oauth-wg / oauth-selective-disclosure-jwt

https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

Redesign JWS JSON Serialization #403

Closed danielfett closed 1 month ago

danielfett commented 4 months ago

Through discussions in the EUDI context, we found that the current JSON Serialization design is not well-suited for existing implementations. We now also better understand the original use cases that led us to include this section in the spec in the first place, and we agreed that we should update it as follows:

The new flattened format could be:

{
  "payload":"eyJfc2QiOiBbIjR...Aic2hhLTI1NiJ9",
  "protected":"eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0",
  "signature":"oL5lornrs6CFBMu...4HQby6OaaLqAw",
  "header":{
    "disclosures":[
      "WyI2SWo3dE0tYTVpVlBH...W1lIiwgIkRvZSJd",
      "WyJBSngtMDk1VlBycFR...ImFkZHJlc3MiLCB7InN0cmVldF9",
      "WyJlbHVWNU9nM2dTT...VuX25hbWUiLCAiSm9obiJd"
    ],
    "kb_jwt":"eyJhbGciOiAiRVMyNTYiLCAidHlwIjogI...bGUrc2Qtand0In0"
  }
}

And the new general format could be:

{
  "payload":"eyJfc2QiOiBbIjR...Aic2hhLTI1NiJ9",
  "signatures":[
    {
      "protected":"eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0",
      "signature":"oL5lornrs6CFBMu...4HQby6OaaLqAw",
      "header":{
        "disclosures":[
          "WyI2SWo3dE0tYTVpVlBH...W1lIiwgIkRvZSJd",
          "WyJBSngtMDk1VlBycFR...ImFkZHJlc3MiLCB7InN0cmVldF9",
          "WyJlbHVWNU9nM2dTT...VuX25hbWUiLCAiSm9obiJd"
        ],
        "kb_jwt":"eyJhbGciOiAiRVMyNTYiLCAidHlwIjogI...bGUrc2Qtand0In0"
      }
    },
    {
      "protected":"eyJhbGciOiAiRVMyNTYiLCAidHlwIjogImV4YW1wbGUrc2Qtand0In0",
      "signature":"oL5lornrs6CFBMu...4HQby6OaaLqAw"
    }
  ]
}

danielfett commented 4 months ago

Here is a first draft; it would be great to get some feedback: https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/414/files

I'll update the code for the Python library later on.

bc-pi commented 1 month ago

PR #414 has been merged and this can be closed, no?