What is "at+jwt" in the header of my JWT?

I have seen a few token headers like this one.

{
  "alg": "HS256",
  "typ": "at+jwt"
}

I don't know what "at" stands for or what it implies. Checking the docs didn't tell me much. Googling is a bit difficult because the keyword is treated as a preposition, so there aren't many relevant hits there either.

Is it specific to IDS4 (the framework we use to create the tokens)? It isn't obviously documented there either, but that is the usual situation. I wouldn't assume so, since I have also seen it in the context of Spring, but I'm not really sure.

https://datatracker.ietf.org/doc/html/rfc9068

This specification registers the "application/at+jwt" media type, which can be used to indicate that the content is a JWT access token. JWT access tokens MUST include this media type in the "typ" header parameter to explicitly declare that the JWT represents an access token complying with this profile. Per the definition of "typ" in Section 4.1.9 of [RFC7515], it is RECOMMENDED that the "application/" prefix be omitted. Therefore, the "typ" value used SHOULD be "at+jwt". See the Security Considerations section for details on the importance of preventing OpenID Connect ID Tokens (as defined by Section 2 of [OpenID.Core]) from being accepted as access tokens by resource servers implementing this profile.

See also https://datatracker.ietf.org/doc/html/rfc9068#section-4 for how you must validate tokens that follow this profile.
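To make the section 4 checks concrete, here is an added example (not part of the question or answer, and not IdentityServer4 or Spring code) of a resource server validating an HS256 access token the way RFC 9068 describes: it rejects any token whose `typ` is not `at+jwt`/`application/at+jwt` before touching the signature, pins the algorithm rather than trusting the header, verifies the HMAC, and then checks `iss`, `aud` and `exp`. The shared secret, issuer URL and audience value are constructed placeholders, and `mint_hs256_token` exists only to produce sample tokens for the demo. The `typ` check is what stops an OpenID Connect ID token (which carries `typ: JWT` or no `typ` at all) from being accepted as an access token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demonstration only; a real resource server uses
# the key material, issuer and audience configured for its authorization server.
SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_ISSUER = "https://issuer.example"           # assumed issuer
EXPECTED_AUDIENCE = "https://api.example/resource"   # assumed resource identifier


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256_token(header: dict, claims: dict, key: bytes = SECRET) -> str:
    """Constructed helper: build a compact HS256 JWT so the validator has input."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_access_token(token: str, key: bytes = SECRET,
                          now: Optional[float] = None) -> dict:
    """Apply the RFC 9068 section 4 checks; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    h_seg, c_seg, s_seg = parts

    header = json.loads(_b64url_decode(h_seg))

    # RFC 9068 section 4: typ MUST be at+jwt (or application/at+jwt); any other
    # value, including the plain "JWT" of an ID token, is rejected outright.
    # RFC 7515 says typ is compared case-insensitively, hence lower().
    typ = str(header.get("typ", ""))
    if typ.lower() not in ("at+jwt", "application/at+jwt"):
        raise ValueError(f"typ {typ!r} is not an access token")

    # Pin the expected algorithm instead of trusting the header's alg field.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(key, f"{h_seg}.{c_seg}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_seg)):
        raise ValueError("signature mismatch")

    claims = json.loads(_b64url_decode(c_seg))
    now = time.time() if now is None else now

    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer not trusted")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud_list:
        raise ValueError("token not intended for this resource")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    return claims


def demo(now: float = 1_700_000_000) -> dict:
    """Validate a constructed access token and show an ID-token-style JWT being refused."""
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-123",
            "exp": now + 300, "iat": now, "client_id": "app", "jti": "constructed-1"}
    access = mint_hs256_token({"alg": "HS256", "typ": "at+jwt"}, base)
    # Same claims and same key, but typed the way an OIDC ID token is.
    id_like = mint_hs256_token({"alg": "HS256", "typ": "JWT"}, base)

    results = {"access_token_sub": validate_access_token(access, now=now)["sub"]}
    try:
        validate_access_token(id_like, now=now)
        results["id_token_rejected"] = False
    except ValueError as exc:
        results["id_token_rejected"] = "typ" in str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: `typ` is inspected first because it is cheap and decides which validation rules apply at all, but a passing `typ` proves nothing until the signature, issuer, audience and expiry have also been verified.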