oauth2.dev

signed_metadata

IESG

Registry Context

`signed_metadata` is an optional JWT containing authorization server metadata values as claims. Consumers may ignore it if unsupported, but supporting consumers must give its values precedence over corresponding plain JSON values.

Technical Summary

RFC 8414 Section 2.1 defines `signed_metadata` as an OPTIONAL string member containing the entire signed JWT. The JWT MUST be digitally signed or MACed using JWS, MUST contain an `iss` claim identifying the attesting party, and SHOULD NOT itself contain a `signed_metadata` claim.

When Used

Used to provide authorization server metadata values as a digitally signed or MACed JWT in addition to plain JSON elements.

Normative Requirements

Authorization server metadata publishers

MAY
1
  1. RFC 8414 - Section 2.1

    provide metadata values as a `signed_metadata` value in addition to JSON elements..

    Condition: When publishing authorization server metadata.

    metadata values MAY also be provided as a "signed_metadata" value

A `signed_metadata` metadata value

SHOULD NOT
1
  1. RFC 8414 - Section 2.1

    appear as a claim in the signed metadata JWT..

    Condition: When constructing the signed metadata JWT.

    A "signed_metadata" metadata value SHOULD NOT appear as a claim in the JWT

Metadata consumers

MAY
1
  1. RFC 8414 - Section 2.1

    ignore the signed metadata..

    Condition: If they do not support signed metadata.

    Consumers of the metadata MAY ignore the signed metadata if they do not support this feature

Metadata consumers that support signed metadata

MUST
1
  1. RFC 8414 - Section 2.1

    give metadata values conveyed in the signed metadata precedence over corresponding values conveyed using plain JSON elements..

    Condition: If they support signed metadata.

    metadata values conveyed in the signed metadata MUST take precedence over the corresponding values conveyed using plain JSON elements

The authorization server metadata JSON object

OPTIONAL
1
  1. RFC 8414 - Section 2.1

    include a `signed_metadata` member containing the entire signed JWT as a string..

    Condition: When publishing authorization server metadata.

    using this OPTIONAL member

The signed metadata

MUST
2
  1. RFC 8414 - Section 2.1

    be digitally signed or MACed using JSON Web Signature (JWS)..

    Condition: When `signed_metadata` is provided.

    The signed metadata MUST be digitally signed or MACed using JSON Web Signature (JWS)

  2. RFC 8414 - Section 2.1

    contain an `iss` claim denoting the party attesting to its claims..

    Condition: When `signed_metadata` is provided.

    MUST contain an "iss" (issuer) claim

Validation Guidance

error

If `signed_metadata` is present, ensure that it is digitally signed or MACed using JWS and contains an `iss` claim.

error

If the consumer supports signed metadata, give its metadata values precedence over conflicting corresponding values in the plain JSON object.

info

Do not reject authorization server metadata solely because `signed_metadata` is absent.

warning

Flag a warning if the JWT contains a `signed_metadata` claim.

Security Notes

RFC 8414 - Section 2.1

When provided, the signed metadata must be digitally signed or MACed using JWS and identify the attesting party through the `iss` claim.

Reference

Details

Entry Id
signed_metadata
Metadata Name
signed_metadata
Metadata Description
Signed JWT containing metadata values about the authorization server as claims
Change Controller
IESG
Reference
RFC8414 - Section 2.1