JSON Web Token (JWT) Profile for OAuth 2.0 Access TokensAuth0vittorio@auth0.com
Security
OAuthOAuthResourceAccess tokenJWT
This specification defines a profile for issuing OAuth 2.0 access tokens in JSON Web Token (JWT) format. Authorization
servers
and resource servers from different vendors can leverage this profile to issue and consume access tokens in an interoperable manner.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents
. Introduction
. Requirements Notation and Conventions
. Terminology
. JWT Access Token Header and Data Structure
. Header
. Data Structure
. Authentication Information Claims
. Identity Claims
. Authorization Claims
. Claims for Authorization Outside of Delegation Scenarios
. Requesting a JWT Access Token
. Validating JWT Access Tokens
. Security Considerations
. Privacy Considerations
. IANA Considerations
. Media Type Registration
. Registry Content
. Claims Registration
. Registry Content
. Roles
. Groups
. Entitlements
. References
. Normative References
. Informative References
Acknowledgements
Author's Address
Introduction
The original
OAuth 2.0 Authorization Framework specification does not mandate any specific format for access tokens.
While that remains perfectly appropriate for many important scenarios, in-market use has shown that many commercial OAuth 2.0
implementations elected to issue access tokens using a format that can be parsed and validated by resource servers directly, without further authorization server involvement.
The approach is particularly common in topologies where the authorization server and resource server are not co-located,
are not run by the same entity, or are otherwise separated by some boundary. At the time of writing, many commercial implementations leverage the
JSON Web Token (JWT) format.
Many vendor-specific JWT access tokens share the same functional layout, using JWT claims to convey the information needed to support a common set of use cases: token validation, transporting authorization information in the form of scopes and entitlements,
carrying identity information about the subject, and so on. The differences are mostly confined to the claim names and syntax
used to represent the same entities, suggesting that interoperability could be easily achieved by standardizing a common set of claims and validation rules.
The assumption that access tokens are associated with specific information doesn't appear only in commercial implementations.
Various specifications in the OAuth 2.0 family (such as
resource indicators,
OAuth 2.0 bearer token usage, and others) postulate the presence of scoping mechanisms, such as an audience, in access tokens.
The family of specifications associated with introspection also indirectly
suggests a fundamental set of information that access tokens are expected to carry or at least be associated with.
This specification aims to provide a standardized and interoperable profile as an alternative to the proprietary JWT access token layouts going forward.
Besides defining a common set of mandatory and optional claims, the profile provides clear indications on how authorization request
parameters determine the content of the issued JWT access token, how an authorization server can publish metadata relevant to the
JWT access tokens it issues, and how a resource server should validate incoming JWT access tokens.
Finally, this specification provides security and privacy considerations meant to prevent common mistakes and anti-patterns
that are likely to occur in naive use of the JWT format to represent access tokens.
Please note: Although both this document and use JSON Web Tokens in the context of the OAuth2 framework, the two specifications differ in both intent and mechanics. Whereas defines how a JWT Bearer Token can be used to request an access token, this document describes how to encode access tokens in JWT format.
Requirements Notation and Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
Terminology
JWT access token:
An OAuth 2.0 access token encoded in JWT format and complying with the requirements described in this specification.
This specification uses the terms
"access token",
"refresh token",
"authorization server",
"resource server",
"authorization endpoint",
"authorization request",
"authorization response",
"token endpoint",
"grant type",
"access token request",
"access token response",
and "client"
defined by
The OAuth 2.0 Authorization Framework.
JWT Access Token Header and Data StructureHeader
JWT access tokens MUST be signed. Although JWT access tokens can use any signing algorithm, use of asymmetric cryptography is RECOMMENDED as it simplifies the process of acquiring validation information for resource servers (see
). JWT access tokens MUST NOT use "none" as the signing algorithm. See
for more details.
Authorization servers and resource servers conforming to this specification MUST include RS256 (as defined in ) among their supported signature algorithms.
This specification registers the "application/at+jwt" media type, which can be used to indicate that the content is a JWT access token.
JWT access tokens MUST include this media type in the "typ" header parameter to explicitly declare that the JWT represents an access token complying with this profile.
