cnf
Registry Context
In ACE token responses, cnf conveys the proof-of-possession key selected by the authorization server for the access token.
Technical Summary
cnf is an OAuth token response parameter whose value follows the cnf claim syntax and semantics from RFC 8747 for CBOR or RFC 7800 for JSON.
When Used
In an ACE authorization server response when an access token is bound to a proof-of-possession key.
Normative Requirements
Resource servers
RFC 9201 - Section 5
reject a proof of possession that uses an incompatible key with a response code equivalent to CoAP 4.00 (Bad Request).
Condition: When the key's alg or key_ops parameters are incompatible with the applicable profile or proof-of-possession algorithm.
An RS MUST reject a proof of possession using such a key with a response code equivalent to the CoAP code 4.00 (Bad Request).
Implementations
RFC 7800 - Section 3.1
ignore confirmation members they do not understand.
Condition: For a JSON-encoded cnf value, absent application-specific requirements for processing those members.
all confirmation members that are not understood by implementations MUST be ignored.
A client
RFC 9201 - Section 5
not use a key that is incompatible with the applicable profile or proof-of-possession algorithm according to its alg or key_ops parameters.
Condition: When the key in a confirmation claim or parameter contains an alg or key_ops parameter.
a client MUST NOT use a key that is incompatible with the profile or PoP algorithm according to those parameters.
The authorization server
RFC 9201 - Section 5
include the cnf parameter in the token response (REQUIRED).
Condition: When the client did not specify req_cnf and symmetric keys are used.
REQUIRED if the client didn't specify a "req_cnf" and symmetric keys are used.
RFC 9201 - Section 5
may include the cnf parameter in the token response (OPTIONAL).
Condition: When an asymmetric key is used or the client requested the key using a key identifier.
"cnf" in the token response AS -> C, OPTIONAL if using an asymmetric key or a key that the client requested via a key identifier
The JSON cnf value
RFC 7800 - Section 3.1
represent only one proof-of-possession key, with at most one of jwk, jwe, and jku present.
Condition: When cnf uses the JSON syntax and semantics defined by RFC 7800.
The "cnf" claim value MUST represent only a single proof-of-possession key
Validation Guidance
Require cnf when the client did not supply req_cnf and the authorization server selected a symmetric proof-of-possession key.
When alg or key_ops is present, verify that the key is compatible with the applicable profile and proof-of-possession algorithm.
For JSON cnf values, ignore unrecognized confirmation members unless an application-specific rule requires their processing.
For JSON cnf values, ensure that no more than one of jwk, jwe, and jku is present.
Select the cnf value syntax according to the encoding: RFC 8747 for CBOR or RFC 7800 for JSON.
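The following Python is an added worked example for this page, not code from RFC 9201, RFC 7800 or any ACE implementation. It applies the requirements and validation guidance above to the JSON form of cnf: the client checks that cnf is present when RFC 9201 Section 5 makes it REQUIRED, that the value represents a single key (at most one of jwk, jwe and jku), that unrecognised members are ignored rather than rejected, and that an alg or key_ops parameter fits the profile's proof-of-possession algorithm; the resource server maps an incompatible key to a CoAP 4.00 rejection. The expected algorithm and key operation, the sample token responses, and the vendor_hint member are constructed assumptions, and the CBOR form (RFC 8747) is not handled.

```python
"""Checks on the ACE "cnf" token response parameter, JSON form (RFC 7800 syntax).

Added example for this page; not code from RFC 9201, RFC 7800 or any ACE library.
Assumed for illustration: the caller knows from the ACE profile which PoP algorithm
(JWA "alg" name) and key operation the bound key must support. The CBOR/COSE form
(RFC 8747) is not handled here.
"""
from dataclasses import dataclass
from typing import Optional

KNOWN_CNF_MEMBERS = {"jwk", "jwe", "jku", "kid"}   # confirmation members of RFC 7800 Section 3
EXCLUSIVE_MEMBERS = ("jwk", "jwe", "jku")           # at most one may appear (RFC 7800 Section 3.1)


@dataclass
class CnfCheck:
    ok: bool
    reason: str
    ignored: tuple = ()   # members not understood; ignored, not rejected (RFC 7800 Section 3.1)


def check_cnf(cnf: object, expected_alg: str, required_key_op: str) -> CnfCheck:
    """Structural and key-compatibility checks shared by the client and the RS."""
    if not isinstance(cnf, dict):
        return CnfCheck(False, "cnf must be a JSON object")
    ignored = tuple(sorted(set(cnf) - KNOWN_CNF_MEMBERS))
    present = [m for m in EXCLUSIVE_MEMBERS if m in cnf]
    if len(present) > 1:
        return CnfCheck(False, f"cnf must represent a single key, found {present}", ignored)
    if not present and "kid" not in cnf:
        return CnfCheck(False, "cnf carries no recognised key or key reference", ignored)
    jwk = cnf.get("jwk")
    if isinstance(jwk, dict):
        # RFC 9201 Section 5: alg / key_ops, when present, must fit the profile's PoP algorithm.
        # A "jwe" member is an encrypted JWK; the same test applies after decrypting it.
        alg = jwk.get("alg")
        if alg is not None and alg != expected_alg:
            return CnfCheck(False, f"key alg {alg!r} incompatible with profile alg {expected_alg!r}", ignored)
        key_ops = jwk.get("key_ops")
        if key_ops is not None and required_key_op not in key_ops:
            return CnfCheck(False, f"key_ops {key_ops!r} does not permit {required_key_op!r}", ignored)
    return CnfCheck(True, "cnf accepted", ignored)


def client_accepts_token_response(resp: dict, *, sent_req_cnf: bool, symmetric_keys: bool,
                                  expected_alg: str, required_key_op: str) -> CnfCheck:
    """Client side: is cnf present when RFC 9201 Section 5 makes it REQUIRED, and is
    the key one the client is allowed to use (MUST NOT use an incompatible key)?"""
    if "cnf" not in resp:
        if symmetric_keys and not sent_req_cnf:
            return CnfCheck(False, "cnf REQUIRED: symmetric key in use and no req_cnf was sent")
        return CnfCheck(True, "cnf absent and OPTIONAL for this exchange")
    return check_cnf(resp["cnf"], expected_alg, required_key_op)


def rs_pop_rejection_code(cnf: object, expected_alg: str, required_key_op: str) -> Optional[str]:
    """RS side: an incompatible key is rejected with a response equivalent to CoAP
    4.00 (Bad Request); None means the proof of possession may proceed."""
    return None if check_cnf(cnf, expected_alg, required_key_op).ok else "4.00"


# Constructed token responses for the demo (not captured from any real AS).
# "vendor_hint" is a made-up member that a receiver must ignore, not reject.
SYMMETRIC_RESPONSE = {
    "access_token": "example.access.token",
    "cnf": {
        "jwk": {"kty": "oct", "alg": "HS256", "key_ops": ["sign", "verify"],
                "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"},
        "vendor_hint": "ignored by receivers that do not understand it",
    },
}
KID_ONLY_RESPONSE = {"access_token": "example.access.token", "cnf": {"kid": "client-key-17"}}
TWO_KEYS_RESPONSE = {"access_token": "example.access.token",
                     "cnf": {"jwk": {"kty": "oct", "k": "AAAA"}, "jku": "https://as.example/keys"}}
MISMATCHED_ALG_CNF = {"jwk": {"kty": "oct", "alg": "HS512", "k": "AAAA"}}

if __name__ == "__main__":
    common = dict(expected_alg="HS256", required_key_op="sign")
    print(client_accepts_token_response(SYMMETRIC_RESPONSE, sent_req_cnf=False, symmetric_keys=True, **common))
    print(client_accepts_token_response({"access_token": "t"}, sent_req_cnf=False, symmetric_keys=True, **common))
    print(client_accepts_token_response(KID_ONLY_RESPONSE, sent_req_cnf=True, symmetric_keys=True, **common))
    print(check_cnf(TWO_KEYS_RESPONSE["cnf"], **common))
    print(rs_pop_rejection_code(MISMATCHED_ALG_CNF, **common))
```

The two views share one check deliberately: the client rule (MUST NOT use an incompatible key) and the RS rule (reject it with 4.00) test the same alg and key_ops conditions, so a single function keeps them from drifting apart. Symmetric key material in the jwk member is sensitive, which is why the demo only prints check results and never the key itself.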
Security Notes
RFC 7800 - Section 4
Proof-of-possession private and symmetric key values need protection from unintended disclosure.
RFC 7800 - Section 4
Symmetric keys carried in cnf require confidentiality protection as well as integrity protection.
Reference
Details
- Entry Id: cnf
- Name: cnf
- Parameter Usage Location: token response
- Change Controller: IETF
- Reference: RFC 9201 - Section 5