oauth2.dev

id_token_encryption_enc_values_supported

OpenID_Foundation_Artifact_Binding_WG

Registry Context

Advertises JWE content-encryption algorithms supported for encrypted ID Tokens.

Technical Summary

An OpenID Provider metadata claim containing JWE "enc" identifiers. When included in an RFC 8414 authorization server metadata response, it is an extension claim represented as a JSON array.

When Used

Used during OpenID Provider discovery when selecting content encryption for encrypted ID Tokens.

Normative Requirements

Authorization server metadata responses

MUST
1
  1. RFC 8414 - Section 3.2

    omit a claim that has zero elements.

    Condition: when the claim returns multiple values

    Claims with zero elements MUST be omitted from the response.

MAY
1
  1. RFC 8414 - Section 3.2

    return claims other than the metadata values defined by RFC 8414 Section 2.

    Condition: when publishing extension metadata

    Other claims MAY also be returned.

JWE content encryption algorithm

MUST
1
  1. RFC 7516 - Section 4.1.2

    be an AEAD algorithm with a specified key length.

    Condition: when identified by an "enc" Header Parameter value

    This algorithm MUST be an AEAD algorithm with a specified key length.

Validation Guidance

error

When this claim appears in an RFC 8414 authorization server metadata response, require a non-empty JSON array; a zero-element claim must be omitted.

error

Ensure each value identifies a JWE content-encryption algorithm suitable for the "enc" Header Parameter and that the algorithm is AEAD with a specified key length.

info

Treat this as an OpenID Provider metadata claim that may be returned as extension metadata in an RFC 8414 authorization server metadata response.

Reference

Details

Entry Id
id_token_encryption_enc_values_supported
Metadata Name
id_token_encryption_enc_values_supported
Metadata Description
JSON array containing a list of the JWE "enc" values supported by the OP for the ID Token
Change Controller
OpenID_Foundation_Artifact_Binding_WG
Reference
OpenID Connect Discovery 1.0 - Section 3