Protocol Action: 'OAuth 2.0 Pushed Authorization Requests' to Proposed Standard (draft-ietf-oauth-par-10.txt)
The IESG <iesg-secretary@ietf.org> Fri, 30 July 2021 00:50 UTC
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: ietf-announce@ietf.org
Delivered-To: ietf-announce@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E1EC3A0F3A; Thu, 29 Jul 2021 17:50:31 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Subject: Protocol Action: 'OAuth 2.0 Pushed Authorization Requests' to Proposed Standard (draft-ietf-oauth-par-10.txt)
X-Test-IDTracker: no
X-IETF-IDTracker: 7.35.0
Auto-Submitted: auto-generated
Precedence: bulk
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-par@ietf.org, hannes.tschofenig@arm.com, oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org, rfc-editor@rfc-editor.org
Message-ID: <162760623116.13261.9917316154179845168@ietfa.amsl.com>
Date: Thu, 29 Jul 2021 17:50:31 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/eGfTw7PyVA6JCdM2y3RQj2m280o>
X-BeenThere: ietf-announce@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "IETF announcement list. No discussions." <ietf-announce.ietf.org>
X-List-Received-Date: Fri, 30 Jul 2021 00:50:31 -0000
The IESG has approved the following document:
- 'OAuth 2.0 Pushed Authorization Requests'
  (draft-ietf-oauth-par-10.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-par/

Technical Summary

This document defines the pushed authorization request endpoint, which allows clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent call to the authorization endpoint.

Working Group Summary

The document changes the way to interact with the authorization request endpoint. The use of this work is envisioned within the finance sector.

Document Quality

Based on feedback provided by participants of the OAuth working group the following implementations of PAR are available:

Open source framework implementing PAR (with optional JWSREQ) in Golang:
https://github.com/zntrio/solid

Authlete supports PAR and has passed the PAR test cases in the OpenID conformance suite. Documents mentioning Authlete's PAR support are here:
https://www.authlete.com/news/20210204_authlete_2_2/
https://www.authlete.com/developers/relnotes/2.2/

The Node.js open source openid-client project:
https://github.com/panva/node-openid-client

Glewlwyd 2.5.2 supports PAR:
https://github.com/babelouest/glewlwyd

PAR is supported by the Connect2id server and the open source OAuth 2.0 / OIDC SDK, which has also been picked up by some downstream security frameworks and projects:
https://connect2id.com/blog/pushed-authorisation-request-in-oauth-sdk

The Yes Signing Flow is based on PAR and therefore implemented by our banks (> 1000). A Python client for the yes signing flow is publicly available that uses PAR:
https://github.com/yescom/pyyes

Authress supports PAR.

The Node.js open source oidc-provider project implements PAR behind a feature flag:
https://github.com/panva/node-oidc-provider

The open source project "Loginbuddy" implements PAR and the functionality is documented here:
https://github.com/SaschaZeGerman/loginbuddy/wiki/Protocols-and-APIs

PingFederate has officially released PAR, see
https://docs.pingidentity.com/bundle/pingfederate-102/page/qem1584122852896.html

Finally, ForgeRock plans to implement PAR.

Personnel

Hannes Tschofenig is the document shepherd.
Roman Danyliw is the responsible area director.
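
The flow in the Technical Summary, as an added sketch that is not part of the IESG announcement or of any implementation listed in it: an in-memory authorization server whose pushed authorization request endpoint stores the payload and hands back a reference, and whose authorization endpoint resolves that reference. The `request_uri` and `expires_in` names and the `urn:` form follow draft-ietf-oauth-par; the class, client id, secret, 60-second lifetime and the choice to consume a reference on any presentation are assumptions made for illustration.

```python
import secrets
import time

URN_PREFIX = "urn:ietf:params:oauth:request_uri:"  # reference form from the PAR draft

class AuthorizationServer:
    """Toy in-memory AS (hypothetical): PAR endpoint plus authorization endpoint."""

    def __init__(self, client_secrets, lifetime=60, clock=time.time):
        self.client_secrets = client_secrets   # constructed sample client registry
        self.lifetime = lifetime               # seconds a request_uri stays valid
        self.clock = clock
        self.pushed = {}                       # request_uri -> (client_id, params, expiry)

    def par_endpoint(self, client_id, client_secret, params):
        """Direct client-to-AS request: authenticate, store payload, return reference."""
        expected = self.client_secrets.get(client_id)
        if expected is None or not secrets.compare_digest(expected, client_secret):
            return 401, {"error": "invalid_client"}
        if "request_uri" in params:            # a reference must not be pushed itself
            return 400, {"error": "invalid_request"}
        uri = URN_PREFIX + secrets.token_urlsafe(32)   # unguessable reference
        self.pushed[uri] = (client_id, dict(params), self.clock() + self.lifetime)
        return 201, {"request_uri": uri, "expires_in": self.lifetime}

    def authorization_endpoint(self, client_id, request_uri):
        """Browser-facing call: only client_id and the reference cross the front channel."""
        entry = self.pushed.pop(request_uri, None)     # pop makes the reference one-time
        if entry is None:
            return None
        owner, params, expiry = entry
        if owner != client_id or self.clock() > expiry:
            return None                        # bound to another client, or expired
        return params

def demo():
    now = [1000.0]                             # controllable clock for the expiry case
    server = AuthorizationServer({"s6BhdRkqt3": "constructed-secret"}, clock=lambda: now[0])
    payload = {"response_type": "code", "scope": "payments",
               "redirect_uri": "https://client.example/cb", "state": "af0ifjsldkj"}
    status, body = server.par_endpoint("s6BhdRkqt3", "constructed-secret", payload)
    first = server.authorization_endpoint("s6BhdRkqt3", body["request_uri"])
    replay = server.authorization_endpoint("s6BhdRkqt3", body["request_uri"])
    _, late = server.par_endpoint("s6BhdRkqt3", "constructed-secret", payload)
    now[0] += 61                               # let the second reference expire
    expired = server.authorization_endpoint("s6BhdRkqt3", late["request_uri"])
    return status, first, replay, expired
```

Because the authorization endpoint receives only the reference, the scope and redirect URI never pass through the user agent where they could be altered, and a replayed, expired or cross-client reference resolves to nothing.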