oauth2.dev

revocation_endpoint_auth_signing_alg_values_supported

IESG

Registry Context

This authorization server metadata entry lists the JWS algorithms supported for JWT client authentication at the revocation endpoint using `private_key_jwt` or `client_secret_jwt`. It must be present if either method is advertised, and `none` is prohibited.

Technical Summary

`revocation_endpoint_auth_signing_alg_values_supported` is an OPTIONAL OAuth authorization server metadata parameter containing a JSON array of JWS `alg` values supported for client-authentication JWT signatures at the revocation endpoint. It MUST be present when `revocation_endpoint_auth_methods_supported` includes `private_key_jwt` or `client_secret_jwt`. When it is omitted, no default algorithm set is implied, and `none` MUST NOT be used.

When Used

When publishing authorization server metadata that describes JWT-based client authentication supported by an OAuth 2.0 revocation endpoint.

Normative Requirements

Authorization servers

MUST NOT
  1. RFC 8414 - Section 2

    include `none` in `revocation_endpoint_auth_signing_alg_values_supported`.

    “The value "none" MUST NOT be used.”

MUST
  1. RFC 8414 - Section 2

    include `revocation_endpoint_auth_signing_alg_values_supported` in its metadata.

    Condition: if `private_key_jwt` or `client_secret_jwt` is specified in `revocation_endpoint_auth_methods_supported`

    “This metadata entry MUST be present if either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported" entry.”

OPTIONAL
  1. RFC 8414 - Section 2

    publish `revocation_endpoint_auth_signing_alg_values_supported` as a JSON array of JWS signing algorithm (`alg`) values supported for client-authentication JWT signatures at the revocation endpoint.

    “OPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation endpoint”

Validation Guidance

error

Reject metadata that includes `private_key_jwt` or `client_secret_jwt` in `revocation_endpoint_auth_methods_supported` but omits `revocation_endpoint_auth_signing_alg_values_supported`.

error

Reject `revocation_endpoint_auth_signing_alg_values_supported` if it contains `none`.

warning

Do not infer a fallback algorithm set when `revocation_endpoint_auth_signing_alg_values_supported` is absent.

error

Ensure `revocation_endpoint_auth_signing_alg_values_supported` is a JSON array when present.
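The four validation rules above, together with the normative requirements they derive from, can be applied by a metadata consumer as a single check. The following is an added example written for this page, not code from oauth2.dev or from any OAuth library: it validates a parsed authorization server metadata document against the rules and, separately, answers the question a client actually asks ("which algorithms may I sign my authentication JWT with?") without ever substituting a fallback set. The sample metadata documents are constructed for the example; the issuer and endpoint URLs are placeholders.

```python
import json

PARAM = "revocation_endpoint_auth_signing_alg_values_supported"
METHODS = "revocation_endpoint_auth_methods_supported"
# The two client-authentication methods that use a signed JWT (RFC 8414 Section 2).
JWT_AUTH_METHODS = frozenset({"private_key_jwt", "client_secret_jwt"})


def validate_revocation_signing_algs(metadata):
    """Check one metadata document against the validation guidance.

    Returns a list of (severity, message) tuples, severity being "error" or
    "warning". An empty list means the entry is acceptable as published.
    """
    findings = []
    methods = metadata.get(METHODS)
    advertised = (
        [m for m in methods if m in JWT_AUTH_METHODS]
        if isinstance(methods, list) else []
    )

    if PARAM not in metadata:
        if advertised:
            # Error: JWT client auth is advertised, so the entry is mandatory.
            findings.append(("error", f"{PARAM} is required because {METHODS} "
                                      f"includes {', '.join(advertised)}"))
        else:
            # Warning: absence is allowed, but no fallback set may be inferred.
            findings.append(("warning", f"{PARAM} is absent; no default "
                                        f"algorithm set applies"))
        return findings

    algs = metadata[PARAM]
    if not isinstance(algs, list) or not all(isinstance(a, str) for a in algs):
        # Error: the entry must be a JSON array (of JWS "alg" strings).
        findings.append(("error", f"{PARAM} must be a JSON array of strings, "
                                  f"got {type(algs).__name__}"))
        return findings

    if "none" in algs:
        # Error: unsigned JWTs are never acceptable for client authentication.
        findings.append(("error", f'{PARAM} must not include "none"'))
    return findings


def allowed_revocation_signing_algs(metadata):
    """Algorithms a client may use to sign its authentication JWT for the
    revocation endpoint. Invalid or absent metadata yields an empty set;
    the function deliberately never falls back to a built-in default."""
    errors = [m for s, m in validate_revocation_signing_algs(metadata) if s == "error"]
    if errors or PARAM not in metadata:
        return frozenset()
    return frozenset(metadata[PARAM])


# Constructed sample documents (placeholder issuer, not a real server).
GOOD = json.loads("""{
  "issuer": "https://as.example",
  "revocation_endpoint": "https://as.example/revoke",
  "revocation_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
  "revocation_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"]
}""")
MISSING_ALGS = {METHODS: ["private_key_jwt"]}
HAS_NONE = {METHODS: ["client_secret_jwt"], PARAM: ["HS256", "none"]}
NOT_ARRAY = {METHODS: ["private_key_jwt"], PARAM: "RS256"}
ABSENT_OK = {METHODS: ["client_secret_basic"]}  # no JWT auth, entry optional

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("MISSING_ALGS", MISSING_ALGS),
                      ("HAS_NONE", HAS_NONE), ("NOT_ARRAY", NOT_ARRAY),
                      ("ABSENT_OK", ABSENT_OK)]:
        print(name, validate_revocation_signing_algs(doc),
              sorted(allowed_revocation_signing_algs(doc)))
```

`allowed_revocation_signing_algs` is the part worth copying: a client that silently defaulted to, say, `RS256` when the entry is absent would be guessing at the server's policy, which is exactly what the warning rule forbids.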

Security Notes

RFC 8414 - Section 2

The `none` algorithm is explicitly prohibited for client-authentication JWT signatures described by this metadata entry.

Reference

Details

Entry Id
revocation_endpoint_auth_signing_alg_values_supported
Metadata Name
revocation_endpoint_auth_signing_alg_values_supported
Metadata Description
JSON array containing a list of the JWS signing algorithms supported by the revocation endpoint for the signature on the JWT used to authenticate the client at the revocation endpoint
Change Controller
IESG
Reference
RFC8414 - Section 2