[OAUTH-WG] Protocol Action: 'The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)' to Proposed Standard (draft-ietf-oauth-jwsreq-34.txt)
The IESG <firstname.lastname@example.org> Thu, 15 April 2021 20:41 UTC
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C23B3A2E2B; Thu, 15 Apr 2021 13:41:23 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
From: The IESG <email@example.com>
To: "IETF-Announce" <firstname.lastname@example.org>
Cc: Hannes.Tschofenig@gmx.net, The IESG <email@example.com>, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
Content-Type: text/plain; charset="utf-8"
Date: Thu, 15 Apr 2021 13:41:23 -0700
Subject: [OAUTH-WG] Protocol Action: 'The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)' to Proposed Standard (draft-ietf-oauth-jwsreq-34.txt)
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:email@example.com?subject=unsubscribe>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:firstname.lastname@example.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Apr 2021 20:41:24 -0000
The IESG has approved the following document: - 'The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)' (draft-ietf-oauth-jwsreq-34.txt) as Proposed Standard This document is the product of the Web Authorization Protocol Working Group. The IESG contact persons are Benjamin Kaduk and Roman Danyliw. A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ Technical Summary The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that Authorization Request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that (a) the communication through the user agents is not integrity protected and thus the parameters can be tainted, and (b) the source of the communication is not authenticated. Because of these weaknesses, several attacks to the protocol have now been put forward. This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication and confidentiality property of the Authorization Request is attained. The request can be sent by value or by reference. Working Group Summary The document changes the encoding of the parameters in the authorization request to a JSON-based encoding. After the second IESG review, the WG removed the faceted media type registration. This document has history of multiple IESG reviews: 2021-04 => returned for third IESG telechat (AD#3) 2020-09 => returned to WG 2020-09 => procedural issues raised on the requested IANA actions 2020-08 => returned for second IESG telechat (AD#3); enough positions to pass; in RFCeditor queue [responsible AD changes to AD#3] [note: mistakes in state changes between approved/IESG review made in datatracker] [responsible AD change to AD#2] 2017-07 => First telechat review (AD#1) Document Quality The request object and the request uri is an optional feature in the OpenID Connect Core specification and two working groups in the OpenID Foundation (namely the Modrna WG and the FAPI WG) are considering using this extension. The following implementations are available. As part of the OpenID Foundation certification program the following implementations of OpenID Connect Core indicate support for this functionality: * CZ.NIC mojeID, * Thierry Habart's SimpleIdentitySever v.2.0.0, * Roland Hedberg's pyoidc 0.7.7, * Peercraft ApS's Peercarft, * MIT's MITREidConnect, * Gluue Server 2.3, * Filip Skokan's node-oidc pre supports. Authlete (https://www.authlete.com/), a commerical, closed source server implementation, has also implemented this specification and is offering it. There is an open source implementation from NRI in PHP and Scala. NRI's Open Source PHP: https://bitbucket.org/PEOFIAMP/phpoidc IdentityServer implements JAR: https://github.com/IdentityServer Personnel Hannes Tschofenig is the document shepherd Roman Danyliw is the responsible area director