[Openid-specs-ab] OpenID Connect: Explicitly typed ID tokens and UserInfo
Vladimir Dzhuvinov
vladimir at connect2id.com
Tue Mar 29 15:19:10 UTC 2022
The classic OIDC appears to be no longer the hot topic here, but I want
to inform the WG that after resisting pressure from users for some time
we recently started supporting explicitly typed ID tokens and UserInfo
JWTs, the rationale being the prevention of mix-ups in applications with
many types of JWTs floating around, plus making it easier for code and
people to determine the JWT purpose by simply examining the "typ" (type)
header and not having to analyze the claims structure.
By explicit JWT typing I mean use of the optional "typ" header in a JWT,
something the JWT profile for access tokens for instance uses (and other
OAuth-related specs that carry JWTs).
{ "kid" : "1", "alg" : "RS256", "typ" : "id_token+jwt" }
{ "kid" : "1", "alg" : "RS256", "typ" : "userinfo+jwt" }
I know this is non-standard and may likely break existing validation
code and client libraries. If you have thoughts or feedback about this
typing, good or bad, I'd love to hear it.
Vladimir
--
Vladimir Dzhuvinov
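
Added example, not part of the original message and not Connect2id's code: a relying-party check that reads the "typ" header before any other validation and rejects a JWT presented for the wrong purpose. The purpose names, the `allow_untyped` switch and the sample tokens are assumptions made for illustration.

```python
import base64
import json

# typ values are the two from the message; the purpose keys are assumed names.
EXPECTED_TYP = {"id_token": "id_token+jwt", "userinfo": "userinfo+jwt"}

class JWTTypeError(ValueError):
    """The JWT header is unreadable or its typ does not fit the purpose."""

def read_header(jwt):
    """Decode the JOSE header of a compact JWS without verifying anything."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise JWTTypeError("not a three-part compact JWS")
    try:
        raw = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
        header = json.loads(raw)
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise JWTTypeError("unreadable header") from exc
    if not isinstance(header, dict):
        raise JWTTypeError("header is not a JSON object")
    return header

def check_typ(jwt, purpose, allow_untyped=False):
    """Return the normalised typ when it fits `purpose`, otherwise raise.

    Runs before signature and claims validation and does not replace them.
    allow_untyped (assumed migration switch) accepts tokens with no typ,
    as issued by providers that do not type their JWTs.
    """
    typ = read_header(jwt).get("typ")
    if typ is None:
        if allow_untyped:
            return ""
        raise JWTTypeError("typ header missing")
    if not isinstance(typ, str):
        raise JWTTypeError("typ is not a string")
    norm = typ.lower()  # media type names compare case-insensitively
    if norm.startswith("application/"):  # RFC 7515 lets this prefix be omitted
        norm = norm[len("application/"):]
    if norm != EXPECTED_TYP[purpose]:
        raise JWTTypeError(f"expected {EXPECTED_TYP[purpose]}, got {typ}")
    return norm

def make_sample(typ):
    """Constructed, unsigned sample token; the signature part is a dummy."""
    header = {"kid": "1", "alg": "RS256"}
    if typ is not None:
        header["typ"] = typ
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'alice'})}.c2ln"
```

A UserInfo JWT passed to `check_typ(..., "id_token")` fails on the header alone, without the claims structure being inspected.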