oauth2.dev

e

IESG

Registry Context

The `e` parameter contains an RSA public key's exponent and is encoded as a Base64urlUInt. It must be present in an RSA public key JWK. For exponent 65537, the encoded value is `AQAB`.

Technical Summary

RFC 7518 defines `e` as the Base64urlUInt-encoded exponent value for an RSA public key. Section 6.3.1 requires the RSA public-key members, including `e`, to be present. Section 6.3.1.2 requires exponent 65537 to use the octet sequence [1, 0, 1] before base64url encoding, resulting in `AQAB`.

When Used

When representing an RSA public key as a JWK.

Normative Requirements

A JWK producer representing an RSA public key

MUST
1
  1. RFC 7518 - Section 6.3.1

    include the `e` member.

    Condition: when representing an RSA public key

    The following members MUST be present for RSA public keys.

An implementation representing RSA exponent 65537

MUST
1
  1. RFC 7518 - Section 6.3.1.2

    use the three-octet sequence [1, 0, 1] as the input to base64url encoding.

    Condition: when representing the value 65537 in the `e` parameter

    the octet sequence to be base64url-encoded MUST consist of the three octets [1, 0, 1]

Validation Guidance

error

Reject an RSA public key JWK that omits `e`.

error

For exponent 65537, verify that the Base64urlUInt encoding is `AQAB`, derived from the octet sequence [1, 0, 1].

Reference

Details

Entry Id
e
Parameter Name
e
Parameter Description
Exponent
Used With Kty Value
RSA
Parameter Information Class
Public
Change Controller
IESG
Reference
RFC7518 - Section 6.3.1.2