I’ve posted updated versions of the JSON Web Token (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. No changes should be required to any existing deployments as a result of these updates.
The primary thrust of these changes was updating the JWT spec to describe how to create and process encrypted JWTs. (The previous JWT spec pre-dated publication of the JWE spec.) I also removed duplicate content from the JWT spec describing the steps to sign JWTs and instead simply referenced it in the JWS spec. Numerous suggestions on improving the specifications from the WOES and JOSE lists were also incorporated. The changelog entries are as follows:
draft-jones-json-web-token-06:
- Reference and use content from [JWS] and [JWE], rather than repeating it here.
- Simplified terminology to better match JWE, where the terms “JWT Header” and “Encoded JWT Header” are now used, for instance, rather than the previous terms “Decoded JWT Header Segment” and “JWT Header Segment”. Also changed to “Plaintext JWT” from “Unsigned JWT”.
- Describe how to perform nested encryption and signing operations.
- Changed “integer” to “number”, since that is the correct JSON type.
- Changed StringAndURI to StringOrURI.
draft-jones-json-web-signature-03:
- Simplified terminology to better match JWE, where the terms “JWS Header” and “Encoded JWS Header” are now used, for instance, rather than the previous terms “Decoded JWS Header Input” and “JWS Header Input”. Likewise, the terms “JWS Payload” and “JWS Signature” are now used, rather than “JWS Payload Input” and “JWS Crypto Output”.
- The jku and x5u URLs are now required to be absolute URLs.
- Removed this unnecessary language from the kid description: “Omitting this parameter is equivalent to setting it to an empty string”.
- Changed StringAndURI to StringOrURI.
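As an added illustration of the JWS changes above (not code from the drafts or their author), the following Python uses the draft-03 terminology (JWS Header, JWS Payload, JWS Signature) and shows a consumer rejecting a header whose jku or x5u value is not an absolute URL before it checks the signature. It assumes the standard `alg` header parameter with HS256 via the standard library; the key, the example.com URL and the claim values are constructed sample data.

```python
"""Minimal HS256 JWS producer/consumer.  Added example, not code from the
JWS/JWT drafts or their author; names and values are assumptions."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample key.  A real deployment would use a random secret of at
# least 256 bits for HS256.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS requires for every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_absolute_url(value) -> bool:
    """True only for a string with both a scheme and an authority part."""
    if not isinstance(value, str):
        return False
    parsed = urlparse(value)
    return bool(parsed.scheme) and bool(parsed.netloc)


def header_problems(header, allowed_algs=("HS256",)) -> list:
    """Return the reasons a JWS Header is unacceptable (empty list = OK)."""
    problems = []
    if not isinstance(header, dict):
        return ["JWS Header is not a JSON object"]
    if header.get("alg") not in allowed_algs:
        # Also rejects a Plaintext JWT, which this consumer never accepts.
        problems.append("alg %r is not in the allowed set" % header.get("alg"))
    for name in ("jku", "x5u"):
        # draft-03: these URLs must be absolute; a relative value is an error.
        if name in header and not is_absolute_url(header[name]):
            problems.append("%s must be an absolute URL, got %r"
                            % (name, header[name]))
    return problems


def sign_jws(header: dict, payload: dict, key: bytes) -> str:
    """Produce Encoded JWS Header . Encoded JWS Payload . Encoded JWS Signature."""
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = ("%s.%s" % (enc_header, enc_payload)).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (enc_header, enc_payload, b64url_encode(signature))


def verify_jws(token: str, key: bytes) -> dict:
    """Validate the JWS Header first, then the JWS Signature, then return the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three base64url segments")
    header = json.loads(b64url_decode(parts[0]))
    problems = header_problems(header)
    if problems:
        raise ValueError("; ".join(problems))
    signing_input = ("%s.%s" % (parts[0], parts[1])).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("JWS Signature does not verify")
    return json.loads(b64url_decode(parts[1]))


if __name__ == "__main__":
    # "iss" and "exp" are registered JWT claim names; the values are constructed.
    token = sign_jws({"alg": "HS256", "jku": "https://example.com/keys.json"},
                     {"iss": "joe", "exp": 1300819380}, SAMPLE_KEY)
    print(token)
    print(verify_jws(token, SAMPLE_KEY))
    print(header_problems({"alg": "HS256", "jku": "keys.json"}))
```

The order in `verify_jws` matters: the header is checked against an allow-list of algorithms and the absolute-URL rule before any cryptography runs, so a relative jku/x5u or an unexpected alg is refused without the consumer ever acting on the header's key-location hints.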
draft-jones-json-web-encryption-01:
- Changed type of Ephemeral Public Key (epk) from string to JSON object, so that a JWK Key Object value can be used directly.
- Specified that the Digest Method for ECDH-ES is SHA-256. (The specification was previously silent about the choice of digest method.)
- The jku and x5u URLs are now required to be absolute URLs.
- Removed this unnecessary language from the kid description: “Omitting this parameter is equivalent to setting it to an empty string”.
- Use the same language as RFC 2616 does when describing GZIP message compression.
draft-jones-json-web-key-02:
- Editorial changes to have this spec better match the JWT, JWS, and JWE specs. No normative changes.
The specs are available in the standard places. The HTML versions can be found at these locations:
Feedback welcome!