oauth2.dev

jwks_uri

IESG

Registry Context

`jwks_uri` is client metadata containing a URL for the client's JWK Set document. It can be used in dynamic client registration requests and responses.

Technical Summary

RFC 7591 defines `jwks_uri` as a URL string referencing a JWK Set document containing the client's public keys. The URL must point to a valid JWK Set document, and `jwks_uri` cannot appear together with `jwks` in the same request or response.

When Used

During OAuth 2.0 dynamic client registration when communicating the location of a client's public keys.

Normative Requirements

Implementations

OPTIONAL
1
  1. RFC 7591 - Section 2

    implement and use the `jwks_uri` client metadata field.

    Condition: unless stated otherwise

    The implementation and use of all client metadata fields is OPTIONAL, unless stated otherwise.

the `jwks_uri` and `jwks` parameters

MUST NOT
1
  1. RFC 7591 - Section 2

    both be present in the same request or response.

    The "jwks_uri" and "jwks" parameters MUST NOT both be present in the same request or response.

the value of `jwks_uri`

MUST
1
  1. RFC 7591 - Section 2

    point to a valid JWK Set document.

    The value of this field MUST point to a valid JWK Set document.

Validation Guidance

error

Verify that `jwks_uri` is a URL pointing to a valid JWK Set document.

error

Reject a request or response containing both `jwks_uri` and `jwks`.

Security Notes

RFC 7591 - Section 2

The referenced JWK Set contains the client's public keys, which higher-level protocols can use for signing or encryption, including validation of signed client-authentication requests.

Reference

Details

Entry Id
jwks_uri
Client Metadata Name
jwks_uri
Client Metadata Description
URL referencing the client's JSON Web Key Set RFC7517 document representing the client's public keys
Change Controller
IESG
Reference
RFC7591