Per the definition of "typ" in , it is RECOMMENDED that the "application/" prefix be omitted. Therefore, the "typ" value used SHOULD be "at+jwt".
See the section for details on the importance of preventing OpenID Connect ID Tokens (as defined by Section 2 of ) from being accepted as access tokens by resource servers implementing this profile.
Data Structure
The following claims are used in the JWT access token data structure.
iss
REQUIRED - as defined in .
exp
REQUIRED - as defined in .
aud
REQUIRED - as defined in . See
for indications on how an authorization server should determine the value of "aud" depending on the request.
sub
REQUIRED - as defined in . In cases of access tokens obtained through grants where a resource owner is involved, such as the authorization code grant, the value of "sub" SHOULD correspond to the subject identifier of the resource owner. In cases of access tokens obtained through grants where no resource owner is involved, such as the client credentials grant, the value of "sub" SHOULD correspond to an identifier the authorization server uses to indicate the client application.
See
for more details on this scenario. Also, see
for a discussion about how different choices in assigning "sub" values can impact privacy.
client_id
REQUIRED - as defined in .
iat
REQUIRED - as defined in .
This claim identifies the time at which the JWT access token was issued.
jti
REQUIRED - as defined in .
Authentication Information ClaimsThe claims listed in this section MAY be issued in the context of authorization grants involving the resource owner and reflect the types and strength of authentication in the access token that the authentication server enforced prior to returning the authorization response to the client. Their values are fixed and remain the same across all access tokens that derive from a given authorization response, whether the access token was obtained directly
in the response (e.g., via the implicit flow) or after one or more token exchanges (e.g., obtaining a fresh access token using a refresh token or exchanging one access token for another via
procedures).
auth_time
OPTIONAL - as defined in Section 2 of
.
acr
OPTIONAL - as defined in Section 2 of
.
amr
OPTIONAL - as defined in Section 2 of
.
Identity Claims
In the context of authorization grants involving the resource owner, commercial authorization servers will often include resource owner attributes directly in access tokens so that resource servers can consume them directly for authorization or other purposes without any further round trips to introspection () or UserInfo () endpoints.
This is particularly common in scenarios where the client and the resource server belong to the same entity and are part of the same solution, as is the case for first-party clients invoking their own backend API.
This profile does not introduce any mechanism for a client to directly request the presence of specific claims in JWT access tokens, as the authorization server can determine what additional claims are required by a particular resource server by taking the client_id of the client and the "scope" and the "resource" parameters included in the request into consideration.
Any additional identity attribute whose semantic is well described by an entry in the "JSON Web Token (JWT)" IANA registry introduced in SHOULD be encoded using the corresponding claim name, if that attribute is to be included in the JWT access token. Note that the JWT IANA registry includes the claims found in Section 5.1 of .
Authorization servers MAY return arbitrary attributes not defined in any existing specification, as long as the corresponding claim names are collision resistant or the access tokens are meant to be used only within a private subsystem. Please refer to Sections and of for details.
Authorization servers including resource owner attributes in JWT access tokens need to exercise care and verify that all privacy requirements are met, as discussed in
.
Authorization Claims
If an authorization request includes a scope parameter, the corresponding issued JWT access token SHOULD include a "scope" claim as defined in .
All the individual scope strings in the "scope" claim MUST have meaning for the resources indicated in the "aud" claim. See
for more considerations about the relationship between scope strings and resources indicated by the "aud" claim.
Claims for Authorization Outside of Delegation Scenarios
Many authorization servers embed authorization attributes that go beyond the delegated scenarios described by
in the access tokens they issue. Typical examples include resource owner memberships in roles and groups that are relevant to the resource being accessed, entitlements assigned to the resource owner for the targeted resource that the authorization server knows about, and so on.
An authorization server wanting to include such attributes in a JWT access token SHOULD use the "groups", "roles", and "entitlements" attributes of the "User" resource schema defined by ) as claim types.
Authorization servers SHOULD encode the corresponding claim values according to the guidance defined in . In particular, a non-normative example of a "groups" attribute can be found in . No specific vocabulary is provided for "roles" and "entitlements".
of this document provides entries for registering "groups", "roles", and "entitlements" attributes from
as claim types to be used in this profile.
