Merge pull request #696 from MohamedElhedi-BenYedder/master

Claim 'typ' is optional in RFC9068
lepture · Jan 29, 2025 · 3a4b8eb · 3a4b8eb
2 parents 0e8f480 + 23c2189
commit 3a4b8eb
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/authlib/oauth2/rfc9068/claims.py b/authlib/oauth2/rfc9068/claims.py
@@ -30,7 +30,9 @@ def validate(self, **kwargs):
     def validate_typ(self):
         # The resource server MUST verify that the 'typ' header value is 'at+jwt'
         # or 'application/at+jwt' and reject tokens carrying any other value.
-        if self.header['typ'].lower() not in ('at+jwt', 'application/at+jwt'):
+        # 'typ' is not a required claim, so we don't raise an error if it's missing.
+        typ = self.header.get('typ')
+        if typ and typ.lower() not in ('at+jwt', 'application/at+jwt'):
             raise InvalidClaimError('typ')
 
     def validate_client_id(self):