OKP
Registry Context
OKP is the JWK key type for octet key pairs. An OKP JWK uses `kty` value `OKP` and includes a curve subtype in `crv` and a base64url-encoded public key in `x`. A private key also includes a base64url-encoded `d` parameter, which is omitted from public keys.
Technical Summary
RFC 8037 defines `OKP` for public key algorithms that use octet strings as private and public keys. The `crv` value identifies the key subtype from the JSON Web Elliptic Curve registry. For JWK Thumbprints, the public key fields are included in lexicographic order: `crv`, `kty`, and `x`.
When Used
When defining, validating, serializing, or consuming a JWK whose `kty` value is `OKP`.
Normative Requirements
Unspecified actor
RFC 8037 - Section 2
Do not include the `d` parameter.
Condition: For a public OKP key.
This parameter MUST NOT be present for public keys.
RFC 8037 - Section 2
set the `kty` parameter to `OKP`.
Condition: For an OKP JWK.
The parameter "kty" MUST be "OKP".
RFC 8037 - Section 2
include `crv` containing the key subtype from the JSON Web Elliptic Curve registry.
Condition: For an OKP JWK.
The parameter "crv" MUST be present and contain the subtype of the key.
RFC 8037 - Section 2
include `x` containing the public key encoded using base64url.
Condition: For an OKP JWK.
The parameter "x" MUST be present and contain the public key encoded using the base64url encoding.
RFC 8037 - Section 2
include `d` containing the private key encoded using base64url.
Condition: For a private OKP key.
The parameter "d" MUST be present for private keys.
Validation Guidance
Require `kty` to be exactly `OKP`.
Require `crv` to identify a key subtype from the JSON Web Elliptic Curve registry.
Require `x` to contain a base64url-encoded public key.
For a private key, require `d` to contain a base64url-encoded private key.
Reject a public key that contains `d`.
When calculating a JWK Thumbprint, include `crv`, `kty`, and `x` in lexicographic order.
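The checks above combined into one structural validator plus the thumbprint input, as an added example that is not code from RFC 8037 or from this registry. Assumptions: the function names, the per-curve length table (the page only requires a registered `crv`), SHA-256 as the thumbprint hash, and the constructed sample keys.

```python
import base64
import hashlib
import json
import re

# Assumption (not on the page): the OKP subtypes registered by RFC 8037 and
# their raw key lengths in bytes. Extend if your library supports more.
OKP_KEY_LENGTHS = {"Ed25519": 32, "Ed448": 57, "X25519": 32, "X448": 56}
_B64URL = re.compile(r"[A-Za-z0-9_-]+")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _decode(name: str, value, expected_len: int) -> bytes:
    # Reject padding, whitespace and the standard-alphabet characters + and /.
    if not isinstance(value, str) or not _B64URL.fullmatch(value) or len(value) % 4 == 1:
        raise ValueError(f"{name} is not unpadded base64url")
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    if len(raw) != expected_len:
        raise ValueError(f"{name} has {len(raw)} bytes, expected {expected_len}")
    return raw

def validate_okp(jwk: dict, expect_private: bool) -> None:
    """Apply the checks from the validation guidance; raise ValueError on failure."""
    if jwk.get("kty") != "OKP":
        raise ValueError("kty must be exactly 'OKP'")
    crv = jwk.get("crv")
    if not isinstance(crv, str) or crv not in OKP_KEY_LENGTHS:
        raise ValueError("crv missing or not a supported OKP subtype")
    _decode("x", jwk.get("x"), OKP_KEY_LENGTHS[crv])
    if expect_private:
        _decode("d", jwk.get("d"), OKP_KEY_LENGTHS[crv])
    elif "d" in jwk:
        raise ValueError("public key must not contain d")

def thumbprint_input(jwk: dict) -> bytes:
    """JSON over crv, kty, x only, in lexicographic order, no whitespace."""
    members = {k: jwk[k] for k in ("crv", "kty", "x")}
    return json.dumps(members, separators=(",", ":"), sort_keys=True).encode()

def thumbprint(jwk: dict) -> str:
    # Assumption: SHA-256 as the hash, the usual choice for JWK Thumbprints.
    return _b64url(hashlib.sha256(thumbprint_input(jwk)).digest())

# Constructed sample values, not real key material.
PUBLIC = {"kty": "OKP", "crv": "Ed25519", "x": _b64url(bytes(range(32)))}
PRIVATE = dict(PUBLIC, d=_b64url(bytes(range(32, 64))))
```

Because `d` never enters the thumbprint input, a private key and its public counterpart produce the same thumbprint.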
Reference
Details
- Entry Id: OKP
- Kty Parameter Value: OKP
- Key Type Description: Octet string key pairs
- Jose Implementation Requirements: Optional
- Change Controller: IESG
- Reference: RFC8037 - Section 2