oauth2.dev

introspection_endpoint_auth_signing_alg_values_supported

IESG

Registry Context

Lists the JWS signing algorithms an authorization server supports for JWT-based client authentication at its introspection endpoint.

Technical Summary

An optional authorization server metadata member containing a JSON array of JWS "alg" values supported for signatures on JWTs used with private_key_jwt and client_secret_jwt authentication at the introspection endpoint. It must be present when either method is advertised in introspection_endpoint_auth_methods_supported and must not contain "none".

When Used

Used by clients to discover supported JWT signing algorithms for authentication to the token introspection endpoint.

Normative Requirements

Authorization servers

MUST NOT
1
  1. RFC 8414 - Section 2

    Include the value "none" in introspection_endpoint_auth_signing_alg_values_supported..

    The value "none" MUST NOT be used.

MUST
1
  1. RFC 8414 - Section 2

    Include introspection_endpoint_auth_signing_alg_values_supported..

    Condition: If private_key_jwt or client_secret_jwt is specified in introspection_endpoint_auth_methods_supported.

    This metadata entry MUST be present if either of these authentication methods are specified

OPTIONAL
1
  1. RFC 8414 - Section 2

    Publish introspection_endpoint_auth_signing_alg_values_supported as a JSON array of supported JWS signing algorithm values..

    Condition: For JWT client authentication using private_key_jwt or client_secret_jwt at the introspection endpoint.

    OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection endpoint

Validation Guidance

error

If present, verify that the value is a JSON array of JWS signing algorithm identifiers supported for introspection endpoint JWT client authentication.

error

If introspection_endpoint_auth_methods_supported includes private_key_jwt or client_secret_jwt, require introspection_endpoint_auth_signing_alg_values_supported to be present.

error

Flag any occurrence of "none" in introspection_endpoint_auth_signing_alg_values_supported.

info

Do not infer any default signing algorithms when introspection_endpoint_auth_signing_alg_values_supported is omitted.

Reference

Details

Entry Id
introspection_endpoint_auth_signing_alg_values_supported
Metadata Name
introspection_endpoint_auth_signing_alg_values_supported
Metadata Description
JSON array containing a list of the JWS signing algorithms supported by the introspection endpoint for the signature on the JWT used to authenticate the client at the introspection endpoint
Change Controller
IESG
Reference
RFC8414 - Section 2