jku
Registry Context
The `jku` confirmation method conveys a proof-of-possession key by reference. Its value is a URI for a JWK Set containing the key. If the set contains multiple keys, a `kid` identifies the intended key.
Technical Summary
Within a JWT `cnf` claim, `jku` is a URI referencing a JWK Set containing the proof-of-possession key. A `cnf` value may contain at most one of `jwk`, `jwe`, and `jku`. For a referenced set containing multiple keys, the `cnf` object must include `kid`, and the referenced JWK must contain the same value. Resource acquisition must provide integrity protection; HTTP GET retrieval must use TLS and validate the server identity.
When Used
When a proof-of-possession key is conveyed by reference instead of by value in a JWT `cnf` claim.
Normative Requirements
Requests
RFC 7800 - Section 3.5
use TLS..
Condition: When retrieving the referenced JWK Set using HTTP GET.
MUST use TLS
An implementation
RFC 7800 - Section 3.1
ignore confirmation members it does not understand..
Condition: In the absence of application-specific requirements for processing those members.
confirmation members that are not understood by implementations MUST be ignored
The `cnf` claim value
RFC 7800 - Section 3.1
represent only one proof-of-possession key, with at most one of `jwk`, `jwe`, and `jku` present..
Condition: When a JWT contains a `cnf` claim.
The "cnf" claim value MUST represent only a single proof-of-possession key
The `cnf` object and referenced key's JWK
RFC 7800 - Section 3.5
include a `kid` member in the `cnf` object and contain the same `kid` value in the referenced JWK..
Condition: If the referenced JWK Set contains multiple keys.
a "kid" member MUST also be included with the referenced key's JWK also containing the same "kid" value
The protocol used to acquire the referenced resource
RFC 7800 - Section 3.5
provide integrity protection..
Condition: When acquiring the JWK Set resource referenced by `jku`.
MUST provide integrity protection
The retriever
RFC 7800 - Section 3.5
validate the server identity as specified by RFC 6125 Section 6..
Condition: When retrieving the referenced JWK Set using HTTP GET.
the identity of the server MUST be validated
Validation Guidance
Reject or flag a `cnf` object containing two or more of `jwk`, `jwe`, and `jku`.
Absent application-specific requirements, ignore unrecognized confirmation members rather than rejecting the JWT because of them.
If the referenced JWK Set contains multiple keys, require `kid` in the `cnf` object and the same `kid` value in the selected JWK.
Verify that acquisition of the referenced JWK Set provides integrity protection.
For HTTP GET retrieval, require TLS and validate the server identity according to RFC 6125 Section 6.
Reference
Details
- Entry Id
jku- Confirmation Method Value
jku- Confirmation Method Description
JWK Set URL- Change Controller
IESG- Reference
RFC7800 - Section 3.5