
feature request: Support issuing Access Token JWTs with typ other than at+jwt (e.g. JWT) #6915

Open
ChrisSamo632 opened this issue Dec 30, 2024 · 4 comments
Labels: feature-request (Something cool or not cool), pending-verification (Something is still under investigation)

Comments

@ChrisSamo632

What problem did you meet?

Logto Access Token JWTs are always issued with a typ of at+jwt, but not all services are able to consume these tokens, for example Elasticsearch (elastic/elasticsearch#119370) or any Spring-based application using the default JWT Decoder (as noted in the Logto docs - https://github.com/logto-io/logto/blob/master/packages/console/src/assets/docs/guides/api-spring-boot/README.mdx).

For example, when an Access Token JWT is requested by a machine-to-machine Application for an API Resource and permitted scopes, the JWT is returned without issue by Logto, but then cannot be consumed by the target application.

Describe what you'd like Logto to have

An option to return Access Token JWTs with typ of JWT for use in a wider number of target applications


This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Jan 14, 2025
@ChrisSamo632
Author

Any chance this can be looked at? It would be better to be able to use Access Tokens for Auth in systems that only support JWTs with a typ of JWT

@github-actions github-actions bot removed the stale label Jan 15, 2025
@simeng-li simeng-li added the pending-verification Something is still under investigation label Jan 20, 2025
@simeng-li
Contributor

Hi, thanks for asking,

Logto follows OIDC standards, and during a user authentication and authorization flow, both ID tokens and access tokens will be issued. To ensure that the ID token is not mistakenly recognized as the access token, the JWT token type at+jwt is used. This is why in OIDC, the at+ prefix is mandatory for access tokens. As noted in our Spring Boot API example, you'll need to customize the decoder rule slightly to validate the token typ properly and ensure accurate handling of both token types.
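
The typ check described above, as an added Python example that is not Logto's, Spring's or Elasticsearch's code: it mints two constructed tokens (an at+jwt access token and a typ JWT ID token from the same flow, signed with a constructed HS256 key rather than a real JWKS key) and shows a resource-server check that accepts the access token, rejects the ID token on typ alone, and stops rejecting it once typ is ignored. The accepted spellings follow RFC 9068 and RFC 7515 section 4.1.9; all hostnames and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-hmac-key"  # constructed; Logto signs with its JWKS key, not HS256

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(header: dict, claims: dict) -> str:
    """Constructed HS256 signer, used only to produce sample tokens offline."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def is_access_token_type(typ) -> bool:
    # RFC 9068 sets typ to "at+jwt"; RFC 7515 section 4.1.9 lets the "application/" prefix be
    # omitted and compares media types case-insensitively, so accept both spellings.
    return isinstance(typ, str) and typ.lower() in ("at+jwt", "application/at+jwt")

def check_access_token(token: str, audience: str, require_at_typ: bool = True) -> str:
    """Return "ok" or the reason the token is rejected as an access token for `audience`.
    require_at_typ=False mimics a decoder that ignores the typ header entirely."""
    h_b64, c_b64, s_b64 = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return "bad signature"
    header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(c_b64))
    if require_at_typ and not is_access_token_type(header.get("typ")):
        return f"typ {header.get('typ')!r} is not an access token type"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return "audience mismatch"
    return "ok"

# Constructed samples: the access token Logto issues for an API resource, and an ID token
# from the same flow. The ID token's aud is reused so that typ is the only differing check.
ACCESS_TOKEN = mint({"alg": "HS256", "typ": "at+jwt"},
                    {"iss": "https://example.logto.app/oidc", "aud": "https://api.example.com",
                     "sub": "m2m-app", "scope": "read:items"})
ID_TOKEN = mint({"alg": "HS256", "typ": "JWT"},
                {"iss": "https://example.logto.app/oidc", "aud": "https://api.example.com",
                 "sub": "user-1"})
```

Spring's default NimbusJwtDecoder fails the at+jwt token at the JOSE type-verifier step, before any claim is examined, which is the step the Logto Spring Boot guide widens; the check above is the same decision expressed without that library.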

@simeng-li simeng-li self-assigned this Jan 20, 2025
@ChrisSamo632
Author

I guess the problem is that not everyone follows the same RFCs in the same way, which is what leads to this kind of thing.

While I've raised a related Issue on Elasticsearch, that's not a component to which I can make the suggested change.

@simeng-li simeng-li added the feature-request Something cool or not cool label Jan 22, 2025