Requesting a JWT Access Token
An authorization server can issue a JWT access token in response to any authorization grant defined by
and subsequent extensions meant to result in an access token.
If the request includes a "resource" parameter (as defined in
), the resulting JWT access token "aud" claim SHOULD have the same value as the "resource" parameter in the request.
Example request below:
Once redeemed, the code obtained from the request above will result in a JWT access token in the form shown below:
The authorization server MUST NOT issue a JWT access token if the authorization granted by the token would be ambiguous.
See
for more details about common cases that might lead to ambiguity and strategies an authorization server can enact to prevent them.
If the request does not include a "resource" parameter, the authorization server MUST use a default resource indicator in the "aud" claim. If a "scope" parameter is present in the request, the authorization server SHOULD use it to infer the value of the default resource indicator to be used in the "aud" claim. The mechanism through which scopes are associated with default resource indicator values is outside the scope of this specification. If the values in the "scope" parameter refer to different default resource indicator values, the authorization server SHOULD reject the request with "invalid_scope" as described in .
Validating JWT Access Tokens
For the purpose of facilitating validation data retrieval, it is RECOMMENDED here that authorization servers sign JWT access tokens with an asymmetric algorithm.
Authorization servers SHOULD use
OAuth 2.0 Authorization Server Metadata to advertise to resource servers their signing keys via "jwks_uri" and what "iss" claim value to expect
via the "issuer" metadata value. Alternatively, authorization servers implementing OpenID Connect MAY use the OpenID Connect discovery document for the same purpose. If an authorization server supports both OAuth 2.0 Authorization Server Metadata and OpenID Connect discovery, the values provided MUST be consistent across the two publication methods.
An authorization server MAY elect to use different keys to sign OpenID Connect ID Tokens and JWT access tokens. This specification does not provide a mechanism for identifying a specific key as the one used to sign JWT access tokens. An authorization server can sign JWT access tokens with any of the keys advertised via authorization server (AS) metadata or OpenID Connect discovery. See
for further guidance on security implications.
Resource servers receiving a JWT access token MUST validate it in the following manner.
The resource server MUST verify that the "typ" header value is "at+jwt" or "application/at+jwt" and reject tokens carrying any other value.
If the JWT access token is encrypted, decrypt it using the keys and algorithms that the resource server specified during registration. If encryption was negotiated with the authorization server at registration time and the incoming JWT access token is not encrypted, the resource server SHOULD reject it.
The issuer identifier for the authorization server (which is typically obtained during discovery) MUST exactly match the value of the "iss" claim.
The resource server MUST validate that the "aud" claim contains a resource indicator value corresponding to an identifier the resource server expects for itself. The JWT access token MUST be rejected if "aud" does not contain a resource indicator of the current resource server as a valid audience.
The resource server MUST validate the signature of all incoming JWT access tokens according to
using the algorithm specified in the JWT "alg" Header Parameter. The resource server MUST reject any JWT in which the value of "alg" is "none". The resource server MUST use the keys provided by the authorization server.
The current time MUST be before the time represented by the "exp" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.
The resource server MUST handle errors as described in . In particular, in case of any failure in the validation checks listed above, the authorization server response MUST include the error code "invalid_token".
Please note that this requirement does not prevent JWT access tokens from using authentication schemes other than "Bearer".
If the JWT access token includes authorization claims as described in
, the resource server SHOULD use them in combination with any other contextual information available to determine whether the current call should be authorized or rejected. Details about how a resource server performs those checks is beyond the scope of this profile specification.
Security Considerations
The JWT access token data layout described here is very similar to that of the id_token as defined by
. The explicit typing required in this profile, in line with the recommendations in
, helps the resource server to distinguish between JWT access tokens and OpenID Connect ID Tokens.
Authorization servers should prevent scenarios where clients can affect the value of the "sub" claim in ways that could confuse resource servers.
For example, if the authorization server elects to use the client_id as the "sub" value for access tokens issued using the client credentials grant, the authorization server should prevent clients from registering an arbitrary client_id value, as this would allow malicious clients to select the sub of a high-privilege resource owner and confuse any authorization logic on the resource server relying on the "sub" value.
