JSON Web Token (JWT)
Last updated
Version 2.1 (current version)
Last updated
A JSON Web Token (JWT) is used when non-repudiation between parties is required. A statement, of which the data is encoded in JSON, is digitally signed to protect the authenticity and integrity of the statement.
iSHARE uses signed JWTs in the following ways:
In a request for an OAuth Access Token or an OpenID Connect ID token the client sends a signed JWT. The client is authenticated based on the verification of the JWT's signature.
Delegation evidence is presented as a signed JWT. The signature of the Authorization Registry or Entitled Party provides proof to other parties.
In a response from a server iSHARE metadata is presented as a signed JWT. The signature is used to bind the iSHARE metadata (such as license information) in the JWT to the content of the response.
A service from an iSHARE Service Provider MAY require a request to be signed.
On the generic requirements for a signed iSHARE JWT are specified.