Open ramoas opened 8 years ago
Even in the context of a JWT, use of typ in the JOSE header remains optional. Quoting from RFC 7519:
This parameter is ignored by JWT implementations; any processing of this parameter is performed by the JWT application. If present, it is RECOMMENDED that its value be "JWT" to indicate that this object is a JWT. While media type names are not case sensitive, it is RECOMMENDED that "JWT" always be spelled using uppercase characters for compatibility with legacy implementations. Use of this Header Parameter is OPTIONAL.
This package is meant for internal use only since: https://github.com/golang/oauth2/commit/75e75ddc3d156dc8fc71c6f2ef3607cbdcfc8c27 so I doubt this will be added and I think this issue can be close.
Quoting from RFC 7515, typ is optional:
Thus, it would be nice to omit it when not set.