oauth2.dev

_sd

IETF

Registry Context

`_sd` is an object member in an SD-JWT payload that contains digests for selectively disclosable object properties rather than the properties themselves.

Technical Summary

RFC 9901 defines `_sd` as an array of strings, each containing a Disclosure digest or decoy digest. The array may be empty, although omitting `_sd` is recommended in that case. The issuer must hide the claims' original order and is recommended to shuffle the digest array using a method independent of that order.

When Used

Used to embed Disclosure digests for selectively disclosable object properties in an SD-JWT.

Normative Requirements

Issuer

MUST
2
  1. RFC 9901 - Section 4.2.4.1

    Make the `_sd` value an array of strings, with each string containing a Disclosure digest or decoy digest..

    The _sd key MUST refer to an array of strings

  2. RFC 9901 - Section 4.2.4.1

    Hide the original order of claims represented in the `_sd` array..

    The Issuer MUST hide the original order of the claims in the array

RECOMMENDED
2
  1. RFC 9901 - Section 4.2.4.1

    Omit the `_sd` member to save space instead of including an empty array..

    Condition: When no claims at that object level are made selectively disclosable.

    it is RECOMMENDED to omit the _sd key in this case

  2. RFC 9901 - Section 4.2.4.1

    Shuffle the digest array after potentially adding decoy digests, using an ordering method that does not depend on the original claim order..

    it is RECOMMENDED to shuffle the array of hashes

MAY
1
  1. RFC 9901 - Section 4.2.4.1

    Use an empty `_sd` array..

    Condition: When no claims at that object level are made selectively disclosable.

    The array MAY be empty

Validation Guidance

error

Reject an `_sd` value that is not an array containing only strings.

info

Accept an empty `_sd` array when no claims at that level are selectively disclosable.

warning

Warn when an empty `_sd` member is retained instead of omitted.

error

When validating issuer construction, report an error if `_sd` ordering preserves or depends on the original claim order.

warning

When validating issuer construction, warn if the digest array was not shuffled after any decoy digests were added.

Reference

Details

Entry Id
_sd
Claim Name
_sd
Claim Description
Digests of Disclosures for object properties
Change Controller
IETF
Reference
RFC9901 - Section 4.2.4.1