Web Authorization Protocol F. Skokan Internet-Draft Okta Intended status: Standards Track 26 February 2026 Expires: 30 August 2026 Additional Hash Algorithms for OAuth 2.0 PKCE and Proof-of-Possession draft-skokan-oauth-additional-hashes-00 Abstract This document defines SHA-384 as an additional hash algorithm option for OAuth 2.0 Proof Key for Code Exchange (PKCE), Demonstrating Proof of Possession (DPoP), and mutual-TLS certificate-bound access tokens. These mechanisms currently mandate the use of SHA-256. About This Document This note is to be removed before publishing as an RFC. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-skokan-oauth-additional- hashes/. Source for this draft and an issue tracker can be found at https://github.com/panva/draft-oauth-additional-hashes. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 30 August 2026. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. Skokan Expires 30 August 2026 [Page 1] Internet-Draft Additional Hashes for OAuth PoP and PKCE February 2026 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 3. SHA-384 PKCE Code Challenge Method . . . . . . . . . . . . . 3 3.1. S384 Code Challenge Method . . . . . . . . . . . . . . . 3 3.2. Authorization Server Metadata . . . . . . . . . . . . . . 3 4. DPoP Authorization Code Binding Methods . . . . . . . . . . . 4 4.1. dpop_jkt_method Authorization Request Parameter . . . . . 4 4.2. DPoP Authorization Server Metadata . . . . . . . . . . . 4 5. SHA-384 DPoP Hash Algorithms . . . . . . . . . . . . . . . . 4 5.1. jkt#S384 Confirmation Method . . . . . . . . . . . . . . 5 5.2. ath#S384 Access Token Hash . . . . . . . . . . . . . . . 5 5.3. Resource Server Metadata . . . . . . . . . . . . . . . . 6 6. SHA-384 Mutual-TLS Certificate Hash . . . . . . . . . . . . . 6 6.1. x5t#S384 Confirmation Method . . . . . . . . . . . . . . 6 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 8.1. PKCE Code Challenge Method Registration . . . . . . . . . 7 8.2. DPoP Authorization Code Binding Methods Registry . . . . 7 8.3. OAuth Parameters Registrations . . . . . . . . . . . . . 8 8.4. OAuth Authorization Server Metadata Registration . . . . 8 8.5. JWT Claims Registration . . . . . . . . . . . . . . . . . 8 8.6. OAuth Protected Resource Metadata Registration . . . . . 9 8.7. JWT Confirmation Methods Registrations . . . . . . . . . 9 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 9.2. Informative References . . . . . . . . . . . . . . . . . 11 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction Several OAuth 2.0 mechanisms exclusively mandate the use of SHA-256: Proof Key for Code Exchange (PKCE) [RFC7636], Demonstrating Proof of Possession (DPoP) [RFC9449], and mutual-TLS certificate-bound access tokens [RFC8705]. Skokan Expires 30 August 2026 [Page 2] Internet-Draft Additional Hashes for OAuth PoP and PKCE February 2026 Security policies, such as the US Commercial National Security Algorithm (CNSA 2.0) Suite [cnsafaq], prohibit the use of SHA-256 and mandate SHA-384 as the minimum acceptable hash algorithm. This prevents the deployment of these OAuth 2.0 mechanisms in such environments. This document addresses this gap by defining SHA-384 alternatives for each of these mechanisms. For PKCE, a new S384 code challenge method is defined. For mutual-TLS certificate-bound access tokens, a new x5t#S384 confirmation method is defined. For DPoP, this document defines SHA-384 alternatives for the JWK Thumbprint confirmation method (jkt#S384) and the access token hash claim (ath#S384), as well as an extensible framework for DPoP authorization code binding and access token hash algorithm negotiation. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. All references to "CNSA 2.0" in this document refer to CNSA 2.0 [cnsafaq], unless stated otherwise. 3. SHA-384 PKCE Code Challenge Method 3.1. S384 Code Challenge Method This document defines a new code challenge method for use with PKCE [RFC7636]. The client creates a code challenge derived from the code verifier by using the following transformation on the code verifier: S384: code_challenge = BASE64URL(SHA-384(ASCII(code_verifier))) The server-side verification of the code verifier follows Section 4.6 of [RFC7636], using SHA-384 as the hash algorithm. 