oauth2.dev

introspection_encrypted_response_alg

IETF

Registry Context

This optional client metadata parameter requests encryption of JWT introspection responses.

Technical Summary

`introspection_encrypted_response_alg` selects the JWE `alg` value used for content key encryption. When specified, the introspection response is encrypted using JWE and the content encryption algorithm configured by `introspection_encrypted_response_enc`.

When Used

Used when a resource server, acting as a client during dynamic client registration, wants encrypted JWT introspection responses.

Normative Requirements

Unspecified actor

MUST NOT
1
  1. RFC 9701 - Section 6

    The `introspection_encrypted_response_enc` parameter must not be specified unless `introspection_encrypted_response_alg` is also set..

    This parameter MUST NOT be specified without setting introspection_encrypted_response_alg.

OPTIONAL
1
  1. RFC 9701 - Section 6

    The `introspection_encrypted_response_alg` client metadata parameter is optional..

    introspection_encrypted_response_alg OPTIONAL.

Validation Guidance

error

If present, verify that the value identifies a JWE `alg` value defined in JWA for content key encryption.

error

If `introspection_encrypted_response_enc` is present, require `introspection_encrypted_response_alg` to also be present.

info

If omitted, no encryption is performed by default.

Security Notes

RFC 9701 - Section 6

When both signing and encryption are requested, the response is signed and then encrypted as a Nested JWT.

Reference

Details

Entry Id
introspection_encrypted_response_alg
Client Metadata Name
introspection_encrypted_response_alg
Client Metadata Description
String value specifying the desired introspection response content key encryption algorithm (alg value)
Change Controller
IETF
Reference
RFC9701 - Section 6