
Enable header.typ assertion #1004

@ewan-chalmers

Description

Describe the problem you'd like to have solved

I would like to be able to differentiate between access tokens and identity tokens, and specifically to fail JWT validation if the token is not an access token.

Describe the ideal solution

We can assert that a token is an access token by checking the typ header for the value at+jwt. See https://datatracker.ietf.org/doc/rfc9068/

I would like to have a typ option which I could set to the required value, with JWT verification failing if the expected type is not found in the header.

Alternatives and current work-arounds

Do not share the identity token with clients, so they cannot present an id_token for authentication.

Additional context

n/a
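The check the issue asks for, written out as an added example (not code from this project or from the issue author): decode the JOSE header of a compact JWT and fail closed unless its typ is one of the values RFC 9068 allows for access tokens, at+jwt or application/at+jwt, comparing case-insensitively as RFC 7515 section 4.1.9 recommends. The function and class names are assumptions; the sample tokens are constructed inline with a placeholder signature segment, since only the header is exercised here. In a real resource server this check belongs next to signature and claim verification in whatever library you use; a typ check alone does not authenticate anything.

```python
import base64
import json

# typ values RFC 9068 permits for a JWT access token (assumed constant name).
ACCESS_TOKEN_TYPES = frozenset({"at+jwt", "application/at+jwt"})


class TokenTypeError(ValueError):
    """Raised when a JWT is missing a typ header or carries the wrong one."""


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jose_header(token: str) -> dict:
    """Return the JOSE header of a compact JWS/JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenTypeError("not a compact JWS: expected 3 dot-separated segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers binascii.Error, UnicodeDecodeError, bad JSON
        raise TokenTypeError(f"unparseable JOSE header: {exc}") from exc
    if not isinstance(header, dict):
        raise TokenTypeError("JOSE header is not a JSON object")
    return header


def require_typ(token: str, allowed=ACCESS_TOKEN_TYPES) -> str:
    """Fail closed unless the token's typ header is one of `allowed`.

    A missing typ is rejected too: an ID token issued without typ must not be
    accepted as an access token by accident. Returns the normalized typ value.
    """
    allowed = {value.lower() for value in allowed}
    typ = jose_header(token).get("typ")
    if not isinstance(typ, str):
        raise TokenTypeError("missing typ header; token is not a declared access token")
    normalized = typ.lower()
    if normalized not in allowed:
        raise TokenTypeError(f"typ {typ!r} is not one of {sorted(allowed)}")
    return normalized


def is_access_token(token: str) -> bool:
    """Boolean wrapper around require_typ for use in a verification pipeline."""
    try:
        require_typ(token)
        return True
    except TokenTypeError:
        return False


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a constructed sample token. The third segment is a placeholder,
    not a real signature, because this example only inspects the header."""
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "placeholder-signature",
    ]
    return ".".join(segments)


# Constructed sample tokens (no real issuer, keys or signatures involved).
ACCESS_TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "at+jwt", "kid": "k1"},
    {"iss": "https://as.example", "sub": "alice", "aud": "api", "scope": "read"},
)
UPPERCASE_TYP_TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "AT+JWT"}, {"sub": "alice"}
)
ID_TOKEN = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": "https://as.example", "sub": "alice", "aud": "web-client", "nonce": "n1"},
)
NO_TYP_TOKEN = make_unsigned_token({"alg": "RS256"}, {"sub": "alice"})

if __name__ == "__main__":
    for name, tok in [("access", ACCESS_TOKEN), ("id", ID_TOKEN), ("no-typ", NO_TYP_TOKEN)]:
        print(f"{name}: access token = {is_access_token(tok)}")
```

The comparison is case-insensitive and the allowed set is normalized, so an issuer emitting AT+JWT still passes while JWT, a missing typ, or a malformed header all fail. Wire require_typ in as an extra gate; never let it replace signature, issuer, audience and expiry checks.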
