oauth2.dev

jwe

IESG

Registry Context

`jwe` carries an encrypted JSON Web Key for a symmetric proof-of-possession key inside the JWT `cnf` claim.

Technical Summary

When the presenter holds a symmetric proof-of-possession key, `cnf.jwe` contains a JWE Compact Serialization whose plaintext is the UTF-8 encoding of the symmetric JWK. The JWK is encrypted to a key known to the recipient.

When Used

Used when a JWT confirmation claim needs to convey a symmetric proof-of-possession key without exposing the key directly.

Normative Requirements

An implementation

MUST
1
  1. RFC 7800 - Section 3.1

    ignore confirmation members it does not understand..

    Condition: In the absence of application-specific requirements for processing those members.

    all confirmation members that are not understood by implementations MUST be ignored

The `cnf` claim value

MUST
1
  1. RFC 7800 - Section 3.1

    represent only one proof-of-possession key, with at most one of `jwk`, `jwe`, and `jku` present..

    Condition: When a JWT contains a `cnf` claim.

    The "cnf" claim value MUST represent only a single proof-of-possession key

Validation Guidance

error

Reject or flag a `cnf` object containing two or more of `jwk`, `jwe`, and `jku`.

error

Absent application-specific requirements, ignore unrecognized confirmation members rather than rejecting the JWT because of them.

error

Verify that `cnf.jwe` is a JWE Compact Serialization whose plaintext decrypts to a valid symmetric-key JWK for the intended recipient.

Security Notes

RFC 7800 - Section 3.3

`jwe` is the encrypted representation for conveying a symmetric proof-of-possession key to the recipient without exposing the key directly in the JWT claims.

Reference

Details

Entry Id
jwe
Confirmation Method Value
jwe
Confirmation Method Description
Encrypted JSON Web Key
Change Controller
IESG
Reference
RFC7800 - Section 3.3