OAuth2: local validation with RFC9068 tokens
Tomas Habarta
lists+dovecot at tocc.cz
Wed Mar 1 11:24:46 UTC 2023
Hello,
my IdP is kind of progressive and implemented RFC9068, where all access tokens now come with typ "at+JWT".
Since the setup has used local validation, I had to switch and currently use introspection endpoint. Looked around at the src and there seems to be relatively simple check of the token typ checking the only fixed value of "JWT" -- do you think you could consider tuning it a little bit so that local validation works also with such tokens?
I am not an expert on OAuth2 so have no idea whether this is a valid request, but think that such a token is still JWT but has the required structure per RFC, which should not anyhow be in collision with a simple "JWT" typ. Saying that, I would not wonder if the statement is not correct :)
Many thanks,
Tomas
More information about the dovecot
mailing list