oauth2.dev

sub_jwk

OpenID_Foundation_Artifact_Binding_Working_Group

Registry Context

`sub_jwk` carries the public key used to verify an ID Token issued by a Self-Issued OpenID Provider.

Technical Summary

In a Self-Issued OpenID Provider response, `sub_jwk` is a bare JWK public key, not an X.509 certificate value. The `sub` claim is the base64url-encoded SHA-256 JWK thumbprint of the public key in `sub_jwk`.

When Used

Used in Self-Issued OpenID Provider ID Token responses.

Normative Requirements

Responses

MUST
1
  1. openid-connect-core-1_0 - Section 7.4

    return all claims in the ID Token..

    Condition: Because no Access Token is returned for accessing a UserInfo Endpoint.

    No Access Token is returned for accessing a UserInfo Endpoint, so all Claims returned MUST be in the ID Token.

REQUIRED
1
  1. openid-connect-core-1_0 - Section 7.4

    include `sub_jwk` as the public key used to check the signature of the ID Token..

    Condition: When returning a Self-Issued OpenID Provider response.

    REQUIRED. Public key used to check the signature of an ID Token issued by a Self-Issued OpenID Provider

Validation Guidance

error

For a Self-Issued OpenID Provider response, require `sub_jwk` in the ID Token.

error

Verify that `sub_jwk` is a bare public JWK, not an X.509 certificate value.

error

Verify that `sub` equals the base64url-encoded SHA-256 thumbprint of the public key in `sub_jwk`.

warning

Warn if `sub_jwk` is used when the OP is not Self-Issued.

Security Notes

openid-connect-core-1_0 - Section 7.4

For self-issued responses, the subject identifier is derived from the key in `sub_jwk`; validate the thumbprint binding before relying on the subject.

Reference

Details

Entry Id
sub_jwk
Claim Name
sub_jwk
Claim Description
Public key used to check the signature of an ID Token
Change Controller
OpenID_Foundation_Artifact_Binding_Working_Group
Reference
OpenID Connect Core 1.0 - Section 7.4