oauth2.dev

jwks_uri

IESG

Registry Context

The jwks_uri metadata value is an optional HTTPS URL pointing to the authorization server's JWK Set. Clients use its signing keys to validate signatures from the authorization server. The set may also contain encryption keys used to encrypt requests to the server.

Technical Summary

jwks_uri is an OPTIONAL authorization server metadata member containing the URL of the authorization server's JWK Set document. The URL MUST use the https scheme. The JWK Set MAY also contain encryption keys. When both signing and encryption keys are available, every key in the referenced JWK Set is REQUIRED to have a use parameter indicating its intended usage.

When Used

Used in OAuth authorization server metadata when clients need signing keys for validating server signatures or encryption keys for encrypting requests to the server.

Normative Requirements

all keys in the referenced JWK Set

REQUIRED
1
  1. RFC 8414 - Section 2

    include a use parameter value indicating each key's intended usage.

    Condition: when both signing and encryption keys are made available

    a "use" (public key use) parameter value is REQUIRED for all keys

authorization server metadata

OPTIONAL
1
  1. RFC 8414 - Section 2

    include jwks_uri as the URL of the authorization server's JWK Set document.

    OPTIONAL. URL of the authorization server's JWK Set [JWK] document.

jwks_uri URL

MUST
1
  1. RFC 8414 - Section 2

    use the https scheme.

    Condition: when jwks_uri is present

    This URL MUST use the "https" scheme.

referenced JWK Set

MAY
1
  1. RFC 8414 - Section 2

    also contain the server's encryption key or keys.

    The JWK Set MAY also contain the server's encryption key or keys

Validation Guidance

info

Treat jwks_uri as optional; do not reject authorization server metadata solely because it is absent.

error

If jwks_uri is present, parse it as a URL and require the https scheme.

info

Allow the referenced JWK Set to contain server encryption keys in addition to signing keys.

error

If the referenced JWK Set makes both signing and encryption keys available, require every key to include a use parameter indicating its intended usage.

Reference

Details

Entry Id
jwks_uri
Metadata Name
jwks_uri
Metadata Description
URL of the authorization server's JWK Set document
Change Controller
IESG
Reference
RFC8414 - Section 2