cnf
Registry Context
A top-level token introspection response member containing confirmation data that identifies the proof-of-possession key associated with an access token.
Technical Summary
OAuth Token Introspection Response member `cnf`; when present at the top level, it has the same format and semantics as the RFC 7800 `cnf` claim.
When Used
When a protected resource obtains proof-of-possession confirmation key data through token introspection, including for mutual-TLS certificate-bound access tokens.
Normative Requirements
Implementations
RFC 7800 - Section 3.1
Ignore confirmation members that they do not understand..
Condition: In the absence of application-specific requirements governing those confirmation members.
all confirmation members that are not understood by implementations MUST be ignored
Unspecified actor
RFC 7800 - Section 3.1
The `cnf` value must represent only one proof-of-possession key; at most one of `jwk`, `jwe`, and `jku` may be present..
Condition: When producing or processing the `cnf` value.
The "cnf" claim value MUST represent only a single proof-of-possession key
Validation Guidance
Process a top-level introspection response `cnf` member using the RFC 7800 confirmation claim format and semantics.
Report an error if `cnf` contains more than one of `jwk`, `jwe`, and `jku`.
In the absence of application-specific requirements, do not fail processing solely because `cnf` contains an unrecognized confirmation member.
Security Notes
RFC 8705 - Section 3.2
A protected resource uses the confirmation key data obtained from the introspection response to verify proof-of-possession. For mutual-TLS certificate-bound tokens, it compares the conveyed certificate hash with the client certificate hash and rejects the request if they differ.
Reference
Details
- Entry Id
cnf- Name
cnf- Description
Confirmation- Change Controller
IESG- Reference
RFC7800, RFC8705