Can this header be used to designate which claims within the payload are deemed mandatory? The desire is to have any token verification fail if such a specified list of mandatory claims is not found within the payload.
Our security team has currently implemented such a feature by utilizing the "crit" header to contain this list of mandatory claims. I've recently found that the jose library fails any validation attempt of our token, as it doesn't find matching parameters for each of the crit array elements within the header portion of the token (the parameters are only within the payload at present), and the author has informed me that his interpretation of RFC 7515 is that any values within the crit array MUST also be in the header. There is an example in section 4.1.11 of trying to make "exp" mandatory, and it shows "exp" alongside other header parameters. There is no mention of whether, in such an example, the "exp" would also be repeated within the payload or not. What would be the expectation? If "crit" is not meant to convey mandatory parameters, are there any other standardization efforts for designating mandatory claims within a token?

Thanks - Vinod

Vinod Seraphin | Senior Fellow Engineer, Emerging Technologies | Pegasystems Inc.
Office: (617) 528.5272 | E-Mail: [email protected] | LinkedIn: https://www.linkedin.com/in/vinodseraphin | www.pega.com
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
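The distinction the thread turns on, shown in code (an added example, not code from the post, the jose library, or Pegasystems): a compact-JWS verifier that applies the RFC 7515 section 4.1.11 rules for "crit" to the protected header (every listed name must be a header parameter that is present, not a registered JWS/JWA name, not duplicated, and understood by the recipient), and a separate verifier-side policy that enforces a list of mandatory payload claims. The HS256 key, the tokens, and the assumption that this verifier "understands" an extension header named "exp" (mirroring the RFC's own example) are all constructed for illustration.

```python
"""Added example: RFC 7515 4.1.11 "crit" handling vs. verifier-side mandatory claims.
Not code from the mailing-list post or any library; key and tokens are constructed."""
import base64
import hashlib
import hmac
import json

# Header Parameter names registered for JWS by RFC 7515 / RFC 7518; "crit" MUST NOT list these.
JWS_REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jws(header: dict, payload: dict, key: bytes) -> str:
    """Build a constructed HS256 compact JWS for the demo (sample data only)."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def check_crit(header: dict, supported_ext: set):
    """Return None if 'crit' (when present) satisfies RFC 7515 4.1.11, else the reason."""
    if "crit" not in header:
        return None
    crit = header["crit"]
    if not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit):
        return "crit must be a non-empty array of strings"
    if len(set(crit)) != len(crit):
        return "crit contains duplicate names"
    for name in crit:
        if name in JWS_REGISTERED:
            return f"crit lists registered JWS header parameter {name!r}"
        if name not in header:  # crit names header parameters, never payload claims
            return f"crit names {name!r} but it is not a header parameter"
        if name not in supported_ext:
            return f"critical extension {name!r} not understood"
    return None


def verify_jws(token: str, key: bytes, supported_ext: set, required_claims: set):
    """Return (True, payload) or (False, reason); the payload is untrusted until the MAC checks."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        return False, "malformed token"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    reason = check_crit(header, supported_ext)
    if reason:
        return False, reason
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    payload = json.loads(b64url_decode(p))
    if not isinstance(payload, dict):
        return False, "payload is not a JSON object"
    missing = required_claims - set(payload)  # verifier policy, independent of "crit"
    if missing:
        return False, f"missing mandatory claims: {sorted(missing)}"
    return True, payload


KEY = b"constructed-shared-secret-for-example-only"  # constructed, never reuse


def demo():
    # 1. crit names a header parameter that is present in the header (shape of the RFC example).
    ok1 = make_jws({"alg": "HS256", "crit": ["exp"], "exp": 1363284000}, {"sub": "alice"}, KEY)
    # 2. crit names payload claims that are not header parameters: rejected as invalid JWS.
    bad2 = make_jws({"alg": "HS256", "crit": ["exp", "sub"]}, {"sub": "alice", "exp": 1363284000}, KEY)
    # 3. mandatory claims enforced by verifier policy on the payload, with no crit at all.
    tok3 = make_jws({"alg": "HS256"}, {"sub": "alice"}, KEY)
    return (verify_jws(ok1, KEY, {"exp"}, set()),
            verify_jws(bad2, KEY, {"exp"}, set()),
            verify_jws(tok3, KEY, set(), {"sub", "exp"}),
            verify_jws(tok3, KEY, set(), {"sub"}))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second token is the situation described in the post: the names in "crit" exist only as payload claims, so a conforming verifier rejects the JWS before it ever looks at the payload. The third and fourth calls show the mandatory-claims requirement living where it belongs, in the verifier's own policy (`required_claims`), which does not depend on any header parameter the issuer sets.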