For more details, please refer to .
To prevent cross-JWT confusion, authorization servers MUST use a distinct identifier as an "aud" claim value to uniquely identify access tokens issued by the same issuer for distinct resources. For more details on cross-JWT confusion, please refer to .
Authorization servers should use particular care when handling requests that might lead to ambiguous authorization grants. For example, if a request includes multiple resource indicators, the authorization server should ensure that each scope string included in the resulting JWT access token, if any, can be unambiguously correlated to a specific resource among the ones listed in the "aud" claim. The details on how to recognize and mitigate this and other ambiguous situations is highly scenario dependent and hence is out of scope for this profile.
Authorization servers cannot rely on the use of different keys for signing OpenID Connect ID Tokens and JWT tokens as a method to safeguard against the consequences of leaking specific keys. Given that resource servers have no way of knowing what key should be used to validate JWT access tokens in particular, they have to accept signatures performed with any of the keys published in AS metadata or OpenID Connect discovery; consequently, an attacker just needs to compromise any key among the ones published to be able to generate and sign JWTs that will be accepted as valid by the resource server.
Privacy Considerations
As JWT access tokens carry information by value, it now becomes possible for clients and potentially even end users to directly peek inside the token claims collection of unencrypted tokens.
The client MUST NOT inspect the content of the access token: the authorization server and the resource server might decide to change the token format at any time (for example, by switching from this profile to opaque tokens); hence, any logic in the client relying on the ability to read the access token content would break without recourse.
The OAuth 2.0 framework assumes that access tokens are treated as opaque by clients.
Administrators of authorization servers should also take into account that the content of an access token is visible to the client.
Whenever client access to the access token content presents privacy issues for a given scenario, the authorization server needs to take explicit steps to prevent them.
In scenarios in which JWT access tokens are accessible to the end user, it should be evaluated whether the information can be accessed without privacy violations (for example, if an end user would simply access his or her own personal information) or if steps must be taken to enforce confidentiality.
Possible measures to prevent leakage of information to clients and end users include: encrypting the access token, encrypting the sensitive claims, omitting the sensitive claims or not using this profile, and falling back on opaque access tokens.
In every scenario, the content of the JWT access token will eventually be accessible to the resource server. It's important to evaluate whether
the resource server gained the proper entitlement to have access to any content received in the form of claims, for example, through user consent
in some form, policies and agreements with the organization running the authorization servers, and so on.
For example, a user might not wish to consent to granting given resource server information about any of the non-mandatory claims enumerated in (and its subsections).
This profile mandates the presence of the "sub" claim in every JWT access token, making it possible for resource servers to rely on that information for correlating incoming requests with data stored locally for the authenticated principal.
Although the ability to correlate requests might be required by design in many scenarios, there are scenarios where the authorization server might want to prevent correlation. The "sub" claim should be populated by the authorization servers according to a privacy impact assessment.
For instance, if a solution requires preventing tracking of principal activities across multiple resource servers, the authorization server should ensure that JWT access tokens meant for different resource servers have distinct "sub" values that cannot be correlated in the event of resource server collusion.
Similarly, if a solution requires preventing a resource server from correlating the principal's activity within the resource itself, the authorization server should assign different "sub" values for every JWT access token issued.
In turn, the client should obtain a new JWT access token for every call to the resource server to ensure that the resource server receives different "sub" and "jti" values at every call, thus preventing correlation between distinct requests.
IANA ConsiderationsMedia Type RegistrationRegistry Content
This section registers "application/at+jwt", a new media type in the "Media Types" registry in the
manner described in . It can be used to indicate that the
content is an access token encoded in JWT format.
Type name:
Application
Subtype name:
at+jwt
Required parameters:
N/A
Optional parameters:
N/A
Encoding considerations:
Binary; JWT values are
encoded as a series of base64url-encoded values (with trailing '='
characters removed), some of which may be the empty string,
separated by period ('.') characters.
Security considerations:
See the Security Considerations section of RFC 9068.
