Open dickhardt opened 5 months ago
The value of explicitly typing in the context of something like DBSC isn't as clear as some other JWT usages but it's probably worth doing nonetheless. And would certainly be more useful than "typ": "JWT", in the current readme, which is pretty much meaningless.
FWIW this seems quite similar to DPoP where we did go with explicit typing. See https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2-2.2 for example.
Should be doable. The idea here was to work with existing token types (JWT), and helps in merging DBSC with authentication flows if needed.
Per JWT best practices explicitly type the JWT, such as
"typ":"dbsc+jwt"
see https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing
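An added example, not part of the thread or the DBSC project's code: a header check a verifier could apply so that only tokens explicitly typed as `dbsc+jwt` are accepted, while generic `JWT`, untyped, or other-purpose tokens (such as DPoP proofs) are rejected. The function names and sample tokens are constructed for illustration, and signature verification is assumed to happen separately.

```python
import base64
import json

EXPECTED_TYP = "dbsc+jwt"  # the value proposed in the issue text above


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header: dict) -> str:
    """Build a constructed sample token; the signature bytes are a dummy."""
    segments = [json.dumps(header).encode(), b'{"jti":"sample"}', b"not-a-real-signature"]
    return ".".join(b64url(s) for s in segments)


def decode_header(token: str) -> dict:
    """Decode the JOSE header of a compact-serialized JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWS")
    padded = parts[0] + "=" * (-len(parts[0]) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def normalize_typ(typ):
    """RFC 7515 section 4.1.9: media types compare case-insensitively and a
    value without '/' is treated as if 'application/' were prepended."""
    if not isinstance(typ, str) or not typ:
        return None
    typ = typ.lower()
    return typ if "/" in typ else "application/" + typ


def has_expected_typ(token: str, expected: str = EXPECTED_TYP) -> bool:
    """True only when the header carries the expected explicit type."""
    try:
        header = decode_header(token)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return False
    return normalize_typ(header.get("typ")) == normalize_typ(expected)
```

The `typ` value is only meaningful once the signature covering the header has been verified, so this check belongs in the same validation step as signature verification.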