[OAUTH-WG] Protocol Action: 'JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens' to Proposed Standard (draft-ietf-oauth-access-token-jwt-13.txt)
The IESG <iesg-secretary@ietf.org> Tue, 31 August 2021 14:34 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KuoVBatoISmvxyiz1HSEnnnvELo>

The IESG has approved the following document:
- 'JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens'
  (draft-ietf-oauth-access-token-jwt-13.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/

Technical Summary

This specification defines a profile for issuing OAuth 2.0 access tokens in JSON web token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in an interoperable manner.

Working Group Summary

The OAuth working group has defined an encoding format for access tokens in RFC 7519. This document takes deployment practice and summarizes it in this document with regards to the content in the JWT access token.

Based on SECDIR review, an MTI signature algorithm was added.

Document Quality

The JWT access token is widely used in industry. Here is a list of implementations based on feedback on the mailing list:

Node.js project oidc-provider (https://github.com/panva/node-oidc-provider) has an option to issue Access Tokens conforming to this profile.

IdentityServer implements this functionality:
https://github.com/IdentityServer

Connect2id server implements this specification:
https://connect2id.com/products/server/docs/datasheet#access-token-encoding-jwt

Glewlwyd's OIDC plugin implements an earlier version of the specification:
https://github.com/babelouest/glewlwyd/blob/master/docs/OIDC.md#access-token-format
https://github.com/babelouest/glewlwyd

The working group has received feedback from the deployment community and there is consensus on the content of the document.

Personnel

Hannes Tschofenig is the document shepherd.
Roman Danyliw is the responsible area director.