x5t#S256
Registry Context
x5t#S256 identifies an X.509 certificate by its SHA-256 thumbprint within a JWT confirmation claim.
Technical Summary
RFC 8705 Section 3.1 defines x5t#S256 as a JWT confirmation method member whose value is the unpadded base64url encoding of the SHA-256 hash of the certificate's DER encoding.
When Used
Used to carry certificate hash information when an access token is represented as a JWT.
Normative Requirements
Generators of x5t#S256 values
RFC 8705 - Section 3.1
Include line breaks, whitespace, or other additional characters in the base64url-encoded value..
Condition: When encoding an x5t#S256 member value.
MUST NOT include any line breaks, whitespace, or other additional characters
RFC 8705 - Section 3.1
Omit all trailing equals-sign padding characters from the base64url-encoded value..
Condition: When encoding an x5t#S256 member value.
MUST omit all trailing pad '=' characters
Token issuers
RFC 8705 - Section 3.1
Represent certificate hash information using the x5t#S256 confirmation method member..
Condition: When access tokens are represented as JWTs.
certificate hash information SHOULD be represented using the x5t#S256 confirmation method member
Validation Guidance
Warn when certificate hash information in a JWT access token is not represented using `cnf.x5t#S256`.
Reject an `x5t#S256` value containing trailing `=` padding.
Reject an `x5t#S256` value containing line breaks, whitespace, or additional non-base64url characters.
Verify that the value is the base64url-encoded SHA-256 hash of the DER encoding of the applicable X.509 certificate.
Reference
Details
- Entry Id
x5t#S256- Confirmation Method Value
x5t#S256- Confirmation Method Description
X.509 Certificate SHA-256 Thumbprint- Change Controller
IESG- Reference
RFC8705 - Section 3.1