search

iSHARE JWT

circle-info

This page must be considered part of the iSHARE Framework

This page is considered normative and is therefore compliant with RFC 2119.

The following section describes the requirements for an iSHARE Signed JWT.

hashtag
JWT Signing (JWS)

All iSHARE JWTs MUST be signed using the JSON Web Signature (JWS) standard, which can be found at RFC 7515arrow-up-right.

hashtag
JWT Header

  • Signed JWTs MUST use and specify the RS256, RS384 or RS512 algorithm in the alg header parameter.

  • Signed JWTs MUST contain an array of the complete certificate chain that should be used for validating the JWT’s signature in the x5c header parameter, including the root certificate of the issuing CA that is listed in the iSHARE Trusted Listarrow-up-right.

  • Certificates MUST be formatted as base64 encoded DER without headers and footers.

  • The certificate of the client MUST be the first in the array, and the root certificate MUST be the last.

  • The JWT header MUST contain alg, typ and x5c header parameters. It MAY contain additional parameters in the header. If these additional parameters are not understood, they shall be ignored.

Example JWT Header:

{
  "alg": "RS256",
  "typ": "JWT",
  "x5c": [
    "MIIGkDCCBHigAwIBAgIUJXrCNvnzy5yjU9WA+NjkC3OzGiIwDQYJKoZIhvcNAQELBQAwXTEeMBwGA1UEAwwVZUlEQVNlU0VBTE9JRF9Jc3NDQUc0MRkwFwYDVQRhExBOVFJOTC1pU0hBUkVURVNUMRMwEQYDVQQKEwppU0hBUkVUZXN0MQswCQYDVQQGEwJYWDAeFw0yNDExMDYxNDMyMTFaFw0yNzExMDYxNDMyMTBaMG4xCzAJBgNVBAYTAk5MMSIwIAYDVQQKDBlUZXN0IFBhcnRpY2lwYW50IFJlZ2lzdHJ5MSIwIAYDVQQDDBlUZXN0IFBhcnRpY2lwYW50IFJlZ2lzdHJ5MRcwFQYDVQRhDA5OVFJOTC0xMDAwMDAwMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALTsAEeAUk95B6lvdgXOr4hzE1N2Q/a5Re0rk/dBbFfBMPD1ctzELxrxkHKHAJZ0Mflc9gO2+X27HVDhPqwJFueh4U9izwyvqzs1VG+9SQsnwzWZyCTP40lXlvqKG1krUifF2lF3LJeQFiwRdRwkqg4O3gRSdoNgESHc9RQyVS0sOAHKVXxzmkKCN7aSpa7mPUCotIeRFb2tUvGXb5lNQBhz7OwMcAmMV587uzUlndVKsA0mN4PkrIfPZ3VVeY8qurPrLsOXPXmRrF0+XVfpz2xbC0763S5lr6Uik6baXOdCcVs7t1b/78ZMet4C3W1nKGEbemplbv0hazLuGelLXWkCAwEAAaOCAjUwggIxMA4GA1UdDwEB/wQEAwIGQDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFLMaT0JA6dh4nWv//CSwELE0PPCJMFcGCCsGAQUFBwEBBEswSTBHBggrBgEFBQcwAYY7aHR0cHM6Ly9jYTcuaXNoYXJldGVzdC5uZXQ6ODQ0Mi9lamJjYS9wdWJsaWN3ZWIvc3RhdHVzL29jc3AwEAYDVR0gBAkwBzAFBgNVHSAwHwYDVR0lBBgwFgYIKwYBBQUHAwQGCisGAQQBgjcKAwwwWwYIKwYBBQUHAQMETzBNMBMGBgQAjkYBBjAJBgcEAI5GAQYCMDYGCCsGAQUFBwEDDCpUaGlzIGlzIHRlc3QgZXNlYWwgY2VydGlmaWNhdGUgZm9yIHRlc3RpbmcwHgYFZ4EMAwEEFTATEwNOVFITAk5MDAgxMDAwMDAwMDCBxwYDVR0fBIG/MIG8MIG5oIG2oIGzhoGwaHR0cHM6Ly9jYTcuaXNoYXJldGVzdC5uZXQ6ODQ0Mi9lamJjYS9wdWJsaWN3ZWIvd2ViZGlzdC9jZXJ0ZGlzdD9jbWQ9Y3JsJmlzc3Vlcj1DTiUzRGVJREFTZVNFQUxPSURfSXNzQ0FHNCUyQ29yZ2FuaXphdGlvbklkZW50aWZpZXIlM0ROVFJOTC1pU0hBUkVURVNUJTJDTyUzRGlTSEFSRVRlc3QlMkNDJTNEWFgwHQYDVR0OBBYEFFP6DDc/+d2kfIrmnJAuT74813cbMA0GCSqGSIb3DQEBCwUAA4ICAQBHp5WXi8VNoD0Mc8brsfKmwuuQn5aPGPYh+z5PcQWzR40HvO1Fe9voyZNZuVNqpCEJcI04OeBeZon/lzYoTFGSLCSPpZy92hqfha4JrLkJvF00i7oIO5HSck/JQxjuaGumq0uQ02aA6mF3Wb9ZWkrhIoXRUpSigG4kMJsC2rVdfXiz6UPdjvKK5k3a8BIzffG70gJDPj0+sIzcpxZre+MPEInzBDmQgkbkl/RX4RDhnS1j/4B6Tshb2RemA3q6bAYoN9IhKlhFuMd9z/MIpnDpSwHhIrhnmRZU/4CBEptat4MUEtRqi2QE5H8PEMLlT/56pannimyFyQNSIxbTpucJQ3yI3PIToLKgzNcgTTiihaektvtz2uj+Ukdn003fazF3NQvUE7cx9F7TWBDmk4hGdA/PofVAATyp0Tu7kWLgvhnSMTG8ylidmYcqRTMFiSiXhbwIuBu85yyAeWJJopjO9IAUCqgqmNSBKNVmhEzEbk8m1orbDUgh+ZAGSajg+wSAc1gnOdj1iJk/5L1CLyV6iUbS/z65gi37wSymasl/pOg9JBxbFSwiPDuU654hvX1iajC/H2KrDGTWi5LhbzDTcwBTmhcq6G9ZNxo+9YoNlduelXp0wVIG2Z9OEgY/qFvlNq/TzG0RVuogq3wgRmNlgxPSv2B9Ta3EDGTlk4NVmA==",
    "MIIF2jCCA8KgAwIBAgIUPG3+TAnxVOBce9NaPt9pTAgm5R4wDQYJKoZIhvcNAQELBQAwQjEeMBwGA1UEAwwVZUlEQVNlU0VBTE9JRF9TdWJDQUczMRMwEQYDVQQKEwppU0hBUkVUZXN0MQswCQYDVQQGEwJYWDAeFw0yMzA4MjUwOTAxMzJaFw00ODA4MjUwOTAwMDVaMF0xHjAcBgNVBAMMFWVJREFTZVNFQUxPSURfSXNzQ0FHNDEZMBcGA1UEYRMQTlRSTkwtaVNIQVJFVEVTVDETMBEGA1UEChMKaVNIQVJFVGVzdDELMAkGA1UEBhMCWFgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDanUgM1/PQyXNTX+UOLGrZjS8HaTWR/P4xD8SMCRxOXHKzHLQqEQOuHD/w+rx9/bEwzH4wVfJ0m6/r56KOg0wLUlVwOyikOXGoITD2u+Ui9t24tYIkx8zjLG7VHVcw4dXOt92svKY1LybvlproWzTHlRwoIO1YQ4hO+rybsw/KEDEXUbkowjlHAPcwnsOW64367EN+ezT1sS8dzFIxmG8qC2LrM2sXJWqq5vJeE/86TfZ2NMO+CUxkjj7uPgbW2V/MOUhYyAtGAjzd/KwOrLMRMYaXOIj61m8R71nh/LV9n8dnj0wTQONTHhuM7mdZQxhqOdkL2ckSrBWi3atEVT1OhBRX4FmmhIhmSWuCtgyKiDCIotyGAsX2o6817fee4Rdtwfw9Q4oN3NAhtod60iOAWApVt+BT5tvdgGOYWPcbMR5pGzbp38dGUyuwYZV4LAnIGSm5yaucNE2E2xrQCbEeZm4RPsx5JleWzipk+42d7vqvWD88IQcQ+bZM2X4rJBZNs166Clx+m6HmKxKALebUtjszsgyH8cq10d+k4Ao8oCaOYjv2IaEbMd+fV/Uf8kPkzTtKlttdqiixoIqycXMEgBaSgkub7XoQ6K26tRPJ0w5Qkuuh3MKtGEWfW7EEGmpnCqjOv6/rAMJiMWyh1IgLgNBUPP7zaVPpDAtC88OSJQIDAQABo4GsMIGpMBIGA1UdEwEB/wQIMAYBAf8CAQEwHwYDVR0jBBgwFoAU4ubX0p6DVjN9DKtOWWMYAs+HxdQwGAYDVR0gBBEwDzAFBgNVHSAwBgYEVR0gADApBgNVHSUEIjAgBggrBgEFBQcDAgYIKwYBBQUHAwQGCisGAQQBgjcKAwwwHQYDVR0OBBYEFLMaT0JA6dh4nWv//CSwELE0PPCJMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAZv5Gukx0PEvVREIt8MTaPfCH4awyiiYyi17h6R5LLk1rerwQsSSSHfVqftdwRF0ocLp2PXJhe075qV406C04CjamNk3ez9ZiNHCNjPtfid6oOxqz1Xk8XPjNYElbAFmP7eKl/441vZhGuk/RhXGNxQbto0Q16g8IRcGDvWgNhtrtB1G2xSmtB1S2uUpSaiZVNOrkdzThiEJseURBoXxUXIqpLyPTRl6MMgVaLGRYRc3vYij4B7M2hBN7/cjnGLsMVtgbOv6CV21g2SXowbgOqzByH51UTR6ObHiGj0kSCALG14IQPkzQPiSpju++9M2jAjPM3o421ZOUDMP246CsqPXrTAbPXJVUR/gi4u53kmzC210jvVq9hHwelxQOTPFhlM6E1Ch4Jb4PQRLKDPFl+5NW4Fy2JADjyupyVHncdLEuPy0PgCL2Yo147HSpPj4u7jc1RmHU7NO12EV2ZCMfFlRwdGv6if8qO7s/6lpZJjpPtLEObA5tD4ahc+aPNAi9WCk0peRm1KE5VGDWKFNSNAiLJNzP7m2Q6y8fOy38cNgFBhGOF/KgEIsT10V+5K5o+ylVVtPVeRRENEvKO9ELkze0IHgsTB/6cwOij4pxM9Jvauj06GglhIhiIA6q0iDUqB1MUR0HziY9BsnWY9kR8hwV3OW+nsmztQwGVEw2kjU=",
    "MIIFjjCCA3agAwIBAgIUFj9/3jGORhtIpZ98OLRtRHs0AYswDQYJKoZIhvcNAQELBQAwQTEdMBsGA1UEAwwUZUlEQVNlU0VBTE9JRF9Sb290RzIxEzARBgNVBAoTCmlTSEFSRVRlc3QxCzAJBgNVBAYTAlhYMB4XDTIzMDgyNTA5MDA0NFoXDTQ4MDgyNTA5MDAwNVowQjEeMBwGA1UEAwwVZUlEQVNlU0VBTE9JRF9TdWJDQUczMRMwEQYDVQQKEwppU0hBUkVUZXN0MQswCQYDVQQGEwJYWDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL7nzkyoFXWg1ghdG6fnuzuvAdMWsm/I+mX3Dbz3I/KyqLdWt7XG3OWVSnhosAD2W2SXnlGXqxye0hPtEgkQIdel7FnFosWWrsEOratgXlnM4NWpYDKMWEVYro7hzHgCZ126ZPQULls52NcvpRM8S3dZk+XK1kf3VeS0J2hUSFEAZHLyXCXkhTnUI7qo1ur1TmDWYsNQwxDGOu7CQyZYdKIwKqI9eGsRLgM6PQlg3vZCropOodM7loTuirCl3UKw4HrGk2cOiAf4Id//eaVCafwkjKsJTQuAahuRz4qMsHYA3kDQz+0+hgnR74r+iLr+8lr044glnaWIWvrEGciRR+PectfrLOQQIW7ha13dzWozkT0agnT1Lk/CGrgNXVqhosGC0ruAQPI6DcPNy2INM9JgtCmBsSjMM185FIBX4Cy17m73h9rKjXZMxb6TxX7CIZyesgAS0bBRb6xIpKsZrlrjEazsjC2VHRRWOMJWYqcXLD5ZNzGMZUr6Tt2yCUAtamecDATKN6/Gbsxe0tABN0pk0rx5ic+4TXdBroN9OAZchH4tJCsOCKonCzApPxVThDNMxsooyFq9DmgXhyEUOOoeS+Fr4FgH+jSANm/l178Jh9epfXQ9gE/6aqPxYjNSBgS60S1EVqCpxw2rT1mUYeGfwibVm53ixGptR8kte70nAgMBAAGjfTB7MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU2LubNS1bP+/ha8vMDM+iLrppeowwGAYDVR0gBBEwDzAFBgNVHSAwBgYEVR0gADAdBgNVHQ4EFgQU4ubX0p6DVjN9DKtOWWMYAs+HxdQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQB8jqYUw7Tv+W4ZH06PraF6zfdCxT03DhRChw4Z/Qm0XVS2gRyRwcMptQFERhPNOA221u9LqozZ1aK3B35wkcGD/dFJgJCJB96SMttQl2Hp/EiQz9PFF02dBSruXhIaraPbM+NIGdmyN2ZywGGXI1aU7JD3XG29Sh2AAdOkv8dI6gEgzt/DHSIIbakbaLdEIc7WB95GUHcHnNj58TzTSyVfBmtb3vBK9JG0Io6NAPWQYx2VP8+fIylja2d128hgh0dsDrXFAM+9AX8hae5vvxVi8TWs/z2ing+k+immtSNfzzKMiO7r5wJAkyjwtUBlBStKIA6Zer22pmSTZZeucHdEThabcWQidVZmMP3If6ix5UeyX8V6OAw0gsI3IUb91Q76d4sLWbzoGNONAYFC1Iyz0xWj47Zd6P7Z2Gfh1ViIbMxViFDlNmbEZflpES87K/yhBUQ/tnCNGQoSdtsuyuWg3NfWbyJoNZzlU96JWxcqSaXkzse9j8wahayKNM6SWKSY1Z05h8JScOCmFB5F8V3bd5nP/uKja7H8O4GOAAPM3OtG+eq37xW/xN0oAsjbvt4ojnUbJs2kiAxEdwXx0K7mcPeS7zWmVt8h4RdcDm/PGTDa9m8OqhQuck80QnuxIUWVr7GWadh1Ly/tl0+bvmkcnO2ybRJ+gbqREHDTe0sxsw==",
    "MIIFczCCA1ugAwIBAgIUCvfSvQerjFDmM2LvmjoTDOInLAwwDQYJKoZIhvcNAQELBQAwQTEdMBsGA1UEAwwUZUlEQVNlU0VBTE9JRF9Sb290RzIxEzARBgNVBAoTCmlTSEFSRVRlc3QxCzAJBgNVBAYTAlhYMB4XDTIzMDgyNTA5MDAwNloXDTQ4MDgyNTA5MDAwNVowQTEdMBsGA1UEAwwUZUlEQVNlU0VBTE9JRF9Sb290RzIxEzARBgNVBAoTCmlTSEFSRVRlc3QxCzAJBgNVBAYTAlhYMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxVMKI9RMhnOSA2LorgEC3YDNd2itn72LOdfRRUu45fG70Iev+E4kRrzJ1k23WXH5sHTbcslpETeAZnj0/xKBYdELuwe6HX8kIwd1s6WGlZc0l7ki1fmj4HqSstGJ/BKGj1a7236WwPJEWEHqfx9QMEeuJKlUSVFFyE4jMsfYp87ifIpuwE8oLOw4ykDDOP52Td06vHCIYrqDBrvxFdAuEnFxNxlPXRE4gLsygg62HOxOuGmhWfsy6TccIp5XIOdj2CzeoXJ82m5/imBPJvkefnrjEQXziSE2mi2IBDtGP/AwFWI7WpsEyDXWImMSR0T3CuDmkeQ14pNmcqMp/bqX3i1aetadFTWsuhl0nH2iRqKZDJxZlScu99toq5GrdcFUcxGRQyl+sFhUh3XcBWJV7Y2wnFL2tY7thtQ8ZPmzTO8kPKCbEl5U6gCSIkpRPNZBPG4dT0qu+8Bd71Pu7nAy1iB4U6ys34cFlOlJpGM0FGr35LefbPR8bgz6M9XNjRbgMDQcXDMnfiDJ7E81oVBpCXN9ydHi1blhakuEBaoa9M/kazipGPmAuxrWBMmp2q0wzQp9GS2e8keJIDwJuyzELaRZC4yjVsVZQMK//D+4J3boU5drCmmm6C1rwNRfSZuFGNcIYDZeHteGoCF4EA5jcgdFaIYrDej6VAab42vN5LUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTYu5s1LVs/7+Fry8wMz6Iuuml6jDAdBgNVHQ4EFgQU2LubNS1bP+/ha8vMDM+iLrppeowwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQBbcHyV2b5mGwHWxCSbDwr5V7PgSZIJa1scrCnIHD3Z/yxG7Xp5cIlBj4My4lRHjZtJVvUfTjFpsEDEv/PAq74OIolN/kPdMfTczFBGpvsZr0x2yUPEJzQsTSLx0gwZ+wvoKHWE0C7GqgkABNrFW8FLqRzNqXsmM5oI4c3V5syxwBYFDUY5MPWdqJEDfRvjjJPCXmKOP1lO+i+E07vsFpDzHS2FKB5c6sTIZkvt+H/CG4hVu6ZvcFXXzv2JK/EoVZ6wUdClt4pLgTQZ/W0qQCJ3GjFe/PZ74mckW1x/zk9z0VQjUpTqz3AjPLIjj60nMLTLp50oFcMLjuXss0vv4tUjCTps2Qg9n0GwLlDR42Nyw2TKcMMB6ycEoNiUEu0lga1JM0SVSsFP7GSU/W9VqatK7xp/XW9/GDvgp3Z/pPM0E3i1tqp/nOU43Yof8Wi4JJ6zOgXBzqQxO6MILZJ4qEfenAtI7o95Ty5yk9vRboUstywsfC6CVsu08NL/ttw4OSXOvbkQ+7zMxCYT9YyQD5l/ltC3bgdj/lBZznsBuGYNOB16wDNcGpuuaeksfQfBDPHT+vR6gPVFZpyVwy/tzH6NTpUGDjoHVsCxUjY870OM4D2Jcj9OIqqdlkCoWO6i4Vec7sTzxiX39oNSr1G7Cobc3sYdhnxg/vlg1BeCJ87p0A=="
  ]
}

