwt/jwt.xhtml
Comments (9)
-
reporter For JAR, only the missing parameters for core OAuth are
- response_type
- redirect_uri
- state
For OIDC
- display
- prompt
- max_age
- ui_locales
- id_token_hint
- login_hint
- acr_values
A meta question would be what to do with other extensions like PKCE etc.
-
reporter iss, sub, aud, exp, nbf, iat, jti are already registered.
-
Considering the real work context of how things will be used, I really think that all that’s needed here is to register some of the major/meta JWT claims into https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#parameters
-
reporter I did a bit of study on the diff between the OAuth Authz Req Parameters and JWT Claims in the JAR context. Here is the result. These are the claims not in the JWT Claims registry.
-
I really don’t think we want to or need to pollute the JWT claims registry with all the OAuth Authz Req Parameters.
-
Note that OAuth JAR will accomplish these registrations. See https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-26#section-9.1 .
-
reporter - changed status to closed
Taken care of by JAR draft. It is now in the IETF Editors queue.
-
Thanks - I will add registrations for the claims about the authentication. I'm thinking "iss", "aud", "sub", "exp", "iat", "nbf", "jti", and "cnf".