lousando opened a new issue, #5838: URL: https://github.com/apache/couchdb/issues/5838
### Version

3.4.2

### Describe the problem you're encountering

We have a central [Logto](https://logto.io/) OIDC provider that has the ability to add extra claims to the JWT it generates using a [getCustomJwtClaims](https://docs.logto.io/developers/custom-token-claims/create-script) callback the software provides. Logto is set up to add `_couchdb.roles` to the JWT _before_ it's signed, which is great, and we're able to verify that in the decoded JWT body _before_ we send out the encoded + signed version to CouchDB:

```jsonc
// decoded JWT body from Logto with added "_couchdb.roles" claim
{
  "_couchdb.roles": [
    "premium-user"
  ],
  "sub": "v4zk0po04pk7",
  "exp": 1767911186,
  // [redacted]
  // ..........
}
```

The problem is that when this signed JWT is sent over to CouchDB, we get the following `500` response:

`{"error":"case_clause","reason":"{undefined,<<\"at+jwt\">>}","ref":799328086}`

What we've narrowed the issue down to seems to be that CouchDB doesn't accept the `at+jwt` value as a JWT header claim for key `typ`.

```jsonc
// decoded header from Logto
{
  "alg": "ES384",
  "typ": "at+jwt",
  "kid": "<a-key-id-by-logto>"
}
```

When we manually sign and send a signed JWT, using Postman, with the same secret key that Logto is using, while also excluding the `typ` header claim, CouchDB successfully authenticates. We found that also setting `"typ": "JWT"` works, while `"typ": "jwt"` fails in the header claims.

We would just overwrite the `typ` header claim in Logto, but they don't allow for that: https://docs.logto.io/developers/custom-token-claims

> Logto build-in token claims can NOT be overridden or modified. Custom claims will be added to the token as additional claims. If any custom claims conflict with the built-in claims, those custom claims will be ignored.

### Expected Behaviour

A JWT with a header of `typ` of `"at+jwt"` should successfully authenticate.

### Steps to Reproduce

1. Generate an ES384 keypair
2. Configure CouchDB with the public key for JWT authentication
3. Use the private ES384 key to sign a JWT with a header claim of `"typ": "at+jwt"`
4. Use signed JWT to attempt to authenticate with CouchDB

### Your Environment

_No response_

### Additional Context

_No response_
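The following is an added example, not code from the issue author, Logto, or CouchDB. It shows how a JWT verifier can treat the `typ` header the way the relevant RFCs describe (RFC 7519 recommends `"JWT"` and notes that media type names are case-insensitive; RFC 9068 mandates `"at+jwt"` for OAuth 2.0 access tokens; RFC 7515 lets the `application/` prefix be omitted) while staying strict about the parts that actually matter for security: the pinned `alg` and the signature. It uses HS256 with a constructed shared secret from the standard library rather than the ES384 keypair from the reproduction steps, purely so it runs without third-party dependencies; the `typ` handling is independent of the signing algorithm. All keys and claims in it are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# "typ" values accepted after normalisation. RFC 7519 sec. 5.1 recommends "JWT"
# (media type names are case-insensitive); RFC 9068 sec. 2.1 mandates "at+jwt"
# for OAuth 2.0 access tokens; RFC 7515 sec. 4.1.9 allows the "application/"
# prefix to be omitted, so both spellings must map to the same value.
ACCEPTED_TYP = {"jwt", "at+jwt"}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used by JWS compact serialisation."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def normalise_typ(typ):
    """Canonical lowercase subtype of a typ header, or None when the header is absent."""
    if typ is None:
        return None
    if not isinstance(typ, str):
        raise ValueError("typ header must be a string")
    value = typ.strip().lower()
    if value.startswith("application/"):
        value = value[len("application/"):]
    return value


def typ_is_acceptable(header: dict) -> bool:
    """A missing typ, any casing of JWT, and the RFC 9068 access-token type all pass."""
    value = normalise_typ(header.get("typ"))
    return value is None or value in ACCEPTED_TYP


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS; alg is forced to HS256 so the demo can never emit 'none'."""
    def enc(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(dict(header, alg='HS256'))}.{enc(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify alg, typ and signature; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not in JWS compact serialisation")
    h_seg, p_seg, s_seg = parts
    header = json.loads(b64url_decode(h_seg))
    # Pin the algorithm first: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if not typ_is_acceptable(header):
        raise ValueError("unsupported typ %r" % header.get("typ"))
    expected = hmac.new(key, f"{h_seg}.{p_seg}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_seg)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p_seg))


# Constructed demo material; not real keys or claims from any deployment.
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"
DEMO_CLAIMS = {"sub": "demo-user", "_couchdb.roles": ["premium-user"], "exp": 1767911186}


def demo_typ_matrix(key: bytes = DEMO_KEY) -> dict:
    """Sign one token per typ spelling and report how the verifier treats each."""
    outcome = {}
    for typ in ("JWT", "jwt", "at+jwt", "application/at+jwt", None, "foo+jwt"):
        header = {} if typ is None else {"typ": typ}
        token = sign_hs256(header, DEMO_CLAIMS, key)
        try:
            verify_hs256(token, key)
            outcome[typ] = "accepted"
        except ValueError as exc:
            outcome[typ] = "rejected: " + str(exc)
    return outcome


if __name__ == "__main__":
    for typ, result in demo_typ_matrix().items():
        print(f"typ={typ!r:24} {result}")
```

Running the block prints one line per `typ` spelling: `JWT`, `jwt`, `at+jwt`, `application/at+jwt` and a missing header are accepted, while an unrelated media type is rejected before the signature is even checked. The order of checks is deliberate: `alg` is compared against a fixed expectation first, `typ` is a lenient allow-list second, and the HMAC comparison is constant-time, so a permissive `typ` never loosens the cryptographic check.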