3.2. Authorization Server Metadata An Authorization Server that supports the S384 code challenge method MUST advertise its support by including S384 in the code_challenge_methods_supported metadata parameter value, as defined in OAuth 2.0 Authorization Server Metadata [RFC8414] or OpenID Connect Discovery 1.0 [OpenID.Discovery]. Skokan Expires 30 August 2026 [Page 3] Internet-Draft Additional Hashes for OAuth PoP and PKCE February 2026 A Client intending to use the S384 code challenge method MUST first confirm that the Authorization Server supports it by checking the code_challenge_methods_supported metadata value. A Client MUST NOT use the S384 code challenge method if the Authorization Server does not advertise support for it. 4. DPoP Authorization Code Binding Methods 4.1. dpop_jkt_method Authorization Request Parameter RFC 9449 [RFC9449] defines the dpop_jkt authorization request parameter as the JWK Thumbprint [RFC7638] of the DPoP public key using SHA-256. This document defines the dpop_jkt_method authorization request parameter, sent alongside dpop_jkt, to indicate the hash algorithm used to compute the JWK Thumbprint. The following method values are defined: S256: JWK Thumbprint [RFC7638] using SHA-256, as originally defined in Section 10 of [RFC9449]. S384: JWK Thumbprint [RFC7638] using SHA-384. When dpop_jkt_method is absent from the authorization request, the Authorization Server MUST assume the value S256. The value of dpop_jkt MUST be computed using the hash algorithm indicated by dpop_jkt_method. 4.2. DPoP Authorization Server Metadata This document defines the dpop_jkt_methods_supported Authorization Server metadata parameter. Its value is a JSON array containing the dpop_jkt_method values that the Authorization Server supports. An Authorization Server that supports dpop_jkt_method values beyond S256 MUST advertise its support by including the supported values in the dpop_jkt_methods_supported metadata parameter. A Client intending to use a dpop_jkt_method value other than S256 MUST first confirm that the Authorization Server supports it by checking the dpop_jkt_methods_supported metadata value. A Client MUST NOT use a dpop_jkt_method value that the Authorization Server does not advertise support for. 5. SHA-384 DPoP Hash Algorithms Skokan Expires 30 August 2026 [Page 4] Internet-Draft Additional Hashes for OAuth PoP and PKCE February 2026 5.1. jkt#S384 Confirmation Method RFC 9449 [RFC9449] defines the jkt confirmation method member for binding access tokens to a DPoP public key using a SHA-256 JWK Thumbprint [RFC7638]. This document defines an analogous confirmation method member jkt#S384 that uses SHA-384 as the hash algorithm: jkt#S384: The value is the base64url encoding of the JWK Thumbprint [RFC7638] computed using SHA-384 of the DPoP public key (in JWK format) to which the access token is bound. When using jkt#S384, the Authorization Server computes the SHA-384 JWK Thumbprint of the DPoP public key and includes the result as the jkt#S384 member of the cnf claim in the access token (for JWT access tokens) or associates it with the token for later retrieval via token introspection. The Resource Server MUST compute the SHA-384 JWK Thumbprint of the DPoP public key and compare it with the jkt#S384 value in the cnf claim. If the values do not match, the Resource Server MUST reject the request. The choice of jkt#S384 over jkt is a deployment decision based on the Resource Server configuration at the Authorization Server. 