| Internet-Draft | Additional Hashes for OAuth PoP and PKCE | February 2026 |
| Skokan | Expires 30 August 2026 | [Page] |
This document defines SHA-512 as an additional hash algorithm for OAuth 2.0 Proof Key for Code Exchange (PKCE), mutual-TLS certificate-bound access tokens, and Demonstrating Proof of Possession (DPoP), for use in deployments operating under security policies that prohibit the use of SHA-256, which is otherwise mandated or the only option in these mechanisms.¶
This note is to be removed before publishing as an RFC.¶
Status information for this document may be found at https://datatracker.ietf.org/doc/draft-skokan-oauth-additional-hashes/.¶
Source for this draft and an issue tracker can be found at https://github.com/panva/draft-oauth-additional-hashes.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 30 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Several OAuth 2.0 mechanisms exclusively mandate the use of SHA-256: Proof Key for Code Exchange (PKCE) [RFC7636], mutual-TLS certificate-bound access tokens [RFC8705], and Demonstrating Proof of Possession (DPoP) [RFC9449].¶
Security policies, such as the US Commercial National Security Algorithm (CNSA 2.0) Suite [cnsafaq], prohibit the use of SHA-256 and require SHA-384 or SHA-512. This prevents the deployment of these OAuth 2.0 mechanisms in such environments.¶
This document addresses this gap by defining SHA-512 alternatives
for each of these mechanisms, for use in deployments operating
under such constrained policies. For PKCE, a new S512 code challenge
method is defined. For mutual-TLS certificate-bound access tokens,
a new x5t#S512 confirmation method is defined. For DPoP, this
document defines SHA-512 alternatives for the JWK Thumbprint
confirmation method (jkt#S512) and the access token hash claim
(ath#S512), as well as an extensible framework for
authorization code binding and access token hash algorithm
negotiation.¶
[[TODO: The hash algorithm chosen by this document is currently SHA-512. The working group should determine whether to define SHA-384 or SHA-512.]]¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
All references to "CNSA 2.0" in this document refer to CNSA 2.0 [cnsafaq], unless stated otherwise.¶
The sole purpose of this document is to enable deployments operating under security policies that prohibit SHA-256 to use PKCE, mutual-TLS certificate-bound access tokens, and DPoP. In such constrained deployments, the SHA-512 alternatives defined herein are used in place of their SHA-256 counterparts, since those deployments cannot use SHA-256 at all.¶
This document does not deprecate the SHA-256 based methods defined in existing specifications. The SHA-256 based methods remain the widely deployed, interoperable and recommended defaults for all mechanisms addressed by this document. Deployments that are not subject to such security policies SHOULD NOT offer or use the SHA-512 based methods defined herein.¶
The negotiation mechanisms defined herein may however facilitate a broader transition away from SHA-256 in the future, should that become necessary.¶
Proof Key for Code Exchange (PKCE) [RFC7636] defines plain and
S256 as code challenge methods, with S256 being the only method
that applies a
cryptographic hash to the code verifier. The specification
establishes the "PKCE Code Challenge Methods" registry, which this
document uses to register the S512 code challenge method.¶
S512 Code Challenge Method
This document defines a new code challenge method for use with PKCE [RFC7636]. The client creates a code challenge derived from the code verifier by using the following transformation on the code verifier:¶
code_challenge = BASE64URL(SHA-512(ASCII(code_verifier)))¶
The server-side verification of the code verifier follows Section 4.6 of [RFC7636], using SHA-512 as the hash algorithm.¶
An Authorization Server that supports the S512 code challenge
method MUST advertise its support by including S512 in the
code_challenge_methods_supported metadata parameter value, as
defined in OAuth 2.0 Authorization Server Metadata [RFC8414] or
OpenID Connect Discovery 1.0 [OpenID.Discovery].¶
A Client intending to use the S512 code challenge method MUST
first confirm that the Authorization Server supports it by checking
the code_challenge_methods_supported metadata value. A Client MUST NOT use the S512 code challenge method if the Authorization Server
does not advertise support for it.¶
OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound
Access Tokens [RFC8705] exclusively uses SHA-256 for
certificate-bound access tokens via the x5t#S256 confirmation
method. No alternative hash algorithms or extension points for hash
algorithm negotiation are defined. This document defines the
x5t#S512 confirmation method and a Resource Server metadata
parameter for negotiating the confirmation method.¶
x5t#S512 Confirmation Method
RFC 8705 [RFC8705] defines the x5t#S256 confirmation method
member for binding access tokens to a client certificate using a
SHA-256 hash of the DER-encoded X.509 certificate.¶
This document defines an analogous confirmation method member
x5t#S512 that uses SHA-512 as the hash algorithm:¶
The value is a base64url-encoded SHA-512 hash of the DER encoding of the X.509 certificate.¶
When using x5t#S512, the Authorization Server computes the
SHA-512 hash of the client certificate presented during mutual-TLS
and includes the result as the x5t#S512 member of the cnf
claim in the access token (for JWT access tokens) or associates
it with the token for later retrieval via token introspection
[RFC7662].¶
The Resource Server MUST compute the SHA-512 hash of the client
certificate presented during mutual-TLS and compare it with the
x5t#S512 value in the cnf claim. If the values do not match,
the Resource Server MUST reject the request.¶
The choice of x5t#S512 over x5t#S256 is a deployment decision.
