eu-digital-identity-wallet / eudi-lib-jvm-siop-openid4vp-kt

Implementation of SIOPv2 and OpenID4VP protocols (wallet's role) in Kotlin
Apache License 2.0

Allow usage of more Content-Types and `typ` for JARs #173

Closed dzarras closed 7 months ago

dzarras commented 9 months ago

As per https://www.rfc-editor.org/rfc/rfc9101#name-cross-jwt-confusion it is a strong recommendation to use the Content-Type HTTP Header application/oauth-authz-req+jwt and set the typ claim to oauth-authz-req+jwt for JAR.

To increase compatibility with Authorization Servers that work only with untyped JWTs we should:

  1. Accept Content-Type application/jwt and application/json
  2. Accept typ jwt or null
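
Added example, not code from the library or this thread: a Python check of the two values the issue discusses (the `Content-Type` header and the JOSE `typ`), with a strict RFC 9101 mode and the proposed compatibility mode. `accept_jar`, `jose_header` and the sample builder `_unsigned_jwt` are names chosen here; the JWTs are constructed, unsigned samples used for header inspection only, so signature verification is out of scope.

```python
import base64
import json

# Media type and typ value RFC 9101 recommends for JWT-secured authorization requests (JAR)
JAR_CONTENT_TYPE = "application/oauth-authz-req+jwt"
JAR_TYP = "oauth-authz-req+jwt"

# Relaxed values the issue proposes to tolerate for servers that only emit untyped JWTs
COMPAT_CONTENT_TYPES = {"application/jwt", "application/json"}
COMPAT_TYPS = {"jwt", None}


def jose_header(compact_jwt: str) -> dict:
    """Decode only the protected header of a compact JWS (no signature verification here)."""
    segment = compact_jwt.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def accept_jar(content_type: str, compact_jwt: str, compat: bool = False) -> bool:
    """Return True if the JAR's Content-Type and typ are acceptable.

    Strict mode enforces the RFC 9101 values. Compat mode additionally accepts the
    untyped alternatives named in the issue. Any other typ (for example an access
    token's "at+jwt") is rejected in both modes: that is the cross-JWT confusion defence.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    typ = jose_header(compact_jwt).get("typ")
    typ = typ.lower() if isinstance(typ, str) else None  # typ is case-insensitive (RFC 7515)
    if media_type == JAR_CONTENT_TYPE and typ == JAR_TYP:
        return True
    if compat:
        ok_ct = media_type == JAR_CONTENT_TYPE or media_type in COMPAT_CONTENT_TYPES
        ok_typ = typ == JAR_TYP or typ in COMPAT_TYPS
        return ok_ct and ok_typ
    return False


def _unsigned_jwt(header: dict) -> str:
    """Constructed sample: compact JWT with the given header, empty payload, empty signature."""
    seg = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return f"{seg}.e30."
```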

babisRoutis commented 9 months ago

We can implement this but it is of low priority. In several specifications the new requirement (not recommendation) is to use type specific JWTs to avoid hijacking. Some examples:

dzarras commented 8 months ago

I believe this issue was duplicated by #186. Given that #186 is closed, we can close this as well. Right?