oauth2.dev

x5t#S256

IESG

Registry Context

This optional JWK parameter contains the base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate. The certificate key must match the JWK public key, and any additional JWK metadata must be consistent with related certificate fields.

Technical Summary

RFC 7517 Section 4.9 defines "x5t#S256" as a base64url-encoded SHA-256 digest of the DER encoding of an X.509 certificate. Use of the member is OPTIONAL. The certificate key MUST match the public key represented by other JWK members. Other key-usage, algorithm, or informational members MAY be included, but their contents MUST be semantically consistent with related certificate fields.

When Used

Use this member to identify an X.509 certificate associated with a JWK by its SHA-256 thumbprint.

Normative Requirements

JWK producer

MAY
1
  1. RFC 7517 - Section 4.9

    include optional JWK members providing key usage, algorithm, or other information.

    Condition: when the "x5t#S256" member is used

    optional JWK members providing key usage, algorithm, or other information MAY also be present

OPTIONAL
1
  1. RFC 7517 - Section 4.9

    include the "x5t#S256" member.

    Use of this member is OPTIONAL.

the contents of other JWK members

MUST
1
  1. RFC 7517 - Section 4.9

    be semantically consistent with related fields in the referenced certificate.

    Condition: if other members are present

    the contents of those members MUST be semantically consistent with the related fields in the referenced certificate.

the key in the certificate

MUST
1
  1. RFC 7517 - Section 4.9

    match the public key represented by other members of the JWK.

    The key in the certificate MUST match the public key represented by other members of the JWK.

Validation Guidance

info

Allow "x5t#S256" to be absent.

error

When the referenced certificate is available, verify that its key matches the public key represented by the JWK.

info

Permit additional key-usage, algorithm, or informational JWK members when "x5t#S256" is present.

error

Reject additional JWK members whose contents are not semantically consistent with related fields in the referenced certificate.

error

Verify that "x5t#S256" is a base64url-encoded SHA-256 digest of the DER encoding of the referenced X.509 certificate.

Reference

Details

Entry Id
x5t#S256
Parameter Name
x5t#S256
Parameter Description
X.509 Certificate SHA-256 Thumbprint
Used With Kty Value
*
Parameter Information Class
Public
Change Controller
IESG
Reference
RFC7517 - Section 4.9