hashtag
JWT Payload

  • The JWT payload MUST conform to the private_key_jwt method as specified in OpenID Connect 1.0 Chapter 9arrow-up-right (2).

  • The JWT MUST always contain the iat claim.

  • The iss and sub claims MUST contain a valid Party Identifierarrow-up-right of the party that creates and signs the JWT (unless specified otherwise).

  • The aud claim MUST contain a valid Party Identifierarrow-up-right of the party receiving the JWT.

  • Both iat and exp MUST be formatted as Unix Timestamp.

  • Client Assertions used at the access token endpoint (/connect/token) MUST be set to expire in 30 seconds to mitigate replay attacks. The combination of iat and exp claims MUST reflect that.

  • JWTs other then Client Assertions MAY shorten or elongate the time difference of the validity of the JWT as per their requirements. 30 second difference is recommended as default. &#xNAN;Example: Delegation Evidence provided as JWT may be valid for 5 minutes. It is up to the involved parties to determine what is appropriate value.

  • The JWT MUST contain the jti claim for audit trail purposes. The jti is not necessary a GUID/UUID. A new jti key must be used for each JWT to avoid replay attacks.

  • Depending on the use of the JWT, other JWT payload data MAY be defined.

hashtag
Additional rationale

(1) In OAuth 2.0, clients are generally pre-registered. Since in iSHARE servers interact with clients that have been previously unknown, this is not a workable requirement. Therefore, iSHARE implements a generic client identification and authentication scheme, based on iSHARE whitelisted PKIs.

(2) Since OAuth 2.0 doesn't specify a PKI-based authentication scheme, but OpenID Connect 1.0 does, iSHARE chooses to use the scheme specified by OpenID Connect in all use cases. This is preferred over defining a new proprietary scheme.

(3) iSHARE implementation is compatible with the following RFC extensions of OAuth:

  • RFC7522: SAML 2.0 Assertions

  • RFC7523: JSON Web Tokens (JWTs)

Example JWT Payload:

hashtag
JWT Processing

  • A server SHALL NOT accept a JWT more than once for authentication of the Client. However, within its time to live, a Service Provider MAY forward a JWT from a Service Consumer to one or more other servers (Entitled Party or Authorisation Registry) to obtain additional evidence on behalf of the Service Consumer. These other servers SHALL accept the JWT for indirect authentication of the Service Consumer during the JWT’s complete time to live.

  • A server SHALL only accept a forwarded JWT if the aud claim of the forwarded JWT matches the iss claim of the JWT from the client that forwards the JWT.

  • JWT contents that are not specified within the iSHARE scope SHOULD be ignored.

PreviousOpenID4VP EndpointsNextClient Assertion

Last updated