oauth2.dev

kid

IESG

Registry Context

`kid` identifies a proof-of-possession key by key identifier instead of embedding or referencing the key material directly.

Technical Summary

Within a JWT `cnf` claim, `kid` is an application-specific key identifier. It is usable when the recipient can obtain the identified proof-of-possession key from that identifier and then cryptographically confirm the presenter's possession of the key.

When Used

Used when the issuer and recipient have an application-specific way to resolve a key identifier to the proof-of-possession key.

Normative Requirements

An implementation

MUST
1
  1. RFC 7800 - Section 3.1

    ignore confirmation members it does not understand..

    Condition: In the absence of application-specific requirements for processing those members.

    all confirmation members that are not understood by implementations MUST be ignored

The `cnf` claim value

MUST
1
  1. RFC 7800 - Section 3.1

    represent only one proof-of-possession key, with at most one of `jwk`, `jwe`, and `jku` present..

    Condition: When a JWT contains a `cnf` claim.

    The "cnf" claim value MUST represent only a single proof-of-possession key

Validation Guidance

error

Reject or flag a `cnf` object containing two or more of `jwk`, `jwe`, and `jku`.

error

Absent application-specific requirements, ignore unrecognized confirmation members rather than rejecting the JWT because of them.

error

Verify that the recipient can resolve `cnf.kid` to the intended proof-of-possession key before relying on the confirmation claim.

Security Notes

RFC 7800 - Section 3.4

`kid` is application specific; accepting it without a trusted key-resolution mechanism does not establish proof-of-possession semantics.

Reference

Details

Entry Id
kid
Confirmation Method Value
kid
Confirmation Method Description
Key Identifier
Change Controller
IESG
Reference
RFC7800 - Section 3.4