9.4. Token Introspection Response Registration

"Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" [RFC7800] defined the cnf (confirmation) claim that enables confirmation key information to be carried in a JWT. However, the same proof-of-possession semantics are also useful for introspected access tokens whereby the protected resource obtains the confirmation key data as metainformation of a token introspection response and uses that information in verifying proof-of-possession. Therefore, this specification defines and registers proof-of-possession semantics for OAuth 2.0 Token Introspection [RFC7662] using the cnf structure. When included as a top-level member of an OAuth token introspection response, cnf has the same semantics and format as the claim of the same name defined in [RFC7800]. While this specification only explicitly uses the x5t#S256 confirmation method member (see Section 3.2), it needs to define and register the higher-level cnf structure as an introspection response member in order to define and use the more specific certificate thumbprint confirmation method.

As such, the following values have been registered in the IANA "OAuth Token Introspection Response" registry [IANA.OAuth.Parameters] established by [RFC7662].

Claim Name: cnf

Claim Description: Confirmation

Change Controller: IESG

Specification Document(s): [RFC7800] and RFC 8705
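
The check a protected resource performs with the introspected cnf member, as an added example that is not part of the RFC text: the function names are hypothetical, the certificate bytes are constructed stand-ins for DER-encoded certificates, and rejecting a response with no cnf member assumes a resource that accepts only certificate-bound tokens.

```python
import base64
import hashlib
import hmac
import json


def x5t_s256(cert_der: bytes) -> str:
    """base64url (no padding) of the SHA-256 hash of the DER-encoded certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_certificate_binding(introspection: dict, client_cert_der: bytes) -> tuple[bool, str]:
    """Compare the top-level cnf member of an introspection response with the
    certificate the client presented on the mutual-TLS connection."""
    if introspection.get("active") is not True:
        return False, "token inactive"
    cnf = introspection.get("cnf")
    if not isinstance(cnf, dict):
        # Assumption: this resource only accepts certificate-bound tokens.
        return False, "no cnf member"
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str) or not expected:
        return False, "cnf has no x5t#S256 member"
    presented = x5t_s256(client_cert_der)
    # Constant-time comparison of the two thumbprint strings.
    if not hmac.compare_digest(expected.encode("utf-8"), presented.encode("ascii")):
        return False, "certificate thumbprint mismatch"
    return True, "ok"


# Constructed sample data: placeholder bytes standing in for DER certificates.
BOUND_CERT = b"constructed stand-in: DER bytes of the certificate the token was issued to"
OTHER_CERT = b"constructed stand-in: DER bytes of a different client certificate"

# Constructed introspection response as it would arrive on the wire.
RESPONSE_JSON = json.dumps({
    "active": True,
    "scope": "read",
    "cnf": {"x5t#S256": x5t_s256(BOUND_CERT)},
})

if __name__ == "__main__":
    response = json.loads(RESPONSE_JSON)
    print(check_certificate_binding(response, BOUND_CERT))
    print(check_certificate_binding(response, OTHER_CERT))
```
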