- From: Rory Hewitt <rory.hewitt@gmail.com>
- Date: Tue, 22 Jul 2025 09:11:22 -0700
- To: Amos Jeffries <squid3@treenet.co.nz>
- Cc: ietf-http-wg@w3.org
- Message-ID: <CAEmMwDw2mfB_i725mE-YPU9+Dk3pweWabUqjJxoJSk9DZwnsTw@mail.gmail.com>
Is there a benefit to creating a specific new header for JWTs? I would suggest either passing them in an Authentication header (commonly currently used by some apps) or the application which needs them can define its own header (also common).

On Tue, Jul 22, 2025 at 8:24 AM Amos Jeffries <squid3@treenet.co.nz> wrote:

> On 22/07/25 06:28, Atul Tulshibagwale wrote:
> > Hello,
> > We are currently working on a draft for Transaction Tokens <https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/>, which envisions a new HTTP Request Header called "Txn-Token" <https://www.ietf.org/archive/id/draft-ietf-oauth-transaction-tokens-05.html#name-txn-token-http-header>. The header value is expected to be a JWT.
>
> Taking a brief look at the document ...
>
> > 2.1. What are Transaction Tokens?
> >
> > Txn-Tokens are short-lived, signed JWTs [RFC7519] that assert the identity of a user or a workload and assert an authorization context.
>
> So, if I am reading that correctly these are a cross between login credentials and a session ID.
>
> I am wondering why these credentials are using a custom header instead of being sent as part of HTTP Authentication (request) and Authentication-Info (response) headers.
>
> There is a lot of HTTP security behaviour that can be leveraged just by using the Authn headers instead of re-inventing the wheel.
>
> Cheers
> Amos

--
Rory Hewitt
https://www.linkedin.com/in/roryhewitt
Received on Tuesday, 22 July 2025 16:11:38 UTC
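The thread contrasts carrying a JWT in the standard HTTP Authentication headers with carrying it in an application-defined header such as the draft's "Txn-Token". The following is an added example, not code from the thread, the Transaction Tokens draft, or Squid: a server-side receiver that reads a bearer JWT from the Authorization header using the RFC 6750 syntax and error codes, builds the WWW-Authenticate challenge that the Authentication framework provides on a 401, and, for comparison, reads the same token from a custom header where no standard tells the client how to discover the header or interpret a failure. The function names, the header name default and the sample JWT are constructed for illustration; the code checks only the token's shape, not its signature.

```python
"""Added example (not from the original thread): a JWT received via the
standard Authorization header with the Bearer scheme (RFC 6750) versus via
an application-defined header. Names and sample values are constructed."""
import re
from typing import Dict, Optional, Tuple

# RFC 6750 b64token syntax: token characters followed by optional '=' padding.
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
# A compact JWS/JWT is three base64url segments separated by dots (RFC 7519);
# the third segment may be empty for an unsecured JWT.
_JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

# Constructed sample: header {"alg":"HS256"}, payload {"sub":"user1"},
# and a placeholder signature segment. Not a real signed token.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2ln"


def looks_like_jwt(value: str) -> bool:
    """Structural check only: three dot-separated base64url segments.
    Signature verification against the issuer's keys is a separate step."""
    return bool(_JWT_SHAPE.match(value))


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def extract_bearer(headers: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Pull a Bearer credential from Authorization. Returns (token, None) on
    success or (None, error_code) with the RFC 6750 section 3.1 error code;
    (None, None) means no credential was presented at all."""
    raw = _header(headers, "Authorization")
    if raw is None:
        return None, None  # absent: respond with a plain challenge, no error code
    parts = raw.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None, "invalid_request"  # wrong scheme or no credential after it
    token = parts[1].strip()
    if not _B64TOKEN.match(token) or not looks_like_jwt(token):
        return None, "invalid_token"  # present but malformed
    return token, None


def challenge(realm: str, error: Optional[str]) -> Dict[str, str]:
    """Build the 401 response header the Authentication framework gives you
    for free: a WWW-Authenticate challenge that generic clients understand."""
    value = 'Bearer realm="%s"' % realm
    if error:
        value += ', error="%s"' % error
    return {"WWW-Authenticate": value}


def extract_custom(headers: Dict[str, str], name: str = "Txn-Token") -> Tuple[Optional[str], Optional[str]]:
    """Same token read from an application-defined header (name is an assumed
    default). No standard challenge or error vocabulary applies here, so the
    service has to define both itself; this reuses the same shape check."""
    raw = _header(headers, name)
    if raw is None:
        return None, "missing"
    token = raw.strip()
    if not looks_like_jwt(token):
        return None, "malformed"
    return token, None


if __name__ == "__main__":
    req = {"Authorization": "Bearer " + SAMPLE_JWT}
    print(extract_bearer(req))
    print(challenge("api", extract_bearer({"Authorization": "Bearer ???"})[1]))
    print(extract_custom({"Txn-Token": SAMPLE_JWT}))
```

The point of the contrast is in the failure paths: with Authorization, the `invalid_request` and `invalid_token` codes and the WWW-Authenticate challenge are defined once, in RFC 6750, and intermediaries and client libraries already act on them; with a custom header, `missing` and `malformed` are conventions this one service invents, which every client and proxy in the path must be taught separately.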