Requirements for cryptography
The followng algorithms are supported for signing Json Web Tokens (JWT) for
- Client assertions (
private_key_jwt) - Request objects
- DPoP proofs
| JSON Web Algorithm | Signature algorithm family | Hashing algorithm |
|---|---|---|
| RS256 | RSASSA-PKCS1-v1_5 | SHA-256 |
| RS384 | RSASSA-PKCS1-v1_5 | SHA-384 |
| RS512 | RSASSA-PKCS1-v1_5 | SHA-512 |
| ES256 | ECDSA | SHA-256 |
| ES384 | ECDSA | SHA-384 |
| ES512 | ECDSA | SHA-512 |
| PS256 | RSASSA-PSS | SHA-256 |
| PS384 | RSASSA-PSS | SHA-384 |
| PS512 | RSASSA-PSS | SHA-512 |
The recommended choice is either PS256, or PS512.
RSA keys must have a minimum bit length of 2048.
Elliptic curve keys must have a minimum bit length of 160.