oauth2.dev

cnf

IESG

Registry Context

A top-level token introspection response member containing confirmation data that identifies the proof-of-possession key associated with an access token.

Technical Summary

OAuth Token Introspection Response member `cnf`; when present at the top level, it has the same format and semantics as the RFC 7800 `cnf` claim.

When Used

When a protected resource obtains proof-of-possession confirmation key data through token introspection, including for mutual-TLS certificate-bound access tokens.

Normative Requirements

Implementations

MUST
1
  1. RFC 7800 - Section 3.1

    Ignore confirmation members that they do not understand..

    Condition: In the absence of application-specific requirements governing those confirmation members.

    all confirmation members that are not understood by implementations MUST be ignored

Unspecified actor

MUST
1
  1. RFC 7800 - Section 3.1

    The `cnf` value must represent only one proof-of-possession key; at most one of `jwk`, `jwe`, and `jku` may be present..

    Condition: When producing or processing the `cnf` value.

    The "cnf" claim value MUST represent only a single proof-of-possession key

Validation Guidance

info

Process a top-level introspection response `cnf` member using the RFC 7800 confirmation claim format and semantics.

error

Report an error if `cnf` contains more than one of `jwk`, `jwe`, and `jku`.

warning

In the absence of application-specific requirements, do not fail processing solely because `cnf` contains an unrecognized confirmation member.

Security Notes

RFC 8705 - Section 3.2

A protected resource uses the confirmation key data obtained from the introspection response to verify proof-of-possession. For mutual-TLS certificate-bound tokens, it compares the conveyed certificate hash with the client certificate hash and rejects the request if they differ.

Reference

Details

Entry Id
cnf
Name
cnf
Description
Confirmation
Change Controller
IESG
Reference
RFC7800, RFC8705