Support for JWT Header TYP as "at+jwt" #13185
Labels: in: oauth2; status: duplicate; type: enhancement
This is a follow-up issue:
Expected Behavior
Currently, if the JWT has typ "at+jwt", the token is rejected with the message "Failed to authenticate since the JWT was invalid". Spring Security OAuth2 Resource Server with a JWT as the bearer token should accept typ "at+jwt" as well.
Current Behavior
Currently, if the JWT has typ "at+jwt", the token is rejected with the message "Failed to authenticate since the JWT was invalid".
My authorization server is issuing JWT access tokens with typ "at+jwt", as per the following draft:
https://www.rfc-editor.org/rfc/rfc9068.html
How has this issue affected you?
The JWT is rejected although it is correct as per the authorization server.
What are you trying to accomplish?
Validate JWT Bearer token using Spring Security OAuth2 Resource Server capabilities.
What other alternatives have you considered?
Ugly workaround (custom JWT decoder).
Are you aware of any workarounds?
Custom JWT decoder (quite cumbersome).
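For readers looking for the custom-decoder workaround mentioned above, the following is an added example (not code from the issue author or from the Spring Security project). It replaces the JWS type verifier on NimbusJwtDecoder so that only the RFC 9068 access-token types are accepted, and keeps issuer and audience validation in place; the issuer, JWK Set URI and audience values are placeholder assumptions.

```java
import java.util.List;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class AtJwtDecoderConfig {

    // Placeholder values (assumptions): use your authorization server's settings.
    private static final String ISSUER = "https://issuer.example";
    private static final String JWK_SET_URI = ISSUER + "/.well-known/jwks.json";
    private static final String AUDIENCE = "https://api.example";

    @Bean
    JwtDecoder jwtDecoder() {
        // Accept only the RFC 9068 media types in the "typ" header.
        // Tokens with typ "JWT", another value, or no typ are rejected,
        // so an ID token cannot be replayed as an access token.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
            .jwtProcessorCustomizer(processor -> processor.setJWSTypeVerifier(
                new DefaultJOSEObjectTypeVerifier<>(
                    new JOSEObjectType("at+jwt"),
                    new JOSEObjectType("application/at+jwt"))))
            .build();

        // RFC 9068 also requires the resource server to check "iss" and "aud".
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }
}
```

If the same resource server must also accept tokens from an issuer that sets typ to "JWT", add that type to the verifier explicitly rather than disabling the type check.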