Overview#
Security Event Token (SET) is defined in RFC 8417. A SET may be distributed via a protocol such as HTTP.
The Security Event Token specification profiles the JSON Web Token (JWT), and a SET may optionally be signed and/or encrypted.
A Security Event Token describes a statement of fact that may be shared by an event publisher with event subscribers.
The following new claims are defined by this specification:
events (Security Events)#
The "events" claim contains a set of event statements that each provide information describing a single logical event that has occurred about a security subject (e.g., a state change to the subject). Multiple event identifiers with the same value MUST NOT be used. The "events" claim MUST NOT be used to express multiple independent logical events.
The value of the "events" claim is a JSON Object whose members are name/value pairs whose names are URIs identifying the event statements being expressed. Event identifiers SHOULD be stable values (e.g., a permanent URL for an event specification). For each name present, the corresponding value MUST be a JSON object. The JSON object MAY be an empty object ("{}"), or it MAY be a JSON object containing data described by the profiling specification.
"txn" (Transaction Identifier) Claim#
"txn" is an OPTIONAL string value that represents a unique transaction identifier. In cases in which multiple related JWTs are issued, the transaction identifier claim can be used to correlate these related JWTs. Note that this claim can be used in JWTs that are SETs and also in JWTs using non-SET profiles.
"toe" (Time of Event) Claim#
"toe" is a value that represents the date and time at which the event occurred. This value is a NumericDate (see Section 2 of RFC 7519). By omitting this claim, the issuer indicates that they are not sharing an event time with the recipient. (Note that in some use cases, the represented time might be approximate; statements about the accuracy of this field MAY be made by profiling specifications.) This claim is OPTIONAL.
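The claim rules above can be checked by a receiver before it acts on a SET. The following is an added example, not code from RFC 8417 or from this page; it assumes the JWT signature has already been verified, and the names `check_set_claims`, `SetClaimError` and `SAMPLE` are hypothetical. Treating a missing or empty "events" object as an error and testing URIs by scheme presence are assumptions of the example.

```python
import json
from urllib.parse import urlsplit


class SetClaimError(ValueError):
    """Raised when a claims set breaks a rule described above."""


# Constructed sample payload (event URI and values are made up).
SAMPLE = '{"events": {"https://events.example/password-reset": {}}, "txn": "tx-1", "toe": 1700000000}'


def _no_duplicate_members(pairs):
    # json.loads would silently keep the last duplicate; the "events" rules
    # forbid repeated event identifiers, so reject any repeated member name.
    seen = {}
    for name, value in pairs:
        if name in seen:
            raise SetClaimError(f"duplicate member name: {name!r}")
        seen[name] = value
    return seen


def check_set_claims(payload_json):
    """Validate events/txn/toe in a decoded SET payload; return the event URIs."""
    try:
        claims = json.loads(payload_json, object_pairs_hook=_no_duplicate_members)
    except json.JSONDecodeError as exc:
        raise SetClaimError(f"not JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise SetClaimError("claims set must be a JSON object")

    events = claims.get("events")
    # Assumption: a payload handled as a SET must carry a non-empty "events".
    if not isinstance(events, dict) or not events:
        raise SetClaimError('"events" must be a non-empty JSON object')
    for uri, body in events.items():
        if not urlsplit(uri).scheme:  # heuristic: a URI has a scheme
            raise SetClaimError(f"event identifier is not a URI: {uri!r}")
        if not isinstance(body, dict):  # "{}" is allowed, other types are not
            raise SetClaimError(f"value for {uri!r} must be a JSON object")

    if "txn" in claims and not isinstance(claims["txn"], str):
        raise SetClaimError('"txn" must be a string')
    toe = claims.get("toe")
    # NumericDate is a JSON number; bool is excluded because it subclasses int.
    if "toe" in claims and (isinstance(toe, bool) or not isinstance(toe, (int, float))):
        raise SetClaimError('"toe" must be a NumericDate')
    return list(events)
```

The duplicate-name hook matters because a parser that keeps only the last duplicate would let two components of a pipeline disagree about which event statement a SET carries.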
Structured Syntax Suffix Registration#
IANA has registered the "+jwt" Structured Syntax Suffix [RFC 6838] in the "Structured Syntax Suffix" registry [IANA.StructuredSuffix] in the manner described in RFC 6838, which can be used to indicate that the media type is encoded as a JWT.