oauth2.dev

jwk

IESG

Registry Context

`jwk` identifies a proof-of-possession key by embedding its JSON Web Key representation in the JWT `cnf` claim.

Technical Summary

For an asymmetric private key held by the presenter, `cnf.jwk` contains the corresponding asymmetric public JWK. It may directly contain a symmetric-key JWK only when the JWT is encrypted; otherwise, the symmetric key must use the encrypted representation described by RFC 7800.

When Used

To convey the public key corresponding to a presenter's asymmetric private key, or a symmetric-key JWK when the JWT itself is encrypted.

Normative Requirements

A symmetric key

MUST
1
  1. RFC 7800 - Section 3.2

    be encrypted as described in the following section of RFC 7800..

    Condition: If the JWT is not encrypted.

    If the JWT is not encrypted, the symmetric key MUST be encrypted as described below.

The `jwk` member

MAY
1
  1. RFC 7800 - Section 3.2

    be used for a JWK representing a symmetric key..

    Condition: Provided that the JWT is encrypted so that the key is not revealed to unintended parties.

    The "jwk" member MAY also be used for a JWK representing a symmetric key.

The JWK carried in `cnf.jwk`

MUST
1
  1. RFC 7800 - Section 3.2

    contain the required key members for its JWK key type..

    Condition: When the `jwk` confirmation method is used.

    The JWK MUST contain the required key members for a JWK of that key type.

MAY
1
  1. RFC 7800 - Section 3.2

    contain other JWK members, including `kid`..

    Condition: When the `jwk` confirmation method is used.

    MAY contain other JWK members, including the "kid" (Key ID) member.

Validation Guidance

error

Reject a `cnf.jwk` value that lacks required members for its JWK key type.

info

Allow additional JWK members, including `kid`, in `cnf.jwk`.

error

Reject a directly represented symmetric-key `cnf.jwk` when the JWT is not encrypted; an encrypted symmetric-key representation is required instead.

Security Notes

RFC 7800 - Section 3.2

A symmetric-key JWK may be directly carried in `cnf.jwk` only when the JWT is encrypted so that the key is not revealed to unintended parties. Otherwise, the symmetric key must be encrypted.

Reference

Details

Entry Id
jwk
Confirmation Method Value
jwk
Confirmation Method Description
JSON Web Key Representing Public Key
Change Controller
IESG
Reference
RFC7800 - Section 3.2