Reject token with un-encoded payload (b64=false) #301

Open
rdebusscher opened this issue Sep 14, 2022 · 1 comment
@rdebusscher
Member

As stated in RFC-7797 JSON Web Signature (JWS) Unencoded Payload Option,

> For interoperability reasons, JSON Web Tokens [JWT] MUST NOT use
> "b64" with a "false" value.

This means that this spec must be updated to mention that a token with a b64=false header must be rejected, and a TCK test is needed to confirm an implementation handles it correctly.

@sberyozkin sberyozkin added this to the MPJWT-3.0 milestone Sep 14, 2022
@sberyozkin
Contributor

I'm not sure MP JWT spec needs to focus on this property as it also involves the use of the crit header, https://www.rfc-editor.org/rfc/rfc7797#section-6, and it just can make it tricky to deal with; but please investigate if you'd like.
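Added example, not part of the issue thread or of the MicroProfile JWT code base: a Python sketch of the header check discussed above, run before signature verification by a verifier that supports no JWS extensions. The names `check_protected_header`, `sample_token`, `is_accepted` and `RejectedToken` are hypothetical, and refusing every `b64` value other than the literal `true` is a stricter choice assumed here.

```python
import base64
import json

class RejectedToken(ValueError):
    """The protected header rules this token out as a JWT."""

def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments are unpadded base64url; restore the padding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _no_duplicates(pairs):
    # Duplicate names would let two parsers disagree on the "b64" value.
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)):
        raise RejectedToken("duplicate header parameter name")
    return dict(pairs)

def check_protected_header(compact_jws: str) -> dict:
    """Run before signature verification; returns the parsed header."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise RejectedToken("not a three-part compact JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]),
                            object_pairs_hook=_no_duplicates)
    except RejectedToken:
        raise
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise RejectedToken("unreadable protected header") from exc
    if not isinstance(header, dict):
        raise RejectedToken("protected header is not a JSON object")
    # RFC 7797: a JWT MUST NOT use "b64" with a "false" value. Assumption made
    # here: be stricter and refuse anything but the JSON literal true.
    if "b64" in header and header["b64"] is not True:
        raise RejectedToken('"b64" other than true is not allowed in a JWT')
    # RFC 7515 section 4.1.11: "crit" entries the recipient does not support
    # invalidate the JWS; this verifier supports none, so any "crit" is refused.
    if "crit" in header:
        raise RejectedToken("unsupported critical header parameter")
    return header

def sample_token(header_json: str) -> str:
    # Constructed input: dummy payload and signature, only the header matters.
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(header_json.encode()), enc(b'{"sub":"demo"}'), enc(b"sig")])

def is_accepted(token: str) -> bool:
    try:
        check_protected_header(token)
        return True
    except RejectedToken:
        return False
```

A TCK-style test would feed tokens such as `sample_token('{"alg":"RS256","b64":false,"crit":["b64"]}')` through the check and expect a rejection.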
