jws: Header - make fields extensible or implement other registered ones #193
Comments
|
Is there any case where the header can be considered in the scope of JWT? JWS package is not a generic implementation of JSON Web messages but rather is scoped to its use with OAuth2 JWT. Also see #196. |
|
@rakyll Yes, the other JWS header types are definitely useful in the context of OAuth2 JWT, especially the two examples that I mentioned: "jwk" and "x5c". As a workaround, you can encode any arbitrary case-sensitive string in "kid", but if the spec calls for additional header types, it would be great to either implement more of them or make it possible for others to implement them but still reuse all the other code for signing / verifying and encoding / decoding. |
|
It would be also good to add extensions to the jwt package so the users can pick a non-default header and grant type. Currently, everyone is restricted to the hardcoded values at https://github.com/golang/oauth2/blob/master/jwt/jwt.go#L28. |
Support for Key ID ("kid") was recently added as a supported Header field. I was using Key ID prior to its addition, but because there's no extensible way to add Header fields, I had to basically duplicate all the other code.
There are other optional header fields mentioned in RFC 7515 that remain unimplemented. For example, "jwk" and "x5c".
If additional support for the remaining registered JWS header types will not be added, then please make Header extensible in some natural way to maximize code re-use if additional fields are needed. Perhaps like ClaimSet.PrivateClaimsSet where there's a map[string]interface{}.
The text was updated successfully, but these errors were encountered: