
Error when validating MS Entra access token JWT: "Unsupported {'nonce'} in header"

Open bjmc opened this issue 7 months ago • 1 comment

I don't know if this is a vendor-specific issue or not, but Microsoft includes a nonce field in the header of their JWT access tokens. Because joserfc strictly validates the keys in the header against its registry, this causes these tokens to fail validation.

How would you feel about accepting a nonce parameter in the header and exposing it to callers that wish to validate it?

bjmc avatar May 12 '25 14:05 bjmc

You can set a validator for nonce yourself.

https://jose.authlib.org/en/guide/jwt/#validate-claims

lepture avatar May 13 '25 14:05 lepture
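An added illustration, not joserfc's code and not from either participant in the thread: a stdlib-only model of what a strict JWS header registry does to a token whose protected header carries `nonce`, and of the two ways out that the thread points at, extending the registry with an explicit `nonce` entry and handing the value to a caller-supplied validator. The registry contents, the `check_header` semantics and the sample token are all constructed for the example; the sample is not a real Entra token and nothing here verifies a signature.

```python
import base64
import json
from typing import Callable, Optional

# Added example, not joserfc's code. A minimal model of a JWS header registry
# in the spirit of a strict header check: each entry maps a header parameter
# name to (description, expected Python type, required).
BASE_HEADER_REGISTRY = {
    "alg": ("Algorithm", str, True),
    "typ": ("Type", str, False),
    "kid": ("Key ID", str, False),
    "x5t": ("X.509 certificate SHA-1 thumbprint", str, False),
}

# Extended registry: the same entries plus the non-standard 'nonce' parameter
# that Microsoft Entra puts in the protected header of some access tokens.
ENTRA_HEADER_REGISTRY = {
    **BASE_HEADER_REGISTRY,
    "nonce": ("Nonce (Microsoft Entra access tokens)", str, False),
}


class UnsupportedHeaderError(ValueError):
    """Raised when the protected header carries parameters the registry does not know."""


def b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def protected_header(token: str) -> dict:
    """Parse the first segment of a compact JWS/JWT. No signature check here."""
    first, _, _ = token.partition(".")
    header = json.loads(b64url_decode(first))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    return header


def check_header(header: dict, registry: dict, strict: bool = True) -> None:
    """Strict check: unknown names are an error; known names are type-checked."""
    unsupported = set(header) - set(registry)
    if strict and unsupported:
        raise UnsupportedHeaderError(f"Unsupported {unsupported} in header")
    for name, (_, expected_type, required) in registry.items():
        if name not in header:
            if required:
                raise ValueError(f"Required header parameter {name!r} is missing")
            continue
        if not isinstance(header[name], expected_type):
            raise ValueError(f"Header parameter {name!r} must be {expected_type.__name__}")


def header_error(header: dict, registry: dict, strict: bool = True) -> Optional[str]:
    """Same check, returning the error message instead of raising."""
    try:
        check_header(header, registry, strict)
    except ValueError as exc:
        return str(exc)
    return None


def validate_entra_header(
    token: str, nonce_validator: Optional[Callable[[str], bool]] = None
) -> dict:
    """Accept 'nonce' in the header and hand it to a caller-supplied validator.

    Header-only check: the signature still has to be verified against the
    issuer's JWKS, and iss/aud/exp validated on the payload, by real library code.
    """
    header = protected_header(token)
    check_header(header, ENTRA_HEADER_REGISTRY)
    if nonce_validator is not None and "nonce" in header:
        if not nonce_validator(header["nonce"]):
            raise ValueError("nonce rejected by validator")
    return header


# Constructed sample, not a real Entra token: an RS256 header with a 'nonce',
# an empty JSON payload and an empty signature segment.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid",
                 "x5t": "constructed-kid", "nonce": "constructed-nonce"}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode()),
    b64url_encode(b"{}"),
    "",
])


if __name__ == "__main__":
    hdr = protected_header(SAMPLE_TOKEN)
    print("strict base registry:", header_error(hdr, BASE_HEADER_REGISTRY))
    print("extended registry:  ", header_error(hdr, ENTRA_HEADER_REGISTRY))
    print(validate_entra_header(SAMPLE_TOKEN, nonce_validator=lambda n: len(n) >= 8))
```

Against the base registry the model reproduces the message from the issue title, `Unsupported {'nonce'} in header`; with `nonce` registered the header passes and the value reaches the validator. With joserfc itself the equivalent is to build a custom registry that knows `nonce` (or relaxes the strict header check) and pass it to the decode call; the exact constructor and parameter names are not shown on this page, so check them against the current joserfc documentation rather than this example. One caveat worth knowing before adding the parameter at all: Entra access tokens that carry `nonce` in the header are the ones minted for Microsoft Graph, and Microsoft documents those as not meant to be validated by anyone but Graph (their signatures do not verify against the published keys). Seeing `nonce` in a token presented to your own API usually means the client requested a token for the wrong audience, and the fix belongs on the client side, not in the verifier's header registry.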