Do we need a special JWT type
We use JWTs as the format for trust marks. Is there a reason for registering a special JWT type for this usage.
DPoP has dpop+jwt should we have trust_mark+jwt ?
Comments (8)
-
-
Yes, explicit typing is recommended in the JWT BCP: https://www.rfc-editor.org/rfc/rfc8725.html#section-3.11
There seems to be at least a precedent for the use of
-
rather than_
in https://www.iana.org/assignments/media-types/media-types.xhtml (which is where it will need to be registered), so trust-mark+jwt might be a better choice? -
reporter Agree !
-
What about registering a type also for Fetch Entity Statements Response and any other federation_api operation?
-
Mike to work with Roland on spec text defining these JWT types.
-
- changed status to open
-
some content types have been proposed here:
https://bitbucket.org/openid/connect/issues/1382/proposal-of-an-improved-federation-api -
reporter - changed status to resolved
Mike has added spec text defining a couple of JWT types.
- Log in to comment
In “JWT Response for OAuth Token Introspection“ we also have “token-introspection+jwt” and it has been included in the JSON Web Token (JWT) IANA registry.
I believe it is formally correct to have a registered claim for the trust marks of oidc federation 1.0
+1 on my side