Is there a requirement that client assertion JWTs must use the HMAC algorithm?
Issue #403
invalid
Hi,
We are looking to use the ClientSecretJWT to construct a client assertion according to the RFC-7521 spec. Our client assertion is going to use RSA256 in order to sign the client assertion. The library checks for HMAC algorithms here.
I'm wondering if there is a specific spec where this is mentioned? If not, is it possible to have this check removed or made some way configurable?
Cheers,
John
Comments (2)
- changed status to invalid
Yep, PrivateKeyJWT is the correct class for dealing with RS256 signed JWT assertions.
Happy coding!
OP here, I have since had it explained to me that the ClientSecretJWT is specifically intended for symmetric algorithms. I should have been using PrivateKeyJWT.
Apologies, this can be closed.
Cheers
John
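As an added illustration of the distinction settled in this thread (not code from the library or from either commenter): `client_secret_jwt`, as defined in OpenID Connect Core section 9, authenticates the client with an HMAC over the shared secret, so both the client and the authorization server should refuse any other algorithm family for that method. The function names, client ID, endpoint URL and secret below are constructed for the example.

```python
import base64, hashlib, hmac, json, time, uuid

# Constructed sample values for the demonstration (assumptions, not from the issue).
CLIENT_ID, TOKEN_ENDPOINT = "example-client", "https://as.example.com/token"
SECRET = b"constructed-demo-secret-do-not-reuse"
# The only JWS algorithms client_secret_jwt may use; RS*/PS*/ES* belong to private_key_jwt.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_secret_jwt(client_id, token_endpoint, secret, alg="HS256", now=None):
    """Client side: build the assertion, refusing non-HMAC algorithms up front."""
    if alg not in HMAC_ALGS:
        raise ValueError(f"{alg} is not an HMAC algorithm; use private_key_jwt instead")
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": uuid.uuid4().hex, "iat": now, "exp": now + 60}
    signing_input = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode()) + "." + b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, signing_input.encode(), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url(mac)

def verify_client_secret_jwt(assertion, registered_method, secret, token_endpoint, now=None):
    """Server side: return the authenticated client_id or raise ValueError."""
    head_b64, claims_b64, sig_b64 = assertion.split(".")
    header = json.loads(b64url_decode(head_b64))
    alg = header.get("alg") if isinstance(header, dict) else None
    # Pin the algorithm family to the registered method before touching the signature.
    if registered_method != "client_secret_jwt" or not isinstance(alg, str) or alg not in HMAC_ALGS:
        raise ValueError("algorithm does not match the registered authentication method")
    expected = hmac.new(secret, f"{head_b64}.{claims_b64}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    aud = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    now = int(time.time()) if now is None else now
    if claims.get("iss") != claims.get("sub") or token_endpoint not in aud or claims.get("exp", 0) <= now:
        raise ValueError("bad claims")
    return claims["sub"]
```

A production server would additionally track `jti` values to reject replayed assertions.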