|
355 | 355 | used as the audience of the JWT; |
356 | 356 | this includes that the token endpoint URL of the authorization server |
357 | 357 | MUST NOT be used as an audience value. |
358 | | - To simplify implementations, |
359 | | - the <spanx style="verb">aud</spanx> claim value MUST |
360 | | - be a JSON string, and not a single-valued JSON array. |
361 | 358 | The authorization server MUST reject any JWT that does not |
362 | 359 | contain its issuer identifier as its sole audience value. |
363 | 360 | </t> |
|
375 | 372 | the following requirement is added: |
376 | 373 | <list style="empty"> |
377 | 374 | <t> |
378 | | - Client authentication JWTs MUST be explicitly typed by using the |
| 375 | + Client authentication JWTs SHOULD be explicitly typed by using the |
379 | 376 | <spanx style="verb">typ</spanx> header parameter value |
380 | 377 | <spanx style="verb">client-authentication+jwt</spanx> |
381 | | - another more specific explicit type value defined by a specification profiling this specification. |
382 | | - Client authentication JWTs not using the explicit type value |
383 | | - MUST be rejected by the authorization server. |
| 378 | + or another more specific explicit type value defined by a specification profiling this specification. |
384 | 379 | </t> |
385 | 380 | </list> |
386 | 381 | </t> |
|
529 | 524 | The authorization server MUST reject any such JWT that does not |
530 | 525 | contain its own issuer identifier as the sole audience value. |
531 | 526 | </t> |
| 527 | + <t> |
| 528 | + The introduction of strong typing for JWTs (using explicit <spanx style="verb">typ</spanx> |
| 529 | + values) serves as a signal to distinguish between tokens produced in accordance with |
| 530 | + specifications published prior to these updates and those incorporating them. However, |
| 531 | + the primary security protection comes from the tightened audience requirements. Since |
| 532 | + strong typing alone does not prevent the attacks described in <xref |
| 533 | + target="private_key_jwt.Disclosure" /> and <xref target="Audience.Injection" />, the |
| 534 | + use of explicit typing is suggestion for clients enabling them to signal their intention of sending |
| 535 | + a JWT conforming to the requirements herein. This approach balances security signaling with practical |
| 536 | + deployment considerations, avoiding disruption to client deployments that already |
| 537 | + conform to the tightened audience requirements but have not yet adopted explicit typing. |
| 538 | + </t> |
532 | 539 | </list> |
533 | 540 | </t> |
534 | 541 | </section> |
|
799 | 806 | </t> |
800 | 807 |
|
801 | 808 | <t> |
| 809 | + -03 |
| 810 | + <list style="symbols"> |
| 811 | + <t> |
| 812 | + Relaxed client requirement to use strong typed JWTs. SHOULD instead of MUST. |
| 813 | + </t> |
| 814 | + <t> |
| 815 | + Do not restrict the "aud" claim's type. Allow it to be a an array with a single member. |
| 816 | + </t> |
| 817 | + </list> |
802 | 818 | -02 |
803 | 819 | <list style="symbols"> |
804 | 820 | <t> |
|
0 commit comments