RFC Errata
RFC 8225, "PASSporT: Personal Assertion Token", February 2018
Source of RFC: stir (art)
Errata ID: 5985
Status: Reported
Type: Editorial
Publication Format(s) : TEXT
Reported By: James Manger
Date Reported: 2020-02-20
Section 7.1 says:
eyJkZXN0Ijp7InVyaSI6WyJzaXA6YWxpY2VAZXhhbXBsZS5jb20iXX0sImlhdCI 6IjE0NDMyMDgzNDUiLCJvcmlnIjp7InRuIjoiMTIxNTU1NTEyMTIifX0
It should say:
eyJkZXN0Ijp7InVyaSI6WyJzaXA6YWxpY2VAZXhhbXBsZS5jb20iXX0sImlhdCI 6MTQ0MzIwODM0NSwib3JpZyI6eyJ0biI6IjEyMTU1NTUxMjEyIn19Cg
Notes:
The "iat" claim in the example's JWT payload is incorrectly encoded as a string (with double-quotes around its value), instead of a number (without double-quotes).
WRONG: Base64url( ... "iat":"1443208345", ... ) = ... 6IjE0NDMyMDgzNDUiLCJv ...
RIGHT: Base64url( ... "iat":1443208345, ... ) = ... 6MTQ0MzIwODM0NSwi ...
The same example appears in Appendix A, where it is correct. I assume the JWS signature in section 7.1 should also be replaced with the value from Appendix A.