nbf and jti claims in section 7.1.1.
In Section 7.1.1. say that “The JWT MUST also contain the following [RFC7519] registered claims:“ and then in the list nbf and jti appear, but reading the JWT specification this claims are optionals and also reading OpenId Connect Core Section 6 where describe the “Passing a Request Object by Value“ only say that claims iss
and aud
are mandatory if the JWT requets is signed.
The question here is, why CIBA put nbf and jti claim as mandatory?
Comments (6)
-
-
reporter Great thanks! and what about the jti?
-
jit is just an identifier for the data object that can be used in support of auditing, logging, etc.
-
reporter And why this id is mandatory in CIBA spec? in OpenID for example this claim is not mandatory at all, there are any reason?
-
just so it’d be consistently there
-
- changed status to resolved
We discussed on the call and agreed to close this issue rather than add a note to the spec.
- Log in to comment
An explanation for nbf is on https://bitbucket.org/openid/mobile/issues/131/authentication-request-may-not-have