5.2. ath#S384 Access Token Hash RFC 9449 [RFC9449] defines the ath claim in the DPoP proof JWT as the base64url-encoded SHA-256 hash of the ASCII encoding of the access token value. This document defines an analogous claim ath#S384 that uses SHA-384 as the hash algorithm: ath#S384: The value is the base64url encoding of the SHA-384 hash of the ASCII encoding of the associated access token's value. When used, ath#S384 is included in the DPoP proof JWT in place of ath. A Client that used a dpop_jkt_method value of S384 during the authorization request MUST use ath#S384 in DPoP proofs sent to Resource Servers. Skokan Expires 30 August 2026 [Page 5] Internet-Draft Additional Hashes for OAuth PoP and PKCE February 2026 A Resource Server MAY signal the required access token hash method by including the ath_method parameter in the WWW-Authenticate: DPoP challenge. The value of ath_method is the name of the claim the Client MUST use: ath for SHA-256 or ath#S384 for SHA-384. When ath_method is absent, the Client MUST use ath. 5.3. Resource Server Metadata This document defines the dpop_ath_methods_supported Resource Server metadata parameter [RFC9728]. Its value is a JSON array containing the access token hash claim names that the Resource Server supports. Defined values are ath and ath#S384. When this metadata parameter is absent, the Client MUST assume that the Resource Server supports only ath. 6. SHA-384 Mutual-TLS Certificate Hash 6.1. x5t#S384 Confirmation Method RFC 8705 [RFC8705] defines the x5t#S256 confirmation method member for binding access tokens to a client certificate using a SHA-256 hash of the DER-encoded X.509 certificate. This document defines an analogous confirmation method member x5t#S384 that uses SHA-384 as the hash algorithm: x5t#S384: The value is a base64url-encoded SHA-384 hash of the DER encoding of the X.509 certificate. When using x5t#S384, the Authorization Server computes the SHA-384 hash of the client certificate presented during mutual-TLS and includes the result as the x5t#S384 member of the cnf claim in the access token (for JWT access tokens) or associates it with the token for later retrieval via token introspection. The Resource Server MUST compute the SHA-384 hash of the client certificate presented during mutual-TLS and compare it with the x5t#S384 value in the cnf claim. If the values do not match, the Resource Server MUST reject the request. The choice of x5t#S384 over x5t#S256 is a deployment decision based on the Resource Server configuration at the Authorization Server. Skokan Expires 30 August 2026 [Page 6] Internet-Draft Additional Hashes for OAuth PoP and PKCE February 2026 7. Security Considerations The S384 code challenge method provides the same structural security properties as S256. It is a one-way transformation of the code verifier that prevents an attacker who intercepts the authorization code from computing the code verifier needed to exchange it for tokens. The jkt#S384 confirmation method, dpop_jkt_method parameter, and ath#S384 claim provide the same structural security properties as their SHA-256 counterparts defined in DPoP [RFC9449]. The authorization code binding via dpop_jkt and the access token binding via ath remain intact regardless of the hash algorithm used. SHA-384 provides a 192-bit collision resistance and 384-bit preimage resistance, exceeding the 128-bit and 256-bit levels provided by SHA- 256. The use of SHA-384 is suitable for deployments with elevated security requirements. Deployments that do not have specific requirements mandating SHA-384 do not need to migrate away from the established SHA-256 based mechanisms. 8. IANA Considerations 8.1. PKCE Code Challenge Method Registration This document requests registration of the following value in the "PKCE Code Challenge Methods" registry established by Section 6.2 of [RFC7636]: Code Challenge Method Parameter Name: S384 Change Controller: IETF Specification Document(s): Section 3.1 of this document 8.2. DPoP Authorization Code Binding Methods Registry This document establishes the "DPoP Authorization Code Binding Methods" registry for dpop_jkt_method values. New entries are registered using the Specification Required policy [RFC5226]. The initial contents of the registry are: Method Name: S256 Skokan Expires 30 August 2026 [Page 7] Internet-Draft Additional Hashes for OAuth PoP and PKCE February 2026 Change Controller: IETF Specification Document(s): Section 10 of [RFC9449] Method Name: S384 Change Controller: IETF Specification Document(s): Section 4.1 of this document 8.3. OAuth Parameters Registrations This document requests registration of the