identity 1.0 documentation

OAuth 2.0 Registered JWT Profile 1.0


1 Introduction

OAuth 2.0 Bearer Token Usage follows the “bearer instrument” pattern: the token is not registered to any party, so it can be used by any party that acts as its bearer.

This pattern is very flexible. However, it has a weakness in the case of token loss.

This draft addresses the issue with another very popular pattern from the area of financial instruments, the “registered instrument”. In this case, the token is registered to a user, so it cannot be used by any party other than the registered user, whose identity can be verified through evidence of identity.

Note

  • Proofed Token?
  • In 3.1. Tokens, tokens are classified into two kinds: Bearer Token and Proof Token.

To achieve the same effect as the “registered instruments”, this draft uses JWT as the token type and defines two additional claims to make it possible to obtain the identifier of the rightful registered owner of the token.

In addition, this draft defines a method to verify that the exerciser of the token is the registered owner of the token.

1.2 Terminology

entity
something that has separate and distinct existence and that can be identified in a context [X.1252]
Registered JWT
JWT that is registered to an entity

Note: There are two main ways to achieve this. One is to have the identifier of the owner in the token itself, while the other is to provide an interface that returns the identifier of the owner when asked.

2. Registered JWT

The Registered JWT is a JWT that is registered to an entity. To achieve this, this document defines two new claims for JWT.

rto

String.

Required if rcu is not available.

The identifier of the entity that this JWT is registered to. This is primarily used in the case that the registered owner of the JWT will not change.

rcu

String.

Required if rto is not available.

A URL to which the jwi claim is sent to obtain the identifier of the registered owner of the JWT.

This is used in the case where the registered owner of the JWT will change over time.

In addition, the Registered JWT MUST have the following claims.

typ
The value of the typ standard JWT claim MUST be “rjwt”.

Following is a non‐normative example of the JWT payload with the above claims.

{
  "typ":"rjwt",
  "rto":"https://example.com/"
}
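The following Python check, added here and not part of the draft, shows how a verifier would apply the claim rules above to decide whether the party presenting a Registered JWT is its registered owner. It assumes the JWT signature has already been verified, that the presenter's identifier was established out of band, and it stands in for the rcu lookup with an in-memory table; the sample payloads and the jwi values are constructed.

```python
from typing import Callable, Optional

# Constructed sample payloads (not from the draft) for the two registration
# modes: a fixed owner via "rto" and an owner lookup via "rcu".
STATIC_PAYLOAD = {"typ": "rjwt", "rto": "https://alice.example/", "jwi": "tok-001"}
LOOKUP_PAYLOAD = {"typ": "rjwt", "rcu": "https://issuer.example/owner", "jwi": "tok-002"}

# Constructed stand-in for the service behind the rcu URL, keyed by jwi.
_OWNER_DIRECTORY = {"tok-002": "https://bob.example/"}


def validate_registered_jwt(payload: dict) -> None:
    """Enforce the structural MUSTs: typ is "rjwt" and rto or rcu is present."""
    if payload.get("typ") != "rjwt":
        raise ValueError("typ MUST be 'rjwt'")
    if "rto" not in payload and "rcu" not in payload:
        raise ValueError("either rto or rcu is required")


def fake_rcu_lookup(url: str, jwi: Optional[str]) -> str:
    """Assumed hook: models sending the jwi claim to the rcu URL and
    receiving the current owner identifier. Unknown tokens are rejected."""
    if jwi not in _OWNER_DIRECTORY:
        raise ValueError(f"rcu service at {url} knows no owner for jwi={jwi!r}")
    return _OWNER_DIRECTORY[jwi]


def registered_owner(payload: dict, resolve_rcu: Callable[[str, Optional[str]], str]) -> str:
    """Return the registered owner: rto wins when present, otherwise ask rcu."""
    validate_registered_jwt(payload)
    if "rto" in payload:
        return payload["rto"]
    return resolve_rcu(payload["rcu"], payload.get("jwi"))


def presenter_is_owner(payload: dict, presenter_id: str,
                       resolve_rcu: Callable[[str, Optional[str]], str]) -> bool:
    """The token is usable only if the (already authenticated) presenter is
    the registered owner; a stolen token presented by anyone else fails."""
    return registered_owner(payload, resolve_rcu) == presenter_id
```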
