<div dir="ltr">Hi Gabriel,<br><br>Sadly, BitBucket gives me "Something went wrong" when I hit your <a href="https://bitbucket.org/openid/connect/issues/2185/id-tokens-should-have-an-associated-media">https://bitbucket.org/openid/connect/issues/2185/id-tokens-should-have-an-associated-media</a>.<div><br></div><div>It would be safe to say that this behavior change would be suitable for a new version of OpenID Connect (say OpenID Connect Core 2). Have a look at <a href="https://bitbucket.org/openid/connect/issues/2162/recommendation-to-the-use-of-explicit">https://bitbucket.org/openid/connect/issues/2162/recommendation-to-the-use-of-explicit</a> and comments in it.<br><div><br>All the best,<br>Andrii</div></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Mon, Nov 3, 2025 at 2:10 PM Gabriel Corona via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">New issue 2185: ID tokens should have an associated Media Type<br>
<a href="https://bitbucket.org/openid/connect/issues/2185/id-tokens-should-have-an-associated-media" rel="noreferrer" target="_blank">https://bitbucket.org/openid/connect/issues/2185/id-tokens-should-have-an-associated-media</a><br>
<br>
Gabriel Corona:<br>
<br>
Most other standard JWT-based tokens have an associated Media Type.<br>
<br>
For example :<br>
<br>
* application/at+jwt for JWT access tokens;<br>
* application/authorization-grant+jwt for OAuth JWT Authorization Grants;<br>
* application/client-authentication+jwt for JWT client assertion;<br>
* application/oauth-authz-req+jwt for JAR;<br>
* application/dpop+jwt for DPoP proofs;<br>
* application/token-introspection+jwt for Token Introspection JWT;<br>
* application/logout+jwt for OIDC Logout JWT;<br>
* etc, etc.<br>
<br>
A standard media type for ID tokens could be used to properly type ID tokens (“typ” header field) in order to prevent token type confusion attacks. Currently, the specifications do not discuss which value for the “typ” header field should be used for ID tokens, which implies that the “typ” header field should not be verified by the consumer. The specification should probably be clarified on this point.<br>
<br>
See Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants drafts (<a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rfc7523bis#name-introduction" rel="noreferrer" target="_blank">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rfc7523bis#name-introduction</a>) for more context.<br>
<br>
<br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>