oauth2.dev

token_endpoint_auth_signing_alg_values_supported

IESG

Registry Context

Lists the JWS signing algorithms an authorization server supports for JWT-based client authentication at its token endpoint using `private_key_jwt` or `client_secret_jwt`.

Technical Summary

An optional authorization server metadata parameter containing a JSON array of supported JWS `alg` values for JWT signatures used to authenticate clients at the token endpoint. It must be present when `token_endpoint_auth_methods_supported` specifies `private_key_jwt` or `client_secret_jwt`. Servers should support `RS256`, and `none` must not be used.

When Used

When publishing OAuth authorization server metadata describing JWT-based client authentication capabilities at the token endpoint.

Normative Requirements

Authorization servers

MUST NOT
1
  1. RFC 8414 - Section 2

    include `none` as a supported algorithm.

    Condition: when populating this metadata entry

    The value "none" MUST NOT be used.

MUST
1
  1. RFC 8414 - Section 2

    include this metadata entry.

    Condition: if `private_key_jwt` or `client_secret_jwt` is specified in `token_endpoint_auth_methods_supported`

    This metadata entry MUST be present if either of these authentication methods are specified.

SHOULD
1
  1. RFC 8414 - Section 2

    support `RS256`.

    Condition: for JWT client authentication at the token endpoint

    Servers SHOULD support "RS256".

OPTIONAL
1
  1. RFC 8414 - Section 2

    include this metadata entry.

    Condition: except where its presence is required because `token_endpoint_auth_methods_supported` specifies `private_key_jwt` or `client_secret_jwt`

    This metadata entry is OPTIONAL.

Validation Guidance

error

Verify that the value is a JSON array containing JWS `alg` values supported for JWT client authentication at the token endpoint.

error

If `token_endpoint_auth_methods_supported` contains `private_key_jwt` or `client_secret_jwt`, require `token_endpoint_auth_signing_alg_values_supported` to be present.

error

Reject metadata values that include `none` in the algorithm array.

warning

Flag the absence of advertised `RS256` support for review.

Reference

Details

Entry Id
token_endpoint_auth_signing_alg_values_supported
Metadata Name
token_endpoint_auth_signing_alg_values_supported
Metadata Description
JSON array containing a list of the JWS signing algorithms supported by the token endpoint for the signature on the JWT used to authenticate the client at the token endpoint
Change Controller
IESG
Reference
RFC8414 - Section 2