oauth2.dev

jku

IESG

Registry Context

The `jku` confirmation method conveys a proof-of-possession key by reference. Its value is a URI for a JWK Set containing the key. If the set contains multiple keys, a `kid` identifies the intended key.

Technical Summary

Within a JWT `cnf` claim, `jku` is a URI referencing a JWK Set containing the proof-of-possession key. A `cnf` value may contain at most one of `jwk`, `jwe`, and `jku`. For a referenced set containing multiple keys, the `cnf` object must include `kid`, and the referenced JWK must contain the same value. Resource acquisition must provide integrity protection; HTTP GET retrieval must use TLS and validate the server identity.

When Used

When a proof-of-possession key is conveyed by reference instead of by value in a JWT `cnf` claim.

Normative Requirements

Requests

MUST
1
  1. RFC 7800 - Section 3.5

    use TLS..

    Condition: When retrieving the referenced JWK Set using HTTP GET.

    MUST use TLS

An implementation

MUST
1
  1. RFC 7800 - Section 3.1

    ignore confirmation members it does not understand..

    Condition: In the absence of application-specific requirements for processing those members.

    confirmation members that are not understood by implementations MUST be ignored

The `cnf` claim value

MUST
1
  1. RFC 7800 - Section 3.1

    represent only one proof-of-possession key, with at most one of `jwk`, `jwe`, and `jku` present..

    Condition: When a JWT contains a `cnf` claim.

    The "cnf" claim value MUST represent only a single proof-of-possession key

The `cnf` object and referenced key's JWK

MUST
1
  1. RFC 7800 - Section 3.5

    include a `kid` member in the `cnf` object and contain the same `kid` value in the referenced JWK..

    Condition: If the referenced JWK Set contains multiple keys.

    a "kid" member MUST also be included with the referenced key's JWK also containing the same "kid" value

The protocol used to acquire the referenced resource

MUST
1
  1. RFC 7800 - Section 3.5

    provide integrity protection..

    Condition: When acquiring the JWK Set resource referenced by `jku`.

    MUST provide integrity protection

The retriever

MUST
1
  1. RFC 7800 - Section 3.5

    validate the server identity as specified by RFC 6125 Section 6..

    Condition: When retrieving the referenced JWK Set using HTTP GET.

    the identity of the server MUST be validated

Validation Guidance

error

Reject or flag a `cnf` object containing two or more of `jwk`, `jwe`, and `jku`.

error

Absent application-specific requirements, ignore unrecognized confirmation members rather than rejecting the JWT because of them.

error

If the referenced JWK Set contains multiple keys, require `kid` in the `cnf` object and the same `kid` value in the selected JWK.

error

Verify that acquisition of the referenced JWK Set provides integrity protection.

error

For HTTP GET retrieval, require TLS and validate the server identity according to RFC 6125 Section 6.

Reference

Details

Entry Id
jku
Confirmation Method Value
jku
Confirmation Method Description
JWK Set URL
Change Controller
IESG
Reference
RFC7800 - Section 3.5