oauth-wg / oauth-selective-disclosure-jwt

https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

terminology: JWT payload, JWT body, JWS payload #319

Closed Sakurann closed 1 year ago

Sakurann commented 1 year ago

feedback received:


The draft uses the terms "JWT body" and "JWT payload" which are not used / not defined in RFC 7519. While it is quite clear from the context what is meant, it could be preferable to use the term (JWT Claims Set) defined in RFC 7519 in order to avoid any misinterpretations.

Sakurann commented 1 year ago

It is true that https://www.rfc-editor.org/rfc/rfc7515#section-2 only defines JWS payload. JWT payload is mainly used as "SD-JWT payload", which I think is fine, but JWT body might be worth revisiting.

bc-pi commented 1 year ago

FWIW DPoP, which is past last calls and IESG reviews and in the RFC editor queue, uses "JWT payload".

alenhorvat commented 1 year ago

Maybe related to this (or can be a separate issue):

https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-05.html#section-7

Section 7 is referring to enveloping + using JWT claims. Some JWS signatures don't use JWT claims.

In the text:

appear. Depending on the signature type, payload may or may not contain JWT claims.

alenhorvat commented 1 year ago

Similarly, "issuer signed JWT" appears quite frequently in the text, even though some JWS signatures don't use JWT claims or are JSON serialised JWS.

Sakurann commented 1 year ago

PR merged