[OAUTH-WG] Protocol Action: 'The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)' to Proposed Standard (draft-ietf-oauth-jwsreq-34.txt)

The IESG <iesg-secretary@ietf.org> Thu, 15 April 2021 20:41 UTC

Return-Path: <iesg-secretary@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C23B3A2E2B; Thu, 15 Apr 2021 13:41:23 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 7.28.0
Auto-Submitted: auto-generated
Precedence: bulk
Cc: Hannes.Tschofenig@gmx.net, The IESG <iesg@ietf.org>, draft-ietf-oauth-jwsreq@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org, rfc-editor@rfc-editor.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-ID: <161851928337.13297.1994990913988085366@ietfa.amsl.com>
Date: Thu, 15 Apr 2021 13:41:23 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/InVLFT9ihDAsOpgJXFl2bGG0CPU>
Subject: [OAUTH-WG] Protocol Action: 'The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)' to Proposed Standard (draft-ietf-oauth-jwsreq-34.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Apr 2021 20:41:24 -0000

The IESG has approved the following document:
- 'The OAuth 2.0 Authorization Framework: JWT Secured Authorization
   Request (JAR)'
  (draft-ietf-oauth-jwsreq-34.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/





Technical Summary

   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
   query parameter serialization, which means that Authorization Request
   parameters are encoded in the URI of the request and sent through
   user agents such as web browsers.  While it is easy to implement, it
   means that (a) the communication through the user agents is not
   integrity protected and thus the parameters can be tainted, and (b)
   the source of the communication is not authenticated.  Because of
   these weaknesses, several attacks to the protocol have now been put
   forward.

   This document introduces the ability to send request parameters in a
   JSON Web Token (JWT) instead, which allows the request to be signed
   with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
   (JWE) so that the integrity, source authentication and
   confidentiality property of the Authorization Request is attained.
   The request can be sent by value or by reference.

Working Group Summary

The document changes the encoding of the parameters in the 
authorization request to a JSON-based encoding.

After the second IESG review, the WG removed the faceted media type 
registration.

This document has history of multiple IESG reviews:
2021-04 => returned for third IESG telechat (AD#3)
2020-09 => returned to WG
2020-09 => procedural issues raised on the requested IANA actions
2020-08 => returned for second IESG telechat (AD#3); enough positions to pass; in RFCeditor queue
[responsible AD changes to AD#3]
[note: mistakes in state changes between approved/IESG review made in datatracker]
[responsible AD change to AD#2]
2017-07 => First telechat review  (AD#1)

Document Quality

The request object and the request uri is an optional feature in 
the OpenID Connect Core specification and two working groups 
in the OpenID Foundation (namely the Modrna WG and the FAPI WG) 
are considering using this extension.

The following implementations are available. 

As part of the OpenID Foundation certification program the following
implementations of OpenID Connect Core indicate support for this 
functionality:
 * CZ.NIC mojeID, 
 * Thierry Habart's SimpleIdentitySever v.2.0.0, 
 * Roland Hedberg's pyoidc 0.7.7, 
 * Peercraft ApS's Peercarft, 
 * MIT's MITREidConnect, 
 * Gluue Server 2.3,
 * Filip Skokan's node-oidc pre supports.

Authlete (https://www.authlete.com/), a commerical, closed source 
server implementation, has also implemented this specification and 
is offering it.

There is an open source implementation from NRI in PHP and Scala.
NRI's Open Source PHP: https://bitbucket.org/PEOFIAMP/phpoidc

IdentityServer implements JAR: https://github.com/IdentityServer


Personnel

Hannes Tschofenig is the document shepherd 
Roman Danyliw is the responsible area director