IETF Logo Mail Archive

RFC 9101 on The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)

rfc-editor@rfc-editor.org Sat, 21 August 2021 07:29 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: ietf-announce@ietfa.amsl.com
Delivered-To: ietf-announce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B49EE3A07F2; Sat, 21 Aug 2021 00:29:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tPtZRvEbaOHk; Sat, 21 Aug 2021 00:29:32 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D1063A07DB; Sat, 21 Aug 2021 00:29:32 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 6A06DF40790; Sat, 21 Aug 2021 00:29:24 -0700 (PDT)
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
Subject: RFC 9101 on The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
X-PHP-Originating-Script: 1005:ams_util_lib.php
From: rfc-editor@rfc-editor.org
Cc: rfc-editor@rfc-editor.org, drafts-update-ref@iana.org, oauth@ietf.org
Content-type: text/plain; charset="UTF-8"
Message-Id: <20210821072924.6A06DF40790@rfc-editor.org>
Date: Sat, 21 Aug 2021 00:29:24 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/KKu-lJ4pFIeyuLiZyQiuGaAkd7g>
X-BeenThere: ietf-announce@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IETF announcement list. No discussions." <ietf-announce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-announce/>
List-Post: <mailto:ietf-announce@ietf.org>
List-Help: <mailto:ietf-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Aug 2021 07:29:40 -0000

A new Request for Comments is now available in online RFC libraries.

        
        RFC 9101

        Title:      The OAuth 2.0 Authorization Framework: 
                    JWT-Secured Authorization Request (JAR) 
        Author:     N. Sakimura,
                    J. Bradley,
                    M. Jones
        Status:     Standards Track
        Stream:     IETF
        Date:       August 2021
        Mailbox:    nat@nat.consulting,
                    rfc9101@ve7jtb.com,
                    mbj@microsoft.com
        Pages:      25
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-jwsreq-34.txt

        URL:        https://www.rfc-editor.org/info/rfc9101

        DOI:        10.17487/RFC9101

The authorization request in OAuth 2.0 described in RFC 6749 utilizes
query parameter serialization, which means that authorization request
parameters are encoded in the URI of the request and sent through
user agents such as web browsers.  While it is easy to implement, it
means that a) the communication through the user agents is not
integrity protected and thus, the parameters can be tainted, b) the
source of the communication is not authenticated, and c) the
communication through the user agents can be monitored.  Because of
these weaknesses, several attacks to the protocol have now been put
forward.

This document introduces the ability to send request parameters in a
JSON Web Token (JWT) instead, which allows the request to be signed
with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
(JWE) so that the integrity, source authentication, and
confidentiality properties of the authorization request are attained.
 The request can be sent by value or by reference.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track
protocol for the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the Official
Internet Protocol Standards (https://www.rfc-editor.org/standards) for the 
standardization state and status of this protocol.  Distribution of this 
memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  https://www.ietf.org/mailman/listinfo/ietf-announce
  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC

v2.23.0 | Report a Bug | By Email