Protocol Action: 'OAuth 2.0 Authorization Server Issuer Identification' to Proposed Standard (draft-ietf-oauth-iss-auth-resp-04.txt)
The IESG <iesg-secretary@ietf.org> Wed, 05 January 2022 18:35 UTC
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: ietf-announce@ietf.org
Delivered-To: ietf-announce@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B91B63A0ACD; Wed, 5 Jan 2022 10:35:20 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Subject: Protocol Action: 'OAuth 2.0 Authorization Server Issuer Identification' to Proposed Standard (draft-ietf-oauth-iss-auth-resp-04.txt)
X-Test-IDTracker: no
X-IETF-IDTracker: 7.41.0
Auto-Submitted: auto-generated
Precedence: bulk
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-iss-auth-resp@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org, rfc-editor@rfc-editor.org, rifaat.s.ietf@gmail.com
Message-ID: <164140772074.25534.8480915836918476022@ietfa.amsl.com>
Date: Wed, 05 Jan 2022 10:35:20 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/aAVLqjY3zcoxCysnELqqV7THhsg>
X-BeenThere: ietf-announce@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "IETF announcement list. No discussions." <ietf-announce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-announce/>
List-Post: <mailto:ietf-announce@ietf.org>
List-Help: <mailto:ietf-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jan 2022 18:35:21 -0000
The IESG has approved the following document:
- 'OAuth 2.0 Authorization Server Issuer Identification'
  (draft-ietf-oauth-iss-auth-resp-04.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/

Technical Summary

This document specifies a new parameter iss that is used to explicitly include the issuer identifier of the authorization server in the authorization response of an OAuth authorization flow. The iss parameter serves as an effective countermeasure to "mix-up attacks".

Working Group Summary

This work is useful to address a specific attack when an OAuth Client interacts with multiple authorization servers. It hardens prior OAuth works.

Document Quality

A number of people reviewed the document over several rounds of reviews and provided feedback during meetings and on the mailing list, with no blocking comments.

Implementations:

Duende Software
https://duendesoftware.com/products/identityserver

Authlete
https://www.authlete.com/developers/relnotes/2.2.2/#oauth-2-0-authorization-server-issuer-identifier-in-authorization-response

Authress
https://authress.io/

Personnel

The document shepherd is Rifaat Shekh-Yusef. The responsible Area Director is Roman Danyliw.
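
The client-side check that the Technical Summary implies, as an added example that is not part of the IESG announcement or of the draft: a client that talks to several authorization servers records which issuer each flow was started with and refuses a response whose iss names a different one. The `pending` store, the exception name and the `*.example` hosts are hypothetical; `iss_supported` is assumed to mirror the server's `authorization_response_iss_parameter_supported` metadata value.

```python
from urllib.parse import urlsplit, parse_qs


class AuthorizationResponseError(Exception):
    """The authorization response must not be processed further."""


def check_authorization_response(redirect_url, pending):
    """Return (issuer, code) once the response's iss matches the server the
    flow was started with. `pending` maps state -> {"issuer", "iss_supported"}
    (hypothetical client-side session store)."""
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    # A repeated parameter is ambiguous: refuse instead of picking one value.
    for name in ("state", "iss", "code"):
        if len(params.get(name, [])) > 1:
            raise AuthorizationResponseError(f"duplicate {name} parameter")

    state = params.get("state", [None])[0]
    flow = pending.pop(state, None)  # single use, so a replay finds nothing
    if flow is None:
        raise AuthorizationResponseError("unknown or already used state")

    iss = params.get("iss", [None])[0]
    if iss is None:
        # Absent iss is tolerated only for a server that never announced it.
        if flow["iss_supported"]:
            raise AuthorizationResponseError("iss missing from response")
    elif iss != flow["issuer"]:  # exact string match, no URL normalization
        raise AuthorizationResponseError(
            f"response issued by {iss!r}, expected {flow['issuer']!r}")

    code = params.get("code", [None])[0]
    if not code:
        raise AuthorizationResponseError("no authorization code in response")
    return flow["issuer"], code


if __name__ == "__main__":
    # Constructed sample: flow started at honest.example, response names another issuer.
    pending = {"s1": {"issuer": "https://honest.example", "iss_supported": True}}
    url = ("https://client.example/cb?code=abc&state=s1"
           "&iss=https%3A%2F%2Fattacker.example")
    try:
        check_authorization_response(url, pending)
    except AuthorizationResponseError as exc:
        print("rejected:", exc)
```

The code is returned together with the issuer it belongs to, so the token request can only go to that issuer's token endpoint.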