oauth2.dev

jkt

IETF

Registry Context

`jkt` carries the base64url-encoded SHA-256 JWK thumbprint of the DPoP public key to which an access token is bound.

Technical Summary

`jkt` is the JWK SHA-256 Thumbprint confirmation method. In a JWT access token, it appears under the `cnf` claim. The same `cnf` structure is used as a top-level member of a token introspection response for a DPoP-bound access token.

When Used

When conveying the public-key binding of a DPoP-bound access token in a JWT or token introspection response.

Normative Requirements

Unspecified actor

MUST
2
  1. RFC 9449 - Section 6.1

    Set the `jkt` member to the base64url encoding of the RFC 7638 JWK SHA-256 Thumbprint of the DPoP public key, in JWK format, to which the access token is bound..

    Condition: When using the `jkt` confirmation method.

    The value of the jkt member MUST be the base64url encoding ... of the JWK SHA-256 Thumbprint

  2. RFC 9449 - Section 6.2

    Set `token_type` to `DPoP`..

    Condition: If the `token_type` member is included in an introspection response for a DPoP-bound access token.

    If the token_type member is included in the introspection response, it MUST contain the value DPoP.

Validation Guidance

error

Verify that `jkt` is valid base64url and represents an RFC 7638 JWK SHA-256 Thumbprint.

error

Verify that `jkt` matches the RFC 7638 thumbprint of the DPoP public key to which the access token is bound.

error

If `token_type` is present in the applicable token introspection response, verify that its value is `DPoP`.

Security Notes

RFC 9449 - Section 6.2

The authorization server does not validate an access token's DPoP binding at the introspection endpoint; the resource server uses the introspection response data to validate the binding locally.

Reference

Details

Entry Id
jkt
Confirmation Method Value
jkt
Confirmation Method Description
JWK SHA-256 Thumbprint
Change Controller
IETF
Reference
RFC9449 - Section 6