following value in the "OAuth Parameters" registry established by [RFC6749]: Parameter Name: dpop_jkt_method Parameter Usage Location: authorization request Change Controller: IETF Specification Document(s): Section 4.1 of this document 8.4. OAuth Authorization Server Metadata Registration This document requests registration of the following value in the "OAuth Authorization Server Metadata" registry established by [RFC8414]: Metadata Name: dpop_jkt_methods_supported Metadata Description: JSON array containing a list of the dpop_jkt_method values supported by the Authorization Server Change Controller: IETF Specification Document(s): Section 4.2 of this document 8.5. JWT Claims Registration This document requests registration of the following value in the "JSON Web Token Claims" registry established by [RFC7519]: Claim Name: ath#S384 Claim Description: The base64url-encoded SHA-384 hash of the ASCII encoding of the associated access token's value Skokan Expires 30 August 2026 [Page 8] Internet-Draft Additional Hashes for OAuth PoP and PKCE February 2026 Change Controller: IETF Specification Document(s): Section 5.2 of this document 8.6. OAuth Protected Resource Metadata Registration This document requests registration of the following value in the "OAuth Protected Resource Metadata" registry established by [RFC9728]: Metadata Name: dpop_ath_methods_supported Metadata Description: JSON array containing a list of the access token hash claim names supported by the Resource Server Change Controller: IETF Specification Document(s): Section 5.3 of this document 8.7. JWT Confirmation Methods Registrations This document requests registration of the following values in the "JWT Confirmation Methods" registry established by [RFC7800]: Confirmation Method Value: x5t#S384 Confirmation Method Description: X.509 Certificate SHA-384 Thumbprint Change Controller: IETF Specification Document(s): Section 6.1 of this document Confirmation Method Value: jkt#S384 Confirmation Method Description: JWK SHA-384 Thumbprint Change Controller: IETF Specification Document(s): Section 5.1 of this document 9. References 9.1. Normative References Skokan Expires 30 August 2026 [Page 9] Internet-Draft Additional Hashes for OAuth PoP and PKCE February 2026 [OpenID.Discovery] Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID Connect Discovery 1.0 incorporating errata set 2", December 2023, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", RFC 5226, DOI 10.17487/RFC5226, May 2008, . [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012, . [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, . [RFC7636] Sakimura, N., Ed., Bradley, J., and N. Agarwal, "Proof Key for Code Exchange by OAuth Public Clients", RFC 7636, DOI 10.17487/RFC7636, September 2015, . [RFC7638] Jones, M. and N. Sakimura, "JSON Web Key (JWK) Thumbprint", RFC 7638, DOI 10.17487/RFC7638, September 2015, . [RFC7800] Jones, M., Bradley, J., and H. Tschofenig, "Proof-of- Possession Key Semantics for JSON Web Tokens (JWTs)", RFC 7800, DOI 10.17487/RFC7800, April 2016, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8414] Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 Authorization Server Metadata", RFC 8414, DOI 10.17487/RFC8414, June 2018, . Skokan Expires 30 August 2026 [Page 10] Internet-Draft Additional Hashes for OAuth PoP and PKCE February 2026 [RFC8705] Campbell, B., Bradley, J., Sakimura, N., and T. Lodderstedt, "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens", RFC 8705, DOI 10.17487/RFC8705, February 2020, . [RFC9449] Fett, D., Campbell, B., Bradley, J., Lodderstedt, T., Jones, M., and D. Waite, "OAuth 2.0 Demonstrating Proof of Possession (DPoP)", RFC 9449, DOI 10.17487/RFC9449, September 2023, . [RFC9728] Jones, M.B., Hunt, P., and A. Parecki, "OAuth 2.0 Protected Resource Metadata", RFC 9728, DOI 10.17487/RFC9728, April 2025, . 9.2. Informative References [cnsafaq] National Security Agency, "The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ", December 2024, . Acknowledgments TODO acknowledge. Author's Address Filip Skokan Okta Email: panva.ip@gmail.com Skokan Expires 30 August 2026 [Page 11]