token_ endpoint_ auth_ signing_ alg_ values_ supported
Registry Context
Lists the JWS signing algorithms an authorization server supports for JWT-based client authentication at its token endpoint using `private_key_jwt` or `client_secret_jwt`.
Technical Summary
An optional authorization server metadata parameter containing a JSON array of supported JWS `alg` values for JWT signatures used to authenticate clients at the token endpoint. It must be present when `token_endpoint_auth_methods_supported` specifies `private_key_jwt` or `client_secret_jwt`. Servers should support `RS256`, and `none` must not be used.
When Used
When publishing OAuth authorization server metadata describing JWT-based client authentication capabilities at the token endpoint.
Normative Requirements
Authorization servers
RFC 8414 - Section 2
include `none` as a supported algorithm.
Condition: when populating this metadata entry
The value "none" MUST NOT be used.
RFC 8414 - Section 2
include this metadata entry.
Condition: if `private_key_jwt` or `client_secret_jwt` is specified in `token_endpoint_auth_methods_supported`
This metadata entry MUST be present if either of these authentication methods are specified.
RFC 8414 - Section 2
support `RS256`.
Condition: for JWT client authentication at the token endpoint
Servers SHOULD support "RS256".
RFC 8414 - Section 2
include this metadata entry.
Condition: except where its presence is required because `token_endpoint_auth_methods_supported` specifies `private_key_jwt` or `client_secret_jwt`
This metadata entry is OPTIONAL.
Validation Guidance
Verify that the value is a JSON array containing JWS `alg` values supported for JWT client authentication at the token endpoint.
If `token_endpoint_auth_methods_supported` contains `private_key_jwt` or `client_secret_jwt`, require `token_endpoint_auth_signing_alg_values_supported` to be present.
Reject metadata values that include `none` in the algorithm array.
Flag the absence of advertised `RS256` support for review.
Reference
Details
- Entry Id
token_endpoint_ auth_ signing_ alg_ values_ supported - Metadata Name
token_endpoint_ auth_ signing_ alg_ values_ supported - Metadata Description
JSON array containing a list of the JWS signing algorithms supported by the token endpoint for the signature on the JWT used to authenticate the client at the token endpoint- Change Controller
IESG- Reference
RFC8414 - Section 2