diff --git a/configuration/token-formats.html b/configuration/token-formats.html index 1672c45..0a18197 100644 --- a/configuration/token-formats.html +++ b/configuration/token-formats.html @@ -69,9 +69,10 @@
OpenIddict 3.0 implements the JSON Web Token, JSON Web Signature and JSON Web Encryption standards and relies on the +
OpenIddict 3.0 implements the JSON Web Token, JSON Web Signature +and JSON Web Encryption standards and relies on the Azure Active Directory IdentityModel Extensions for .NET library -developed and maintained by Microsoft to generate signed and encrypted JWT tokens using the encryption and signing credentials registered in the server options.
+developed and maintained by Microsoft to generate signed and encrypted tokens using the credentials registered in the server options.To protect against token substitution and confused deputy attacks, OpenIddict 3.0 uses the standard typ
JWT header to convey the actual token type.
This mechanism replaces the private token_usage
claim used for the same purpose in previous versions of OpenIddict.
OpenIddict 3.0 can also be configured to use ASP.NET Core Data Protection to create -Data Protection tokens instead of JWT tokens. ASP.NET Core Data Protection is supported for all types of tokens, except identity tokens, that are always JWT tokens.
+Data Protection tokens instead of JWT tokens. ASP.NET Core Data Protection uses its own key ring to encrypt and protect tokens against tampering and is supported for all +types of tokens, except identity tokens, that are always JWT tokens.Unlike JWT, ASP.NET Core Data Protection tokens only support symmetric encryption and rely on a binary format developed by the ASP.NET team rather than on a standard like JWT. While this prevents using such tokens in scenarios where interoperability is needed, opting for ASP.NET Core Data Protection rather than JWT has actually a few advantages:
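Review bot: two wording issues in the added lines of this hunk. In "+types of tokens, except identity tokens, that are always JWT tokens." the relative clause should be "which are always JWT tokens" (non-restrictive), and "has actually a few advantages" reads better as "actually has a few advantages". Separately, the rewrite of the first paragraph drops the qualifier from "using the encryption and signing credentials registered in the server options" down to "using the credentials registered in the server options"; since this paragraph is the one place the page ties signing and encryption to the server options, keeping "encryption and signing credentials" would make it clearer which credentials are meant. The new sentence "Unlike JWT, ASP.NET Core Data Protection tokens only support symmetric encryption and rely on a binary format developed by the ASP.NET team" is a useful caveat for readers deciding between the two formats; consider placing it directly after the sentence about the Data Protection key ring so the two statements about the Data Protection format sit together.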