
Copyright © 2024 iSHARE Foundation


iSHARE JWT


Last updated 2 months ago

This page must be considered part of the iSHARE Framework

This page is normative: the key words MUST, SHALL, SHOULD and MAY are to be interpreted as described in RFC 2119.

The following sections describe the requirements for an iSHARE Signed JWT.

JWT Signing (JWS)

All iSHARE JWTs MUST be signed using the JSON Web Signature (JWS) standard, RFC 7515.

JWT Header

  • Signed JWTs MUST use and specify the RS256, RS384 or RS512 algorithm in the alg header parameter. No other algorithm (in particular not none or an HMAC algorithm) is acceptable.

  • Signed JWTs MUST contain, in the x5c header parameter, an array with the complete certificate chain that is to be used for validating the JWT's signature, including the root certificate of the issuing CA that is listed in the iSHARE Trusted List.

  • Each certificate in x5c MUST be base64 encoded: the body of the PEM file, that is the DER bytes in base64 without the BEGIN/END CERTIFICATE lines or line breaks, as RFC 7515 specifies for x5c.

  • The certificate of the client MUST be the first element of the array and the root certificate MUST be the last.

  • Apart from the alg, typ and x5c parameters, the JWT header SHALL NOT contain any other header parameters.

Example JWT Header:

{
  "alg": "RS256",
  "typ": "JWT",
  "x5c": [
    "<base64 DER of the client certificate, first>",
    "<base64 DER of an intermediate CA certificate>",
    "<base64 DER of an intermediate CA certificate>",
    "<base64 DER of the root CA certificate, last>"
  ]
}
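To make the signing and header rules concrete, the following is an added example in Go using only the standard library; it is not iSHARE's own code and does not appear on this page. It generates a throwaway root CA, issuing CA and client certificate in memory (a stand-in for a CA on the iSHARE Trusted List), signs a JWT with the x5c chain in the required order, and then verifies it the way a receiving server should: alg restricted to RS256/RS384/RS512, no header parameters other than alg, typ and x5c, the chain validated against the server's own trust anchors rather than the root the sender appended, and the signature checked with the key of the first certificate. The function names (newDemoPKI, signJWT, verifyJWT), the demo CA names and the party identifier in the certificate are assumptions of this example.

```go
// Added example for this page, not iSHARE's own code: build and verify an
// iSHARE-style signed JWT with an x5c chain, Go standard library only. The CA
// hierarchy and keys are generated in memory for the demo; in production the
// chain is issued by a CA on the iSHARE Trusted List.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256 for crypto.Hash.New
	_ "crypto/sha512" // registers SHA-384 and SHA-512
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Only the algorithms the page allows; "none", HS* and ES* tokens never verify.
var rsHashes = map[string]crypto.Hash{"RS256": crypto.SHA256, "RS384": crypto.SHA384, "RS512": crypto.SHA512}

type header struct {
	Alg string   `json:"alg"`
	Typ string   `json:"typ"`
	X5c []string `json:"x5c"` // base64 DER (PEM body without BEGIN/END lines): client first, root last
}

var serial int64

// makeCert issues a certificate for pub signed by parent (self-signed when parent is nil). Demo PKI only.
func makeCert(cn string, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey, ca bool) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // Go refuses to build a path through a CA without this
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// newDemoPKI builds root -> issuing CA -> client and returns the trust anchors,
// the chain in x5c order (client first, root last) and the client's private key.
func newDemoPKI() (*x509.CertPool, []*x509.Certificate, *rsa.PrivateKey) {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	clientKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	root := makeCert("Demo Root CA", &rootKey.PublicKey, nil, rootKey, true)
	ca := makeCert("Demo Issuing CA", &caKey.PublicKey, root, rootKey, true)
	client := makeCert("did:ishare:EU.NL.NTRNL-10000001", &clientKey.PublicKey, ca, caKey, false)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, []*x509.Certificate{client, ca, root}, clientKey
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signJWT returns the JWS compact serialization header.payload.signature.
func signJWT(claims map[string]any, chain []*x509.Certificate, key *rsa.PrivateKey, alg string) (string, error) {
	hash, ok := rsHashes[alg]
	if !ok {
		return "", fmt.Errorf("alg %q not allowed", alg)
	}
	h := header{Alg: alg, Typ: "JWT"}
	for _, c := range chain {
		h.X5c = append(h.X5c, base64.StdEncoding.EncodeToString(c.Raw))
	}
	hb, _ := json.Marshal(h)
	pb, _ := json.Marshal(claims)
	input := b64url(hb) + "." + b64url(pb)
	d := hash.New()
	d.Write([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, hash, d.Sum(nil))
	return input + "." + b64url(sig), err
}

// verifyJWT applies the header rules on this page: RS256/384/512 only, no header
// parameters beyond alg/typ/x5c, the x5c chain validates to a root WE trust (not
// merely the root the sender appended), and the signature verifies under the
// first certificate's key. Claims are returned only when all of that holds.
func verifyJWT(token string, roots *x509.CertPool) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a JWS compact serialization")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	dec := json.NewDecoder(strings.NewReader(string(hb)))
	dec.DisallowUnknownFields() // jku, x5u, kid, crit, ... are all rejected
	var h header
	if err := dec.Decode(&h); err != nil {
		return nil, fmt.Errorf("header rejected: %w", err)
	}
	hash, ok := rsHashes[h.Alg]
	if !ok || len(h.X5c) == 0 {
		return nil, fmt.Errorf("alg %q not allowed or x5c missing", h.Alg)
	}
	var chain []*x509.Certificate
	inter := x509.NewCertPool()
	for i, s := range h.X5c {
		der, err := base64.StdEncoding.DecodeString(s)
		c, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil {
			return nil, fmt.Errorf("x5c[%d] is not a base64 DER certificate", i)
		}
		chain = append(chain, c)
		if i > 0 {
			inter.AddCert(c) // everything after the client certificate may be used to build the path
		}
	}
	// Anchor on OUR trust store (the Trusted List), never on the root the sender appended to x5c.
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := chain[0].Verify(opts); err != nil {
		return nil, fmt.Errorf("x5c chain not trusted: %w", err)
	}
	pub, ok := chain[0].PublicKey.(*rsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || err != nil {
		return nil, errors.New("client key is not RSA or signature segment is malformed")
	}
	d := hash.New()
	d.Write([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, hash, d.Sum(nil), sig); err != nil {
		return nil, errors.New("signature does not verify under the client certificate")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	err = json.Unmarshal(pb, &claims)
	return claims, err
}

func main() {
	roots, chain, key := newDemoPKI()
	tok, _ := signJWT(map[string]any{"iss": "did:ishare:EU.NL.NTRNL-10000001", "jti": "demo-1"}, chain, key, "RS256")
	claims, err := verifyJWT(tok, roots)
	fmt.Println(claims, err)
}
```

The important design choice is in verifyJWT: the trust anchor is the pool the server configured, not the last element of x5c. A chain whose final certificate is an attacker's self-signed root is internally consistent, and a verifier that trusts "whatever root the sender included" accepts it; anchoring on the Trusted List is what makes the x5c requirement meaningful. KeyUsages is set to ExtKeyUsageAny because Go's default is serverAuth, which a client certificate typically does not carry.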

JWT Payload

  • The JWT MUST always contain the iat claim.

  • The JWT MUST contain the jti claim for audit trail purposes. The jti is not necessarily a GUID/UUID, but a new jti MUST be used for each JWT so that a replayed JWT can be recognised and rejected.

  • The JWT payload MUST conform to the private_key_jwt method as specified in OpenID Connect 1.0 Chapter 9 (2).

  • The iss and sub claims MUST contain a valid Party Identifier of the party that creates and signs the JWT (unless specified otherwise).

  • The aud claim MUST contain a valid Party Identifier of the party receiving the JWT.

  • The JWT MUST be set to expire 30 seconds after it was issued, and the combination of the iat and exp claims MUST reflect that. Both iat and exp MUST be in seconds, NOT milliseconds. See UTC Time formatting for requirements.

  • Depending on the use of the JWT, other JWT payload data MAY be defined.

Additional rationale

(1) In OAuth 2.0 clients are generally pre-registered. Since in iSHARE servers interact with clients that were previously unknown to them, this is not a workable requirement. Therefore iSHARE implements a generic client identification and authentication scheme based on iSHARE whitelisted PKIs.

(2) Since OAuth 2.0 does not specify a PKI-based authentication scheme but OpenID Connect 1.0 does, iSHARE uses the scheme specified by OpenID Connect in all use cases. This is preferred over defining a new proprietary scheme.

(3) The iSHARE implementation is compatible with the following RFC extensions of OAuth:

  • RFC 7522: SAML 2.0 Assertions

  • RFC 7523: JSON Web Tokens (JWTs)

Example JWT Payload:

{
  "iss": "did:ishare:EU.NL.NTRNL-10000001",
  "sub": "did:ishare:EU.NL.NTRNL-10000001",
  "aud": "did:ishare:EU.NL.NTRNL-10000000",
  "jti": "378a47c4-2822-4ca5-a49a-7e5a1cc7ea59",
  "exp": 1504683475,
  "iat": 1504683445
}

JWT Processing

  • A server SHALL NOT accept a JWT more than once for authentication of the client. However, within its time to live a Service Provider MAY forward a JWT from a Service Consumer to one or more other servers (Entitled Party or Authorisation Registry) to obtain additional evidence on behalf of the Service Consumer. These other servers SHALL accept the JWT for indirect authentication of the Service Consumer during the JWT's complete time to live.

  • A server SHALL only accept a forwarded JWT if the aud claim of the forwarded JWT matches the iss claim of the JWT of the client that forwards it.

  • JWT contents that are not specified within the iSHARE scope SHOULD be ignored.
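The payload and processing rules above, written out as the claims checks a server would run after the signature and x5c chain have been verified. This is an added example in Go, not iSHARE's own code: the Claims type, the in-memory jti store, the millisecond heuristic and the function names are assumptions of the example, and the party identifiers are constructed in the style of the payload example on this page.

```go
// Added example for this page, not iSHARE's own code: the payload and
// processing rules as a claims checker. Assumptions: claims are already
// extracted from a JWT whose signature and chain verified; jtis are kept in
// memory (a shared store would be needed across server instances).
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

const ttl = 30 // seconds; this page requires exp - iat to be exactly this

// Claims holds the payload fields this page makes normative.
type Claims struct {
	Iss, Sub, Aud, Jti string
	Iat, Exp           int64 // seconds since the Unix epoch
}

// jtiStore remembers each jti until its JWT expires, so a JWT is accepted at
// most once for direct authentication. Expired entries are purged on use.
type jtiStore struct {
	mu   sync.Mutex
	seen map[string]int64 // jti -> exp
}

func newJTIStore() *jtiStore { return &jtiStore{seen: map[string]int64{}} }

// firstUse records jti and reports whether this is the first time it was seen.
func (s *jtiStore) firstUse(jti string, exp, now int64) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	for k, e := range s.seen {
		if e < now {
			delete(s.seen, k)
		}
	}
	if _, dup := s.seen[jti]; dup {
		return false
	}
	s.seen[jti] = exp
	return true
}

// checkTimes enforces iat/exp in seconds, exp = iat + 30, and now inside the lifetime.
func checkTimes(c Claims, now int64) error {
	// Heuristic (assumption of this example): 1e11 s is far in the future, so anything
	// larger is almost certainly a millisecond timestamp, which the page forbids.
	if c.Iat > 1e11 || c.Exp > 1e11 {
		return errors.New("iat/exp must be seconds, not milliseconds")
	}
	if c.Exp-c.Iat != ttl {
		return fmt.Errorf("exp - iat must be %d seconds, got %d", ttl, c.Exp-c.Iat)
	}
	if now < c.Iat || now > c.Exp {
		return errors.New("JWT is not yet valid or has expired")
	}
	return nil
}

// authenticate is direct client authentication: all required claims present,
// iss and sub name the signer, aud names this server, time window valid, jti unused.
func authenticate(c Claims, me string, now int64, store *jtiStore) error {
	if c.Iss == "" || c.Sub == "" || c.Aud == "" || c.Jti == "" {
		return errors.New("iss, sub, aud and jti are required")
	}
	if c.Iss != c.Sub { // this page's default; a profile may specify otherwise
		return errors.New("iss and sub must both identify the signing party")
	}
	if c.Aud != me {
		return fmt.Errorf("aud %q is not this server", c.Aud)
	}
	if err := checkTimes(c, now); err != nil {
		return err
	}
	if !store.firstUse(c.Jti, c.Exp, now) {
		return fmt.Errorf("jti %q already used: replay rejected", c.Jti)
	}
	return nil
}

// acceptForwarded is indirect authentication: a JWT forwarded by a Service
// Provider (which authenticated itself with forwarder) is accepted, as often as
// needed within its lifetime, only if its aud is the forwarder's iss.
func acceptForwarded(forwarded, forwarder Claims, now int64) error {
	if forwarded.Aud != forwarder.Iss {
		return fmt.Errorf("forwarded aud %q does not match forwarder iss %q", forwarded.Aud, forwarder.Iss)
	}
	return checkTimes(forwarded, now)
}

func main() {
	now := time.Now().Unix()
	c := Claims{Iss: "did:ishare:EU.NL.NTRNL-10000001", Sub: "did:ishare:EU.NL.NTRNL-10000001",
		Aud: "did:ishare:EU.NL.NTRNL-10000000", Jti: "demo-1", Iat: now, Exp: now + ttl}
	store := newJTIStore()
	fmt.Println("first use:", authenticate(c, "did:ishare:EU.NL.NTRNL-10000000", now, store))
	fmt.Println("replay:   ", authenticate(c, "did:ishare:EU.NL.NTRNL-10000000", now, store))
}
```

Note the asymmetry the page describes: the server that receives a JWT directly checks the jti against its store, while a server that receives the same JWT forwarded does not, because the forwarder may legitimately present it to several servers within its 30-second lifetime. The forwarder's own JWT still goes through authenticate first; acceptForwarded only adds the aud-equals-iss link between the two tokens.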

References linked from this page:

  • RFC 7515 (JSON Web Signature)

  • iSHARE Trusted List

  • OpenID Connect 1.0 Chapter 9

  • Party Identifier

  • UTC Time formatting

  • PKIs