IdentityServer/v7/docs/content/tokens/authentication/jwt.md
5 additions & 5 deletions
@@ -181,11 +181,11 @@ The OpenID Foundation proposed a two-part fix: strictly validate the audience an
181
181
explicit `typ` header (with value `client-authentication+jwt`) in the authentication JWT.
182
182
183
183
You can enable strict audience validation using the [**StrictClientAssertionAudienceValidation**]({{< ref "/reference/options/#strict-audience-validation" >}})
184
-
flag, which strictly validates that the audience is equal to the issuer and validates the token's
185
-
`typ` header.
184
+
flag, which always strictly validates that the audience is equal to the issuer and validates the token's
185
+
`typ` header, as specified in [RFC 7523 bis](https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis/).
186
186
187
-
Validation behavior is determined based on the `typ` header being present.
188
-
If the **StrictClientAssertionAudienceValidation** flag is not set but the token sets the `typ`
189
-
to `client-authentication+jwt`, then the audience will still be validated strictly.
187
+
When **StrictClientAssertionAudienceValidation** is not enabled, validation behavior is determined based
188
+
on the `typ` header being present. When the token sets the `typ` header to `client-authentication+jwt`,
189
+
IdentityServer assumes the client's intention is to apply strict audience validation.
190
190
If `typ` is not present, [default audience validation]({{< ref "/apis/aspnetcore/jwt/#adding-audience-validation" >}})
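Review bot: the rewritten second paragraph ends with "IdentityServer assumes the client's intention is to apply strict audience validation", which describes intent rather than what the server does, whereas the removed text stated the behaviour outright ("the audience will still be validated strictly"); readers of a security doc need the concrete outcome, so suggest closing the sentence with the actual effect, e.g. `IdentityServer applies strict audience validation (audience must equal the issuer) and validates the typ header, exactly as if the flag were enabled.` Two smaller points in the first paragraph: "always strictly validates" reads oddly immediately before a paragraph that describes what happens when the flag is not enabled, and "strictly validates" alone is clearer; and the link target is an Internet-Draft (draft-ietf-oauth-rfc7523bis), so "the RFC 7523 bis draft" would avoid implying a published RFC.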