Handle critical fields in JWT tokens
Closed this issue · 1 comments
dividedmind commented
There is no mechanism in JWT to indicate critical fields and even if there was, this verification requires application cooperation since it is application-specific; hence it's up to the consumer to examine the claims and have the final decision.
Additional docstrings have been added to Slosilo methods to highlight this requirement, and a mechanism following this advice rejecting unrecognized claims has been added to conjur-rack. This story can thus be closed.
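The consumer-side check described in the comment above, as an added example that is not part of the original comment and is not code from Slosilo or conjur-rack. The claim allow-list, the function names and the sample tokens are assumptions made for illustration, and signature verification is assumed to have already succeeded before this runs.

```ruby
require 'json'

# Hypothetical allow-list: the only claims this consumer knows how to interpret.
RECOGNIZED_CLAIMS = %w[iat exp sub].freeze

class UnrecognizedClaimError < StandardError; end

# base64url helpers (JWT segments are unpadded base64url).
def b64url_decode(segment)
  padded = segment + '=' * ((4 - segment.length % 4) % 4)
  padded.tr('-_', '+/').unpack1('m0')
end

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# Extract the claims object from a compact JWT (header.payload.signature).
# Assumption: the signature was verified by the caller before this point.
def jwt_claims(token)
  segments = token.split('.')
  raise ArgumentError, 'expected three JWT segments' unless segments.length == 3
  claims = JSON.parse(b64url_decode(segments[1]))
  raise ArgumentError, 'JWT payload must be a JSON object' unless claims.is_a?(Hash)
  claims
end

# Fail closed: a token carrying any claim the application does not
# recognize is rejected instead of having that claim silently ignored.
def validate_claims!(claims, recognized: RECOGNIZED_CLAIMS)
  unknown = claims.keys - recognized
  unless unknown.empty?
    raise UnrecognizedClaimError, "unrecognized claims: #{unknown.sort.join(', ')}"
  end
  claims
end

# Builds a constructed sample token; the signature segment is a placeholder.
def sample_token(claims)
  [b64url_encode(JSON.generate('typ' => 'JWT')),
   b64url_encode(JSON.generate(claims)),
   'signature-placeholder'].join('.')
end
```
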