[Openid-specs-ab] Issue #2185: ID tokens should have an associated Media Type (openid/connect)
Andrii Deinega
andrii.deinega at gmail.com
Mon Nov 3 22:25:52 UTC 2025
Hi Gabriel,
Sadly, BitBucket gives me "Something went wrong" when I hit your
https://bitbucket.org/openid/connect/issues/2185/id-tokens-should-have-an-associated-media
.
It would be safe to say that this behavior change would be suitable for a
new version of OpenID Connect (say OpenID Connect Core 2). Have a look at
https://bitbucket.org/openid/connect/issues/2162/recommendation-to-the-use-of-explicit
and comments in it.
All the best,
Andrii
On Mon, Nov 3, 2025 at 2:10 PM Gabriel Corona via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> New issue 2185: ID tokens should have an associated Media Type
>
> https://bitbucket.org/openid/connect/issues/2185/id-tokens-should-have-an-associated-media
>
> Gabriel Corona:
>
> Most other standard JWT-based tokens have an associated Media Type.
>
> For example:
>
> * application/at+jwt for JWT access tokens;
> * application/authorization-grant+jwt for OAuth JWT Authorization Grants;
> * application/client-authentication+jwt for JWT client assertion;
> * application/oauth-authz-req+jwt for JAR;
> * application/dpop+jwt for DPoP proofs;
> * application/token-introspection+jwt for Token Introspection JWT;
> * application/logout+jwt for OIDC Logout JWT;
> * etc, etc.
>
> A standard media type for ID tokens could be used to properly type ID
> tokens (“typ” header field) in order to prevent token type confusion
> attacks. Currently, the specifications do not discuss which value for the
> “typ” header field should be used for ID tokens, which implies that the
> “typ” header field should not be verified by the consumer. The
> specification should probably be clarified on this point.
>
> See Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and
> Assertion-Based Authorization Grants drafts
> (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rfc7523bis#name-introduction)
> for more context.
>
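Added example, not part of either message or of the OpenID specifications: a sketch of the "typ" check discussed in the quoted issue, using media types from its list. The function names, the constructed sample tokens and the interim deny-list check for ID token consumers are assumptions made for illustration.

```python
import base64
import json

# Media types copied from the list in the quoted issue.
EXPECTED_TYP = {
    "access_token": "application/at+jwt",
    "dpop_proof": "application/dpop+jwt",
    "logout_token": "application/logout+jwt",
}

def _enc(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_jwt(header: dict, claims: dict) -> str:
    """Constructed sample token; the signature segment is a placeholder."""
    return f"{_enc(header)}.{_enc(claims)}.c2ln"

def jose_header(jwt: str) -> dict:
    """Decode the header of a compact JWS (signature checks happen elsewhere)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def normalized_typ(header: dict):
    """RFC 7515 4.1.9: case-insensitive, "application/" prefix may be omitted."""
    typ = header.get("typ")
    if not isinstance(typ, str):
        return None
    typ = typ.strip().lower()
    return typ if "/" in typ else "application/" + typ

def typ_matches(jwt: str, kind: str) -> bool:
    """Allow-list check, possible only where a media type is registered."""
    return normalized_typ(jose_header(jwt)) == EXPECTED_TYP[kind]

def typ_names_other_token(jwt: str) -> bool:
    """Assumed interim check for ID token consumers: with no ID token media
    type to require, refuse a "typ" registered for a different token kind."""
    return normalized_typ(jose_header(jwt)) in EXPECTED_TYP.values()

# Constructed samples (not real tokens).
ID_TOKEN = make_jwt({"alg": "RS256", "typ": "JWT"}, {"iss": "https://op.example", "sub": "u1", "aud": "client1"})
ACCESS_TOKEN = make_jwt({"alg": "RS256", "typ": "at+jwt"}, {"iss": "https://op.example", "sub": "u1", "aud": "https://rs.example"})
LOGOUT_TOKEN = make_jwt({"alg": "RS256", "typ": "logout+JWT"}, {"iss": "https://op.example", "sub": "u1", "aud": "client1"})
```

A resource server that requires `typ_matches(token, "access_token")` rejects the sample ID token, while the ID token consumer has no registered value to require and can only exclude the known types of other tokens.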