Update the link to the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens specification

This commit is contained in:
Kévin Chalet
2022-01-07 17:00:27 +01:00
parent 97d86fe382
commit b3a75b3a63
2 changed files with 10 additions and 10 deletions


@@ -18,7 +18,7 @@ developed and maintained by Microsoft to generate signed and encrypted tokens us
To protect against token substitution and confused deputy attacks, **OpenIddict 3.0 uses the standard `typ` JWT header to convey the actual token type**.
This mechanism replaces the private `token_usage` claim used for the same purpose in previous versions of OpenIddict.
As required by the [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens draft](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-2.1),
As required by the [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens specification](https://datatracker.ietf.org/doc/html/rfc9068),
**access tokens produced by OpenIddict 3.0 are always issued with a `"typ": "at+jwt"` header** while identity tokens still use `"typ": "JWT"` for backward compatibility.
Other types of tokens only accepted by OpenIddict's own endpoints use private token types prefixed by `oi_`.
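Review bot: the replacement link on the added line drops the `#section-2.1` anchor that the removed draft link carried, so readers now land at the top of RFC 9068 instead of at the header requirements this sentence cites. Consider `https://datatracker.ietf.org/doc/html/rfc9068#section-2.1`, which is the RFC's "Header" section where the `"typ": "at+jwt"` requirement is stated, so the citation stays as precise as before.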