[Openid-specs-ab] OpenID Connect: Explicitly typed ID tokens and UserInfo
Vittorio Bertocci
vittorio at auth0.com
Tue Mar 29 16:02:43 UTC 2022
Hi Vladimir!
We introduced explicit typing in the JWT access token profile - in theory,
that should be enough to distinguish as in all other JWTs floating in OIDC
are either IDtokens or don't strictly require signature validation (eg
userinfo ones coming from a direct connection rather than redirects).
What are the use cases where the extra info you are embedding there leads
to different processing logic?
thanks
V.
On Tue, Mar 29, 2022 at 8:20 AM Vladimir Dzhuvinov via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> *This message originated outside your organization.*
>
> ------------------------------
>
> The classic OIDC appears to be no longer the hot topic here, but I want to
> inform the WG that after resisting pressure from users for some time we
> recently started supporting explicitly typed ID tokens and UserInfo JWTs,
> the rationale being the prevention of mix ups in applications with many
> types of JWTs floating around, plus making it easier for code and people to
> determine the JWT purpose by simply examining the "typ" (type) header and
> not having to analyze the claims structure.
>
> By explicit JWT typing I mean use of the optional "typ" header in a JWT,
> something the JWT profile for access tokens for instance uses (and other
> OAuth related specs that carry JWTs).
>
> {
> "kid" : "1",
> "alg" : "RS256",
> "typ" : "id_token+jwt"
> }
>
> {
> "kid" : "1",
> "alg" : "RS256",
> "typ" : "userinfo+jwt"
> }
>
>
> I know this is non-standard and may likely break existing validation code
> and client libraries. If you have thoughts or feedback about this typing,
> good or bad, I'd love to hear it.
>
> Vladimir
>
> --
> Vladimir Dzhuvinov
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20220329/42f31481/attachment.html>
More information about the Openid-specs-ab
mailing list