cyberark/slosilo

Handle critical fields in JWT tokens

Closed this issue · 1 comment

For future extensibility, as noted in #10, consideration needs to be given to handling critical fields. #11 should not be merged into master until this is done.

There is no mechanism in JWT to indicate critical fields, and even if there were, this verification requires application cooperation since it is application-specific; hence it's up to the consumer to examine the claims and have the final decision.

Additional docstrings have been added to Slosilo methods to highlight this requirement, and a mechanism following this advice rejecting unrecognized claims has been added to conjur-rack. This story can thus be closed.
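The comment above leaves the claim check to the consuming application. The following is an added example of such a consumer-side check, written for this page; it is not slosilo's or conjur-rack's own code. It assumes the token's signature has already been verified by the library (that step is not shown), and that the application maintains an explicit allowlist of claims it understands (`RECOGNIZED_CLAIMS`, `REQUIRED_CLAIMS` and the helper names are assumptions). Any claim outside the allowlist is rejected, so a claim the application was never taught to honour cannot be silently ignored; an unsigned demo token is built only to exercise the payload decoder.

```ruby
require 'json'

# Claims this (hypothetical) application knows how to interpret.
RECOGNIZED_CLAIMS = %w[iss sub exp iat].freeze
# Claims that must be present for the token to be usable at all.
REQUIRED_CLAIMS = %w[sub exp].freeze

# Minimal base64url helpers (RFC 7515 style: '-' '_' alphabet, no padding).
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Decode the payload segment of a compact JWT. In real use this runs only
# after the library has verified the signature; decoding alone proves nothing.
def decode_payload(token)
  parts = token.split('.', -1)
  raise ArgumentError, 'malformed token: expected three segments' unless parts.length == 3
  JSON.parse(b64url_decode(parts[1]))
end

# Return a list of problems with the claims; an empty list means they are acceptable.
# Unrecognized claims are a hard failure: the consumer cannot honour what it
# does not understand, so it must not accept the token.
def claim_problems(claims, recognized: RECOGNIZED_CLAIMS, required: REQUIRED_CLAIMS, now: Time.now)
  problems = []

  unknown = claims.keys - recognized
  problems << "unrecognized claims: #{unknown.sort.join(', ')}" unless unknown.empty?

  missing = required - claims.keys
  problems << "missing required claims: #{missing.sort.join(', ')}" unless missing.empty?

  if claims.key?('exp')
    exp = claims['exp']
    if !exp.is_a?(Integer)
      problems << 'exp is not a numeric date'
    elsif Time.at(exp) <= now
      problems << 'token expired'
    end
  end

  problems
end

def claims_acceptable?(claims, **opts)
  claim_problems(claims, **opts).empty?
end

# Build a constructed, UNSIGNED token (empty signature segment) purely so the
# payload decoder has something to parse. A signature-checking decoder would
# reject it; it is not a pattern for issuing tokens.
def build_demo_token(claims)
  header = b64url_encode(JSON.generate({ 'alg' => 'none', 'typ' => 'JWT' }))
  payload = b64url_encode(JSON.generate(claims))
  "#{header}.#{payload}."
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample claims for demonstration.
  clock = Time.at(1_900_000_000)
  good = { 'iss' => 'demo-issuer', 'sub' => 'alice', 'exp' => 2_000_000_000 }
  puts "good token problems:     #{claim_problems(decode_payload(build_demo_token(good)), now: clock).inspect}"
  puts "extra 'scope' problems:  #{claim_problems(good.merge('scope' => 'admin'), now: clock).inspect}"
  puts "missing claims problems: #{claim_problems({ 'iss' => 'demo-issuer' }, now: clock).inspect}"
end
```

The allowlist approach is deliberately strict: adding a new claim to tokens requires a matching change in every consumer, which is exactly the "application cooperation" the comment refers to, and it is what prevents a consumer from accepting a token whose meaning it only half understands.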