OAuth2: local validation with RFC9068 tokens

Tomas Habarta lists+dovecot at tocc.cz
Wed Mar 1 11:24:46 UTC 2023


My IdP is kind of progressive and implemented RFC9068, where all access tokens now come with typ "at+JWT".
Since the setup has used local validation, I had to switch and currently use the introspection endpoint. I looked around at the src and there seems to be a relatively simple check of the token typ, checking only the fixed value of "JWT" -- do you think you could consider tuning it a little bit so that local validation works also with such tokens?
I am not an expert on OAuth2, so I have no idea whether this is a valid request, but I think that such a token is still a JWT that has the required structure per the RFC, which should not in any way be in collision with a simple "JWT" typ. That said, I would not be surprised if that statement is not correct :)

Many thanks,
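To illustrate the check the post is asking about, here is an added example (not Dovecot's code): a minimal local validator for an HS256 access token, with the narrow "typ must be exactly JWT" check beside a check that also accepts the RFC 9068 types ("at+jwt" and "application/at+jwt", compared case-insensitively as media type names are). The shared secret, the IdP issuer and the tokens are all constructed for the demo.

```python
import base64, hashlib, hmac, json

# "typ" values to accept: plain "JWT" (RFC 7519) and the RFC 9068 access-token
# types; media type names compare case-insensitively, so "at+JWT" matches too.
ACCEPTED_TYP = {"jwt", "at+jwt", "application/at+jwt"}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def strict_typ_ok(header):
    """The narrow check described in the post: only the literal "JWT" passes."""
    return header.get("typ") == "JWT"

def relaxed_typ_ok(header):
    """Accept JWT and RFC 9068 at+jwt, case-insensitively, and nothing else."""
    typ = header.get("typ")
    return isinstance(typ, str) and typ.lower() in ACCEPTED_TYP

def validate_local(token, key, typ_check=relaxed_typ_ok):
    """Local validation of an HS256 token: parse, pin alg, verify the
    signature, then apply the typ check. Returns claims or None."""
    try:
        h, p, s = token.split(".")
        header, sig = json.loads(b64url_decode(h)), b64url_decode(s)
    except ValueError:           # malformed base64/JSON or wrong part count
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None              # never let the token choose the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not typ_check(header):
        return None
    return json.loads(b64url_decode(p))

def make_token(header, claims, key):
    """Constructed sample token from a hypothetical IdP; not a real credential."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

KEY = b"constructed-demo-secret"
CLAIMS = {"iss": "https://idp.example", "sub": "user@example.com", "aud": "imap"}
PLAIN_JWT = make_token({"alg": "HS256", "typ": "JWT"}, CLAIMS, KEY)
RFC9068_AT = make_token({"alg": "HS256", "typ": "at+JWT"}, CLAIMS, KEY)
```

With `strict_typ_ok` the RFC 9068 token is rejected even though its signature is valid, which is exactly the situation that forced the switch to introspection; the relaxed check still rejects unknown typ values and still verifies the signature before looking at typ at all.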
