jkt
Registry Context
`jkt` carries the base64url-encoded SHA-256 JWK thumbprint of the DPoP public key to which an access token is bound.
Technical Summary
`jkt` is the JWK SHA-256 Thumbprint confirmation method. In a JWT access token, it appears under the `cnf` claim. The same `cnf` structure is used as a top-level member of a token introspection response for a DPoP-bound access token.
When Used
When conveying the public-key binding of a DPoP-bound access token in a JWT or token introspection response.
Normative Requirements
Unspecified actor
RFC 9449 - Section 6.1
Set the `jkt` member to the base64url encoding of the RFC 7638 JWK SHA-256 Thumbprint of the DPoP public key, in JWK format, to which the access token is bound..
Condition: When using the `jkt` confirmation method.
The value of the jkt member MUST be the base64url encoding ... of the JWK SHA-256 Thumbprint
RFC 9449 - Section 6.2
Set `token_type` to `DPoP`..
Condition: If the `token_type` member is included in an introspection response for a DPoP-bound access token.
If the token_type member is included in the introspection response, it MUST contain the value DPoP.
Validation Guidance
Verify that `jkt` is valid base64url and represents an RFC 7638 JWK SHA-256 Thumbprint.
Verify that `jkt` matches the RFC 7638 thumbprint of the DPoP public key to which the access token is bound.
If `token_type` is present in the applicable token introspection response, verify that its value is `DPoP`.
Security Notes
RFC 9449 - Section 6.2
The authorization server does not validate an access token's DPoP binding at the introspection endpoint; the resource server uses the introspection response data to validate the binding locally.
Reference
Details
- Entry Id
jkt- Confirmation Method Value
jkt- Confirmation Method Description
JWK SHA-256 Thumbprint- Change Controller
IETF- Reference
RFC9449 - Section 6