JSON Web Token Best Current Practices
draft-ietf-oauth-jwt-bcp-07

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: rdd@cert.org, draft-ietf-oauth-jwt-bcp@ietf.org, The IESG <iesg@ietf.org>, Hannes Tschofenig <hannes.tschofenig@arm.com>, oauth@ietf.org, hannes.tschofenig@arm.com, oauth-chairs@ietf.org, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'JSON Web Token Best Current Practices' to Best Current Practice (draft-ietf-oauth-jwt-bcp-07.txt)

The IESG has approved the following document:
- 'JSON Web Token Best Current Practices'
  (draft-ietf-oauth-jwt-bcp-07.txt) as Best Current Practice

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bcp/


Ballot Text

Technical Summary

JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security
tokens that contain a set of claims that can be signed and/or
encrypted.  JWTs are being widely used and deployed as a simple
security token format in numerous protocols and applications, both in
the area of digital identity, and in other application areas.  The
goal of this Best Current Practices document is to provide actionable
guidance leading to secure implementation and deployment of JWTs.

Working Group Summary

This document has been written in response to reports about insecure implementations and deployments of JWT.
The working group is in agreement that this document provides value to the community. 

Document Quality

The document has received substantial review and suggestions for threat mitigations to cover. Many of the recommendations have been provided by researchers and implementers outside the working group. 

Personnel

The document shepherd is Hannes Tschofenig. 
The responsible Area Director is Roman Danyliw (and was previously Eric Rescorla).

RFC Editor Note