jkt
Registry Context
`jkt` is the JWT confirmation method, carried inside the `cnf` claim, whose value is the base64url-encoded SHA-256 thumbprint of the DPoP public key to which the access token is bound.
Technical Summary
`jkt` denotes the JWK SHA-256 Thumbprint confirmation method used under the `cnf` claim. The member value is the base64url encoding (RFC 7515 style, without padding) of the RFC 7638 JWK SHA-256 Thumbprint of the DPoP public key, represented as a JWK, to which the access token is bound.
When Used
When a JWT access token needs to convey public key confirmation for DPoP binding.
Normative Requirements
Actor: the authorization server that issues the JWT access token (the RFC states the requirement without naming an actor).
RFC 9449 - Section 6.1
Set the `jkt` member value to the base64url encoding of the JWK SHA-256 Thumbprint of the DPoP public key, in JWK format, to which the access token is bound.
Condition: When using the `jkt` confirmation method member under `cnf` in a JWT access token.
The value of the jkt member MUST be the base64url encoding of the JWK SHA-256 Thumbprint
Validation Guidance
Verify that the `jkt` value is unpadded base64url (43 characters from the base64url alphabet, no `=`) that decodes to exactly 32 bytes, the length of a SHA-256 digest.
At the resource server, recompute the RFC 7638 thumbprint of the public key carried in the `jwk` header of the presented DPoP proof and compare it to `jkt`; a mismatch means the token is bound to a different key and the request must be rejected (RFC 9449 Section 4.3, checking DPoP proofs). Only the required members of the JWK (`kty`, `crv`, `x`, `y` for EC; `kty`, `n`, `e` for RSA) feed the thumbprint, so optional members such as `kid` or `alg` in the proof's `jwk` do not affect the result.
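The following is an added example, not code from RFC 9449 or from any particular DPoP implementation. It shows both halves of the `jkt` lifecycle described in the requirements and validation guidance above: the authorization server computing the RFC 7638 thumbprint of the client's DPoP public key and placing it in `cnf.jkt`, and the resource server checking a presented proof key against that value. It uses only the Python standard library. The EC key coordinates, `kid`, and issuer are constructed placeholders (the coordinates are not real P-256 points; the thumbprint only hashes the encoded members, so that does not matter here).

```python
import base64
import hashlib
import hmac
import json
import re

# RFC 7638, Section 3.2: the members that feed the thumbprint, per key type.
# OKP is from RFC 8037 and is included because DPoP keys may be Ed25519.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}

_B64URL_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7515 Section 2 defines it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Strict inverse of b64url_encode: alphabet-checked, padding rejected."""
    if not _B64URL_RE.fullmatch(text) or len(text) % 4 == 1:
        raise ValueError("not an unpadded base64url string")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK SHA-256 Thumbprint, base64url-encoded (the jkt form)."""
    kty = jwk.get("kty")
    if kty not in THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    members = THUMBPRINT_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members {missing}")
    # Canonical input: only the required members, names in lexicographic
    # order, no whitespace. Optional members such as kid/alg/use are dropped.
    canonical = json.dumps(
        {m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":")
    )
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def make_cnf(dpop_public_jwk: dict) -> dict:
    """Authorization-server side: cnf claim for a DPoP-bound JWT access token."""
    return {"jkt": jwk_thumbprint(dpop_public_jwk)}


def jkt_is_well_formed(jkt) -> bool:
    """Syntactic check: unpadded base64url decoding to a 32-byte SHA-256 digest."""
    if not isinstance(jkt, str):
        return False
    try:
        return len(b64url_decode(jkt)) == hashlib.sha256().digest_size
    except ValueError:
        return False


def check_jkt_binding(access_token_claims: dict, proof_jwk: dict) -> bool:
    """Resource-server side: does the DPoP proof's jwk header key match cnf.jkt?"""
    cnf = access_token_claims.get("cnf")
    if not isinstance(cnf, dict) or not jkt_is_well_formed(cnf.get("jkt")):
        return False
    try:
        expected = jwk_thumbprint(proof_jwk)
    except ValueError:
        return False
    # Constant-time compare; a mismatch means the token is bound to another key.
    return hmac.compare_digest(cnf["jkt"], expected)


# Constructed sample keys (hypothetical coordinates, not real P-256 points).
DPOP_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url_encode(bytes(range(0, 32))),
    "y": b64url_encode(bytes(range(32, 64))),
    "kid": "client-key-1",  # optional member: not part of the thumbprint
    "alg": "ES256",
}
OTHER_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url_encode(bytes(range(64, 96))),
    "y": b64url_encode(bytes(range(96, 128))),
}

# Minimal JWT access token payload as the authorization server would issue it.
ACCESS_TOKEN_CLAIMS = {
    "iss": "https://as.example",  # hypothetical issuer
    "sub": "user-42",
    "cnf": make_cnf(DPOP_JWK),
}

if __name__ == "__main__":
    print(json.dumps(ACCESS_TOKEN_CLAIMS, indent=2))
    print("bound key accepted:", check_jkt_binding(ACCESS_TOKEN_CLAIMS, DPOP_JWK))
    print("other key accepted:", check_jkt_binding(ACCESS_TOKEN_CLAIMS, OTHER_JWK))
```

Two design points worth noting. The canonical input excludes optional members, so a client cannot change its `jkt` by adding or reordering `kid`, `alg`, or `use` in the proof's `jwk`, and a proof carrying the same key with different optional members still matches. The syntactic check rejects padded or non-base64url values before any comparison, which keeps a malformed `cnf` from ever being treated as a valid binding.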
Security Notes
RFC 9449 - Section 6.1
The `jkt` value is the only link between the access token and the client's key. If the authorization server computes it over the wrong key, or the resource server fails to compare it against the thumbprint of the key in the presented DPoP proof, the proof-of-possession binding is lost and a leaked bearer-style token can be replayed under a key the attacker controls. A `jkt` mismatch must therefore be treated as a hard rejection of the request, never as a recoverable condition.
Reference
Details
- Entry Id: jkt
- Confirmation Method Value: jkt
- Confirmation Method Description: JWK SHA-256 Thumbprint
- Change Controller: IETF
- Reference: RFC 9449, Section 6