[Openid-specs-ab] Issue #1170: typ in the Request Object? (openid/connect)

Nat issues-reply at bitbucket.org
Thu Jun 4 11:31:28 UTC 2020

New issue 1170: typ in the Request Object?

Nat Sakimura:

Brock Allen noted in the OAuth WG (May 7, 2020) that:

1. When decoded, all the JWT samples are missing the "typ" claim from the header, which I think should be "oauth.authz.req+jwt".
2. When validating the JAR if we are to validate the "typ" then this would be incompatible with OIDC's request object, I think?
3. When the JAR is passed by reference, then the HTTP response Content-Type of "application/oauth.authz.req+jwt" would also seem to break or be incompatible with OIDC's request object passed by reference?

There might need to be clarification when mixing this w/ an OIDC OP implementation. 


Draft -23 of OAuth JAR [https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-23](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-23) has implemented the Content-Type but has not done so for the “typ” claim, as we thought it came in way too late and it may be breaking the compatibility with Connect too much.

Please discuss. 

Also, should we try to back-port these?
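
The compatibility problem raised in point 2, as an added example that is not part of the original message or of any draft text: a "typ" check run in a strict mode and in a lenient mode over constructed, unsigned sample tokens. The function names and the lenient policy (accept a missing "typ", reject a wrong one) are assumptions of this sketch, and signature verification is deliberately out of scope.

```python
import base64
import json

JAR_TYP = "oauth.authz.req+jwt"  # value quoted in the thread

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample(header):
    # Constructed sample: placeholder claims and a dummy signature segment.
    return ".".join([_b64url(header), _b64url({"client_id": "example"}), "c2ln"])

def jose_header(compact_jws):
    """Decode the protected header of a compact JWS (no signature check)."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[0] + "=" * (-len(parts[0]) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header

def normalize_typ(typ):
    # RFC 7515 section 4.1.9: the "application/" prefix may be omitted,
    # and media type names compare case-insensitively.
    t = typ.lower()
    prefix = "application/"
    if t.startswith(prefix) and "/" not in t[len(prefix):]:
        t = t[len(prefix):]
    return t

def check_request_object_typ(compact_jws, require_typ):
    """Return (accepted, reason). require_typ=True is the strict reading."""
    typ = jose_header(compact_jws).get("typ")
    if typ is None:
        return (not require_typ, "typ absent")
    if not isinstance(typ, str):
        return (False, "typ is not a string")
    if normalize_typ(typ) == JAR_TYP:
        return (True, "typ matches")
    return (False, "unexpected typ: " + typ)

OIDC_STYLE = make_sample({"alg": "RS256"})                  # no typ header
JAR_STYLE = make_sample({"alg": "RS256", "typ": JAR_TYP})
GENERIC_JWT = make_sample({"alg": "RS256", "typ": "JWT"})

if __name__ == "__main__":
    for name, tok in [("oidc", OIDC_STYLE), ("jar", JAR_STYLE), ("jwt", GENERIC_JWT)]:
        print(name, check_request_object_typ(tok, True), check_request_object_typ(tok, False))
```
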
