clarified fields versus claims and IANA registry name #92
Conversation
| @@ -542,7 +542,7 @@ Txn-Tokens SHOULD NOT be logged if they contain Personally Identifiable Informat | |||
|
|
|||
| # IANA Considerations {#IANA} | |||
|
|
|||
| This specification registers the following claims defined in Section {{txn-token-header}} to the OAuth Access Token Types Registry defined in {{RFC6749}}, and the following claims defined in Section {{txn-token-claims}} in the IANA JSON Web Token Claims Registry defined in {{RFC7519}} | |||
| This specification registers the following field defined in Section {{txn-token-header}} to the OAuth Access Token Types Registry defined in {{RFC6749}}, and the following claims defined in Section {{txn-token-claims}} in the IANA JSON Web Token Claims Registry defined in {{RFC7519}} | |||
There was a problem hiding this comment.
Lots to unpack here that goes beyond changing one word...
The referenced section {{txn-token-header}} is JWT Header which calls headers claims. Headers are not claims. Also the value of the typ header is supposed to be a media type so the txn_token value probably isn't quite right and the registration for it below certainly isn't right. Also the urn:ieft:params:oauth:token-type:txn-token URI is missing a registration and the Txn-Token Request section that defines it has some major formatting issues.
Some related reading, issues, and examples of these things being done in other specs follows:
#84
https://www.rfc-editor.org/rfc/rfc7515#section-4.1.9
https://www.rfc-editor.org/rfc/rfc7519#section-5.1
https://www.rfc-editor.org/rfc/rfc8725.html#name-use-explicit-typing
https://datatracker.ietf.org/doc/html/rfc9068#name-header
https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-proof-jwt-syntax
https://www.rfc-editor.org/rfc/rfc7519.html#section-10.2
There was a problem hiding this comment.
I'm pulling out the misuse of the "typ" Header Parameter as a separate issue so that it can be discussed on its own.
No description provided.