Use RFC 9068 for token version
Opened this issue · 4 comments
hshort commented
Apparently RFC 9068 uses the standard JWT typ claim to identify the token version/type. It would be better to use this than our own "wlcg.ver" claim. This was raised by @jbasney
jbasney commented
To find the recommendations for the typ claim, I followed the references from https://www.rfc-editor.org/rfc/rfc9068.html#name-security-considerations to https://www.rfc-editor.org/rfc/rfc8725#section-2.8 to https://www.rfc-editor.org/rfc/rfc8725#section-3.11 (Use Explicit Typing).
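The "Use Explicit Typing" check referenced above, as an added example that is not part of the original thread or of the WLCG profile: it reads the JOSE header and accepts only the typ values RFC 9068 allows for access tokens ("at+jwt" or "application/at+jwt"). The function names and sample tokens are constructed for illustration, and the check is a gate that runs alongside signature and claim validation, which it does not replace.

```python
import base64
import binascii
import json

# typ values a resource server accepts for access tokens (RFC 9068, section 4).
ACCEPTED_TYP = {"at+jwt", "application/at+jwt"}


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_json(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def read_typ(token: str):
    """Return the lower-cased typ header parameter, or None if absent or unparseable."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, binascii.Error):
        return None
    typ = header.get("typ") if isinstance(header, dict) else None
    # Media type names compare case-insensitively.
    return typ.lower() if isinstance(typ, str) else None


def has_access_token_typ(token: str) -> bool:
    """Explicit-typing gate only; signature and claim validation must still follow."""
    return read_typ(token) in ACCEPTED_TYP


def make_sample(header: dict, claims: dict) -> str:
    """Build a constructed sample token with a dummy signature segment."""
    return ".".join([_b64url_json(header), _b64url_json(claims), "c2ln"])


# Constructed samples: issuer, subject and version values are illustrative only.
CLAIMS = {"iss": "https://issuer.example", "sub": "user1", "wlcg.ver": "1.0"}
TYPED = make_sample({"alg": "RS256", "typ": "at+jwt"}, CLAIMS)
GENERIC = make_sample({"alg": "RS256", "typ": "JWT"}, CLAIMS)
UNTYPED = make_sample({"alg": "RS256"}, CLAIMS)
```

All three samples carry the same "wlcg.ver" claim, so only the header distinguishes them: a token typed "JWT" or lacking typ is rejected by this gate regardless of its payload.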
maarten-litmaath commented
And after that one we only need to nudge the community towards a "grp" claim and we're done! 🙂
msalle commented
better groups then: https://www.rfc-editor.org/rfc/rfc9068.html#section-2.2.3.1
But Brian has brought that up previously AFAIR
maarten-litmaath commented
The "groups" syntax in their example looks usable, AFAICS: