mpdavis / python-jose

A JOSE implementation in Python
MIT License
1.54k stars 236 forks

JWS.sign() hardcodes "typ": "JWT" #204

Open alxnik opened 3 years ago

alxnik commented 3 years ago

Setting the JOSE header "typ" to "JWT" is hardcoded in jws._encode_header(). Although setting this parameter is recommended in RFC 7519 (JWT specification), in RFC 7515 (JWS specification) it is marked as optional. Currently there is no way to remove it from the header.

The proposed solution is to not hardcode it in jws._encode_header() but to add it to the extra headers through jwt.encode(). Thus, JWT functionality remains unaffected, but JWS is RFC compliant.

almartmart commented 1 year ago

I really suggest merging this. I've already found some APIs that (for some reason) require the "typ" header to not be sent, which is impossible without this change.
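
The behaviour discussed in this thread, as an added example (not python-jose code and not written by either commenter): a stdlib-only HS256 JWS compact signer that emits "typ" only when the caller passes it, plus a check showing why a caller cannot simply strip "typ" after signing, because the protected header is part of the signing input. The function names, key and payload are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # constructed sample value, not a real secret


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_header(extra_headers=None) -> str:
    # Only "alg" is mandatory here; "typ" is left to the caller.
    header = {"alg": "HS256"}
    header.update(extra_headers or {})
    return b64url(json.dumps(header, separators=(",", ":"), sort_keys=True).encode())


def sign_compact(payload: bytes, key: bytes, extra_headers=None) -> str:
    signing_input = f"{encode_header(extra_headers)}.{b64url(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_compact(token: str, key: bytes):
    """Return (header, payload); raise ValueError on any failure."""
    protected, body, sig = token.split(".")  # wrong part count raises ValueError
    header = json.loads(b64url_decode(protected))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{protected}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return header, b64url_decode(body)


def strip_typ_after_signing(token: str) -> str:
    # The workaround a caller is pushed towards when "typ" is forced at signing time.
    protected, body, sig = token.split(".")
    header = json.loads(b64url_decode(protected))
    header.pop("typ", None)
    return f"{encode_header({k: v for k, v in header.items() if k != 'alg'})}.{body}.{sig}"
```

A JWT-level wrapper can pass `{"typ": "JWT"}` as an extra header, which keeps JWT output unchanged while leaving plain JWS callers free to omit it.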