Interoperability considerations:
N/A
Published specification:
RFC 9068
Applications that use this media type:
Applications that access resource servers using OAuth 2.0 access tokens encoded in JWT format
Fragment identifier considerations:
N/A
Additional information:
Magic number(s):
N/A
File extension(s):
N/A
Macintosh file type code(s):
N/A
Person & email address to contact for further information:
Vittorio Bertocci <vittorio@auth0.com>
Intended usage:
COMMON
Restrictions on usage:
None
Author:
Vittorio Bertocci <vittorio@auth0.com>
Change controller:
IETF
Provisional registration?
No
Claims Registration of this specification refers to the attributes "roles", "groups", "entitlements" defined in
to express authorization information in JWT access tokens.
This section registers those attributes as claims in the "JSON Web Token (JWT)" IANA registry introduced in
.
Registry ContentRoles
Claim Name:
roles
Claim Description:
Roles
Change Controller:
IETF
Specification Document(s):
and of RFC 9068
Groups
Claim Name:
groups
Claim Description:
Groups
Change Controller:
IETF
Specification Document(s):
and of RFC 9068
Entitlements
Claim Name:
entitlements
Claim Description:
Entitlements
Change Controller:
IETF
Specification Document(s):
and of RFC 9068
ReferencesNormative ReferencesOpenID Connect Core 1.0 incorporating errata set 1OpenID Connect Discovery 1.0 incorporating errata set 1Multipurpose Internet Mail Extensions (MIME) Part Two: Media TypesThis second document defines the general structure of the MIME media typing system and defines an initial set of media types. [STANDARDS-TRACK]Key words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]Media Type Specifications and Registration ProceduresThis document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice.JSON Web Signature (JWS)JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.JSON Web Algorithms (JWA)This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.JSON Web Token (JWT)JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.System for Cross-domain Identity Management: Core SchemaThe System for Cross-domain Identity Management (SCIM) specifications are designed to make identity management in cloud-based applications and services easier. The specification suite builds upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. Its intent is to reduce the cost and complexity of user management operations by providing a common user schema and extension model as well as binding documents to provide patterns for exchanging this schema using HTTP.This document provides a platform-neutral schema and extension model for representing users and groups and other resource types in JSON format. This schema is intended for exchange and use with cloud service providers.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.OAuth 2.0 Authorization Server MetadataThis specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.OAuth 2.0 Token ExchangeThis specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.Resource Indicators for OAuth 2.0This document specifies an extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client to explicitly signal to an authorization server about the identity of the protected resource(s) to which it is requesting access.JSON Web Token Best Current PracticesJSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.Informative ReferencesMedia TypesIANAOAuth 2.0 Security Best Current Practiceyes.comYubicoyes.com This document describes best current security practice for OAuth 2.0.
It updates and extends the OAuth 2.0 Security Threat Model to
incorporate practical experiences gathered since OAuth 2.0 was
published and covers new threats relevant due to the broader
application of OAuth 2.0.
Work in ProgressThe OAuth 2.0 Authorization Framework: Bearer Token UsageThis specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK]JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization GrantsThis specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.OAuth 2.0 Token IntrospectionThis specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource.Acknowledgements
The initial set of requirements informing this specification was extracted by numerous examples of access tokens issued in JWT format by production systems.
Thanks to (IdentityServer), (Ping Identity), (Microsoft), and (Okta) for providing sample tokens issued by their products and services.
and provided early feedback that shaped the direction of the specification.
This profile was discussed at length during the OAuth Security Workshop 2019, with several individuals contributing ideas and feedback. The author would like to acknowledge the contributions of:,
,
,
,
,
,
and
everyone who actively participated in the unconference discussions.
The following individuals contributed useful feedback and insights on the drafts, both at the IETF OAuth 2.0 WG mailing list and during the 28th Internet Identity Workshop (IIW 28):
,
,
,
,
,
,
,
,
,
,
,
,
,
,
,
,
and
everyone who actively participated in the IIW 28 unconference discussions and the IETF OAuth 2.0 WG mailing list discussions.
Thanks to for the AD review; and for the SECDIR and GENART reviews; and , , , , , for the IESG reviews.
Author's AddressAuth0vittorio@auth0.com