Merge pull request #2 from selfissued/mbj-explicit-typing

selfissued · web-flow · commit 28c114cf220e · 2024-11-20T12:05:56.000-08:00
Explicitly type JWTs
diff --git a/draft-jones-oauth-rfc7523bis.xml b/draft-jones-oauth-rfc7523bis.xml
@@ -189,8 +189,9 @@
   Content-Type: application/x-www-form-urlencoded
 
   grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
-  &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.
-  eyJpc3Mi[...omitted for brevity...].
+  &assertion=eyJ0eXAiOiJhdXRob3JpemF0aW9uLWdyYW50K2p3dCIsImFsZyI6Ik
+    VTMjU2Iiwia2lkIjoiMTYifQ.
+  eyJhdWQiOiJodHRwczovLw[...omitted for brevity...].
   J9l-ZhwP[...omitted for brevity...]
 ]]></artwork>
         </figure>
@@ -220,8 +221,9 @@
   code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
   client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
   client-assertion-type%3Ajwt-bearer&
-  client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIyIn0.
-  eyJpc3Mi[...omitted for brevity...].
+  client_assertion=eyJ0eXAiOiJjbGllbnQtYXV0aGVudGljYXRpb24rand0Iiwi
+    YWxnIjoiUlMyNTYiLCJraWQiOiIyMiJ9.
+  eyJhdWQiOiJodHRwczovLw[...omitted for brevity...].
   cC4hiUPo[...omitted for brevity...]
 ]]></artwork>
         </figure>
@@ -240,6 +242,15 @@
       <t>
 	<list style="numbers">
 
+	  <t>
+	    The JWT MUST be explicitly typed,
+	    as defined in Section 3.11 of <xref target="RFC8725"/>.
+	    The <spanx style="verb">typ</spanx> header parameter values
+	    that MUST be used are defined in <xref target="GrantProcessing"/>
+	    and <xref target="ClientProcessing"/>.
+	    The authorization server MUST reject JWTs that do not use
+	    the specified explicit type value.
+	  </t>
 	  <t>
 	    The JWT MUST contain an <spanx style="verb">iss</spanx>
 	    (issuer) claim that contains a unique identifier for the
@@ -339,6 +350,13 @@
 
       <section title="Authorization Grant Processing" anchor="GrantProcessing">
 
+	<t>
+	  Authorization grant JWTs MUST be explicitly typed by using the
+	  <spanx style="verb">typ</spanx> header parameter value
+	  <spanx style="verb">authorization-grant+jwt</spanx>.
+	  Authorization grant JWTs not using this explicit type value
+	  MUST be rejected by the authorization server.
+	</t>
 	<t>
 	  JWT authorization grants may be used with or without client authentication
 	  or identification. Whether or not client authentication is needed in
@@ -373,6 +391,13 @@
 
       <section title="Client Authentication Processing" anchor="ClientProcessing">
 
+	<t>
+	  Client authentication JWTs MUST be explicitly typed by using the
+	  <spanx style="verb">typ</spanx> header parameter value
+	  <spanx style="verb">client-authentication+jwt</spanx>.
+	  Client authentication JWTs not using this explicit type value
+	  MUST be rejected by the authorization server.
+	</t>
 	<t>If the client JWT is not valid, the
 	authorization server constructs an error response as defined in
 	OAuth 2.0 <xref target="RFC6749"/>.
@@ -414,13 +439,14 @@
 
       <figure>
 	<preamble>
-	  The following example JSON object, used as the header of a
-	  JWT, declares that the JWT is signed with the Elliptic Curve
-          Digital Signature Algorithm (ECDSA) P-256
-	  SHA-256 using a key identified by the <spanx style="verb">kid</spanx> value <spanx style="verb">16</spanx>.
+	  The following example JSON object, used as the header parameters of a JWT,
+	  declares that the JWT is an authorization grant JWT,
+	  is signed with the Elliptic Curve Digital Signature Algorithm (ECDSA) P-256 with SHA-256,
+	  and was signed with a key identified by
+	  the <spanx style="verb">kid</spanx> value <spanx style="verb">16</spanx>.
 	</preamble>
 	<artwork><![CDATA[
-  {"alg":"ES256","kid":"16"}
+  {"typ":"authorization-grant+jwt","alg":"ES256","kid":"16"}
 ]]></artwork>
       </figure>
 
