typ header for User Statement Token / potential for confusion with id_token

Issue #193 resolved
Joseph Heenan created an issue

If I’ve followed things correctly, the token defined in https://openid.net/specs/openid-connect-user-questioning-api-1_0-11.html#rfc.section.2 is almost a valid id_token - the only difference I spotted vs https://openid.net/specs/openid-connect-core-1_0.html#IDToken is that it doesn’t include an iat/ exp and perhaps nonce - all of which are technically optional to check in https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

(It does contain a number of claims that are unique to the user statement token, but OIDC clients are required to ignore unknown claims in an id_token so that potentially wouldn’t prevent something accepting a user statement token as an id_token.)

That might be worthy of a security consideration (people may accidentally or deliberately include iat/exp), but as per https://tools.ietf.org/html/rfc8725#section-3.11 it may be worth considering adding a typ header to help avoid any future confusion.
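A defender-side illustration of the typ check proposed above, added here and not part of the issue or of the OpenID specs: a minimal RP ID Token validator that rejects a constructed User Statement Token purely on its explicit typ header, as RFC 8725 section 3.11 recommends. The typ strings, the HS256 demo secret, the token contents and the "statement" claim name are assumptions.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # demo HS256 key; real ID Tokens normally use the OP's asymmetric key
# Assumed typ values: neither OIDC Core nor (per the issue) the User Questioning draft defines one.
ID_TOKEN_TYP = "id_token+jwt"
USER_STATEMENT_TYP = "user-statement+jwt"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(header: dict, claims: dict) -> str:  # demo issuer side: mint a compact HS256 JWT
    segs = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    sig = hmac.new(SECRET, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [_b64url(sig)])

def validate_id_token(token: str, issuer: str, client_id: str, now: int) -> dict:
    """RP-side ID Token checks plus the explicit-typing rule of RFC 8725 section 3.11."""
    h64, p64, s64 = token.split(".")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("signature mismatch")
    header, claims = json.loads(_b64url_decode(h64)), json.loads(_b64url_decode(p64))
    # typ is what stops a User Statement Token: its iss/sub/aud pass the rules below and extra claims are ignored.
    if header.get("typ") != ID_TOKEN_TYP:
        raise ValueError(f"not an ID Token: typ={header.get('typ')!r}")
    if claims.get("iss") != issuer or claims.get("aud") != client_id:  # demo: single string aud only
        raise ValueError("iss/aud mismatch")
    # OIDC Core makes exp REQUIRED; insisting on it is a second line of defence against untyped tokens.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("exp missing or in the past")
    return claims

def outcome(token: str, issuer: str, client_id: str, now: int) -> str:
    try:
        return "accepted sub=" + validate_id_token(token, issuer, client_id, now)["sub"]
    except ValueError as err:
        return f"rejected: {err}"

def demo() -> tuple:  # constructed tokens from one issuer: (ID Token outcome, User Statement Token outcome)
    issuer, client, now = "https://op.example", "rp-client", 1_700_000_000
    id_token = sign_jwt({"alg": "HS256", "typ": ID_TOKEN_TYP},
                        {"iss": issuer, "sub": "alice", "aud": client, "iat": now, "exp": now + 300})
    statement = sign_jwt({"alg": "HS256", "typ": USER_STATEMENT_TYP},  # no iat/exp; "statement" claim hypothetical
                         {"iss": issuer, "sub": "alice", "aud": client, "statement": "approved"})
    return outcome(id_token, issuer, client, now), outcome(statement, issuer, client, now)
```

Without the typ check, the second token would be refused only because it lacks exp; if an issuer later added iat/exp to it, as the issue anticipates, only the typ line would still tell the two apart.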

Comments (3)
