oauth2.dev

htu

IETF

Registry Context

In a DPoP proof JWT, `htu` identifies the HTTP target URI of the request to which the proof is attached, without query and fragment parts.

Technical Summary

The `htu` claim contains the HTTP target URI of the request associated with the DPoP proof, excluding query and fragment parts. During validation, the receiving server compares it with the request's HTTP URI while ignoring those parts. Servers should apply syntax-based and scheme-based URI normalization before comparison to reduce false negatives.

When Used

Used in DPoP proof JWTs to bind a proof to the target URI of an HTTP request.

Normative Requirements

Servers

MUST
1
  1. RFC 9449 - Section 4.3

    ensure that the `htu` claim matches the HTTP URI of the request in which the proof was received, ignoring query and fragment parts.

    Condition: When validating a DPoP proof

    The receiving server MUST ensure that the `htu` claim matches the request's HTTP URI value, ignoring query and fragment parts.

SHOULD
1
  1. RFC 9449 - Section 4.3

    apply syntax-based and scheme-based normalization before comparing the `htu` claim.

    Condition: To reduce the likelihood of false negatives

    Servers SHOULD employ syntax-based and scheme-based normalization before comparing the `htu` claim.

DPoP proof payload

MUST
1
  1. RFC 9449 - Section 4.2

    contain the `htu` claim as one of its required claims.

    The payload of a DPoP proof MUST contain at least the listed claims, including `htu`, the HTTP target URI without query and fragment parts.

Validation Guidance

error

Verify that the DPoP proof payload contains an `htu` claim.

error

Verify that `htu` matches the request's HTTP URI after query and fragment parts are ignored.

warning

Apply RFC 3986 syntax-based and scheme-based normalization before comparing the URIs.

Security Notes

RFC 9449 - Section 4.2

Because `htu` excludes query and fragment parts, the DPoP proof does not bind those URI components.

RFC 9449 - Section 4.3

URI normalization before comparison reduces the likelihood that equivalent URI representations will cause false-negative validation results.

Reference

Details

Entry Id
htu
Claim Name
htu
Claim Description
The HTTP URI of the request (without query and fragment parts)
Change Controller
IETF
Reference
RFC9449 - Section 4.2