Update the documentation pages

OpenIddict Bot
2022-01-07 16:01:25 +00:00
parent c7d19ecbc3
commit 61bd763dc1
64 changed files with 134 additions and 134 deletions


@@ -80,7 +80,7 @@ developed and maintained by Microsoft to generate signed and encrypted tokens us
<h3 id="jwt-token-types">JWT token types</h3>
<p>To protect against token substitution and confused deputy attacks, <strong>OpenIddict 3.0 uses the standard <code>typ</code> JWT header to convey the actual token type</strong>.
This mechanism replaces the private <code>token_usage</code> claim used for the same purpose in previous versions of OpenIddict.</p>
<p>As required by the <a href="https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-2.1">JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens draft</a>,
<p>As required by the <a href="https://datatracker.ietf.org/doc/html/rfc9068">JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens specification</a>,
<strong>access tokens produced by OpenIddict 3.0 are always issued with a <code>&quot;typ&quot;: &quot;at+jwt&quot;</code> header</strong> while identity tokens still use <code>&quot;typ&quot;: &quot;JWT&quot;</code> for backward compatibility.
Other types of tokens only accepted by OpenIddict&#39;s own endpoints use private token types prefixed by <code>oi_</code>.</p>
<h3 id="disabling-jwt-access-token-encryption">Disabling JWT access token encryption</h3>
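Review bot: the replacement "As required by" link drops the `#section-2.1` fragment that the old draft URL carried, so the sentence no longer points at the clause it cites for the `"typ": "at+jwt"` requirement. Consider keeping a section anchor on the `rfc9068` URL, after checking that the section numbering in the published RFC still matches the draft. It would also help to name the RFC number in the link text, so readers can identify the specification without following the link. Since this is a security-relevant statement about token type validation, a precise citation makes it easier to check the documented behaviour against the standard.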