Nested JSON Web Token (JWT)
Avaya, 250 Sidney Street, Belleville, Ontario, Canada
+1-613-967-5176
rifaat.ietf@gmail.com
Area: Security
Working Group: ACME Working Group
Keywords: ACME, 3rd party, Attestation
This specification extends the scope of the Nested JSON Web Token (JWT) to
allow the enclosing JWT to contain its own Claims Set in addition to the enclosed JWT.
JSON Web Token (JWT) is a mechanism that is used to transfer claims between
two parties across security domains. Nested JWT is a JWT in which the payload
is another JWT. The current specification does not define a means by which
the enclosing JWT could have its own Claims Set, only the enclosed JWT would
have claims.
This specification extends the scope of the Nested JWT to allow the enclosing
JWT to contain its own Claims Set in addition to the enclosed JWT.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in [RFC2119].
RFC7519 defines Nested JWT as a JWT in which nested signing and/or encryption
are employed. In Nested JWTs, a JWT is used as the payload or plaintext value
of an enclosing JWS or JWE structure, respectively.
To indicate that the payload of an enclosing JWT is yet another JWT, the
value of the Content Type Parameter of the JOSE header, i.e. "cty", must be
set to "JWT", which means that the enclosing JWT cannot have its own claims.
This document updates the enclosing JWT content to allow it to represent a
Claims Set and an enclosed JWT, using JSON data structures, and updates the
Content Type to indicate this new nested content.
The JOSE Header contains an optional Content Type parameter, "cty", that is
used to indicate the type of the payload of a JWT. With a typical Nested JWT,
the value of the "cty" header must be "JWT". To indicate that the payload
contains a Claims Set in addition to the enclosed JWT, the value of the "cty"
header must be "NJWT".
The payload of the enclosing JWT is a JSON object that contains the Claims Set
of the enclosing JWT and one new claim that holds the enclosed JWT.
This document defines a new claim, "njwt", that is used to contain the enclosed JWT.
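The following Python example is added here to make the layout above concrete; it is not code from the draft. It uses HS256 with constructed keys, and the function names (build_nested, verify_nested) are the example's own. It builds an enclosing JWT whose header carries cty "NJWT" and whose payload carries its own claims plus the "njwt" claim, then verifies the outer signature, checks the content type, and only then verifies the enclosed JWT.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jws(header: dict, payload: dict, key: bytes) -> str:
    # Compact JWS serialization (header.payload.signature) with HS256.
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jws(token: str, key: bytes):
    # Pin the algorithm before checking the MAC so a header cannot downgrade it.
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return header, json.loads(b64url_decode(p))


def build_nested(inner_claims, inner_key, outer_claims, outer_key):
    # Enclosed JWT is a normal JWT; enclosing JWT carries cty=NJWT, its own
    # Claims Set, and the "njwt" claim holding the enclosed token.
    inner = sign_jws({"alg": "HS256", "typ": "JWT"}, inner_claims, inner_key)
    return sign_jws({"alg": "HS256", "typ": "JWT", "cty": "NJWT"},
                    dict(outer_claims, njwt=inner), outer_key)


def verify_nested(token, outer_key, inner_key):
    # Verify the outer layer first, then require the NJWT content type and the
    # njwt claim, then verify the enclosed JWT with its own key.
    header, payload = verify_jws(token, outer_key)
    if header.get("cty") != "NJWT":
        raise ValueError("enclosing JWT is not marked cty=NJWT")
    if "njwt" not in payload:
        raise ValueError("cty=NJWT but no njwt claim present")
    _, inner_claims = verify_jws(payload["njwt"], inner_key)
    outer_claims = {k: v for k, v in payload.items() if k != "njwt"}
    return outer_claims, inner_claims
```

Note that the outer Claims Set (e.g. an "iss" added by an intermediary) and the enclosed claims are returned separately, so a consumer can apply different trust to each layer. Both keys here are constructed sample values.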
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.