Add validation for JWT type #1220
Comments
After investigating, we will probably want to make this change in 5.x and 6.x

This is a bit involved as we should enable a rule set based on type as covered in 3.12

I think for now it would be totally sufficient to check the typ value.

@leastprivilege agreed.

@leastprivilege We will add a 'ValidTypes' property on TokenValidationParameters that will be a collection of strings. Matching will be case-sensitive-ordinal. By default, we will accept all types, but if the property is set we will only allow those types.

Sounds good - thanks!

According to the latest JWT BCP - different types of JWTs should use different values for the `typ` header field.

https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-06#section-3.11

It would be useful to have a `ValidType` property on the `TokenValidationParameters` to be able to easily add this validation check.
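
The check agreed on in this thread, shown as an added example that is not part of the issue or the project's own code. It assumes a library version in which the `ValidTypes` property has shipped on `TokenValidationParameters`; the issuer, audience, key, claim and `typ` values are constructed. Two tokens signed with the same key differ only in `typ`, so the allow-list is the only thing that separates them.

```csharp
// Added illustration; issuer, audience, key and claim values are constructed.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

var key = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes("constructed-demo-key-at-least-32-bytes"));
var handler = new JwtSecurityTokenHandler();

// Issue a signed token whose header carries the given typ value.
string Issue(string typ)
{
    var header = new JwtHeader(new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
    header[JwtHeaderParameterNames.Typ] = typ;   // the constructor sets "JWT" by default
    var payload = new JwtPayload("https://issuer.example", "api1",
        new[] { new Claim("sub", "alice") },
        DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5));
    return handler.WriteToken(new JwtSecurityToken(header, payload));
}

// Validate with an optional allow-list; null leaves the type unrestricted.
bool Accepts(string token, string[]? validTypes)
{
    var parameters = new TokenValidationParameters
    {
        ValidIssuer = "https://issuer.example",
        ValidAudience = "api1",
        IssuerSigningKey = key,
        ValidTypes = validTypes
    };
    try { handler.ValidateToken(token, parameters, out _); return true; }
    catch (SecurityTokenInvalidTypeException) { return false; }
}

var accessToken = Issue("at+jwt");
var otherToken = Issue("JWT");   // a different kind of JWT from the same issuer and key

// No allow-list configured: the typ header is not checked.
Console.WriteLine($"unrestricted, typ=JWT:      {Accepts(otherToken, null)}");
// Allow-list configured: only the listed typ values pass.
Console.WriteLine($"at+jwt only,  typ=at+jwt:   {Accepts(accessToken, new[] { "at+jwt" })}");
Console.WriteLine($"at+jwt only,  typ=JWT:      {Accepts(otherToken, new[] { "at+jwt" })}");
// Matching is ordinal, so a differently cased entry does not match.
Console.WriteLine($"AT+JWT only,  typ=at+jwt:   {Accepts(accessToken, new[] { "AT+JWT" })}");
```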