[Openid-specs-ab] Issue #2162: recommendation to the use of explicit typing for ID Tokens (openid/connect)
Andrii Deinega
issues-reply at bitbucket.org
Mon Jul 29 22:34:00 UTC 2024
New issue 2162: recommendation to the use of explicit typing for ID Tokens
https://bitbucket.org/openid/connect/issues/2162/recommendation-to-the-use-of-explicit
Andrii Deinega:
The OpenID Connect Core 1.0 incorporating (errata set 2) neither defines a value for the “typ” header parameter nor requires the use of it (see section [the explicit typing in RFC 8725 JSON Web Token Best Current Practices](https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing)).
The suggestion is at least to recommend using it for 1.0.
Newer versions of the spec can require it; the same holds true for Logout Tokens
> It is RECOMMENDED that Logout Tokens be explicitly typed. This is accomplished by including a typ (type) Header Parameter with a value of logout+jwt in the Logout Token.
and for JWT assertions that are used as client credentials (client_secret_jwt and private_key_jwt).
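As an added illustration of the explicit-typing check the issue asks for (example code, not from the issue author or the OpenID specs), here is a relying-party-side check that rejects a token whose JOSE header lacks a "typ" or carries the wrong one. The expected value for Logout Tokens, logout+jwt, comes from the quoted text; the comparison rules (case-insensitive, implied "application/" prefix) are those of RFC 7515 section 4.1.9; the sample tokens are constructed here and unsigned, so signature verification is assumed to happen separately.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _normalize_media_type(value: str) -> str:
    # RFC 7515 s4.1.9: a "typ" with no "/" is short for "application/<value>",
    # and receivers compare media types case-insensitively.
    value = value.strip().lower()
    return value if "/" in value else "application/" + value


def check_explicit_typ(token: str, expected_typ: str) -> bool:
    """True only if the JOSE header carries an explicit "typ" equal to
    expected_typ after normalization. A missing "typ" is a hard reject:
    that is what stops a token minted for one purpose being accepted as
    another kind of token (the confusion RFC 8725 explicit typing prevents)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64url or bad JSON
        return False
    typ = header.get("typ") if isinstance(header, dict) else None
    if not isinstance(typ, str):
        return False  # no explicit type at all
    return _normalize_media_type(typ) == _normalize_media_type(expected_typ)


def _make_unsigned(header: dict, payload: dict) -> str:
    # Constructed sample token: real header/payload, dummy signature segment.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc(header)}.{enc(payload)}.dummy-signature"


# Constructed sample tokens (not real credentials; issuer is a placeholder).
LOGOUT_TOKEN = _make_unsigned({"alg": "RS256", "typ": "logout+jwt"},
                              {"iss": "https://op.example", "sub": "user-1"})
UNTYPED_TOKEN = _make_unsigned({"alg": "RS256"},
                               {"iss": "https://op.example", "sub": "user-1"})

if __name__ == "__main__":
    print(check_explicit_typ(LOGOUT_TOKEN, "logout+jwt"))   # True
    print(check_explicit_typ(UNTYPED_TOKEN, "logout+jwt"))  # False
```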