dpop_ signing_ alg_ values_ supported
Registry Context
Lists the JWS signing algorithms an authorization server supports for DPoP proof JWTs.
Technical Summary
An OAuth Authorization Server Metadata parameter whose value is a JSON array of JWS alg values from the IANA JOSE Algorithms registry supported by the authorization server for DPoP proof JWTs.
When Used
Published in OAuth authorization server metadata to signal general DPoP support and the specific JWS algorithms supported for DPoP proof JWTs.
Normative Requirements
Servers
RFC 9449 - Section 4.3
ensure that the alg JOSE Header Parameter indicates a registered asymmetric digital signature algorithm, is not none, is supported by the application, and is acceptable per local policy.
Condition: When validating a DPoP proof
The receiving server MUST ensure ... the alg JOSE Header Parameter indicates a registered asymmetric digital signature algorithm, is not none, is supported by the application, and is acceptable per local policy.
DPoP JWT alg JOSE Header Parameter
RFC 9449 - Section 4.2
be none or identify a symmetric algorithm.
It MUST NOT be none or an identifier for a symmetric algorithm (Message Authentication Code (MAC)).
DPoP JWT JOSE Header
RFC 9449 - Section 4.2
contain an alg parameter identifying a JWS asymmetric digital signature algorithm from the IANA JOSE Algorithms registry.
The JOSE Header of a DPoP JWT MUST contain at least the following parameters: ... alg: An identifier for a JWS asymmetric digital signature algorithm from [IANA.JOSE.ALGS].
Implementers
RFC 9449 - Section 11.6
allow the algorithm none for signing DPoP proofs.
In particular, the algorithm none MUST NOT be allowed.
RFC 9449 - Section 11.6
ensure that only asymmetric digital signature algorithms deemed secure can be used for signing DPoP proofs.
Implementers MUST ensure that only asymmetric digital signature algorithms (such as ES256) that are deemed secure can be used for signing DPoP proofs.
Validation Guidance
If present, validate dpop_signing_alg_values_supported as a JSON array of JWS alg values from the IANA JOSE Algorithms registry supported by the authorization server for DPoP proof JWTs.
Reject metadata values that include none or symmetric/MAC algorithms, because such algorithms cannot be used as the alg value of a DPoP proof JWT.
Reject advertised algorithms that are not asymmetric digital signature algorithms deemed secure for signing DPoP proofs.
Treat each advertised algorithm as supported by the authorization server for DPoP proof validation; the receiving application must also consider the algorithm acceptable under local policy.
Reference
Details
- Entry Id
dpop_signing_ alg_ values_ supported - Metadata Name
dpop_signing_ alg_ values_ supported - Metadata Description
JSON array containing a list of the JWS algorithms supported for DPoP proof JWTs- Change Controller
IETF- Reference
RFC9449 - Section 5.1