Hello @JonNode28
There's little opinion in the function, it does exactly what the standard says it should do, sans the documented things it doesn't validate that you're expected to validate after the function resolves.
I am not sure I want to support an API that does off-spec behaviours, it is also not needed, you can instantiate a

```js
// with dpop
new Request(new URL("https://rs.example.com/api/path"), {
  method: "GET",
  headers: new Headers({
    authorization: "dpop <JWT Access Token>",
    dpop: "<DPoP JWT Proof>",
  }),
});

// without dpop
new Request(new URL("https://rs.example.com/api/path"), {
  method: "GET",
  headers: new Headers({
    authorization: "bearer <JWT Access Token>",
  }),
});
```
The `validateJwtAccessToken` function assumes the access token will be supplied in the `authentication` header which, while a common standard, is not always the case. A lower level function that accepts the access token (and dpop) and does the validation without knowing where the values came from would accommodate other strategies such as secure cookies. Happy to do the work if accepted
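The reply's approach of constructing the `Request` yourself, sketched for the secure-cookie case raised in the question. This is an added example, not part of the thread or of the library's own code; the cookie name `access_token` and the helpers `readCookie` and `toSpecRequest` are hypothetical, and the returned `Request` is what would then be passed to `validateJwtAccessToken`.

```javascript
// Added example: adapt a cookie-carried access token into the spec-shaped
// Request shown in the reply. Cookie and helper names are hypothetical.

// RFC 6750 b64token syntax; rejects whitespace and control characters.
const TOKEN_SYNTAX = /^[A-Za-z0-9._~+\/-]+=*$/;

// Return the value of the named cookie from a Cookie header, or undefined.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader ?? "").split(";")) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return undefined;
}

function toSpecRequest(incoming, cookieName = "access_token") {
  // Refuse ambiguous input: exactly one token source per request.
  if (incoming.headers.has("authorization")) {
    throw new Error("authorization header and token cookie must not be combined");
  }
  const token = readCookie(incoming.headers.get("cookie"), cookieName);
  if (token === undefined || !TOKEN_SYNTAX.test(token)) {
    throw new Error("missing or malformed access token cookie");
  }
  // A DPoP proof header, if present, selects the dpop scheme.
  const proof = incoming.headers.get("dpop");
  const headers = new Headers({
    authorization: `${proof === null ? "bearer" : "dpop"} ${token}`,
  });
  if (proof !== null) headers.set("dpop", proof);
  // Keep the original method and URL: a DPoP proof is bound to both.
  return new Request(new URL(incoming.url), { method: incoming.method, headers });
}
```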