use Public Claim Names for CIBA JWT claims

Issue #93 resolved
Brian Campbell created an issue

Related to Issue #86 CIBA needs IANA Considerations, there are two new JWT claims in 10.3.1. Successful Token Delivery - rt_hash and auth_req_id.

New claims used in a specification really should be registered or use a collision-resistant name a.k.a. a Public Claim Name as discussed at https://tools.ietf.org/html/rfc7519#section-4.2

Based on the advice to the Designated Experts about claims registration https://tools.ietf.org/html/rfc7519#section-10.1 and what I know about how that advice has been interpreted, I suspect there would be some push-back on the registration requests for rt_hash as it's written now and for auth_req_id in general.

Given that in CIBA the ID token is always passed in the HTTP message body, the size is not of particular concern. I'd propose using public collision-resistant names for the non-standard JWT claims used in CIBA. Perhaps urn:openid:params:jwt:claim:rt_hash and urn:openid:params:jwt:claim:auth_req_id.
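
The proposed claim names in a client-side check on a push-delivered ID Token, as an added example that is not part of the original issue or of the CIBA specification text. It assumes the token signature has already been verified and that rt_hash is built the way OpenID Connect builds at_hash (left-most half of the hash selected by the JWS alg); the function names, the strict handling of the short names and the sample values are hypothetical.

```python
import base64
import hashlib
import hmac

# Public Claim Names proposed in the issue; the short names are the ones they replace.
RT_HASH = "urn:openid:params:jwt:claim:rt_hash"
AUTH_REQ_ID = "urn:openid:params:jwt:claim:auth_req_id"
SHORT_NAMES = ("rt_hash", "auth_req_id")

# Assumption: the hash follows the ID Token's JWS alg, as OpenID Connect does for at_hash.
_HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def half_hash(value, alg):
    """Unpadded base64url of the left-most half of the hash of the ASCII value."""
    hash_fn = _HASHES.get(alg[-3:])
    if hash_fn is None:
        raise ValueError("unsupported alg: " + alg)
    digest = hash_fn(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode()


def _same(a, b):
    """Constant-time comparison that tolerates a missing or non-string claim."""
    return isinstance(a, str) and hmac.compare_digest(a.encode(), b.encode())


def check_push_delivery(alg, claims, body, pending_auth_req_id):
    """Return a list of problems; an empty list means the bindings hold.

    claims: payload of an ID Token whose signature was already verified.
    body: JSON body delivered with it; pending_auth_req_id: the client's own record.
    """
    problems = []
    for name in SHORT_NAMES:
        if name in claims:  # hypothetical strict policy: flag short names, never trust them
            problems.append("short claim name present: " + name)
    if not _same(claims.get(AUTH_REQ_ID), pending_auth_req_id):
        problems.append("auth_req_id claim does not match the pending request")
    refresh_token = body.get("refresh_token")
    if refresh_token is not None and not _same(claims.get(RT_HASH), half_hash(refresh_token, alg)):
        problems.append("rt_hash claim does not match the delivered refresh token")
    return problems


# Constructed sample values, not taken from the specification.
SAMPLE_BODY = {"auth_req_id": "req-1234", "refresh_token": "constructed-refresh-token"}
SAMPLE_CLAIMS = {AUTH_REQ_ID: "req-1234", RT_HASH: half_hash("constructed-refresh-token", "RS256")}
```

A token that carries only the short names fails both binding checks here, because the client reads the URN-form names exclusively.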

Comments (7)

  1. Brian Campbell reporter

    issue #92 "update/fix ID Token examples in CIBA Authentication Results" should be considered with this too

  2. Brian Campbell
    • changed status to open

    Not sure what happened but the changes didn't seem to actually make it in. Pull request #24 says it was MERGED at 2a712c4 but there are no actual changes in that commit.

  3. Brian Campbell

    merged pull request #36 to hopefully fix for real this time with, CIBA: use Public Claim Names for the auth_req_id and refresh token JWT claims for Issue #93 and also fix/update the two ID Token examples in the Authentication Results section for Issue #92
