oauth2.dev

txn

IESG

Registry Context

The `txn` claim is an optional string containing a unique transaction identifier. It can correlate multiple related JWTs.

Technical Summary

RFC 8417 defines `txn` for both Security Event Tokens and non-SET JWT profiles. RFC 7519's general JWT processing rules also require unique claim names and require unrecognized claims to be ignored.

When Used

When related JWTs need to be correlated using a shared transaction identifier.

Normative Requirements

Unspecified actor

OPTIONAL
1
  1. RFC 8417 - Section 2.2

    Include the `txn` claim as a string value representing a unique transaction identifier..

    An OPTIONAL string value that represents a unique transaction identifier.

JWT implementations

MUST
1
  1. RFC 7519 - Section 4

    Ignore claims that are not understood in the absence of application-specific processing requirements..

    Condition: When no applicable specification defines processing requirements for the claim.

    all claims that are not understood by implementations MUST be ignored

JWT parsers

MUST
1
  1. RFC 7519 - Section 4

    Reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name..

    Condition: When processing a JWT Claims Set.

    JWT parsers MUST either reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name.

Validation Guidance

info

Allow `txn` to be absent because its use is optional.

error

When present, verify that `txn` is a string representing a transaction identifier.

error

Reject the JWT or apply lexically-last-member handling if duplicate `txn` claim names occur.

info

Ignore `txn` when it is not understood and no applicable profile defines processing rules for it.

Reference

Details

Entry Id
txn
Claim Name
txn
Claim Description
Transaction Identifier
Change Controller
IESG
Reference
RFC8417 - Section 2.2