It can be configured out of band or by the Authorization Server
using the Resource Server's metadata (Section 5.2).¶
[[TODO: Section 3.1 of [RFC7800] does not preclude
the presence of both x5t#S256 and x5t#S512 in the same cnf
claim. Including both would not represent confirmations for two
different keys but rather two different hash confirmations of the
same certificate. This may actually be useful during a transition
period in possible future non-constrained deployment scenarios.
The working group should determine whether to prohibit or allow
this.]]¶
This document defines the mtls_confirmation_methods_supported
Resource Server metadata parameter [RFC9728]. Its value is a JSON
array containing the mutual-TLS confirmation method names that the
Resource Server supports. Defined values are x5t#S256 and
x5t#S512. If omitted, the default is ["x5t#S256"].¶
OAuth 2.0 Demonstrating Proof of Possession (DPoP) [RFC9449]
exclusively uses SHA-256 for all of its hash
operations: the jkt confirmation method, the ath access token
hash claim, and the dpop_jkt authorization code binding parameter.
No alternative hash algorithms or extension points for hash
algorithm negotiation are defined.¶
Section 11.10 of [RFC9449] anticipated the need for hash algorithm
agility and foresaw that a future specification would define a new
confirmation method, JWT claim, and authorization request parameter
for use as alternatives to their SHA-256 counterparts. This document
defines those DPoP mechanisms: the dpop_jkt_method authorization
request parameter, the jkt#S512 confirmation method, and the
ath#S512 JWT claim. In constrained deployments where SHA-256 is
prohibited, these are used in place of their SHA-256 counterparts
rather than alongside them.¶
jkt#S512 Confirmation Method
RFC 9449 [RFC9449] defines the jkt confirmation method member
for binding access tokens to a DPoP public key using a SHA-256
JWK Thumbprint [RFC7638].¶
This document defines an analogous confirmation method member
jkt#S512 that uses SHA-512 as the hash algorithm:¶
The value is the base64url encoding of the JWK Thumbprint [RFC7638] computed using SHA-512 of the DPoP public key (in JWK format) to which the access token is bound.¶
When using jkt#S512, the Authorization Server computes the
SHA-512 JWK Thumbprint of the DPoP public key and includes the
result as the jkt#S512 member of the cnf claim in the access
token (for JWT access tokens) or associates it with the token
for later retrieval via token introspection [RFC7662].¶
The Resource Server MUST compute the SHA-512 JWK Thumbprint of
the DPoP public key and compare it with the jkt#S512 value in
the cnf claim. If the values do not match, the Resource Server
MUST reject the request.¶
The choice of jkt#S512 over jkt is a deployment decision. It
can be configured out of band or by the Authorization Server using
the Resource Server's metadata (Section 6.2.3).¶
[[TODO: Section 3.1 of [RFC7800] does not preclude
the presence of both jkt and jkt#S512 in the same cnf claim.
Including both would not represent confirmations for two different
keys but rather two different hash confirmations of the same key.
This may actually be useful during a transition period in possible
future non-constrained deployment scenarios. The working group
should determine whether to prohibit or allow this.]]¶
ath#S512 Access Token Hash
RFC 9449 [RFC9449] defines the ath claim in the DPoP proof JWT
as the base64url-encoded SHA-256 hash of the ASCII encoding of the
access token value.¶
This document defines an analogous claim ath#S512 that uses
SHA-512 as the hash algorithm:¶
The value is the base64url encoding of the SHA-512 hash of the ASCII encoding of the associated access token's value.¶
When used, ath#S512 is included in the DPoP proof JWT in place
of ath.¶
[[TODO: Including both ath and ath#S512 in the same DPoP proof
JWT would not represent hashes of two different access tokens but
rather two different hash confirmations of the same access token.
