Recommendation on the use of explicit typing for ID Tokens

Issue #2162 open
Andrii Deinega created an issue

OpenID Connect Core 1.0 incorporating errata set 2 neither defines a value for the “typ” header parameter nor requires its use (see the Explicit Typing section of RFC 8725, JSON Web Token Best Current Practices).

The suggestion is to at least recommend using it for 1.0.

Newer versions of the spec can require it. The same holds true for Logout Tokens:

It is RECOMMENDED that Logout Tokens be explicitly typed. This is accomplished by including a typ (type) Header Parameter with a value of logout+jwt in the Logout Token.

and for JWT assertions that are used as client credentials (client_secret_jwt and private_key_jwt).
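What the explicit-typing check looks like on the receiving side, as an added example that is not part of this issue or of any OpenID specification text. It is a stdlib-only HS256 implementation with a constructed shared secret; `logout+jwt` is the value from the Back-Channel Logout text quoted above, while `id_token+jwt` is an assumed placeholder, since Core 1.0 defines no `typ` value for ID Tokens (which is what the issue asks for). The same verifier also illustrates the cross-use concern raised in the comments: a validly signed token of one type presented where another type is expected is rejected on its header alone, before any claims are trusted, whereas an untyped token can only be accepted or refused wholesale.

```python
"""Explicit typing (RFC 8725 section 3.11): mint JWTs with and without a "typ"
header and verify them against an expected type. Added example; HS256 over a
constructed secret, not code from the OpenID Connect specifications."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment uses per-issuer key material.
SECRET = b"constructed-demo-hs256-secret"

# "logout+jwt" is the value recommended for Logout Tokens (Back-Channel Logout).
LOGOUT_TYP = "logout+jwt"
# ASSUMED placeholder: OpenID Connect Core 1.0 defines no typ value for ID Tokens.
ID_TOKEN_TYP = "id_token+jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_jwt(claims: dict, typ: Optional[str], secret: bytes = SECRET) -> str:
    """HS256-sign claims. typ=None yields an untyped token, as Core 1.0 allows."""
    header = {"alg": "HS256"}
    if typ is not None:
        header["typ"] = typ
    signing_input = _segment(header) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenTypeError(ValueError):
    """The token's explicit type is absent or not the one this endpoint expects."""


def verify_jwt(token: str, expected_typ: str, require_typ: bool = True,
               secret: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Check signature, explicit type, then expiry; return claims only if all pass.

    require_typ=True is the RFC 8725 posture: an untyped token is rejected.
    require_typ=False tolerates untyped tokens, which is the gap the issue
    describes for Core 1.0 ID Tokens.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm before trusting the signature (RFC 8725 section 3.1).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    # Media type values are case-insensitive (RFC 7515 section 4.1.9).
    typ = header.get("typ")
    if typ is None:
        if require_typ:
            raise TokenTypeError("token carries no typ header")
    elif typ.lower() != expected_typ.lower():
        raise TokenTypeError(f"typ {typ!r} is not {expected_typ!r}")
    claims = json.loads(_b64url_decode(p_b64))
    current = now if now is not None else int(time.time())
    if "exp" in claims and claims["exp"] <= current:
        raise ValueError("token expired")
    return claims


def outcome(token: str, expected_typ: str, require_typ: bool = True) -> str:
    """Summarise one verification attempt as a short string."""
    try:
        verify_jwt(token, expected_typ, require_typ=require_typ)
        return "accepted"
    except TokenTypeError as exc:
        return f"rejected: {exc}"
    except ValueError as exc:
        return f"error: {exc}"


def demo() -> dict:
    """Constructed tokens, all signed with the same key, presented to different endpoints."""
    now = int(time.time())
    base = {"iss": "https://op.example", "sub": "alice", "aud": "rp.example",
            "iat": now, "exp": now + 300}
    id_token = mint_jwt(base, typ=ID_TOKEN_TYP)
    untyped_id_token = mint_jwt(base, typ=None)  # what Core 1.0 permits today
    logout_token = mint_jwt(
        {**base, "jti": "constructed-1",
         "events": {"http://schemas.openid.net/event/backchannel-logout": {}}},
        typ=LOGOUT_TYP)
    return {
        "id_token_as_id_token": outcome(id_token, ID_TOKEN_TYP),
        "logout_token_as_id_token": outcome(logout_token, ID_TOKEN_TYP),
        "id_token_as_logout_token": outcome(id_token, LOGOUT_TYP),
        "untyped_strict": outcome(untyped_id_token, ID_TOKEN_TYP),
        "untyped_lenient": outcome(untyped_id_token, ID_TOKEN_TYP, require_typ=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} {result}")
```

The type check sits between the signature check and any use of the claims: a recipient that only checks claims (for instance, the presence of `events` or `nonce`) to tell a Logout Token from an ID Token is relying on payload heuristics that a token from another context may happen to satisfy. The `require_typ` switch is the compatibility trade-off the comments allude to: turning it on is safe only once every issuer a recipient accepts tokens from emits the header.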

Comments (3)

  1. Andrii Deinega reporter

    Among many other things, this is a defensive mechanism against misuse in a family of use cases where ID Tokens get exchanged for something else (using the token exchange grant type), especially in cases where the authorization server performing the exchange doesn’t belong to the security domain that issued the ID Token.

  2. Michael Jones
    • changed status to open

    We discussed this on the 29-Jul-24 working group call. We agreed that this would be something to do in the next version.

    @Brian Campbell also cited anecdotal evidence of deployments using explicit typing in some contexts causing code failures.