- From: Brian Campbell <bcampbell@pingidentity.com>
- Date: Tue, 22 Jul 2025 12:20:58 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Atul Tulshibagwale <atul@sgnl.ai>, ietf-http-wg@w3.org
- Message-ID: <CA+k3eCS0O2AFA7X7hOzA1dBK-MtxRxABmyrqTiWWfpZ1CyxyRg@mail.gmail.com>
RFC 7519 defines JWT but for the purpose of this conversation a JWT is text that is composed of three base64url segments separated by the dot/period "." character. Here's some ABNF from a different draft that attempts to define/describe the structure.

    ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
    DIGIT = %x30-39 ; 0-9
    base64url = 1*(ALPHA / DIGIT / "-" / "_")
    JWT = base64url "." base64url "." base64url

An example of what one might look like in an HTTP header field (from a different RFC <https://datatracker.ietf.org/doc/html/rfc9449#section-5> ) is here with an unfortunate mix of extra spaces and RFC8792 "\" line wrapping:

    GET /protectedresource HTTP/1.1
    Host: resource.example.org
    Authorization: DPoP Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU
    DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6Ik\
     VDIiwieCI6Imw4dEZyaHgtMzR0VjNoUklDUkRZOXpDa0RscEJoRjQyVVFVZldWQVdCR\
     nMiLCJ5IjoiOVZFNGpmX09rX282NHpiVFRsY3VOSmFqSG10NnY5VERWclUwQ2R2R1JE\
     QSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiJlMWozVl9iS2ljOC1MQUVCIiwiaHRtIj\
     oiR0VUIiwiaHR1IjoiaHR0cHM6Ly9yZXNvdXJjZS5leGFtcGxlLm9yZy9wcm90ZWN0Z\
     WRyZXNvdXJjZSIsImlhdCI6MTU2MjI2MjYxOCwiYXRoIjoiZlVIeU8ycjJaM0RaNTNF\
     c05yV0JiMHhXWG9hTnk1OUlpS0NBcWtzbVFFbyJ9.2oW9RP35yRqzhrtNP86L-Ey71E\
     OptxRimPPToA1plemAgR6pxHF8y6-yqyVnmcw6Fy1dqd-jfxSYoMxhAJpLjA

There doesn't seem to be a natural fit of an HTTP Structured Field Values to carry a JWT.

On Tue, Jul 22, 2025 at 11:55 AM Mark Nottingham <mnot@mnot.net> wrote:

> Hi Atul,
>
> For the benefit of everyone who isn't familiar with JWTs, could you give a
> reference to the definition of their data structure?
>
> Cheers,
>
>
> > On 21 Jul 2025, at 8:28 pm, Atul Tulshibagwale <atul@sgnl.ai> wrote:
> >
> > Hello,
> > We are currently working on a draft for Transaction Tokens, which
> > envisions a new HTTP Request Header called "Txn-Token". The header value
> > is expected to be a JWT.
> >
> > We were debating (see comments here and the attached screenshot) which
> > HTTP Structured Header Type would be appropriate for such a value. We do
> > not want to enclose the value in quotes, so the STRING type cannot be
> > used. The JWTs also might be a bit long (> 1024 bytes).
> >
> > What is this group's guidance for proposals that want to add HTTP
> > Headers that have JWT as their values?
> >
> > Thanks,
> > Atul
> >
> > --
> > Atul Tulshibagwale
> > CTO
>
> --
> Mark Nottingham   https://www.mnot.net/
Received on Tuesday, 22 July 2025 10:21:29 UTC
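
Added example (not part of the original message or of any draft it cites): a structural check of a header field value against the ABNF quoted above, after undoing RFC 8792 single-backslash folding. The function names and the sample token are assumptions constructed for illustration; the signature is a placeholder and nothing here verifies it.

```python
import base64
import json
import re

# JWT = base64url "." base64url "." base64url
# base64url = 1*(ALPHA / DIGIT / "-" / "_")   (no "=" padding, no "~", no spaces)
JWT_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def unfold_rfc8792(text):
    # Single-backslash strategy: drop the "\", the line end, and leading spaces.
    return re.sub(r"\\\r?\n *", "", text)

def b64url_decode(segment):
    # base64url segments are unpadded; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def parse_field_value(value):
    """Return (header, claims, signature bytes); raise ValueError if malformed.
    Structure only: the signature is NOT verified."""
    value = value.strip(" \t")
    if not JWT_RE.fullmatch(value):
        raise ValueError("field value does not match the JWT ABNF")
    head, body, sig = value.split(".")
    try:
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        signature = b64url_decode(sig)
    except ValueError as exc:  # covers base64, JSON and UTF-8 decoding errors
        raise ValueError("segment is not base64url-encoded JSON") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and claims must be JSON objects")
    return header, claims, signature

def make_sample():
    # Constructed sample token; the 64 zero bytes stand in for a signature.
    header = {"typ": "dpop+jwt", "alg": "ES256"}
    claims = {"htm": "GET", "htu": "https://resource.example.org/protectedresource"}
    parts = [b64url_encode(json.dumps(obj).encode()) for obj in (header, claims)]
    return ".".join(parts + [b64url_encode(b"\x00" * 64)])

def fold(value, width=40):
    # Fold the way the quoted example is displayed: "\" then one leading space.
    return "\\\n ".join(value[i:i + width] for i in range(0, len(value), width))

if __name__ == "__main__":
    print(parse_field_value(unfold_rfc8792(fold(make_sample())))[0])
```

The Authorization value in the quoted request also has three dot-separated parts, but it contains "~", so the same check rejects it as a JWT.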