php-jwt

Support at+jwt access token type

Open ronnybremer opened this issue 8 months ago • 0 comments

https://github.com/miladrahimi/php-jwt/blob/6555d0d46b396436e5bf64fbc2cecc78ba5c6f27/src/Parser.php#L154

This code line will throw an exception when any other JWT type besides "jwt" is found. This RFC https://datatracker.ietf.org/doc/html/rfc9068 registers the type "at+jwt" for OAuth2 access tokens and I think this library should be able to validate them.

Section 4 of the RFC outlines the validation steps needed, which seem to be pretty much in line with what this library does anyway:

  • validate signature
  • validate ISS
  • validate AUD
  • validate EXP

In case the access token is encrypted, it would need to be decrypted; the same holds for type "jwt". What do you think?

ronnybremer Jun 19 '24 12:06
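
The checks listed in the issue (typ, signature, ISS, AUD, EXP), sketched as a stand-alone PHP script. This is an added example, not code from miladrahimi/php-jwt or from the issue author; the function names are hypothetical, and HS256 with a shared key plus all token values are constructed assumptions so the script runs offline.

```php
<?php
// Added example: not code from miladrahimi/php-jwt. HS256, the key and all
// claim values are constructed so the script runs offline.

function b64u(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64uDecode(string $s): string {
    $s = strtr($s, '-_', '+/');
    $bin = base64_decode(str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '='), true);
    return $bin === false ? '' : $bin;
}

function validateAccessToken(string $jwt, string $key, string $iss, string $aud, int $now): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new UnexpectedValueException('not a compact JWS');
    [$h, $p, $sig] = $parts;
    $header = json_decode(b64uDecode($h), true);
    $claims = json_decode(b64uDecode($p), true);
    if (!is_array($header) || !is_array($claims)) throw new UnexpectedValueException('malformed JSON');
    // RFC 9068 section 4: only these two typ values mark a JWT access token.
    if (!in_array($header['typ'] ?? null, ['at+jwt', 'application/at+jwt'], true))
        throw new UnexpectedValueException('typ is not at+jwt');
    // The algorithm is pinned by the verifier, never chosen by the token.
    if (($header['alg'] ?? null) !== 'HS256') throw new UnexpectedValueException('unexpected alg');
    if (!hash_equals(hash_hmac('sha256', "$h.$p", $key, true), b64uDecode($sig)))
        throw new UnexpectedValueException('bad signature');
    if (($claims['iss'] ?? null) !== $iss) throw new UnexpectedValueException('wrong iss');
    // aud may be a single string or an array of strings.
    if (!in_array($aud, (array)($claims['aud'] ?? []), true)) throw new UnexpectedValueException('wrong aud');
    if (!is_int($claims['exp'] ?? null) || $claims['exp'] <= $now) throw new UnexpectedValueException('expired');
    return $claims;
}

// Constructed sample tokens: same claims, different typ header.
function sampleToken(string $typ, string $key): string {
    $h = b64u(json_encode(['alg' => 'HS256', 'typ' => $typ]));
    $p = b64u(json_encode(['iss' => 'https://as.example', 'aud' => 'https://api.example', 'exp' => 2000000000]));
    return "$h.$p." . b64u(hash_hmac('sha256', "$h.$p", $key, true));
}

$key = 'constructed-demo-key';
foreach (['at+jwt', 'jwt'] as $typ) {
    try {
        validateAccessToken(sampleToken($typ, $key), $key, 'https://as.example', 'https://api.example', 1700000000);
        echo "$typ: accepted\n";
    } catch (UnexpectedValueException $e) {
        echo "$typ: rejected ({$e->getMessage()})\n";
    }
}
```

A resource server that accepts only access tokens keeps the typ allow-list this narrow, so a token with typ "jwt" issued for another purpose is not accepted in its place.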