Re: New issue: Header type for JWT format values

Is there a benefit to creating a specific new header for JWTs?

I would suggest either passing them in an Authentication header (commonly
currently used by some apps) or the application which needs them can define
its own header (also common).

On Tue, Jul 22, 2025 at 8:24 AM Amos Jeffries <squid3@treenet.co.nz> wrote:

> On 22/07/25 06:28, Atul Tulshibagwale wrote:
> > Hello,
> > We are currently working on a draft for Transaction Tokens
> > <https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/>,
> > which envisions a new HTTP Request Header called "Txn-Token"
> > <https://www.ietf.org/archive/id/draft-ietf-oauth-transaction-tokens-05.html#name-txn-token-http-header>.
> > The header value is expected to be a JWT.
>
>
> Taking a brief look at the document ...
>
>  > 2.1.  What are Transaction Tokens?
>  >
>  >   Txn-Tokens are short-lived, signed JWTs [RFC7519] that assert the
>  >   identity of a user or a workload and assert an authorization context.
>
>
> So, if I am reading that correctly these are a cross between login
> credentials and a session ID.
>
>
> I am wondering why these credentials are using a custom header instead
> of being sent as part of HTTP Authentication (request) and
> Authentication-Info (response) headers.
>
> There is a lot of HTTP security behaviour that can be leveraged just by
> using the Authn headers instead of re-inventing the wheel.
>
>
> Cheers
> Amos
>
>

-- 
Rory Hewitt

https://www.linkedin.com/in/roryhewitt

Received on Tuesday, 22 July 2025 16:11:38 UTC
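The thread contrasts carrying a JWT in a custom request header with carrying it in the standard HTTP authentication header. The following Python is an added illustration of that contrast, written for this page; it is not code from the thread, from the Transaction Tokens draft, or from any project. It shows a server pulling a token from `Authorization: Bearer` (the RFC 6750 Bearer scheme) versus from a `Txn-Token`-style header, and two of the behaviours that come with the standard header: a registered `WWW-Authenticate` challenge on 401, and the RFC 9111 rule that a shared cache must not store a response to a request carrying `Authorization` unless the response opts in with `public`, `s-maxage` or `must-revalidate`. The HS256 key, the `realm="api"` value, the lower-cased header names and the sample claims are constructed for the example; the draft itself does not prescribe HS256.

```python
import base64
import hashlib
import hmac
import json
import re

# RFC 6750 §2.1: "Bearer" followed by a b64token (JWT characters fit inside it).
_BEARER_RE = re.compile(r"^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (HS256) for the demo; key is a constructed secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256_jwt(token: str, key: bytes, now: int):
    """Return the claims if signature and 'exp' check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:  # missing or past expiry is rejected
        return None
    return claims


def extract_bearer(request_headers: dict):
    """Token from the standard Authorization: Bearer header; None if absent/malformed."""
    value = request_headers.get("authorization")
    if value is None:
        return None
    m = _BEARER_RE.match(value.strip())
    return m.group(1) if m else None


def extract_custom(request_headers: dict, name: str = "txn-token"):
    """Token from an application-defined header; 'txn-token' is the draft's name."""
    value = request_headers.get(name)
    return value.strip() if value else None


def bearer_challenge(realm: str, error: str = None) -> str:
    """WWW-Authenticate value for a 401 under RFC 6750 §3."""
    parts = [f'realm="{realm}"']
    if error:
        parts.append(f'error="{error}"')
    return "Bearer " + ", ".join(parts)


def shared_cache_may_store(request_headers: dict, response_headers: dict) -> bool:
    """RFC 9111 §3.5: with Authorization on the request, a shared cache stores the
    response only if it says public / s-maxage / must-revalidate. A custom token
    header triggers no such rule, so an unlabelled response is storable."""
    cc = response_headers.get("cache-control", "").lower()
    directives = {d.strip().split("=")[0] for d in cc.split(",") if d.strip()}
    if directives & {"no-store", "private"}:
        return False
    if "authorization" in request_headers:
        return bool(directives & {"must-revalidate", "public", "s-maxage"})
    return True


def handle_request(request_headers: dict, key: bytes, now: int, use_custom_header: bool = False):
    """Return (status, response_headers, claims). Header names are lower-cased."""
    token = extract_custom(request_headers) if use_custom_header else extract_bearer(request_headers)
    if token is None:
        # The standard scheme has a registered challenge to send back; a custom header has none.
        hdrs = {} if use_custom_header else {"www-authenticate": bearer_challenge("api")}
        return 401, hdrs, None
    claims = verify_hs256_jwt(token, key, now)
    if claims is None:
        hdrs = {} if use_custom_header else {"www-authenticate": bearer_challenge("api", "invalid_token")}
        return 401, hdrs, None
    # Deliberately no Cache-Control here, to show which path a shared cache would still protect.
    return 200, {"content-type": "application/json"}, claims
```

Run `handle_request` once with the token in `Authorization` and once in the custom header: both authenticate, but only the first path yields a `WWW-Authenticate` challenge on failure, and only the first path keeps the unlabelled 200 out of a shared cache.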