| RFC 9749 | Use of VAPID in JMAP Web Push | March 2025 |
| Gultsch | Standards Track | [Page] |
This document defines a method for JSON Meta Application Protocol (JMAP) servers to advertise their capability to authenticate Web Push notifications using the Voluntary Application Server Identification (VAPID) protocol.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9749.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
JMAP[RFC8620] specifies how clients can subscribe to events using a protocol that is compatible with Web Push[RFC8030]. Some push services require that the application server authenticate all push messages using the VAPID protocol[RFC8292]. To facilitate that, the client (or user agent in Web Push terminology) needs the VAPID public key of the application server to pass along to the push service when retrieving a new endpoint.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The JMAP capabilities object is returned as part of the standard JMAP session object (seeSection 2 of [RFC8620]). Servers supporting this specificationMUST add a property calledurn:ietf:params:jmap:webpush-vapid to the capabilities object. The value of this property is an object thatMUST contain the following information:¶
applicationServerKey: "String"Informative Note: The format of the application server key was chosen to ensure compatibility with the browser API (Section 7.2 of[PUSH-API]), allowing the key to be directly copied and used without additional transformation. Additionally, as noted inSection 3.2 of [RFC8292], the X9.62 encoding (which is compatible with SEC1 encoding) simplifies key comparisons and is more compact than alternative formats.¶
Every time the server sends a push message to aPushSubscription URL, itMUST authenticate the POST request using the protocol outlined in[RFC8292]. This includes bothStateChange events andPushVerification notifications. To authenticate the request, the serverMUST use a JSON Web Token (JWT) signed by the private key corresponding to the application server key. This application server keyMUST be the one that was advertised in the capabilities object at the time thePushSubscription was created.¶
When a server needs to replace its VAPID key, itMUST update thesessionState per[RFC8620]. The clientMUST monitor the JMAP session object for changes to the VAPID key andMUST recreate its push subscription when it detects such a change.¶
After key rotation, the serverMAY continue to send push notifications for existing push subscriptions using the old application server key for a transitional period. This allows clients time to recreate their respective push subscriptions. At the end of the transitional period (or immediately for implementations that do not have one), the serverMUST destroy push subscriptions that use the old key.¶
When destroying push subscriptions that include the data typePushSubscription, the serverMAY issue one finalStateChange push notification using the old URL and application server key to notify the client of changes to thePushSubscription data type. This prompts the client to make aPushSubscription/changes method call. The response to this call will contain an updatedsessionState, which refers to a session object that contains the new VAPID key.¶
A race condition can occur when the server updates its VAPID key after the client has refreshed the session object but before calling thePushSubscription/set method. This situation causes the server to send aPushVerification object to a push resource URL that is now associated with an outdated VAPID key. Consequently, the push service will reject thePushVerification with a 403 (Forbidden) status code, as specified inSection 4.2 of [RFC8292].¶
To alleviate this problem, the clientMUST check if thesessionState in the response from thePushSubscription/set method points to a session object with anapplicationServerKey that matches their expectations. If there is a mismatch, the clientMAY retry creating thePushSubscription. Additionally, the clientMAY destroy thePushSubscription from the earlier, failed attempt.¶
During the key rotation process, synchronization issues between the client and server may arise. Specifically, a client might restrict a push subscription with the push service to an outdated key, while the server sends thePushVerification object authenticated with the newly rotated key. This mismatch leads to the push service rejecting thePushVerification request with a 403 (Forbidden) status code, as specified inSection 4.2 of [RFC8292].¶
Per the requirements ofSection 7.2 of [RFC8620], the serverMUST NOT retry the rejectedPushVerification request. Consequently, thePushVerification object will not be delivered to the client.¶
To mitigate such issues, the client is responsible for detecting and resolving any synchronization discrepancies, as outlined inSection 5 of this document.¶
The inclusion of theurn:ietf:params:jmap:webpush-vapid property in the JMAP capabilities object is limited to providing information about the server's support for VAPID. This property does not reveal sensitive information, nor does it introduce new security or privacy risks beyond those inherent to JMAP and Web Push. The security considerations for JMAP[RFC8620] (especially Sections8.6 and8.7), Web Push[RFC8030], and VAPID[RFC8292] apply to this document.¶
IANA has registered the following new capability in the "JMAP Capabilities" registry:¶