@@ -436,8 +462,9 @@
   Content-Type: application/x-www-form-urlencoded
 
   grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
-  &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.
-  eyJpc3Mi[...omitted for brevity...].
+  &assertion=eyJ0eXAiOiJhdXRob3JpemF0aW9uLWdyYW50K2p3dCIsImFsZyI6Ik
+    VTMjU2Iiwia2lkIjoiMTYifQ.
+  eyJhdWQiOiJodHRwczovLw[...omitted for brevity...].
   J9l-ZhwP[...omitted for brevity...]
 ]]></artwork>
       </figure>
@@ -516,8 +543,156 @@
 	established by
 	"An IETF URN Sub-Namespace for OAuth" <xref target="RFC6755"/>
 	were performed by <xref target="RFC7523"/>.
-	No IANA actions are requested by this specification.
       </t>
+
+      <section title="Media Type Registration" anchor="MediaReg">
+        <t>
+          This section registers the following media types <xref target="RFC2046"/>
+          in the "Media Types" registry <xref target="IANA.MediaTypes"/>
+          in the manner described in <xref target="RFC6838"/>.
+        </t>
+
+        <section title="Registry Contents" anchor="MediaContents">
+          <t>
+            <?rfc subcompact="yes"?>
+            <list style="symbols">
+              <t>
+                Type name: application
+              </t>
+              <t>
+                Subtype name: authorization-grant+jwt
+              </t>
+              <t>
+                Required parameters: n/a
+              </t>
+              <t>
+                Optional parameters: n/a
+              </t>
+              <t>
+                Encoding considerations: binary;
+                An authorization grant JWT is a JWT;
+                JWT values are encoded as a
+                series of base64url-encoded values (some of which may be the
+                empty string) separated by period ('.') characters.
+              </t>
+              <t>
+                Security considerations: See <xref target="Security"/> of this specification
+              </t>
+              <t>
+                Interoperability considerations: n/a
+              </t>
+              <t>
+                Published specification: <xref target="GrantProcessing"/> of this specification
+              </t>
+              <t>
+                Applications that use this media type:
+                Applications that use this specification
+              </t>
+              <t>
+                Fragment identifier considerations: n/a
+              </t>
+              <t>
+                Additional information:<list style="empty">
+                <t>Magic number(s): n/a</t>
+                <t>File extension(s): n/a</t>
+                <t>Macintosh file type code(s): n/a </t></list>
+                <vspace/>
+              </t>
+              <t>
+                Person &amp; email address to contact for further information:
+                <vspace/>
+                Michael B. Jones, michael_b_jones@hotmail.com
+              </t>
+              <t>
+                Intended usage: COMMON
+              </t>
+              <t>
+                Restrictions on usage: none
+              </t>
+              <t>
+                Author: Michael B. Jones, michael_b_jones@hotmail.com
+              </t>
+              <t>
+                Change controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
+              </t>
+              <t>
+                Provisional registration? No
+              </t>
+            </list>
+            <?rfc subcompact="no"?>
+          </t>
+
+          <t>
+            <?rfc subcompact="yes"?>
+            <list style="symbols">
+              <t>
+                Type name: application
+              </t>
+              <t>
+                Subtype name: client-authentication+jwt
+              </t>
+              <t>
+                Required parameters: n/a
+              </t>
+              <t>
+                Optional parameters: n/a
+              </t>
+              <t>
+                Encoding considerations: binary;
+                A client authentication JWT is a JWT;
+                JWT values are encoded as a
+                series of base64url-encoded values (some of which may be the
+                empty string) separated by period ('.') characters.
+              </t>
+              <t>
+                Security considerations: See <xref target="Security"/> of this specification
+              </t>
+              <t>
+                Interoperability considerations: n/a
+              </t>
+              <t>
+                Published specification: <xref target="ClientProcessing"/> of this specification
+              </t>
+              <t>
+                Applications that use this media type:
+                Applications that use this specification
+              </t>
+              <t>
+                Fragment identifier considerations: n/a
+              </t>
+              <t>
+                Additional information:<list style="empty">
+                <t>Magic number(s): n/a</t>
+                <t>File extension(s): n/a</t>
+                <t>Macintosh file type code(s): n/a </t></list>
+                <vspace/>
+              </t>
+              <t>
+                Person &amp; email address to contact for further information:
+                <vspace/>
+                Michael B. Jones, michael_b_jones@hotmail.com
+              </t>
+              <t>
+                Intended usage: COMMON
+              </t>
+              <t>
+                Restrictions on usage: none
+              </t>
+              <t>
+                Author: Michael B. Jones, michael_b_jones@hotmail.com
+              </t>
+              <t>
+                Change controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
+              </t>
+              <t>
+                Provisional registration? No
+              </t>
+            </list>
+            <?rfc subcompact="no"?>
+          </t>
+        </section>
+
+      </section>
     </section>
   </middle>
 
@@ -532,6 +707,7 @@
       <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7521.xml"/>
       <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
       <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8414.xml"/>
+      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8725.xml"/>
 
       <!-- Reference from https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7518.xml with change to anchor="JWA" -->
 
@@ -568,7 +744,9 @@
     </references>
 
     <references title="Informative References">
+      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2046.xml"/>
       <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6755.xml"/>
+      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6838.xml"/>
       <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7522.xml"/>
       <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7523.xml"/>
       <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7591.xml"/>
@@ -644,6 +822,16 @@
         </front>
       </reference>
 
+      <reference anchor="IANA.MediaTypes" target="https://www.iana.org/assignments/media-types">
+        <front>
+          <title>Media Types</title>
+          <author>
+            <organization>IANA</organization>
+          </author>
+          <date/>
+        </front>
+      </reference>
+
     </references>
 
     <section title="Document History" anchor="History">
@@ -661,9 +849,12 @@
 	    removing the IANA actions already performed,
 	    and adding the Document History section.
           </t>
-	  <t>
+          <t>
 	    Use AS issuer identifier as the sole audience value.
-	  </t>
+          </t>
+          <t>
+ 	    Explicitly typed authorization grant JWTs and client authentication JWTs.
+          </t>
         </list>
       </t>
 
