oauth2.dev

jwks

IESG

Registry Context

`jwks` lets a client provide its public keys directly as a JWK Set instead of referencing a hosted JWK Set with `jwks_uri`.

Technical Summary

RFC 7591 defines `jwks` as client metadata whose value is a JSON object containing a valid JWK Set. The `jwks` and `jwks_uri` parameters cannot both appear in the same registration request or response.

When Used

Use it for clients that cannot use `jwks_uri`, such as native clients that cannot host public URLs.

Normative Requirements

Implementations

OPTIONAL
1
  1. RFC 7591 - Section 2

    implement and use the `jwks` client metadata field.

    Condition: unless otherwise stated by the specification

    The implementation and use of all client metadata fields is OPTIONAL, unless stated otherwise.

The `jwks_uri` and `jwks` parameters

MUST NOT
1
  1. RFC 7591 - Section 2

    both be present in the same request or response.

    The "jwks_uri" and "jwks" parameters MUST NOT both be present in the same request or response.

The value of `jwks`

MUST
1
  1. RFC 7591 - Section 2

    be a JSON object containing a valid JWK Set.

    Condition: when the field is supplied

    The value of this field MUST be a JSON object containing a valid JWK Set.

Validation Guidance

error

When `jwks` is present, verify that its value is a JSON object containing a valid JWK Set.

error

Reject a registration request or response containing both `jwks` and `jwks_uri`.

Reference

Details

Entry Id
jwks
Client Metadata Name
jwks
Client Metadata Description
Client's JSON Web Key Set RFC7517 document representing the client's public keys
Change Controller
IESG
Reference
RFC7591