RFC 7519, "JSON Web Token (JWT)", May 2015

Note: This RFC has been updated by RFC 7797, RFC 8725

Source of RFC: oauth (sec)

Errata ID: 8060
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Pieter Kasselman
Date Reported: 2024-07-31

Section 7.2 says:

   5.   Verify that the resulting JOSE Header includes only parameters
        and values whose syntax and semantics are both understood and
        supported or that are specified as being ignored when not
        understood.

It should say:

   5.   Verify that the resulting JOSE Header includes only parameters
        and values whose syntax and semantics are both understood and
        supported or that are specified as being ignored when not
        understood. If the JWT is a JWS, the steps specified in
        RFC 7515 take precedence when validating JOSE Header parameters.

Notes:

Validation step 5 in section 7.2 of RFC 7519 states that header parameters should only be ignored if they are explicitly specified as needing to be ignored.

This is contrary to step 7 in section 7.2 which requires that the processing rules of RFC 7515 be used if the JWT is a JWS (defined in RFC 7515). RFC 7515 does not include any special provisions for only ignoring header parameters if they are specified as being ignored, but instead requires all header parameters to be ignored if they are not understood (repeated below for convenience).

"Unless listed as a critical Header Parameter, per
Section 4.1.11, all Header Parameters not defined by this
specification MUST be ignored when not understood."

A discussion with the authors at IETF 120 confirmed that all header parameters that are not understood must be ignored.

The proposed erratum aims to clarify that if the JWT is a JWS, the processing rules of RFC 7515 should apply (including ignoring header parameters that are not understood). This is consistent with point 7.2, which requires that RFC 7515 [JWS] rules apply, and avoids the impression that a new requirement on when parameters are ignored is being introduced (i.e. the need to be explicitly defined as needing to be ignored).
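The header-parameter rule the erratum points to can be shown as a small verifier-side check. The following is an added example, not text or code from RFC 7519, RFC 7515 or the erratum: it decodes the protected header of a compact-serialized JWS and applies the RFC 7515 Section 4 and Section 4.1.11 rules, so that an unknown parameter is ignored unless it is named in "crit", in which case the JWS is rejected when the extension is not supported. The sets STANDARD_PARAMS and SUPPORTED_EXTENSIONS, the function names, and the sample headers are all assumptions constructed for the example; which names a real verifier understands depends on what it implements. Signature verification (the other steps of Section 7.2) is out of scope here.

```python
import base64
import json

# Header Parameter names registered by RFC 7515 (JWS) and RFC 7519 (JWT) that
# this example verifier understands (assumption for the example).
STANDARD_PARAMS = {
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
    "typ", "cty", "crit",
}

# Extension Header Parameters this example verifier supports, i.e. names it
# is willing to honour when listed in "crit". "b64" is the RFC 7797 extension;
# treating it as supported is an assumption for the example.
SUPPORTED_EXTENSIONS = {"b64"}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used in JWS compact serialization."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_jose_header(header: dict) -> tuple[bool, str, set]:
    """Apply the RFC 7515 Header Parameter rules to a decoded JOSE Header.

    Returns (accepted, reason, ignored), where `ignored` is the set of
    parameters that were not understood and were skipped. Per RFC 7515 an
    unknown parameter only invalidates the JWS when it is listed in "crit".
    """
    critical = set()
    crit = header.get("crit")
    if crit is not None:
        # RFC 7515 Section 4.1.11: non-empty array of strings, no duplicates,
        # naming only extension parameters that actually occur in the header.
        if not isinstance(crit, list) or not crit:
            return False, '"crit" must be a non-empty array', set()
        if not all(isinstance(name, str) for name in crit):
            return False, '"crit" entries must be strings', set()
        if len(set(crit)) != len(crit):
            return False, '"crit" contains duplicate names', set()
        for name in crit:
            if name in STANDARD_PARAMS:
                return False, f'"crit" may not list standard parameter {name!r}', set()
            if name not in header:
                return False, f'"crit" lists {name!r}, which is not in the header', set()
            if name not in SUPPORTED_EXTENSIONS:
                # The one case where a not-understood parameter is fatal.
                return False, f"critical extension {name!r} is not supported", set()
        critical = set(crit)

    # Everything else that is not understood is ignored, not rejected.
    ignored = {
        name for name in header
        if name not in STANDARD_PARAMS and name not in critical
    }
    return True, "ok", ignored


def check_compact_jws_header(token: str) -> tuple[bool, str, set]:
    """Parse the protected header of a compact JWS and check its parameters."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "compact JWS must have exactly three segments", set()
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers base64 and JSON decoding failures
        return False, f"protected header is not valid base64url JSON: {exc}", set()
    if not isinstance(header, dict):
        return False, "protected header must be a JSON object", set()
    return check_jose_header(header)


def make_unsigned_token(header: dict) -> str:
    """Constructed input: a compact serialization with an empty payload
    object and an empty signature segment, enough to exercise header checks."""
    return ".".join([b64url_encode(json.dumps(header).encode()), b64url_encode(b"{}"), ""])


if __name__ == "__main__":
    samples = [
        {"alg": "HS256", "typ": "JWT", "x-tenant": "acme"},      # unknown, ignored
        {"alg": "HS256", "crit": ["b64"], "b64": False},          # supported extension
        {"alg": "HS256", "crit": ["x-policy"], "x-policy": "v1"}, # unsupported, rejected
        {"alg": "HS256", "crit": []},                             # malformed crit
    ]
    for sample in samples:
        print(sample, "->", check_compact_jws_header(make_unsigned_token(sample)))
```

The first sample is the case the erratum is about: a parameter the verifier does not know and that is not in "crit" is reported in the ignored set and the header is accepted, rather than being rejected under a strict reading of step 5.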
