No, per https://tools.ietf.org/html/rfc7515#section-4.1.11 the "crit"
header is only to indicate what JWS/JWE extension *headers* must be
understood and processed by the recipient. It has no bearing on the payload
whatsoever.

Typically designating a set of mandatory claims is done by the profile or
application of JWT and enforced by policy set up (configured or coded) at
the receiver.

On Mon, Oct 21, 2019 at 2:44 PM Seraphin, Vinod <[email protected]>
wrote:

> Can this header be used to designate which claims within the payload are
> deemed mandatory? The desire is to have any token verification fail if
> such a specified list of mandatory claims is not found within the payload.
>
> Our security team has currently implemented such a feature by utilizing
> the “crit” header to contain this list of mandatory claims.  I’ve recently
> found that the jose library fails any validation attempt of our token as it
> doesn’t find matching parameters for each of the crit array elements within
> the header portion of the token (the parameters are only within the payload
> at present), and the author has informed me that his interpretation of RFC
> 7515 is that any values within the crit array MUST also be in the header.
> There is an example in section 4.1.11 that tries to make “exp” mandatory,
> and it shows “exp” with other header parameters. There is no mention of
> whether in such an example the “exp” would also be repeated within the
> payload or not. What would be the expectation?
>
> If “crit” is not meant to convey mandatory parameters, are there any other
> standardization efforts for designating mandatory claims within a token?
>
> Thanks
>
> - Vinod
>
> Vinod Seraphin | Senior Fellow Engineer, Emerging Technologies | Pegasystems Inc.
>
> Office: (617) 528.5272 | E-Mail: [email protected] | LinkedIn:
> vinodseraphin <https://www.linkedin.com/in/vinodseraphin> | www.pega.com
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
>

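An added example, not code from this thread or from any jose library, showing the two checks the reply keeps separate: the RFC 7515 section 4.1.11 rules for "crit", which apply only to header parameters, and a receiver-configured list of mandatory claims enforced on the payload by policy. The function names and the small set of registered header parameter names are assumptions made for the example.

```python
# Registered JWS/JWE header parameter names that "crit" may not list
# (RFC 7515 s.4.1.11).  Constructed subset of the IANA registry for this example.
REGISTERED_HEADER_PARAMS = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
                            "x5t#S256", "typ", "cty", "crit", "enc", "zip"}


def check_crit(header, understood_extensions):
    """Apply the RFC 7515 "crit" rules to a decoded JOSE header.

    Returns None when the header is acceptable, otherwise a reason string.
    "crit" governs *header* parameters only: every name it lists must be a
    header parameter that is present and understood by the recipient,
    regardless of whether a claim of the same name appears in the payload.
    """
    if "crit" not in header:
        return None
    crit = header["crit"]
    if (not isinstance(crit, list) or not crit
            or not all(isinstance(n, str) for n in crit)):
        return "crit must be a non-empty array of strings"
    for name in crit:
        if name in REGISTERED_HEADER_PARAMS:
            return f"crit may not list registered header parameter {name!r}"
        if name not in header:
            return f"crit lists {name!r} but no such header parameter is present"
        if name not in understood_extensions:
            return f"critical header parameter {name!r} is not understood"
    return None


def missing_required_claims(payload, required_claims):
    """Receiver-side policy, separate from JWS: which mandatory claims are absent."""
    return sorted(set(required_claims) - set(payload))


def accept_token(header, payload, understood_extensions=(), required_claims=()):
    """Combine both checks; signature verification is assumed to run before this."""
    reason = check_crit(header, set(understood_extensions))
    if reason is not None:
        return False, reason
    missing = missing_required_claims(payload, required_claims)
    if missing:
        return False, "missing mandatory claims: " + ", ".join(missing)
    return True, "ok"
```

A header of `{"alg": "ES256", "crit": ["exp"]}` over a payload that carries "exp" is rejected by `check_crit`, which is the behaviour described in the thread; the same payload passes when "exp" is instead required through `required_claims`.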
