does "typ: JWT" need to be in the docs?

[warner]

From my reading of http://openid.net/specs/draft-jones-json-web-token-07.html , the sample JWTs in browserid/index.md should have a "typ" header field in addition to the cited "alg" one, so:

{"typ": "JWT", "alg": "RS256"}

instead of:

{"alg": "RS256"}

am I reading this right? If so, I'll whip up a patch for the docs.

[benadida]

I think you are, this appears to have changed. go for it!

[warner]

Our current code does not produce "typ" headers, nor does it look for them. So the objects we're creating can't be called "JWT"s. We've updated the docs to describe these objects as "JWT-like". So we can close this issue as a WONTFIX.

In a future version of the cert format, we should become more like JWTs, and start including these headers. We could safely add them now (since nothing is depending upon their absence), but let's make all the change in a single fell swoop.

[callahad]

Reopening. Tagging parity-jose for inclusion in future data format updates.

[djc]

It seems like I read draft-07 differently than you. It seems to me that "typ" is an optional key, except if "nested signing" is employed. This is the case for the JWT passed by an IdP for registerCertificate(), at least, so the "typ" header MUST be "JWS".