use Public Claim Names for CIBA JWT claims
Related to Issue #86 CIBA needs IANA Considerations, there are two new JWT claims in 10.3.1. Successful Token Delivery - rt_hash and auth_req_id.
New claims used in a specification really should be registered or use a collision-resistant name a.k.a. a Public Claim Name as discussed at https://tools.ietf.org/html/rfc7519#section-4.2
Based on the advice to the Designated Experts about claims registration https://tools.ietf.org/html/rfc7519#section-10.1 and what I know about how that advice has been interpreted, I suspect there would be some push-back on the registration requests for rt_hash as it's written now and for auth_req_id in general.
Given that in CIBA the ID token is always passed in the HTTP message body, the size is not of particular concern. I'd propose using public collision-resistant names for the non-standard JWT claims used in CIBA. Perhaps urn:openid:params:jwt:claim:rt_hash and urn:openid:params:jwt:claim:auth_req_id.
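An added example, not part of the original issue or of the CIBA text: how a client receiving a token delivery might check the two claims under the proposed URN names. It assumes the ID token signature has already been verified and that rt_hash is computed the way at_hash is (base64url of the left half of the hash selected by the token's `alg`); the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Public (collision-resistant) claim names proposed in the issue above.
RT_HASH_CLAIM = "urn:openid:params:jwt:claim:rt_hash"
AUTH_REQ_ID_CLAIM = "urn:openid:params:jwt:claim:auth_req_id"

# Assumption: the hash follows the ID token's JOSE "alg" (RS256 -> SHA-256, ...).
HASH_FOR_ALG_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def left_half_hash(value, alg):
    """base64url, without padding, of the left-most half of hash(ASCII value)."""
    hash_fn = HASH_FOR_ALG_SUFFIX.get(alg[-3:])
    if hash_fn is None:
        raise ValueError("unsupported alg for hash claims: " + alg)
    digest = hash_fn(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode()


def _same(got, want):
    """Constant-time string comparison that also rejects missing or non-string values."""
    return isinstance(got, str) and hmac.compare_digest(got.encode(), want.encode())


def check_delivery_claims(claims, alg, expected_auth_req_id, refresh_token=None):
    """Return a list of problems found in already signature-verified ID token claims."""
    problems = []
    # Only the URN names are read; a token carrying just the short names fails here.
    if not _same(claims.get(AUTH_REQ_ID_CLAIM), expected_auth_req_id):
        problems.append("auth_req_id claim missing or not the pending request's id")
    if refresh_token is not None:
        if not _same(claims.get(RT_HASH_CLAIM), left_half_hash(refresh_token, alg)):
            problems.append("rt_hash claim missing or not matching the refresh token")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    token = "constructed-refresh-token"
    sample = {
        AUTH_REQ_ID_CLAIM: "constructed-auth-req-id-0001",
        RT_HASH_CLAIM: left_half_hash(token, "RS256"),
    }
    print(check_delivery_claims(sample, "RS256", "constructed-auth-req-id-0001", token))
```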
Comments (7)
- reporter: Issue #92 "update/fix ID Token examples in CIBA Authentication Results" should be considered with this too.
- reporter: Folks were on board with this during the Oct 2 MODRNA call.
- changed status to resolved
Resolves with this PR: https://bitbucket.org/openid/mobile/pull-requests/24/ciba-public-claim-names-and-updated-id
- changed status to open
- changed status to resolved