Refresh Token header definition is missing
Opened this issue · 1 comment
In the documentation, only the body of the Refresh Token (RT) is defined. We have to define the header as well, in particular the typ parameter.
In OAuth 2.0, Refresh Tokens are not JWTs (JSON Web Tokens) and therefore do not have a JWT header. Refresh Tokens are opaque strings that are issued by the authorization server and can be used to obtain a new access token when the current one expires. They are typically long strings of characters that do not contain any meaningful information to the client.

However, in implementations that use JWTs as access and refresh tokens in OpenID Connect, such as the Italian one, the typ (type) header parameter in the JWT would typically be set to JWT. This is defined in the JWT specification, RFC 7519.

Other cases are JWTs that have a specific typ value registered with IANA and defined in IETF/OpenID specs.

Access Tokens have their typ value, according to https://datatracker.ietf.org/doc/html/rfc9068, while refresh tokens don't.

If we want to define the typ value for the refresh token we should propose an IETF draft. Otherwise we can omit the typ value or set it to JWT, allowing a missing typ value, since when missing the default value is implicitly set to JWT.
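The practical consequence of the discussion above is that a verifier handling JWT-formatted tokens should check the typ header so that a refresh token is never accepted where an access token is expected (and vice versa). The following is an added example, not code from this project or from the commenters: it decodes the JOSE header of a compact JWT without verifying it and applies the typ policy the comment describes, namely "at+jwt" (the RFC 9068 value) for access tokens and either "JWT" or an absent typ for refresh tokens. The `make_unsigned_token` helper and the sample tokens are constructed here for illustration only; they carry a placeholder signature segment and must not be treated as valid tokens.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url-encode without padding, as used in JWS compact serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact-serialised JWT.

    Only the header is parsed; signature verification is a separate step
    that must still be performed before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    header_b64 = parts[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore stripped padding
    header = json.loads(base64.urlsafe_b64decode(header_b64))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


# RFC 9068 defines the typ value for JWT access tokens; both spellings are allowed.
ACCESS_TOKEN_TYPS = {"at+jwt", "application/at+jwt"}


def typ_matches(token: str, expected_kind: str) -> bool:
    """Check the typ header against the kind of token the caller expects.

    expected_kind is "access" or "refresh". Access tokens must carry the
    RFC 9068 typ; refresh tokens may carry typ "JWT" or omit typ entirely,
    which is the policy proposed in the comment above.
    """
    typ = decode_jwt_header(token).get("typ")
    if expected_kind == "access":
        # typ comparison is case-insensitive (RFC 7515, section 4.1.9).
        return isinstance(typ, str) and typ.lower() in ACCESS_TOKEN_TYPS
    if expected_kind == "refresh":
        return typ is None or typ == "JWT"
    raise ValueError(f"unknown token kind: {expected_kind!r}")


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Constructed sample builder: real header/payload, placeholder signature."""
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        "placeholder-signature",
    ])


# Constructed samples (not real tokens); only the header matters here.
ACCESS_SAMPLE = make_unsigned_token(
    {"alg": "RS256", "typ": "at+jwt"}, {"sub": "user-123", "scope": "openid"})
REFRESH_SAMPLE = make_unsigned_token(
    {"alg": "RS256", "typ": "JWT"}, {"sub": "user-123", "jti": "rt-1"})
UNTYPED_SAMPLE = make_unsigned_token(
    {"alg": "RS256"}, {"sub": "user-123", "jti": "rt-2"})


if __name__ == "__main__":
    for name, tok in [("access", ACCESS_SAMPLE),
                      ("refresh", REFRESH_SAMPLE),
                      ("untyped", UNTYPED_SAMPLE)]:
        print(name, "as access:", typ_matches(tok, "access"),
              "as refresh:", typ_matches(tok, "refresh"))
```

The point of the check is token confusion: a refresh token presented to a resource server fails `typ_matches(..., "access")` because its typ is "JWT" or absent, while an access token handed to the token endpoint as a refresh token fails `typ_matches(..., "refresh")` because its typ is "at+jwt". The untyped sample shows why explicitly setting typ "JWT" on refresh tokens is the safer of the two options the comment leaves open: with typ absent, the header alone cannot distinguish a refresh token from any other untyped JWT.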