oauth2.dev

x5t#S256

IESG

Registry Context

x5t#S256 identifies an X.509 certificate by its SHA-256 thumbprint within a JWT confirmation claim.

Technical Summary

RFC 8705 Section 3.1 defines x5t#S256 as a JWT confirmation method member whose value is the unpadded base64url encoding of the SHA-256 hash of the certificate's DER encoding.

When Used

Used to carry certificate hash information when an access token is represented as a JWT.

Normative Requirements

Generators of x5t#S256 values

MUST NOT
1
  1. RFC 8705 - Section 3.1

    Include line breaks, whitespace, or other additional characters in the base64url-encoded value..

    Condition: When encoding an x5t#S256 member value.

    MUST NOT include any line breaks, whitespace, or other additional characters

MUST
1
  1. RFC 8705 - Section 3.1

    Omit all trailing equals-sign padding characters from the base64url-encoded value..

    Condition: When encoding an x5t#S256 member value.

    MUST omit all trailing pad '=' characters

Token issuers

SHOULD
1
  1. RFC 8705 - Section 3.1

    Represent certificate hash information using the x5t#S256 confirmation method member..

    Condition: When access tokens are represented as JWTs.

    certificate hash information SHOULD be represented using the x5t#S256 confirmation method member

Validation Guidance

warning

Warn when certificate hash information in a JWT access token is not represented using `cnf.x5t#S256`.

error

Reject an `x5t#S256` value containing trailing `=` padding.

error

Reject an `x5t#S256` value containing line breaks, whitespace, or additional non-base64url characters.

error

Verify that the value is the base64url-encoded SHA-256 hash of the DER encoding of the applicable X.509 certificate.

Reference

Details

Entry Id
x5t#S256
Confirmation Method Value
x5t#S256
Confirmation Method Description
X.509 Certificate SHA-256 Thumbprint
Change Controller
IESG
Reference
RFC8705 - Section 3.1