Open aaronpk opened 9 months ago
In my own defense - RFC 7523 was published several years before RFC 8725...
Anyway, such a recommendation (and maybe even definition of one) seems reasonable as long as it doesn't suggest or imply that plain vanilla RFC 7523 implementations/deployments (new or existing) can't function as-is or are problematic security-wise or otherwise somehow deficient.
There should probably be a recommendation for a media type for the JWT Authorization Grant, because:
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
needs to know how to process the JWT authorization differently from other uses of JWT-Bearer
RFC 7523 was published before the more recent recommendation of explicit typing
I don't think this draft needs to define one, but it should at least recommend that an implementation uses one.
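An added example (not from this thread or from any draft) of what explicit typing gives the receiver of a JWT authorization grant: a `typ` header check that runs before signature and claims validation, with an opt-in mode that still admits untyped RFC 7523 assertions. The media type `example-authz-grant+jwt`, the function names and the `allow_untyped` switch are hypothetical.

```python
import base64
import json

EXPECTED_TYP = "example-authz-grant+jwt"  # hypothetical; the thread defines no media type
LEGACY_TYP = "jwt"  # generic value many existing RFC 7523 assertions carry (assumption)

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def normalize_typ(typ: str) -> str:
    """RFC 7515 4.1.9 comparison form: case-insensitive, and 'application/'
    is implied when the value contains no other '/'."""
    typ = typ.strip().lower()
    prefix = "application/"
    if typ.startswith(prefix) and "/" not in typ[len(prefix):]:
        typ = typ[len(prefix):]
    return typ

def check_grant_typ(assertion: str, allow_untyped: bool = False) -> str:
    """Return 'typed' or 'untyped-legacy', else raise ValueError.
    A pre-filter only: signature and claims validation still follow."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all land here
        raise ValueError("undecodable header") from exc
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    typ = header.get("typ")
    if typ is None or (isinstance(typ, str) and normalize_typ(typ) == LEGACY_TYP):
        if allow_untyped:
            return "untyped-legacy"  # plain RFC 7523 deployment keeps working
        raise ValueError("assertion is not explicitly typed")
    if not isinstance(typ, str) or normalize_typ(typ) != EXPECTED_TYP:
        raise ValueError("typ belongs to another JWT use")
    return "typed"

def make_sample(header: dict) -> str:
    """Constructed sample: real header, dummy payload and signature."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(b"{}"), "c2ln"])
```

With `allow_untyped=True` the check only rejects assertions that declare a different type; with the default it also rejects untyped ones.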