Open
Use JWT header `typ` from RFC 9068 to differentiate between an id_token and access_token
Description
I don't know if RFC 9068 ever caught on, so we should look at how many other libraries or platforms support this, but according to that RFC the `typ` claim in the header can be `at+jwt` to indicate this is intended to be used as an access token.
However, I can't find any reference to this in the OIDC spec, and there is no such recommendation in the OIDC spec that I can find for the `id_token`, which by extension would have the `typ` of `it+jwt` or something like that.
Related
- https://www.rfc-editor.org/rfc/rfc9068
- https://openid.net/specs/openid-connect-core-1_0.html
- JWT claim overriding, namespacing or the ability to unreserve claims. #1721
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
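
The `typ` check that RFC 9068 asks of a resource server, as an added example (not FusionAuth code and not part of the original issue): it accepts a token only when the header `typ` is `at+jwt` or `application/at+jwt`, so an ID token presented as a bearer token is rejected before any claim is trusted. The function names and sample tokens are constructed; the ID token header value `JWT` is an assumed typical value, since the issue notes OIDC does not define one.

```python
import base64
import json

# Media types RFC 9068 section 4 allows in the "typ" header of an access token.
ACCESS_TOKEN_TYPES = {"at+jwt", "application/at+jwt"}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def header_typ(token: str):
    """Return the lower-cased "typ" header of a compact JWS, or None if absent."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("malformed JOSE header") from exc
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not an object")
    typ = header.get("typ")
    # Media type names are case-insensitive, so compare in lower case.
    return typ.lower() if isinstance(typ, str) else None


def is_rfc9068_access_token(token: str) -> bool:
    """Resource-server pre-check: accept only tokens typed as at+jwt.

    This runs before, not instead of, signature, iss, aud and exp validation.
    """
    return header_typ(token) in ACCESS_TOKEN_TYPES


def make_sample(header: dict, claims: dict) -> str:
    """Build a constructed, unsigned sample token (placeholder signature)."""
    enc = lambda obj: b64url_encode(json.dumps(obj).encode())
    return f"{enc(header)}.{enc(claims)}.{b64url_encode(b'sig')}"


# Constructed samples: an RFC 9068 access token, an ID-token-style header, no typ.
ACCESS = make_sample({"alg": "RS256", "typ": "at+jwt"}, {"sub": "u1", "aud": "api"})
ID_TOKEN = make_sample({"alg": "RS256", "typ": "JWT"}, {"sub": "u1", "aud": "client"})
NO_TYP = make_sample({"alg": "RS256"}, {"sub": "u1"})
```

A token with no `typ` at all is rejected too, which is why this check only works once the issuer actually sets the header on every access token it mints.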