JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
draft-ietf-oauth-jwt-bearer-01

The information below is for an old version of the document
Document Type Active Internet-Draft (oauth WG)
Last updated 2012-07-06
Stream IETF
Intended RFC status (None)
Formats plain text pdf html bibtex
Stream WG state WG Document
Document shepherd None
IESG IESG state I-D Exists
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
OAuth Working Group                                             M. Jones
Internet-Draft                                                 Microsoft
Intended status: Standards Track                             B. Campbell
Expires: January 7, 2013                                   Ping Identity
                                                            C. Mortimore
                                                              Salesforce
                                                            July 6, 2012

        JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
                     draft-ietf-oauth-jwt-bearer-01

Abstract

   This specification defines the use of a JSON Web Token (JWT) Bearer
   Token as a means for requesting an OAuth 2.0 access token as well as
   for use as a means of client authentication.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 7, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

Jones, et al.            Expires January 7, 2013                [Page 1]
Internet-Draft       OAuth JWT Bearer Token Profiles           July 2012

   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
     1.1.  Notational Conventions  . . . . . . . . . . . . . . . . . . 4
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . 4
   2.  HTTP Parameter Bindings for Transporting Assertions . . . . . . 4
     2.1.  Using JWTs as Authorization Grants  . . . . . . . . . . . . 4
     2.2.  Using JWTs for Client Authentication  . . . . . . . . . . . 4
   3.  JWT Format and Processing Requirements  . . . . . . . . . . . . 5
     3.1.  Authorization Grant Processing  . . . . . . . . . . . . . . 6
     3.2.  Client Authentication Processing  . . . . . . . . . . . . . 6
   4.  Authorization Grant Example . . . . . . . . . . . . . . . . . . 6
   5.  Security Considerations . . . . . . . . . . . . . . . . . . . . 7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
     6.1.  Sub-Namespace Registration of
           urn:ietf:params:oauth:grant-type:jwt-bearer . . . . . . . . 7
     6.2.  Sub-Namespace Registration of
           urn:ietf:params:oauth:client-assertion-type:jwt-bearer  . . 8
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 8
     7.1.  Normative References  . . . . . . . . . . . . . . . . . . . 8
     7.2.  Informative References  . . . . . . . . . . . . . . . . . . 9
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . . . 9
   Appendix B.  Document History . . . . . . . . . . . . . . . . . . . 9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 9

Jones, et al.            Expires January 7, 2013                [Page 2]
Internet-Draft       OAuth JWT Bearer Token Profiles           July 2012

1.  Introduction

   JSON Web Token (JWT) [JWT] is a JavaScript Object Notation (JSON)
   [RFC4627] based security token encoding that enables identity and
   security information to be shared across security domains.  A
   security token is generally issued by an identity provider and
   consumed by a relying party that relies on its content to identify
   the token's subject for security related purposes.

   The OAuth 2.0 Authorization Framework [I-D.ietf-oauth-v2] provides a
   method for making authenticated HTTP requests to a resource using an
   access token.  Access tokens are issued to third-party clients by an
   authorization server (AS) with the (sometimes implicit) approval of
   the resource owner.  In OAuth, an authorization grant is an abstract
   term used to describe intermediate credentials that represent the
   resource owner authorization.  An authorization grant is used by the
Show full document text