Composite Token Claims

Claims Composition claims contain one or more claim sets. In tokens without composition claims, there is exactly one set of claims, so the acceptability of the claim set decides the acceptability of the token. However, this document defines multiple claim sets, so it instead refers to accepting or rejecting claim sets. If the primary claim set is unacceptable, the token is unacceptable and MUST be rejected. Some applications use tokens to convey information. For example, a token might simply have a subject claim that identifies the bearer and the relying party simply uses that as information, not necessarily as a means by which to provide or deny access or make some other kind of decision. In this context, the token simply describes all situations in which the token would accurately describe that situation. Composition claims may be nested arbitrarily. Implementations MAY reject tokens exceeding an implementation-defined nesting depth but MUST support at least four levels.

Logical Claims These claims identify one or more sets of claims in a logical relation. The type of these claims is array and the elements of the array are maps that are themselves sets of claims. In CWTs, the value is a CBOR array of CBOR maps. In JWTs, the value is a JSON array of JSON objects. For the following CDDL, Claims-Set is a map of claims as defined in . It is described informatively in , Appendix D.

or (Or) Claim The "or" (Or) claim identifies one or more claim sets of which at least one is acceptable. If none of the claim sets in an "or" claim is acceptable, the claim set containing the "or" claim is also unacceptable. Use of this claim is OPTIONAL. In JWTs, the Claim Name is "or" and the Claim Value is a JSON array of JSON objects. In CWTs, the Claim Key is TBD (to be registered in the "CBOR Web Token (CWT) Claims" registry). The "or" (Or) claim is described by the following CDDL: or-claim-value ) or-claim-label = TBD or-claim-value = [ + Claims-Set ] ]]>

nor (Not Or) Claim The "nor" (Nor) claim identifies one or more claim sets of which none are acceptable. If any claim set in a "nor" claim is acceptable, the claim set containing the "nor" claim is also unacceptable. This is the logical negation of the "or" claim. Use of this claim is OPTIONAL. In JWTs, the Claim Name is "nor" and the Claim Value is a JSON array of JSON objects. In CWTs, the Claim Key is TBD (to be registered in the "CBOR Web Token (CWT) Claims" registry). The "nor" (Nor) claim is described by the following CDDL: nor-claim-value ) nor-claim-label = TBD nor-claim-value = [ + Claims-Set ] ]]>

and (And) Claim The "and" (And) claim identifies one or more claim sets of which all are acceptable. If any claim set in an "and" claim is not acceptable, the claim set containing the "and" claim is also unacceptable. The "and" claim is often unnecessary because a claim set is only accepted when all its claims are acceptable. However, CBOR maps cannot have duplicate keys, so claims cannot be repeated. The "and" claim is useful when a claim needs to appear multiple times, like when using the "or" and "nor" claims. Use of this claim is OPTIONAL. In JWTs, the Claim Name is "and" and the Claim Value is a JSON array of JSON objects. In CWTs, the Claim Key is TBD (to be registered in the "CBOR Web Token (CWT) Claims" registry). The "and" (And) claim is described by the following CDDL: and-claim-value ) and-claim-label = TBD and-claim-value = [ + Claims-Set ] ]]>

Examples These logical claims can be used to describe more complex relationships between claims. For example, the following claim set describes a token with multiple subject claims. This token describes a situation where either of the two subjects must be true, but the issuer is not disclosing which one must be true or even whether the two subjects are genuinely different. A relying party that receives this token knows that bearer claims to be both George and Harriet and if either subject is acceptable, the token is acceptable. The following JWT claim set example is equivalent: The "nor" claim is useful both as a logical negation, even when only one claim is present. For example, consider the following claim set: This token is intended for any audience except "example.com". The following JWT claim set example is equivalent: Complex relationships can also be described using the claims in combination. The "geohash" claim describes a geographical region. For example: This token describes an audience of "https://example.com" and a region described by the geohash of "9q8yy" that does not include the region described by "9q8yy9" or "9q8yyd". And if a very complex relationship is required, the "and" claim can be used to combine multiple claims. For example, consider the following claim set: This admittedly contrived example describes a token that is valid for both George and Harriet and is intended for both https://example.com and https://example.net. It is a bit contrived because the "aud" claim already describes a list of acceptable audiences. The use of the "and" claim is required in order to effectively repeat the "or" claim, because a single claim set cannot contain the same claim twice.

crit (Critical) Claim The "crit" (Critical) claim indicates critical extensions to this kind of claim set. The semantics of the JWT claim name "crit" are defined by OpenID Federation 1.0 . This specification defines only the CWT representation. The value of this claim is an array. Each element identifies a claim within the same claim set. In CWTs, elements are integers or text strings identifying claim keys. The "crit" array MUST NOT be empty. Each element of the "crit" array MUST identify a claim that is present in the same claim set. Elements in the "crit" array MUST be unique. Elements in the "crit" array MUST NOT identify claims that are specified as MANDATORY to understand for the token. This will vary by application profile as described in [RFC7519], Section 4. As noted in , Section 13.4, any profile that requires correct processing of the "crit" claim MUST of necessity specify that it is MANDATORY to understand. If a claim listed in the "crit" claim is present in a claim set and the processor cannot process the claim for any reason, the claim set MUST be rejected. If a claim listed in the "crit" claim is not present in a claim set, the claim set MUST be rejected. (TODO: Square this with the OpenID definition. The OpenID definition does not explicitly require claim sets to be rejected if the claim name rules like including duplicates, empty arrays, or the presence of claims that are not present in the claim set.) Use of this claim is OPTIONAL. In CWTs, the Claim Key is TBD (to be registered in the "CBOR Web Token (CWT) Claims" registry).

Example A "crit" claim can be used in conjunction with logical claims to condition a portion of the token on the ability to process a claim: This example assumes the existence of some kind of claim in the private space that a relying party may or may not be able to process. This token claims that the subject is in the described region and also that a private claim is present and that the relying party must be able to verify at least one of those claims, but it does not need to be able to process both.