Linked Data in JWTs #3

Closed
msporny opened this issue Nov 28, 2016 · 3 comments
Labels
security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response.

Comments

@msporny
Member

msporny commented Nov 28, 2016

Is the approach that we've taken to embed Linked Data in JWTs valid? Is it okay to just include JSON-LD data in a JWT? Should we be embedding NQuads instead? What is the most appropriate format for expressing data in a JWT and JSON-LD?

@msporny msporny added the security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. label Nov 28, 2016
@jonnycrunch
Contributor

My understanding is that it is valid, additional data is currently sent in the OpenID Connect standard as JWT over the OAUTH2 protocol.

@msporny
Member Author

msporny commented Dec 6, 2016

> My understanding is that it is valid, additional data is currently sent in the OpenID Connect standard as JWT over the OAUTH2 protocol.

Sorry, I should not have used "valid". What I meant is, from a standardization perspective, is it okay to just include data? I would expect that we should spec out what needs to be included and there may be an RFC publication process that I'm unaware of where it's good practice to publish extensions to JWTs via that extension registry. So, the "validity" had more to do with the process than it did the data format.

The other questions had to do with "best mode" for data format. For example, we're digitally signing JWTs, which means we're forcing JSON, which means that the digital signatures won't work in other data syntaxes. This is not a limitation w/ Linked Data Signatures, you can have multiple representation syntaxes w/ LDS where you can't with JWT. So, the question had to do with whether we should be expressing the data in a unified format (like NQuads) and then doing a JWT signature over that data. At least in that case, we could have a unified signature across all formats. The downside there being that maybe 0.001% of Web developers even know what NQuads are.

I hope that clarifies the question.
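
The trade-off raised in the comment above, as an added example that is not part of the original thread or of any project's code: a JWS-style signature covers exact payload bytes, so two JSON-LD documents carrying the same statements do not share a signature, while a signature over a canonical N-Quads form does. `to_nquads` is a hypothetical, simplified converter (flat document, string literals, no blank nodes), and the HS256 key and sample documents are constructed.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; HS256 keeps the demo stdlib-only

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jws_hs256(payload: bytes, key: bytes = KEY) -> str:
    """Compact JWS (RFC 7515): the MAC covers the exact payload bytes."""
    header = b64u(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    signing_input = f"{header}.{b64u(payload)}".encode()
    mac = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{signing_input.decode()}.{b64u(mac)}"

def verify(token: str, payload: bytes, key: bytes = KEY) -> bool:
    """Recompute the JWS over the verifier's own bytes; constant-time compare."""
    return hmac.compare_digest(token, jws_hs256(payload, key))

def to_nquads(doc: dict) -> bytes:
    """Hypothetical, simplified JSON-LD -> N-Quads: flat document, string
    literals only, no blank nodes. Real code needs RDF Dataset Normalization."""
    ctx, subject = doc["@context"], doc["@id"]
    lines = [f"<{subject}> <{ctx[term]}> {json.dumps(value)} ."
             for term, value in doc.items() if not term.startswith("@")]
    return ("\n".join(sorted(lines)) + "\n").encode()

# Constructed sample: the same two statements written as two JSON-LD documents
# that differ in term names and key order.
DOC_A = {"@context": {"name": "http://schema.org/name",
                      "alumniOf": "http://schema.org/alumniOf"},
         "@id": "did:example:123",
         "name": "Alice", "alumniOf": "Example University"}
DOC_B = {"alum": "Example University", "n": "Alice",
         "@id": "did:example:123",
         "@context": {"alum": "http://schema.org/alumniOf",
                      "n": "http://schema.org/name"}}

def compare() -> dict:
    raw_a, raw_b = json.dumps(DOC_A).encode(), json.dumps(DOC_B).encode()
    token_json = jws_hs256(raw_a)            # signature over one JSON syntax
    token_nq = jws_hs256(to_nquads(DOC_A))   # signature over canonical quads
    return {"json_verifies_on_b": verify(token_json, raw_b),
            "nquads_verifies_on_b": verify(token_nq, to_nquads(DOC_B))}

if __name__ == "__main__":
    print(compare())
```
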

@msporny
Member Author

msporny commented Feb 13, 2018

No one has worked on this issue. I suggest we close it.

The latest RsaSignature2018 cryptography suite supports JOSE JWS-style signatures: digitalbazaar/jsonld-signatures@f583bd4

Given that no one in the group has written a JWT-based VC implementation, I'm suggesting that we close this issue for the 1.0 work. We can always support JWT-based VCs later if someone decides to write a spec encapsulating VCs in JWTs.

Notice: Closing this issue on or after 2018-2-20.
