JSON Web Token Best Current Practices
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org>
To: IETF-Announce <email@example.com>
Cc: firstname.lastname@example.org, email@example.com, The IESG <firstname.lastname@example.org>, Hannes Tschofenig <email@example.com>, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com
Subject: Protocol Action: 'JSON Web Token Best Current Practices' to Best Current Practice (draft-ietf-oauth-jwt-bcp-07.txt)

The IESG has approved the following document:

- 'JSON Web Token Best Current Practices' (draft-ietf-oauth-jwt-bcp-07.txt) as Best Current Practice

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bcp/
Technical Summary

JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. The goal of this Best Current Practices document is to provide actionable guidance leading to secure implementation and deployment of JWTs.

Working Group Summary

This document has been written in response to reports about insecure implementations and deployments of JWT. The working group is in agreement that this document provides value to the community.

Document Quality

The document has received substantial review and suggestions for threat mitigations to cover. Many of the recommendations have been provided by researchers and implementers outside the working group.

Personnel

The document shepherd is Hannes Tschofenig. The responsible Area Director is Roman Danyliw (and was previously Eric Rescorla).
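The Technical Summary above describes the token format whose secure handling the BCP addresses: three base64url segments (header, claims, signature) that a verifier must check before trusting any claim. The following Python example, added to this page and not part of the IESG announcement or the draft itself, builds an HS256-signed JWT with the standard library only and then verifies it the way the BCP's recommendations require: the verifier pins the algorithm it will accept instead of trusting the token's "alg" header, compares the MAC in constant time, and validates "iss", "aud" and "exp" before returning the claims. The key, issuer, audience and claim values are constructed for the demo; the helper and function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo material; a real deployment uses a per-issuer secret
# from a key store and real issuer/audience identifiers.
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_ISS = "https://issuer.example"
DEMO_AUD = "api.example"
DEMO_NOW = 1_700_000_000          # fixed clock so results are reproducible
DEMO_CLAIMS = {"iss": DEMO_ISS, "aud": DEMO_AUD, "sub": "alice",
               "exp": DEMO_NOW + 600}


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS: base64url(header).base64url(claims).base64url(mac)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(claims))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def forge_alg_none(claims: dict) -> str:
    """An unsigned token of the kind a naive verifier might accept; used only to show rejection."""
    header = {"alg": "none"}
    return b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(claims)) + "."


def verify_hs256(token: str, key: bytes, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Verify signature and claims; raise ValueError on any failure, else return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides what it accepts, never the token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % (header.get("alg"),))
    expected_mac = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the MAC.
    if not hmac.compare_digest(expected_mac, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # Only after the signature checks out are the claims worth reading.
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def try_verify(token: str, key: bytes, expected_iss: str, expected_aud: str, now=None):
    """Convenience wrapper returning (True, claims) or (False, reason)."""
    try:
        return True, verify_hs256(token, key, expected_iss, expected_aud, now)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    good = sign_hs256(DEMO_CLAIMS, DEMO_KEY)
    print("valid token      ->", try_verify(good, DEMO_KEY, DEMO_ISS, DEMO_AUD, DEMO_NOW))
    print("alg=none forgery ->", try_verify(forge_alg_none(DEMO_CLAIMS), DEMO_KEY, DEMO_ISS, DEMO_AUD, DEMO_NOW))
    print("wrong key        ->", try_verify(good, b"other-key", DEMO_ISS, DEMO_AUD, DEMO_NOW))
    print("expired          ->", try_verify(good, DEMO_KEY, DEMO_ISS, DEMO_AUD, DEMO_NOW + 3600))
```

The order of checks matters: the algorithm is pinned and the MAC is verified before the claims are parsed for meaning, so an attacker-controlled header or payload cannot steer the verifier into a weaker path. Asymmetric algorithms (RS256, ES256) follow the same shape, with the pinned algorithm and the issuer's public key replacing the shared secret.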