Do we need a special JWT type

Issue #1365 resolved

Roland Hedberg created an issue 2021-12-05

We use JWTs as the format for trust marks. Is there a reason for registering a special JWT type for this usage.

DPoP has dpop+jwt should we have trust_mark+jwt ?

Comments (8)

Giuseppe De Marco
In “JWT Response for OAuth Token Introspection“ we also have “token-introspection+jwt” and it has been included in the JSON Web Token (JWT) IANA registry.
I believe it is formally correct to have a registered claim for the trust marks of oidc federation 1.0

+1 on my side
- 2021-12-05T11:42:07+00:00
Joseph Heenan
Yes, explicit typing is recommended in the JWT BCP: https://www.rfc-editor.org/rfc/rfc8725.html#section-3.11

There seems to be at least a precedent for the use of - rather than _ in https://www.iana.org/assignments/media-types/media-types.xhtml (which is where it will need to be registered), so trust-mark+jwt might be a better choice?
- 2021-12-05T18:29:46+00:00
Roland Hedberg reporter
Agree !
- 2021-12-06T07:31:54+00:00
Giuseppe De Marco
What about registering a type also for Fetch Entity Statements Response and any other federation_api operation?
- 2021-12-06T22:32:27+00:00
Michael Jones
Mike to work with Roland on spec text defining these JWT types.
- 2021-12-16T19:08:11+00:00
Michael Jones
- changed status to open
- 2021-12-16T19:08:35+00:00
Giuseppe De Marco
some content types have been proposed here:
https://bitbucket.org/openid/connect/issues/1382/proposal-of-an-improved-federation-api
- 2021-12-22T11:07:56+00:00
Roland Hedberg reporter
- changed status to resolved
Mike has added spec text defining a couple of JWT types.
- 2022-04-01T06:22:57+00:00
Log in to comment