- changed status to open
JWT Type in JOSE Header
The draft for JSON Web Tokens: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32 describes the usage of "typ" in the header with a fixed value of "JWT".
Currently, the implementation only allows JWS and JWE as types in the header.
Also, "typ" is currently a field in the claims set for JWTs, but it should be removed from there and lifted to the header.
Comments (7)
-
-
Removed misplaced 'typ' claim from claims set in commit 1495d04.
-
reporter You might want to add "JWT" as a static instance to JOSEObjectType (like JWS and JWE) so you don't have to use the constructor.
-
Updated the 'typ' constants to match the latest JWS draft 40 / JWT draft 40, see commit be09fd9.
-
PS: Please note that the recommended way to indicate a nested (signed + encrypted) JWT is to use the "cty" parameter for that. The "typ" parameter is there for legacy reasons.
-
Dave, the changes just got pushed to Maven Central as version 3.9.
-
- changed status to resolved
Thanks for reporting this!
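The header layout discussed in this thread can be checked on the wire. The following is an added example, not code from the library or from any commenter: a standard-library Python inspector that reads the JOSE header of a compact object, reports "typ" and "cty", and flags a "typ" left in the claims set. The function names and sample tokens are constructed for illustration, and nothing here verifies a signature or decrypts anything.

```python
import base64
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_jose(compact: str) -> dict:
    """Report how a compact JOSE object declares its type. Verifies nothing."""
    parts = compact.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("expected 3 (JWS) or 5 (JWE) dot-separated parts")
    kind = "JWS" if len(parts) == 3 else "JWE"
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    typ, cty = header.get("typ"), header.get("cty")
    # Case-insensitive comparison is an assumption of this example.
    nested = isinstance(cty, str) and cty.upper() == "JWT"
    findings = []
    if isinstance(typ, str) and typ.upper() != "JWT":
        findings.append(f"header 'typ' is {typ!r}, not 'JWT'")
    if kind == "JWS" and not nested:
        # A JWS payload is encoded, not encrypted, so the claims set is readable.
        try:
            claims = json.loads(b64url_decode(parts[1]))
        except ValueError:
            claims = None  # payload is not a JSON claims set
        if isinstance(claims, dict) and "typ" in claims:
            findings.append("'typ' is in the claims set; it belongs in the header")
    return {"kind": kind, "typ": typ, "cty": cty, "nested": nested, "findings": findings}

def sample(header: dict, payload: bytes, jwe: bool = False) -> str:
    """Constructed sample with placeholder segments; not a valid signed or encrypted token."""
    head = b64url_encode(json.dumps(header).encode())
    if jwe:  # header . encrypted key (empty) . IV . ciphertext . tag
        return ".".join([head, "", b64url_encode(b"iv"), b64url_encode(payload), b64url_encode(b"tag")])
    return ".".join([head, b64url_encode(payload), b64url_encode(b"sig")])

# Constructed inputs: the layout the issue reports, the corrected layout, and a nested JWT.
LEGACY = sample({"alg": "HS256", "typ": "JWS"}, b'{"iss":"example","typ":"JWT"}')
FIXED = sample({"alg": "HS256", "typ": "JWT"}, b'{"iss":"example"}')
NESTED = sample({"alg": "dir", "enc": "A128GCM", "cty": "JWT"}, b"placeholder", jwe=True)

if __name__ == "__main__":
    for name, token in [("legacy", LEGACY), ("fixed", FIXED), ("nested", NESTED)]:
        print(name, inspect_jose(token))
```
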