jwkThumbprint

If the response is encrypted, e.g., using direct_post.jwt, this MUST be the JWK SHA-256 Thumbprint as defined in RFC 7638, encoded as a Byte String, of the Verifier's public key used to encrypt the response. Otherwise, this MUST be null.