openid-certification / oidctest

THE CERTIFICATION TEST SUITE HAS BEEN MIGRATED TO A NEW SERVICE https://www.certificatinon.openid.net

Nested request objects must include cty:JWT in the JWE header #183

Open yv13 opened 5 years ago

yv13 commented 5 years ago

Signed + encrypted request objects are expected to have the "cty" header parameter set to "JWT":

https://tools.ietf.org/html/rfc7519#section-5.2

The "cty" (content type) Header Parameter defined by [JWS] and [JWE] is used by this specification to convey structural information about the JWT.

In the normal case in which nested signing or encryption operations are not employed, the use of this Header Parameter is NOT RECOMMENDED. In the case that nested signing or encryption is employed, this Header Parameter MUST be present; in this case, the value MUST be "JWT", to indicate that a Nested JWT is carried in this JWT. While media type names are not case sensitive, it is RECOMMENDED that "JWT" always be spelled using uppercase characters for compatibility with legacy implementations. See Appendix A.2 for an example of a Nested JWT.

One of the affected tests is OP-request_uri-Enc.
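The header check the issue asks for, as an added example that is not part of oidctest or the original post: it reads the unencrypted protected header of a JWE compact serialization and reports whether `cty` satisfies RFC 7519 section 5.2 for a nested (signed then encrypted) request object. The sample tokens are constructed; only their protected header is meaningful, the remaining segments are placeholders rather than real ciphertext.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JOSE base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwe_protected_header(jwe_compact: str) -> dict:
    """Parse the (unencrypted) protected header of a JWE compact serialization."""
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization must have 5 segments, got %d" % len(parts))
    return json.loads(b64url_decode(parts[0]))

def check_nested_jwt_cty(jwe_compact: str) -> list:
    """Findings for a signed+encrypted request object (RFC 7519 section 5.2).
    The JWE wraps a JWS, so 'cty' MUST be present and its value MUST be 'JWT'."""
    header = jwe_protected_header(jwe_compact)
    findings = []
    cty = header.get("cty")
    if cty is None:
        findings.append("ERROR: 'cty' missing; MUST be present for a Nested JWT")
    elif cty == "JWT":
        pass  # exact spelling RECOMMENDED by the RFC
    elif cty.lower() == "jwt":
        # Media type names are not case sensitive, but uppercase is RECOMMENDED.
        findings.append("WARNING: 'cty' is %r; uppercase 'JWT' is RECOMMENDED" % cty)
    else:
        findings.append("ERROR: 'cty' is %r; MUST be 'JWT' for a Nested JWT" % cty)
    return findings

def make_sample_jwe(header: dict) -> str:
    # Constructed sample: only the protected header matters for this check; the
    # encrypted key, IV, ciphertext and tag segments are placeholders.
    segments = [b64url_encode(json.dumps(header).encode())]
    segments += [b64url_encode(b"placeholder-" + name) for name in (b"key", b"iv", b"ct", b"tag")]
    return ".".join(segments)

GOOD = make_sample_jwe({"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "JWT"})
MISSING = make_sample_jwe({"alg": "RSA-OAEP", "enc": "A256GCM"})
LOWER = make_sample_jwe({"alg": "RSA-OAEP", "enc": "A256GCM", "cty": "jwt"})

if __name__ == "__main__":
    for label, token in (("good", GOOD), ("missing", MISSING), ("lower", LOWER)):
        print(label, check_nested_jwt_cty(token) or ["OK"])
```

A certification test would run the same check on the request object fetched from `request_uri` after confirming it is a JWE rather than a bare JWS.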

selfissued commented 4 years ago

Hans to ask for clarifications, per 11-Oct-19 certification call.

If we're looking at nested JWTs, we should validate this requirement.