This may actually be useful during a transition period in possible
future non-constrained deployment scenarios. The working group
should determine whether to prohibit or allow this.]]¶
The Resource Server MUST compute the SHA-512 hash of the ASCII
encoding of the access token value and compare it with the
ath#S512 value in the DPoP proof JWT. If the values do not
match, the Resource Server MUST reject the request.¶
A Resource Server MAY signal the required access token hash method
by including the ath_method parameter in the WWW-Authenticate:
DPoP challenge. The value of ath_method is the name of the claim
the Client MUST use: ath for SHA-256 or ath#S512 for SHA-512.
When ath_method is absent, the Client MUST use ath.
Additionally, Resource Server metadata for the supported access
token hash methods is defined in Section 6.2.3.¶
The following is a non-normative example of an HTTP response
signalling the client to use ath#S512:¶
This document defines the following Resource Server metadata parameters [RFC9728]:¶
JSON array containing the DPoP confirmation method names
that the Resource Server supports. Defined values are jkt
and jkt#S512. If omitted, the default is ["jkt"].¶
JSON array containing the access token hash claim names
that the Resource Server supports. Defined values are ath
and ath#S512. If omitted, the default is ["ath"].¶
The S512 code challenge method provides the same structural
security properties as S256. It is a one-way transformation of
the code verifier that prevents an attacker who intercepts the
authorization code from computing the code verifier needed to exchange
it for tokens.¶
The x5t#S512 confirmation method provides the same structural
security properties as x5t#S256 defined in [RFC8705].¶
The jkt#S512 confirmation method, dpop_jkt combined with
dpop_jkt_method parameter, and ath#S512 claim provide the same
structural security properties as their SHA-256 counterparts
defined in DPoP [RFC9449].¶
SHA-512 provides a 256-bit collision resistance and 512-bit preimage resistance, exceeding the 128-bit and 256-bit levels provided by SHA-256. The use of SHA-512 is suitable for deployments with elevated security requirements.¶
Deployments that do not have restrictions on use of SHA-256 do not need to migrate away from the established SHA-256 based mechanisms.¶
This document requests registration of the following value in the "PKCE Code Challenge Methods" registry established by Section 6.2 of [RFC7636]:¶
S512¶
IETF¶
Section 4.1 of this document¶
This document establishes the "DPoP Authorization Code Binding
Methods" registry for dpop_jkt_method values.¶
New entries are registered using the Specification Required policy [RFC5226].¶
The initial contents of the registry are:¶
S256¶
IETF¶
Section 10 of [RFC9449]¶
S512¶
IETF¶
Section 6.1.1 of this document¶
This document requests registration of the following value in the "OAuth Parameters" registry established by [RFC6749]:¶
dpop_jkt_method¶
authorization request¶
IETF¶
Section 6.1.1 of this document¶
This document requests registration of the following value in the "JSON Web Token Claims" registry established by [RFC7519]:¶
ath#S512¶
The base64url-encoded SHA-512 hash of the ASCII encoding of the associated access token's value¶
IETF¶
Section 6.2.2 of this document¶
This document requests registration of the following values in the "OAuth Protected Resource Metadata" registry established by [RFC9728]:¶
dpop_confirmation_methods_supported¶
JSON array containing a list of the DPoP confirmation method names supported by the Resource Server¶
IETF¶
Section 6.2.3 of this document¶
dpop_access_token_hash_methods_supported¶
JSON array containing a list of the access token hash claim names supported by the Resource Server¶
IETF¶
Section 6.2.3 of this document¶
mtls_confirmation_methods_supported¶
JSON array containing a list of the mutual-TLS confirmation method names supported by the Resource Server¶
IETF¶
Section 5.2 of this document¶
This document requests registration of the following values in the "JWT Confirmation Methods" registry established by [RFC7800]:¶
x5t#S512¶
X.509 Certificate SHA-512 Thumbprint¶
IETF¶
Section 5.1 of this document¶
jkt#S512¶
JWK SHA-512 Thumbprint¶
IETF¶
Section 6.2.1 of this document¶
TODO acknowledge.¶