Issue #583: Messages 2.2.1: client auth claims not consistent with draft-jones-oauth-jwt-bearer-04
Status: invalid
In particular:
- OpenID Connect Messages lists "jti" as required whereas draft-jones-oauth-jwt-bearer-04 says it's optional.
- OpenID Connect Messages doesn't mention the "nbf" claim.
Comments (2)

OpenID Connect needs "jti" for message de-duplication for one-time use assertions, so it's reasonable to make it required in this case.
It doesn't need the "nbf" not-before functionality, and it's optional in JWT and the OAuth JWT profile, so we don't need to say anything about it in OpenID Connect.

reporter: Thank you Michael for clarifying this!
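The rule stated in the comments above (the token endpoint treats each client assertion as one-time use, so "jti" must be present and remembered, while "nbf" is enforced only if the client chose to include it) is easy to get subtly wrong on the server side. The following is an added example, not code from the OpenID Connect specifications or from any participant in this issue. It builds and validates a client_secret_jwt-style HS256 assertion using only the Python standard library; the client_id, token endpoint URL, secret and timestamps are constructed values, and the validator's required-claims list, skew handling and in-memory replay cache are this example's own assumptions about a reasonable implementation.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; none of these come from the issue.
CLIENT_ID = "s6BhdRkqt3"
TOKEN_ENDPOINT = "https://server.example.com/token"
CLIENT_SECRET = b"constructed-shared-secret-for-client_secret_jwt"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(client_id, audience, secret, jti, now, lifetime=60, nbf=None):
    """Client side: build an HS256 client-authentication JWT.

    "nbf" is only emitted when the caller asks for it, since the profile makes it
    optional. Passing jti=None omits "jti" so the validator's rejection can be shown.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + lifetime}
    if jti is not None:
        claims["jti"] = jti
    if nbf is not None:
        claims["nbf"] = nbf
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class ClientAssertionValidator:
    """Token endpoint side: verify a client assertion and enforce one-time use of jti."""

    # Assumed required set: iss, sub, aud, exp from the JWT bearer profile, jti for replay detection.
    REQUIRED = ("iss", "sub", "aud", "jti", "exp")

    def __init__(self, audience, secrets, skew=0):
        self.audience = audience
        self.secrets = secrets          # client_id -> shared secret
        self.skew = skew                # allowed clock skew in seconds
        self._seen = {}                 # jti -> exp; entries are dropped once they could no longer validate

    def validate(self, assertion, now):
        try:
            h, c, s = assertion.split(".")
            header = json.loads(_b64url_decode(h))
            claims = json.loads(_b64url_decode(c))
            signature = _b64url_decode(s)
        except ValueError:
            raise ValueError("malformed assertion")
        if header.get("alg") != "HS256":
            raise ValueError("unsupported alg")
        missing = [k for k in self.REQUIRED if k not in claims]
        if missing:
            raise ValueError("missing required claims: " + ", ".join(missing))
        if claims["iss"] != claims["sub"]:
            raise ValueError("iss must equal sub (the client_id)")
        secret = self.secrets.get(claims["iss"])
        if secret is None:
            raise ValueError("unknown client")
        expected = hmac.new(secret, (h + "." + c).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("bad signature")
        aud = claims["aud"]
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("audience mismatch")
        if now >= claims["exp"] + self.skew:
            raise ValueError("expired")
        # nbf is optional: enforce it only when the client included it.
        if "nbf" in claims and now < claims["nbf"] - self.skew:
            raise ValueError("assertion not yet valid")
        # jti gives one-time use: reject anything we have already accepted.
        if not isinstance(claims["jti"], str):
            raise ValueError("jti must be a string")
        self._prune(now)
        if claims["jti"] in self._seen:
            raise ValueError("replayed jti")
        self._seen[claims["jti"]] = claims["exp"]
        return claims

    def _prune(self, now):
        # A jti only needs remembering while its assertion would still pass the exp check.
        for jti, exp in list(self._seen.items()):
            if now >= exp + self.skew:
                del self._seen[jti]


def check(validator, assertion, now):
    """Return (claims, None) on acceptance or (None, reason) on rejection."""
    try:
        return validator.validate(assertion, now), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    v = ClientAssertionValidator(TOKEN_ENDPOINT, {CLIENT_ID: CLIENT_SECRET})
    a = make_client_assertion(CLIENT_ID, TOKEN_ENDPOINT, CLIENT_SECRET, "jti-1", now)
    print("first use:", check(v, a, now)[1] or "accepted")
    print("replay:   ", check(v, a, now + 5)[1])
```

The replay cache here is a process-local dict; a real token endpoint behind several instances needs the seen-jti set in shared storage with a TTL matching the assertion's exp, otherwise the one-time-use property silently disappears across nodes.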