Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Decode error due to invalid typ header #20

Closed
AdnaneOnFire opened this issue Mar 27, 2024 · 1 comment
Closed

Decode error due to invalid typ header #20

AdnaneOnFire opened this issue Mar 27, 2024 · 1 comment

Comments

@AdnaneOnFire
Copy link

AdnaneOnFire commented Mar 27, 2024

I noticed the following behavior while trying to validate third party produced tokens. It seems that the only allowed value for the typ header is jwt. This is due to the following https://github.com/authlib/joserfc/blob/main/src/joserfc/jwt.py#L109

I feel this is contradictory with the assessment made for the following older issue , which allowed a more free form typ header. At any rate if we can encode a jwt with typ other than jwt , we should be able to decode the generated jwt.

Can you maybe validate typ header as a string with a reasonable max length instead ? or maybe accept any string with "mime type format" as valid. This make sens as , according to https://www.rfc-editor.org/rfc/rfc7519#section-5.1 :

The "typ" (type) Header Parameter defined by [[JWS](https://www.rfc-editor.org/rfc/rfc7519#ref-JWS)] 
and [[JWE](https://www.rfc-editor.org/rfc/rfc7519#ref-JWE)] is used by JWT applications to declare 
the media type [[IANA.MediaTypes](https://www.rfc-editor.org/rfc/rfc7519#ref-IANA.MediaTypes)] 
of this complete JWT.

I would be happy to make a PR in this direction.

@lepture
Copy link
Member

lepture commented Apr 7, 2024

Thanks, a PR is welcome.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants