I have a resource that generates tokens for users. I want to add the possibility to choose the token generation algorithm. I can't change the request structure but can add some HTTP header with the algorithm name. My question is: which header should I choose? Would Accept be acceptable?
Now I use an Accept-Token-Algorithm header to send values like RS256, HS256.
There's no standard header for that purpose.
If both client and server agree with Accept-Token-Algorithm, that seems to be a reasonable choice. More descriptive (and verbose) alternatives would be Accept-Token-Signature-Algorithm (assuming the JWT is actually a JWS) and Accept-Token-Encryption-Algorithm (for JWE).
Keep in mind that your API is as good as the documentation you provide for it and custom headers are not obvious to API consumers. So ensure that you document it properly.
You should also consider falling back to a default algorithm if the desired header is not present in the request, and ensure that you validate the values you receive. Refer to RFC 7518 for the list of valid algorithms for JWS and for JWE.
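One way to implement the fallback-and-validate advice from the answer above, as an added example that is not part of the original question or answer. The header name Accept-Token-Algorithm comes from the question; the list of JWS algorithm identifiers is the one registered in RFC 7518 section 3.1; the server's supported set, its default, and the comma-separated parsing rule are assumptions for the illustration.

```python
"""Negotiate a JWS signing algorithm from a custom request header (added example)."""
from typing import Mapping, Optional

# "alg" values registered for JWS in RFC 7518 section 3.1.
RFC7518_JWS_ALGS = frozenset({
    "HS256", "HS384", "HS512",
    "RS256", "RS384", "RS512",
    "ES256", "ES384", "ES512",
    "PS256", "PS384", "PS512",
    "none",
})

# Assumed: what this hypothetical server is willing to sign with, in its own
# preference order. "none" is registered but is not a signing algorithm, so it
# is deliberately absent; a request for it is rejected like any unsupported value.
SERVER_SUPPORTED = ("RS256", "ES256", "HS256")
DEFAULT_ALG = "RS256"  # assumed server default used when the header is absent

HEADER = "Accept-Token-Algorithm"  # header name taken from the question


class UnsupportedAlgorithm(ValueError):
    """The client named one or more algorithms, but none is acceptable."""


def _header_lookup(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header *names* are case-insensitive; plain dicts are not."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_accept_algorithms(value: str) -> list:
    """Split a comma-separated header value into an ordered, deduplicated list.

    Surrounding whitespace is dropped; empty items are ignored.
    """
    seen = []
    for item in value.split(","):
        item = item.strip()
        if item and item not in seen:
            seen.append(item)
    return seen


def negotiate_algorithm(headers: Mapping[str, str]) -> str:
    """Decide which algorithm to use for this request.

    - header absent or empty -> DEFAULT_ALG (the fallback the answer recommends)
    - header present         -> first value, in client order, that the server supports
    - nothing acceptable     -> UnsupportedAlgorithm, so the caller can answer 4xx
    Algorithm identifiers are compared case-sensitively: RFC 7518 "alg" values
    are case-sensitive, so "hs256" is not HS256 and is rejected.
    """
    raw = _header_lookup(headers, HEADER)
    if raw is None:
        return DEFAULT_ALG
    requested = parse_accept_algorithms(raw)
    if not requested:
        return DEFAULT_ALG
    for alg in requested:
        if alg in SERVER_SUPPORTED:
            return alg
    unknown = [a for a in requested if a not in RFC7518_JWS_ALGS]
    detail = f"unknown identifiers: {unknown}" if unknown else "none of the listed algorithms is enabled"
    raise UnsupportedAlgorithm(f"{HEADER}: {detail}; supported: {', '.join(SERVER_SUPPORTED)}")


if __name__ == "__main__":
    # Constructed sample requests.
    print(negotiate_algorithm({}))                                        # RS256
    print(negotiate_algorithm({"accept-token-algorithm": "HS256"}))       # HS256
    print(negotiate_algorithm({HEADER: "PS512, ES256, HS256"}))           # ES256
    try:
        negotiate_algorithm({HEADER: "none"})
    except UnsupportedAlgorithm as exc:
        print("rejected:", exc)
```

The important design choice is that the server keeps its own allowlist rather than accepting anything that merely appears in RFC 7518: a registered identifier such as PS512 is still refused unless the server has a key and implementation for it, and "none" never becomes an issuing option just because a client asked for it.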