
Enable header.typ assertion

Open ewan-chalmers opened this issue 3 months ago • 0 comments

Describe the problem you'd like to have solved

I would like to be able to differentiate between access tokens and identity tokens, and specifically to fail JWT validation if the token is not an access token.

Describe the ideal solution

We can assert that a token is an access token by checking the typ header for the value at+jwt. See https://datatracker.ietf.org/doc/rfc9068/

I would like to have a typ option which I could set to the required value, with JWT verification failing if the expected type is not found in the header.

I cannot use express-jwt to do this 'manually' (as far as I can see) because the JWT.header is not available after the middleware completes, only JWT.payload is available.

Alternatives and current work-arounds

Do not share identity token to clients, so they cannot present id_token for authentication.

Additional context

Perhaps I should raise this on jsonwebtoken rather than express-jwt. I have raised it there now: https://github.com/auth0/node-jsonwebtoken/issues/1004

ewan-chalmers · Nov 11 '25 11:11