Attestation token validation endpoint fields

Which validation endpoint you use depends on the type of token that you requested:

OIDC tokens

The following table describes the high-level fields returned at the OIDC token validation endpoint, https://confidentialcomputing.googleapis.com/.well-known/openid-configuration.

Key Description
claims_supported The keys in the attestation token. For more details, see Attestation token claims.
id_token_signing_alg_values_supported The signing algorithms (alg values) supported by the token. Confidential Space supports the RS256 algorithm.
issuer

The HTTPS scheme that Confidential Space uses as its issuer identifier.

The value is https://confidentialcomputing.googleapis.com.

jwks_uri

The path to the public keys used to verify the token signature. You can publish these keys in a Cloud Storage bucket.

You can find the jwks_uri keys at https://www.googleapis.com/service_accounts/v1/metadata/jwk/[email protected].

An example value is https://example.storage.googleapis.com/jwks.json.

response_types_supported A list of supported Confidential Space response types. Confidential Space supports id_token.
scopes_supported The OAuth 2.0 scope values that the Confidential VM instance supports. Confidential Space supports openid only.
subject_types_supported The subject identifier types that Confidential Space supports. Confidential Space supports public.

PKI tokens

The following table describes the high-level fields returned at the PKI token validation endpoint, https://confidentialcomputing.googleapis.com/.well-known/attestation-pki-root.

root_ca_uri The path to the root certificate that is used to verify a PKI token type signature.