Understanding JWT/CWT, OpenID
and Related Ecosystem
Michael Jones, John Bradley
Aaron Parecki
JWT, OpenID Connect,
CWT, and Verifiable Claims
Michael B. Jones – Microsoft and John Bradley – Yubico
W3C Workshop on Strong Authentication and Identity
December 10, 2018
JSON Web Token (JWT) – RFC 7519
• Representation of claims in JSON
• Can be signed with JSON Web Signature (JWS) – RFC 7515
• Can be encrypted with JSON Web Encryption (JWE) – RFC 7516
• Algorithms used extensible using IANA JOSE Algorithms Registry
• For instance, ed25519 added and secp256k1 being added
• By design, does not use any form of JSON canonicalization
• Base64url encodes values to maintain content integrity instead
• JWTs used by OpenID Connect, many other applications
ID Token Claims Example
{
"iss": "https://server.example.com",
"sub": "248289761001",
"aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf",
"iat": 1311280970,
"exp": 1311281970,
"nonce": "n-0S6_WzA2Mj"
}
Working Together
OpenID Connect
You’re Probably Already Using OpenID Connect!
• If you have an Android phone or log in at AOL, Deutsche Telekom, Google,
Microsoft, NEC, NTT, Salesforce, Softbank, Symantec, Verizon, or Yahoo! Japan,
you’re already using OpenID Connect
• Many other sites and apps large and small also use OpenID Connect
OpenID Connect and Verifiable Claims
• Aggregated and Distributed Claims
• Self-Issued Identities
• Representation of Claim Verification Information
OpenID Connect: Aggregated and Distributed Claims
• OpenID Connect Core §5.6.2
• Defines how JWTs can contain claims signed by others
• Issuers of aggregated and distributed claims can be different than JWT issuer
• For example, credit score signed by credit agency and payment information
signed by bank
• Aggregated claims pass 3
rd
party claims by value
• Distributed claims pass 3
rd
party claims by reference
OpenID Connect: Self-Issued Identities
• OpenID Connect Core §7
• Digital identity controlled directly by you
• Backed by public/private key pair
• Sometimes called “user-centric identity” or “self-sovereign identity”
• Claims in self-issued identities
• Self-issued claims signed by you
• Aggregated and distributed claims signed by 3
rd
parties
• Implementations in Japan and at Microsoft
OpenID Connect: Representation of Claim Verification Information
• Syntax for providing metadata about claims along with claims
• For instance, saying that name, address, and payment info validated by a
particular bank
• At a particular time
• In a particular jurisdiction
• Under a particular legal framework
• Also ways of requesting claims with particular validation information
• New work proposed by Torsten Lodderstedt at most recent IIW
• Ideas contributed to OpenID Connect working group
CBOR Web Token (CWT) – RFC 8392
• Binary equivalent of JWT
• Uses CBOR – RFC 7049 – instead of JSON
• Secured with CBOR Object Signing and Encryption (COSE) – RFC 8152
• Can be more compact than JWTs because no base64url encoding
• Good fit for IoT applications and bandwidth-constrained channels
IndieAuth
OAuth for the Open Web
Aaron Parecki
aaronpk.com
monocle.p3k.io
aaronparecki.com
micro.blog
How can I comment on this
without having an account there?
[blog post, photo, issue, etc]
How can I sign in to an app
that lets me post to my account?
Traditional OAuth
IndieAuth: Bring your own identity
URLs for Identity
• aaronparecki.com
• mastodon.social/@aaronpk
• gitlab.com/aaronpk
• twitter.com/aaronpk
IndieAuth Summary
• User IDs are URLs – bring your own identity
• Applications are identified by URLs – no pre-registration
necessary
• Authorization server is discovered from the user’s URL
• User ID is returned at the end of the OAuth exchange
aperture.p3k.io
aaronparecki.com
aperture.p3k.io
IndieAuth Summary
An extension to the OAuth authorization code flow
• Prompt user for their identity (URL input, browser extension
auto-fill, etc)
• Discover user’s authorization endpoint
• Send the user there to ask their permission
• On the redirect back, exchange the authorization code for an
access token and the user’s canonical URL
