oauth2.dev

cnf

IESG

Registry Context

The `cnf` claim contains confirmation data used to identify a proof-of-possession key for a JWT.

Technical Summary

RFC 7800 defines `cnf` as a JSON object containing members used to identify a proof-of-possession key, while allowing other confirmation methods to be defined. Unrecognized confirmation members are ignored unless application-specific requirements apply. The claim must represent only one proof-of-possession key.

When Used

When a JWT conveys confirmation information for a proof-of-possession key.

Normative Requirements

Implementations

MUST
1
  1. RFC 7800 - Section 3.1

    ignore all confirmation members they do not understand.

    Condition: In the absence of application-specific requirements for processing those members

    All confirmation members that are not understood by implementations MUST be ignored.

The `cnf` claim value

MUST
1
  1. RFC 7800 - Section 3.1

    represent only a single proof-of-possession key.

    Condition: Always

    The `cnf` claim value MUST represent only a single proof-of-possession key.

Validation Guidance

error

Verify that the `cnf` value represents no more than one proof-of-possession key; in particular, at most one of `jwk`, `jwe`, and `jku` may be present.

info

Ignore unrecognized confirmation members when no application-specific processing requirement applies.

Reference

Details

Entry Id
cnf
Claim Name
cnf
Claim Description
Confirmation
Change Controller
IESG
Reference
RFC7800 - Section 3.1