signed_ metadata
Registry Context
`signed_metadata` is an optional JWT containing authorization server metadata values as claims. Consumers may ignore it if unsupported, but supporting consumers must give its values precedence over corresponding plain JSON values.
Technical Summary
RFC 8414 Section 2.1 defines `signed_metadata` as an OPTIONAL string member containing the entire signed JWT. The JWT MUST be digitally signed or MACed using JWS, MUST contain an `iss` claim identifying the attesting party, and SHOULD NOT itself contain a `signed_metadata` claim.
When Used
Used to provide authorization server metadata values as a digitally signed or MACed JWT in addition to plain JSON elements.
Normative Requirements
Authorization server metadata publishers
RFC 8414 - Section 2.1
provide metadata values as a `signed_metadata` value in addition to JSON elements..
Condition: When publishing authorization server metadata.
metadata values MAY also be provided as a "signed_metadata" value
A `signed_metadata` metadata value
RFC 8414 - Section 2.1
appear as a claim in the signed metadata JWT..
Condition: When constructing the signed metadata JWT.
A "signed_metadata" metadata value SHOULD NOT appear as a claim in the JWT
Metadata consumers
RFC 8414 - Section 2.1
ignore the signed metadata..
Condition: If they do not support signed metadata.
Consumers of the metadata MAY ignore the signed metadata if they do not support this feature
Metadata consumers that support signed metadata
RFC 8414 - Section 2.1
give metadata values conveyed in the signed metadata precedence over corresponding values conveyed using plain JSON elements..
Condition: If they support signed metadata.
metadata values conveyed in the signed metadata MUST take precedence over the corresponding values conveyed using plain JSON elements
The authorization server metadata JSON object
RFC 8414 - Section 2.1
include a `signed_metadata` member containing the entire signed JWT as a string..
Condition: When publishing authorization server metadata.
using this OPTIONAL member
The signed metadata
RFC 8414 - Section 2.1
be digitally signed or MACed using JSON Web Signature (JWS)..
Condition: When `signed_metadata` is provided.
The signed metadata MUST be digitally signed or MACed using JSON Web Signature (JWS)
RFC 8414 - Section 2.1
contain an `iss` claim denoting the party attesting to its claims..
Condition: When `signed_metadata` is provided.
MUST contain an "iss" (issuer) claim
Validation Guidance
If `signed_metadata` is present, ensure that it is digitally signed or MACed using JWS and contains an `iss` claim.
If the consumer supports signed metadata, give its metadata values precedence over conflicting corresponding values in the plain JSON object.
Do not reject authorization server metadata solely because `signed_metadata` is absent.
Flag a warning if the JWT contains a `signed_metadata` claim.
Security Notes
RFC 8414 - Section 2.1
When provided, the signed metadata must be digitally signed or MACed using JWS and identify the attesting party through the `iss` claim.
Reference
Details
- Entry Id
signed_metadata - Metadata Name
signed_metadata - Metadata Description
Signed JWT containing metadata values about the authorization server as claims- Change Controller
IESG- Reference
RFC8414 - Section 2.1