smart-on-fhir / fhir-bulk-data-docs

Documentation and issue tracking for the emerging FHIR bulk data implementation guide

Add `kty` as required authentication JWT header #83

Closed vlad-ignatov closed 6 years ago

vlad-ignatov commented 6 years ago

This is in addition to https://github.com/smart-on-fhir/fhir-bulk-data-docs/pull/77.

Note that I've kept the alg as optional.

dennispatterson commented 6 years ago

While a JWK with a particular kty can be used for multiple algorithms, I'm not certain we can make the algorithm optional in the JWT header. Not sure the kty is required in the header, either, since it's implied by the required algorithm. The algorithm must be communicated in the JWT header, correct? RFC 7519 points towards RFC 7515, which requires the 'alg' header.

jmandel commented 6 years ago

We're getting confused here between the "alg" header in the JWT (which must be present) and the "alg" property of a JWK (which is optional). I merged the PR but shouldn't have -- I only wanted to say that "kty" should be present in the JWK, not the JWT. Reverting...
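The distinction the thread settles on (`alg` is a required JWS/JWT header parameter per RFC 7515, while `kty` is a required JWK parameter per RFC 7517 and `alg` on a JWK is optional) is easy to get backwards when writing a validator. The following Python is an added example, not code from the fhir-bulk-data-docs project: it decodes the protected header of a compact JWS without verifying the signature, checks each side against the rule that applies to it, and cross-checks that the JWK's key type can actually serve the header's `alg`. The sample token, key id and algorithm-to-key-type table entries are constructed for illustration; the signature segment is a placeholder and is never verified here.

```python
import base64
import json

# Which JWK "kty" each JWS "alg" family needs (RFC 7518, sections 3.3-3.5).
ALG_TO_KTY = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515 appendix C)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_protected_header(token: str) -> dict:
    """Split a compact JWS and decode its protected header. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    return json.loads(b64url_decode(parts[0]))


def check_jwt_header(header: dict) -> list:
    """Problems with a JWT header: 'alg' is required (RFC 7515); 'kty' is not a header parameter."""
    problems = []
    alg = header.get("alg")
    if alg is None:
        problems.append("missing required 'alg' header")
    elif alg == "none":
        problems.append("'alg': 'none' is not an acceptable signature algorithm")
    elif alg not in ALG_TO_KTY:
        problems.append(f"unsupported 'alg' {alg!r}")
    if "kty" in header:
        problems.append("'kty' is a JWK parameter, not a JWT header parameter")
    return problems


def check_jwk(jwk: dict) -> list:
    """Problems with a JWK: 'kty' is required (RFC 7517); 'alg' stays optional."""
    problems = []
    if "kty" not in jwk:
        problems.append("missing required 'kty' parameter")
    return problems


def key_matches_header(jwk: dict, header: dict) -> bool:
    """True when the JWK's key type, and its 'alg' if it states one, can serve the header's 'alg'."""
    alg = header.get("alg")
    if alg not in ALG_TO_KTY or jwk.get("kty") != ALG_TO_KTY[alg]:
        return False
    # A JWK may pin itself to one algorithm; if it does, the token must use that one.
    return jwk.get("alg", alg) == alg


# Constructed sample: a client assertion header and claims with a placeholder signature.
_HEADER = {"alg": "RS384", "typ": "JWT", "kid": "example-key-1"}
_CLAIMS = {"iss": "example-client", "sub": "example-client",
           "aud": "https://example.invalid/token", "exp": 0, "jti": "constructed-jti"}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(_HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(_CLAIMS, separators=(",", ":")).encode()),
    b64url_encode(b"\x00" * 48),  # placeholder, not a real signature
])

# Constructed JWK: 'kty' present as required, 'alg' deliberately omitted (it is optional).
SAMPLE_JWK = {"kty": "RSA", "kid": "example-key-1", "n": "AQAB", "e": "AQAB", "use": "sig"}


if __name__ == "__main__":
    header = parse_protected_header(SAMPLE_TOKEN)
    print("header problems:", check_jwt_header(header) or "none")
    print("jwk problems:", check_jwk(SAMPLE_JWK) or "none")
    print("key can serve token:", key_matches_header(SAMPLE_JWK, header))
```

Running it on the constructed token reports no problems on either side, and a JWK that omits `alg` still matches because only `kty` is needed to pair it with the header's algorithm; a JWK that does carry `alg` is held to exactly that algorithm.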