sub_ jwk
Registry Context
`sub_jwk` carries the public key used to verify an ID Token issued by a Self-Issued OpenID Provider.
Technical Summary
In a Self-Issued OpenID Provider response, `sub_jwk` is a bare JWK public key, not an X.509 certificate value. The `sub` claim is the base64url-encoded SHA-256 JWK thumbprint of the public key in `sub_jwk`.
When Used
Used in Self-Issued OpenID Provider ID Token responses.
Normative Requirements
Responses
openid-connect-core-1_0 - Section 7.4
return all claims in the ID Token..
Condition: Because no Access Token is returned for accessing a UserInfo Endpoint.
No Access Token is returned for accessing a UserInfo Endpoint, so all Claims returned MUST be in the ID Token.
openid-connect-core-1_0 - Section 7.4
include `sub_jwk` as the public key used to check the signature of the ID Token..
Condition: When returning a Self-Issued OpenID Provider response.
REQUIRED. Public key used to check the signature of an ID Token issued by a Self-Issued OpenID Provider
Validation Guidance
For a Self-Issued OpenID Provider response, require `sub_jwk` in the ID Token.
Verify that `sub_jwk` is a bare public JWK, not an X.509 certificate value.
Verify that `sub` equals the base64url-encoded SHA-256 thumbprint of the public key in `sub_jwk`.
Warn if `sub_jwk` is used when the OP is not Self-Issued.
Security Notes
openid-connect-core-1_0 - Section 7.4
For self-issued responses, the subject identifier is derived from the key in `sub_jwk`; validate the thumbprint binding before relying on the subject.
Reference
Details
- Entry Id
sub_jwk - Claim Name
sub_jwk - Claim Description
Public key used to check the signature of an ID Token- Change Controller
OpenID_Foundation_ Artifact_ Binding_ Working_ Group - Reference
OpenID Connect Core 1.0 - Section 7.4