RFC 9278

RFC 9278 defines the JWK Thumbprint URI, an extension to RFC 7638 (JWK Thumbprint). It provides a standard way to represent a JWK Thumbprint as a URI, enabling stable, comparable key identifiers that can be referenced externally.

Definition

RFC 9278 builds on RFC 7638 by specifying how a JWK Thumbprint (Base64URL-encoded SHA-256 digest of a key’s canonical JSON form) can be expressed as a URI. This allows JWK-based key identifiers to be used in contexts where a URI is required.

The JWK Thumbprint URI uses the following format:

urn:ietf:params:oauth:jwk-thumbprint:sha-256:<base64url-thumbprint>

Implementation

joserfc implements JWK thumbprint support according to RFC 7638. The thumbprint URI is exposed through the key's thumbprint_uri() method:

from joserfc import jwk

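# Generate a new RSA key; the thumbprint is computed over its public members only.
key = jwk.generate_key("RSA")
key.thumbprint_uri()
# e.g. 'urn:ietf:params:oauth:jwk-thumbprint:sha-256:OLO1-f_Vl8mishRR_ZuXJFqZn1geoCXGsJdmKlW13Oc'
# (the value differs for every generated key)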

This provides a standards-compliant identifier suitable for use in any URI field across OAuth and JOSE-related specifications.
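The construction behind the URI, written out with the Python standard library as an added example (it is not joserfc's code): only the required members for the key type are hashed, which is why the identifier stays the same when member order or optional fields such as kid change. The names thumbprint_uri, matches, REQUIRED and SAMPLE_KEY are hypothetical, and the key material is constructed, not a real key.

```python
import base64
import hashlib
import hmac
import json

PREFIX = "urn:ietf:params:oauth:jwk-thumbprint:sha-256:"

# Required members per key type (RFC 7638, section 3.2); nothing else is hashed.
REQUIRED = {
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}

# Constructed sample public key (placeholder value for "x", not a real key).
SAMPLE_KEY = {
    "kty": "OKP",
    "crv": "Ed25519",
    "x": "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8",
}


def thumbprint_uri(jwk: dict) -> str:
    """Build the RFC 9278 SHA-256 thumbprint URI for a JWK given as a dict."""
    members = REQUIRED[jwk["kty"]]  # KeyError for an unsupported key type
    # Canonical form: required members only, sorted by name, no whitespace.
    canonical = json.dumps(
        {name: jwk[name] for name in members},
        sort_keys=True,
        separators=(",", ":"),
        ensure_ascii=False,
    ).encode("utf-8")
    digest = hashlib.sha256(canonical).digest()
    # Base64URL without padding, as used throughout JOSE.
    encoded = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return PREFIX + encoded


def matches(jwk: dict, uri: str) -> bool:
    """Check a received thumbprint URI against a key we hold."""
    expected = thumbprint_uri(jwk).encode("utf-8")
    return hmac.compare_digest(expected, uri.encode("utf-8"))
```

Private members such as d never enter the hash, so a private key and its public counterpart yield the same URI.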