
I originally thought so myself. But RFC 7519 (https://tools.ietf.org/html/rfc7519) is different from RFC 6750 (https://tools.ietf.org/html/rfc6750) -- and the two don't mention each other's implementation.


RFC 6750 describes the format of Bearer tokens: https://tools.ietf.org/html/rfc6750#section-2.1. It happens that JWTs fit the format, so they can be used.

The spec is vague enough here that you can stuff almost any string you want into the header, as long as it has sufficient entropy that it is near impossible to brute force. Of course, JWTs introduce their own concerns, as discussed in other comments.
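To make the grammar this comment refers to concrete, here is an added example (not from the thread or either RFC): a parser for the RFC 6750 section 2.1 `credentials` production, a shape check showing why a compact JWS passes it, and a length floor for the "sufficient entropy" point. The header values and the JWT-shaped string are constructed for the demonstration.

```python
import base64
import json
import re
import secrets

# RFC 6750 section 2.1 ABNF:
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
#   credentials = "Bearer" 1*SP b64token
# ABNF string literals are case-insensitive, so "bearer ..." is also valid.
_CREDENTIALS = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)
_B64URL_SEGMENT = re.compile(r"^[A-Za-z0-9\-_]*$")

def parse_bearer(authorization: str):
    """Return the b64token from an Authorization header value, or None when
    the value does not match the grammar (a resource server should answer
    such requests with 401 and a WWW-Authenticate: Bearer challenge)."""
    m = _CREDENTIALS.match(authorization)
    return m.group(1) if m else None

def is_compact_jws_shaped(token: str) -> bool:
    """True if the token has the shape of JWS compact serialization: three
    base64url segments joined by '.'. Every such character is also a legal
    b64token character, which is the only reason a JWT can ride on RFC 6750;
    the two RFCs never reference each other. Shape is not validity: signature
    verification is a separate step not shown here."""
    parts = token.split(".")
    return (len(parts) == 3 and all(_B64URL_SEGMENT.match(p) for p in parts)
            and all(parts[:2]))  # header and payload must be non-empty

def new_opaque_token(nbytes: int = 32) -> str:
    """Opaque bearer token: 32 random bytes, base64url without padding
    (256 bits of entropy, comfortably beyond brute force)."""
    return secrets.token_urlsafe(nbytes)

def meets_entropy_floor(token: str, min_bits: int = 128) -> bool:
    """Length floor for opaque tokens: a base64 character carries at most
    6 bits, so a token shorter than min_bits/6 characters cannot hold
    min_bits of entropy however it was generated. A cheap server-side
    sanity check, not a proof that the issuer used a good RNG."""
    return len(token.rstrip("=")) * 6 >= min_bits

def constructed_jwt_shaped_token() -> str:
    """A constructed, unsigned JWT-shaped string used only to show the format.
    The third segment is a placeholder, not a real signature."""
    def b64url(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64url({"alg": "HS256", "typ": "JWT"}),
                     b64url({"sub": "example-user"}),
                     "placeholder-signature"])
```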



