LWS 1.0 Authentication Suite: Self-signed Identity using Controlled Identifiers

W3C First Public Working Draft 23 April 2026

Abstract

This document defines an authentication suite for the Linked Web Storage (LWS) protocol, enabling clients that are able to sign their own identity tokens to integrate with LWS.

Status of This Document

This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C standards and drafts index.

This is an unofficial proposal.

This document was published by the Linked Web Storage Working Group as a First Public Working Draft using the Recommendation track.

Publication as a First Public Working Draft does not imply endorsement by W3C and its Members.

This is a draft document and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to cite this document as other than a work in progress.

This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent that the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 18 August 2025 W3C Process Document.

Self-issued identity is important for cases where applications act on their own behalf. This includes autonomous bots as well as server-side scripts, among others. In these cases, the agent is able to securely manage the private portion of a keypair, which it uses to generate signed JSON Web Tokens (JWT). This specification describes how this class of agents can generate authentication credentials that can be used with a Linked Web Storage.

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY, MUST, and MUST NOT in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

The terms "authorization server" and "client" are defined by The OAuth 2.0 Authorization Framework [RFC6749].

The terms "controlled identifier document" and "verification method" are defined by W3C Controlled Identifiers 1.0 [CID-1.0].

The terms "JSON Web Token (JWT)" and "claim" are defined by JSON Web Token [RFC7519].

The terms "authentication credential" and "authentication suite" are defined by Linked Web Storage Protocol [LWS-PROTOCOL]

A self-issued authentication credential is serialized as a signed JSON Web Token (JWT). In order to use a JWT as an LWS authentication credential, the following additional requirements apply.

The JWT MUST NOT use "none" as the signing algorithm.

The JWT MUST use the sub (subject) claim for the LWS subject identifier.

The JWT MUST use the iss (issuer) claim for the LWS issuer identifier.

The JWT MUST use the client_id (client ID) claim for the LWS client identifier.

The claims sub, iss, and client_id MUST all use the same URI value.

Any audience restriction in the ID Token MUST use the aud (audience) claim. The aud claim MUST include the target authorization server.

The JWT MUST include an exp (expiration) claim, indicating the time the token expires.

The JWT MUST include an iat (issued at) claim, indicating the time the token was issued.

An example JWT that is also an LWS authentication credential is included below.

Example 1

{
  "kid": "c1f52577",
  "kty": "EC",
  "alg": "ES256",
  "typ": "JWT",
  "crv": "P-256"
}
.
{
  "sub": "https://id.example/agent",
  "iss": "https://id.example/agent",
  "client_id": "https://id.example/agent",
  "aud": ["https://as.example"],
  "iat": 1761313600,
  "exp": 1761313900
}
.
signature

In order to validate a JWT as an LWS authentication credential, there must be a trust relationship between the verifier and the issuing party.

In the absence of a pre-existing trust relationship, the verifier MUST dereference the sub (subject) claim in the authentication credential. The resulting resource MUST be formatted as a valid controlled identifier document [CID-1.0] with an id value equal to the subject identifier.

A verifier MUST reject any tokens using an alg header parameter that equals "none".

A verifier MUST validate all claims described by the authentication credential data model.

The verifier MUST use the kid (key id) value from the signed JWT header to identify a verification method from the subject's controlled identifier document. This process is described in [CID-1.0] Section 3.3. Using the selected verification method from the controlled identifier document, the signature of the JWT MUST be validated as described in [RFC7515], Section 5.2.

A verifier MUST ensure that the current time is before the time represented by the exp claim. Implementers MAY provide for some small leeway to account for clock skew.

An example Controlled Identifier Document is included below.

Example 2

{
    "@context": [
        "https://www.w3.org/ns/cid/v1" ],
    "id": "https://id.example/agent",
    "authentication": [{
        "id": "https://id.example/agent#c1f52577",
        "type": "JsonWebKey",
        "controller": "https://id.example/agent",
        "publicKeyJwk": {
            "kid": "c1f52577",
            "kty": "EC",
            "crv": "P-256",
            "alg": "ES256",
            "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
            "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
        }
    }]
}

A self-issued JSON Web Token used as an authentication credential MUST use the urn:ietf:params:oauth:token-type:jwt URI when interacting with an authorization server.

This section is non-normative.

All security considerations described in "Best Current Practice for OAuth 2.0 Security" [RFC9700] and "OpenID Connect Core 1.0" Section 16 [OPENID-CONNECT-CORE] apply to this specification.

This section is non-normative.

Issue 119: Add Privacy Considerations sections to the authentication suites

This section needs to be completed.

[CID-1.0]: Controlled Identifiers v1.0. Michael Jones; Manu Sporny. W3C. 15 May 2025. W3C Recommendation. URL: https://www.w3.org/TR/cid-1.0/
[LWS-PROTOCOL]: LWS Protocol. W3C. FPWD. URL: https://www.w3.org/TR/lws-core/
[RFC2119]: Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC6749]: The OAuth 2.0 Authorization Framework. D. Hardt, Ed. IETF. October 2012. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc6749
[RFC7515]: JSON Web Signature (JWS). M. Jones; J. Bradley; N. Sakimura. IETF. May 2015. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc7515
[RFC7519]: JSON Web Token (JWT). M. Jones; J. Bradley; N. Sakimura. IETF. May 2015. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc7519
[RFC8174]: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174

[OPENID-CONNECT-CORE]: OpenID Connect Core 1.0 incorporating errata set 2. N. Sakimura; J. Bradley; M. Jones; B. de Medeiros; C. Mortimore. OpenID Foundation. 15 December 2023. Final. URL: https://openid.net/specs/openid-connect-core-1_0.html
[RFC9700]: Best Current Practice for OAuth 2.0 Security. T. Lodderstedt; J. Bradley; A. Labunets; D. Fett. IETF. January 2025. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc9700

LWS 1.0 Authentication Suite: Self-signed Identity using Controlled Identifiers

Abstract

Status of This Document

1. Introduction

2. Conformance

3. Terminology

4. Authentication Credential Serialization

5. Authentication Credential Validation

6. Token Type Identifier

7. Security Considerations

8. Privacy Considerations

A. References

A.1 Normative references

A.2 Informative references