[Openid-specs-ab] Issue #2185: ID tokens should have an associated Media Type (openid/connect)

Gabriel Corona issues-reply at bitbucket.org
Mon Nov 3 22:09:55 UTC 2025


New issue 2185: ID tokens should have an associated Media Type
https://bitbucket.org/openid/connect/issues/2185/id-tokens-should-have-an-associated-media

Gabriel Corona:

Most other standard JWT-based tokens have an associated Media Type.

For example:

* application/at+jwt for JWT access tokens;
* application/authorization-grant+jwt for OAuth JWT Authorization Grants;
* application/client-authentication+jwt for JWT client assertion;
* application/oauth-authz-req+jwt for JAR;
* application/dpop+jwt for DPoP proofs;
* application/token-introspection+jwt for Token Introspection JWT;
* application/logout+jwt for OIDC Logout JWT;
* etc, etc.

A standard media type for ID tokens could be used to properly type ID tokens (“typ” header field) in order to prevent token type confusion attacks. Currently, the specifications do not discuss which value of the “typ” header field should be used for ID tokens, which implies that the “typ” header field should not be verified by the consumer. The specification should probably be clarified on this point.

See Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants drafts ([https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rfc7523bis#name-introduction](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rfc7523bis#name-introduction)) for more context.
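
The explicit typing check discussed in the message above, as an added example that is not part of the original post or of any OpenID specification: a consumer compares the JWT "typ" header with the one media type it expects, so a token typed for another purpose, or carrying no "typ" at all, is rejected. The function names and the sample tokens are assumptions constructed for illustration, and signature verification is left out.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample(header: dict, claims: dict) -> str:
    # Constructed, unsigned sample token ("sig" is a placeholder, not a signature).
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), "sig"])

def normalized_typ(compact_jwt: str):
    """Return the token's "typ" as a full lowercase media type, or None."""
    segment = compact_jwt.split(".")[0]
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        header = json.loads(raw)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    typ = header.get("typ") if isinstance(header, dict) else None
    if not isinstance(typ, str):
        return None
    typ = typ.lower()  # media type names are case-insensitive
    # RFC 7515 section 4.1.9: a value without "/" is read as "application/<value>"
    return typ if "/" in typ else "application/" + typ

def typ_matches(compact_jwt: str, expected_media_type: str) -> bool:
    """Explicit typing check; run it in addition to signature and claims validation."""
    return normalized_typ(compact_jwt) == expected_media_type.lower()

# Constructed samples; issuer, subject and audience values are made up.
CLAIMS = {"iss": "https://op.example", "sub": "u1", "aud": "client1"}
ACCESS = make_sample({"alg": "ES256", "typ": "at+jwt"}, CLAIMS)
LOGOUT = make_sample({"alg": "ES256", "typ": "application/logout+jwt"}, CLAIMS)
UNTYPED = make_sample({"alg": "ES256"}, CLAIMS)  # no "typ" header at all

if __name__ == "__main__":
    # A consumer that expects JWT access tokens accepts only ACCESS.
    for name, token in [("ACCESS", ACCESS), ("LOGOUT", LOGOUT), ("UNTYPED", UNTYPED)]:
        print(name, normalized_typ(token), typ_matches(token, "application/at+jwt"))
```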