Difference between revisions of "JWT"

From MgmtWiki
(Problems)
(Problems)
Line 6: Line 6:
  
 
==Problems==
 
==Problems==
* The existing specs at the time the [[JWT]] was created were XML and SAML which were very wording and not amenable to coding in an HTTP header.
+
* The existing specs at the time the [[JWT]] was created were XML and [[SAML 2.0|SAML]] which were very wording and not amenable to coding in an HTTP header.
  
 
==Solutions==
 
==Solutions==
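Review bot: the edited line keeps the typo "very wording"; the intended word is "wordy", so the phrase should read "which were very wordy and not amenable to coding in an HTTP header". The link change itself, [[SAML]] to [[SAML 2.0|SAML]], is fine.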

Revision as of 19:36, 28 May 2019

Full Title

JSON Web Token (JWT) -- pronounced "JOOT" as though it were Welsh.

Context

In OAuth 2.0 and other specs from the OpenID Foundation, there was a need for a small packet of identity information that could be encoded and included in an HTTP header.

Problems

  • The existing specs at the time the JWT was created were XML and SAML, which were very wordy and not amenable to coding in an HTTP header.

Solutions

  • The RFC that defines the JSON Web Token (JWT). The abstract of the spec reads:
    JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
  • Justin Richer has some suggestions.[1]
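As an added example (not from this wiki page or from any RFC), the compact JWS form the abstract describes: claims as a JSON payload, base64url-encoded and integrity-protected with an HMAC, plus a verifier that pins the expected algorithm instead of trusting the token's own header. The key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url_encode(data: bytes) -> str:
    # base64url without '=' padding, the URL-safe encoding JWS uses
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # restore padding before decoding; raises binascii.Error (a ValueError) on junk
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_jwt(claims: dict, key: bytes) -> str:
    """Build header.payload.signature, each part base64url-encoded (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the MAC over header.payload checks out, else None.

    The verifier decides which algorithm is acceptable; a token whose header
    says "none" or some other alg is rejected before any signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # constant-time comparison so MAC checking does not leak timing information
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # sample value, not a real secret
    token = create_jwt({"sub": "alice", "iss": "example"}, demo_key)
    print(token, verify_jwt(token, demo_key))
```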

References

  • RFC 6749, The OAuth 2.0 Authorization Framework
  • RFC 8252, OAuth 2.0 for Native Apps
  1. Justin Richer, Moving On from OAuth 2: A Proposal. https://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade