I think Mike meant to write "JSON Web Token Best Current Practices" rather than "The OAuth 2.0 Token Exchange specification"
On Wed, Feb 19, 2020 at 3:07 PM Mike Jones <Michael.Jones= 40microsoft....@dmarc.ietf.org> wrote:

> The OAuth 2.0 Token Exchange specification is now RFC 8725 <https://www.rfc-editor.org/rfc/rfc8725.html> and BCP 225 <https://www.rfc-editor.org/info/bcp225>. The abstract of the specification is:
>
> JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.
>
> The JSON Web Token (JWT) specification [RFC 7519 <https://tools.ietf.org/html/rfc7519>] was approved in May 2015 <https://self-issued.info/?p=1387>, almost five years ago, and has been in production use since at least 2013. This Best Current Practices <https://tools.ietf.org/html/rfc1818> specification contains a compendium of lessons learned from real JWT deployments and implementations over that period. It describes pitfalls and how to avoid them as well as new recommended practices that enable proactively avoiding problems that could otherwise arise. Importantly, the BCP introduces no breaking changes to the JWT specification and does not require changes to existing deployments.
>
> The BCP came about as JWTs were starting to be used in new families of protocols and applications, both in the IETF and by others. For instance, JWTs are being used by the IETF STIR working group to enable verification of the calling party's authorization to use a particular telephone number for an incoming call, providing verified Caller ID <https://self-issued.info/?p=2045> to help combat fraudulent and unwanted telephone calls. The advice in the BCP can be used by new JWT profiles and applications to take advantage of what’s been learned since we created the JSON Web Token (JWT) specification over a half decade ago.
>
> -- Mike
>
> P.S. This notice was also posted at https://self-issued.info/?p=2052 and as @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth