oauth2.dev

introspection_encrypted_response_enc

IETF

Registry Context

This optional client metadata parameter specifies the JWE content encryption algorithm for encrypted introspection responses. When encryption is configured and this parameter is omitted, the default is A128CBC-HS256. It cannot be specified unless `introspection_encrypted_response_alg` is also set.

Technical Summary

Optional dynamic client registration metadata containing the JWE `enc` value used for content encryption of introspection responses. Its default is A128CBC-HS256, and it MUST NOT be specified without `introspection_encrypted_response_alg`.

When Used

When a resource server, acting as a client during dynamic registration, configures encryption for JWT introspection responses.

Normative Requirements

Resource servers

MUST NOT
1
  1. RFC 9701 - Section 6

    Specify `introspection_encrypted_response_enc` without setting `introspection_encrypted_response_alg`..

    "This parameter MUST NOT be specified without setting introspection_encrypted_response_alg."

OPTIONAL
1
  1. RFC 9701 - Section 6

    Include the `introspection_encrypted_response_enc` client metadata parameter..

    For `introspection_encrypted_response_enc`: "OPTIONAL."

Validation Guidance

error

Report an error when `introspection_encrypted_response_enc` is specified without `introspection_encrypted_response_alg`.

info

When introspection-response encryption is configured and `introspection_encrypted_response_enc` is omitted, use the documented default of A128CBC-HS256.

info

Accept omission of `introspection_encrypted_response_enc`; the parameter is optional.

Reference

Details

Entry Id
introspection_encrypted_response_enc
Client Metadata Name
introspection_encrypted_response_enc
Client Metadata Description
String value specifying the desired introspection response content encryption algorithm (enc value)
Change Controller
IETF
Reference
RFC9701 - Section 6