Re: [OAUTH-WG] JWK Thumbprint URI Specification

David Chadwick <> Thu, 25 November 2021 10:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 65DF23A053E for <>; Thu, 25 Nov 2021 02:37:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.648
X-Spam-Status: No, score=-3.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, NICE_REPLY_A=-1.852, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id m4AShxD6RemF for <>; Thu, 25 Nov 2021 02:37:01 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 780403A0541 for <>; Thu, 25 Nov 2021 02:37:01 -0800 (PST)
Received: from ([]) by with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <>) id 1mqC7d-000FGr-6P; Thu, 25 Nov 2021 10:36:58 +0000
Received: from [] (helo=[]) by with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <>) id 1mqC7Z-000OCc-Q1; Thu, 25 Nov 2021 10:36:58 +0000
Message-ID: <>
Date: Thu, 25 Nov 2021 10:36:51 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.2
Content-Language: en-GB
To: Mike Jones <>, "" <>
References: <>
From: David Chadwick <>
Organization: University of Kent
In-Reply-To: <>
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Kent-Spam-Score: -4.9
X-Kent-Spam-Bar: ----
X-Kent-Spam-Report: No, tests=ALL_TRUSTED=-1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, NICE_REPLY_A=-3.999
Archived-At: <>
Subject: Re: [OAUTH-WG] JWK Thumbprint URI Specification
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Nov 2021 10:37:06 -0000

Yes this will work for SIOPv2 that is sending VPs as JWKs, because they can use the "sub_jwk" claim to send the public key parameters as you say. Thanks

On 24/11/2021 21:18, Mike Jones wrote:

The JWK Thumbprint is typically used as a key identifier. Yes, the key needs to be known by other means if you’re going to use it.  Some protocols work that way, which is what this spec is intended to enable.  For instance, the Self-Issued OpenID Provider (SIOP) v1 and v2 protocols send the public key separately in a “sub_jwk” claim.  In other use cases, it may already be known to the receiving party – for instance, from a prior discovery step.


It would be fine to separately also define a URI representation communicating an entire JWK, but that would be for different use cases, and not the goal of this (intentionally narrowly scoped) specification.



                                                       -- Mike


From: OAuth <> On Behalf Of David Chadwick
Sent: Wednesday, November 24, 2021 12:36 PM
Subject: Re: [OAUTH-WG] JWK Thumbprint URI Specification


On 24/11/2021 20:07, Mike Jones wrote:

The JSON Web Key (JWK) Thumbprint specification [" rel="nofollow">RFC 7638] defines a method for computing a hash value over a JSON Web Key (JWK) [" rel="nofollow">RFC 7517] and encoding that hash in a URL-safe manner." rel="nofollow">Kristina Yasuda and I have just created the" rel="nofollow">JWK Thumbprint URI specification, which defines how to represent JWK Thumbprints as URIs. This enables JWK Thumbprints to be communicated in contexts requiring URIs, including in specific JSON Web Token (JWT) [" rel="nofollow">RFC 7519] claims.


My immediate observation is why are you sending the thumbprint of the JSON Web Key and not sending the actual key value in the URI?

Sending the thumbprint means the recipient still has to have some other way of obtaining the actual public key, whereas sending the public key as a URI means that no other way is needed.

Kind regards



Use cases for this specification were developed in the" rel="nofollow">OpenID Connect Working Group of the OpenID Foundation. Specifically, its use is planned in future versions of the" rel="nofollow">Self-Issued OpenID Provider v2 specification.


The specification is available at:

1." rel="nofollow">


                                                       -- Mike


P.S.  This note was also published at" class="moz-txt-link-freetext" rel="nofollow"> and as" rel="nofollow"> @selfissued.



OAuth mailing list" class="moz-txt-link-freetext" rel="nofollow">