JWTs are being used in many places these days – identity tokens, access tokens, security events, logout tokens…
You actually have to be careful when validating a JWT that you don’t mistakenly confuse it with a JWT that was issued for a different purpose, but “looks” very similar to what you expect.
One example is from the OpenID Connect back-channel logout spec. Besides the “normal” validation steps like signature, issuer, audience and expiration – in addition you need to check for the existence of a specific claim – and it MUST NOT contain a nonce claim. Why? – well because otherwise you might confuse it with an identity token.
Explicit typing
The new JWT BCP document recommends introducing explicit types for JWTs.
Confusion of one kind of JWT for another can be prevented by having all the kinds of JWTs that could otherwise potentially be confused include an explicit JWT type value and include checking the type value in their validation rules. Explicit JWT typing is accomplished by using the "typ" header parameter.
And the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens draft proposes using at+jwt for the value of the typ header in OAuth 2.0 access tokens.
We agree that this is an issue and added the typed typ header in the new IdentityServer4 v3 – here’s an example access token:
Image may be NSFW.
Clik here to view.
The value is configurable via our options – and if you don’t like it, you can go back to the standard value as well.
