Requirements for cryptography
The following algorithms are supported for signing JSON Web Tokens (JWT) for:
- Client assertions (`private_key_jwt`)
- Request objects
- DPoP proofs

JSON Web Algorithm | Signature algorithm family | Hashing algorithm |
---|---|---|
RS256 | RSASSA-PKCS1-v1_5 | SHA-256 |
RS384 | RSASSA-PKCS1-v1_5 | SHA-384 |
RS512 | RSASSA-PKCS1-v1_5 | SHA-512 |
ES256 | ECDSA | SHA-256 |
ES384 | ECDSA | SHA-384 |
ES512 | ECDSA | SHA-512 |
PS256 | RSASSA-PSS | SHA-256 |
PS384 | RSASSA-PSS | SHA-384 |
PS512 | RSASSA-PSS | SHA-512 |
The recommended choice is either PS256 or PS512.
RSA keys must have a minimum bit length of 2048.
Elliptic curve keys must have a minimum bit length of 160.
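
The following is an added example, not code from this page or the product it documents: a pre-flight check that a JWT header and the public JWK it will be verified with meet the requirements above. The function names are hypothetical, the curve sizes are an assumption taken from RFC 7518, and the sample token and keys are constructed; the signature itself is not verified here.

```python
import base64
import json

# Allowlist and minimum key sizes from the requirements on this page.
ALLOWED_ALGS = {f"{fam}{size}" for fam in ("RS", "ES", "PS") for size in (256, 384, 512)}
MIN_RSA_BITS, MIN_EC_BITS = 2048, 160
# Assumption: JWK curve names and key sizes in bits as registered in RFC 7518.
EC_CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_signing_requirements(token, jwk):
    """Return a list of violations; an empty list means header and key pass."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    alg = json.loads(b64url_decode(parts[0])).get("alg")
    if alg not in ALLOWED_ALGS:  # also rejects "none" and HMAC algorithms
        return [f"alg {alg!r} is not supported"]
    wanted_kty = "EC" if alg.startswith("ES") else "RSA"
    if jwk.get("kty") != wanted_kty:
        return [f"alg {alg} needs a {wanted_kty} key, got {jwk.get('kty')!r}"]
    if wanted_kty == "RSA":
        bits = int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()
        minimum = MIN_RSA_BITS
    else:
        bits = EC_CURVE_BITS.get(jwk.get("crv"), 0)  # unknown curve counts as 0
        minimum = MIN_EC_BITS
    if bits < minimum:
        return [f"{wanted_kty} key is {bits} bits, minimum is {minimum}"]
    return []

def sample_token(alg):
    """Constructed, unsigned sample: real header, placeholder payload/signature."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return f"{header}.e30.c2ln"

def sample_rsa_jwk(bits):
    """Constructed modulus of the given bit length; not a usable key."""
    n = (1 << (bits - 1)) | 1
    return {"kty": "RSA", "e": "AQAB", "n": b64url_encode(n.to_bytes((bits + 7) // 8, "big"))}

if __name__ == "__main__":
    for alg, bits in (("PS256", 2048), ("PS256", 1024), ("none", 2048)):
        print(alg, bits, check_signing_requirements(sample_token(alg), sample_rsa_jwk(bits)))
```

Running the check before signature verification keeps an unsupported `alg` value or an undersized key from ever reaching the verification routine.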