oauth2.dev

dpop_signing_alg_values_supported

IETF

Registry Context

Lists the JWS signing algorithms an authorization server supports for DPoP proof JWTs.

Technical Summary

An OAuth Authorization Server Metadata parameter whose value is a JSON array of JWS alg values from the IANA JOSE Algorithms registry supported by the authorization server for DPoP proof JWTs.

When Used

Published in OAuth authorization server metadata to signal general DPoP support and the specific JWS algorithms supported for DPoP proof JWTs.

Normative Requirements

Servers

MUST
1
  1. RFC 9449 - Section 4.3

    ensure that the alg JOSE Header Parameter indicates a registered asymmetric digital signature algorithm, is not none, is supported by the application, and is acceptable per local policy.

    Condition: When validating a DPoP proof

    The receiving server MUST ensure ... the alg JOSE Header Parameter indicates a registered asymmetric digital signature algorithm, is not none, is supported by the application, and is acceptable per local policy.

DPoP JWT alg JOSE Header Parameter

MUST NOT
1
  1. RFC 9449 - Section 4.2

    be none or identify a symmetric algorithm.

    It MUST NOT be none or an identifier for a symmetric algorithm (Message Authentication Code (MAC)).

DPoP JWT JOSE Header

MUST
1
  1. RFC 9449 - Section 4.2

    contain an alg parameter identifying a JWS asymmetric digital signature algorithm from the IANA JOSE Algorithms registry.

    The JOSE Header of a DPoP JWT MUST contain at least the following parameters: ... alg: An identifier for a JWS asymmetric digital signature algorithm from [IANA.JOSE.ALGS].

Implementers

MUST NOT
1
  1. RFC 9449 - Section 11.6

    allow the algorithm none for signing DPoP proofs.

    In particular, the algorithm none MUST NOT be allowed.

MUST
1
  1. RFC 9449 - Section 11.6

    ensure that only asymmetric digital signature algorithms deemed secure can be used for signing DPoP proofs.

    Implementers MUST ensure that only asymmetric digital signature algorithms (such as ES256) that are deemed secure can be used for signing DPoP proofs.

Validation Guidance

error

If present, validate dpop_signing_alg_values_supported as a JSON array of JWS alg values from the IANA JOSE Algorithms registry supported by the authorization server for DPoP proof JWTs.

error

Reject metadata values that include none or symmetric/MAC algorithms, because such algorithms cannot be used as the alg value of a DPoP proof JWT.

error

Reject advertised algorithms that are not asymmetric digital signature algorithms deemed secure for signing DPoP proofs.

warning

Treat each advertised algorithm as supported by the authorization server for DPoP proof validation; the receiving application must also consider the algorithm acceptable under local policy.

Reference

Details

Entry Id
dpop_signing_alg_values_supported
Metadata Name
dpop_signing_alg_values_supported
Metadata Description
JSON array containing a list of the JWS algorithms supported for DPoP proof JWTs
Change Controller
IETF
Reference
RFC9449 - Section 5.1