Re: New issue: Header type for JWT format values from Brian Campbell on 2025-07-22 (ietf-http-wg@w3.org from July to September 2025)

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 22 Jul 2025 12:20:58 +0200
To: Mark Nottingham <mnot@mnot.net>
Cc: Atul Tulshibagwale <atul@sgnl.ai>, ietf-http-wg@w3.org
Message-ID: <CA+k3eCS0O2AFA7X7hOzA1dBK-MtxRxABmyrqTiWWfpZ1CyxyRg@mail.gmail.com>

RFC 7519 defines JWT but for the purpose of this conversation a JWT is text
that is composed of three base64url segments separated by the dot/period
"." character.

Here's some ABNF from a different draft that attempts
to define/describe the structure.

ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
DIGIT = %x30-39 ; 0-9
base64url = 1*(ALPHA / DIGIT / "-" / "_")
JWT =  base64url "." base64url "." base64url

An example of what one might look like in an HTTP header field (from a
different RFC <https://datatracker.ietf.org/doc/html/rfc9449#section-5> )
is here with an unfortunate mix of extra spaces and RFC8792 "\" line
wrapping:

GET /protectedresource HTTP/1.1
Host: resource.example.org
Authorization: DPoP Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU
DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6Ik\
 VDIiwieCI6Imw4dEZyaHgtMzR0VjNoUklDUkRZOXpDa0RscEJoRjQyVVFVZldWQVdCR\
 nMiLCJ5IjoiOVZFNGpmX09rX282NHpiVFRsY3VOSmFqSG10NnY5VERWclUwQ2R2R1JE\
 QSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiJlMWozVl9iS2ljOC1MQUVCIiwiaHRtIj\
 oiR0VUIiwiaHR1IjoiaHR0cHM6Ly9yZXNvdXJjZS5leGFtcGxlLm9yZy9wcm90ZWN0Z\
 WRyZXNvdXJjZSIsImlhdCI6MTU2MjI2MjYxOCwiYXRoIjoiZlVIeU8ycjJaM0RaNTNF\
 c05yV0JiMHhXWG9hTnk1OUlpS0NBcWtzbVFFbyJ9.2oW9RP35yRqzhrtNP86L-Ey71E\
 OptxRimPPToA1plemAgR6pxHF8y6-yqyVnmcw6Fy1dqd-jfxSYoMxhAJpLjA

There doesn't seem to be a natural fit of an HTTP Structured Field Values
to carry a JWT.



On Tue, Jul 22, 2025 at 11:55 AM Mark Nottingham <mnot@mnot.net> wrote:

> Hi Atul,
>
> For the benefit of everyone who isn't familiar with JWTs, could you give a
> reference to the definition of their data structure?
>
> Cheers,
>
>
> > On 21 Jul 2025, at 8:28 pm, Atul Tulshibagwale <atul@sgnl.ai> wrote:
> >
> > Hello,
> > We are currently working on a draft for Transaction Tokens, which
> envisions a new HTTP Request Header called "Txn-Token". The header value is
> expected to be a JWT.
> >
> > We were debating (see comments here and the attached screenshot) which
> HTTP Structured Header Type would be appropriate for such a value. We do
> not want to enclose the value in quotes, so the STRING type cannot be used.
> The JWTs also might be a bit long (> 1024 bytes).
> >
> > What is this group's guidance for proposals that want to add HTTP
> Headers that have JWT as their values?
> >
> > Thanks,
> > Atul
> >
> > --
> >  Atul Tulshibagwale
> >  CTO
> >
> > <image.png>
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

Received on Tuesday, 22 July 2025 10:21:29 UTC