[OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-par-00.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 21 September 2019 11:02 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id AB8EB120100 for <oauth@ietfa.amsl.com>; Sat, 21 Sep 2019 04:02:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id B5DMbi3_rq9c for <oauth@ietfa.amsl.com>; Sat, 21 Sep 2019 04:02:05 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAC59120935 for <oauth@ietf.org>; Sat, 21 Sep 2019 04:02:04 -0700 (PDT)
Received: from [] (helo=[]) by smtprelay03.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) (envelope-from <torsten@lodderstedt.net>) id 1iBd9N-0004yX-Vh for oauth@ietf.org; Sat, 21 Sep 2019 13:02:02 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_DD801DFE-1038-44E7-BCA9-E58EAFD8B99D"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Message-Id: <1842D9CD-1B5B-420A-AA43-7B30F3CE13B8@lodderstedt.net>
References: <156906284888.22977.8893219801768603786.idtracker@ietfa.amsl.com>
To: oauth <oauth@ietf.org>
Date: Sat, 21 Sep 2019 13:02:01 +0200
X-Mailer: Apple Mail (2.3445.104.11)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_X9JXW_d2ntS3P7YpONA9SjZSbw>
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-par-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Sep 2019 11:02:16 -0000

Hi all, 

I just published a new draft that Brian Campbell, Dave Tonge, Filip Skokan, Nat Sakimura and I wrote. 


It proposes a new endpoint, called "pushed authorization request endpoint”, that allows the client to push the Authorization Request payload with the AS on a backchannel connection instead of a front channel interaction. The AS provides the client with a request URI (according to draft-ietf-oauth-jwsreq) that the client uses in a subsequent authorization requests to refer to the pushed request data. 

We believe this simple mechanism will significantly increase OAuth security and robustness since any application can use it by just sending the parameters in the same encoding as used at the authorisation endpoint over a HTTPS-protected and (for confidential clients) mutually authenticated connection to the AS. It can also be used to push signed and encrypted request objects to the AS, i.e. it provides an interoperable way to use request objects managed at the AS for use cases requiring an even higher security level.

We look forward to getting your feedback. 

kind regards,

> Begin forwarded message:
> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-lodderstedt-oauth-par-00.txt
> Date: 21. September 2019 at 12:47:28 CEST
> To: "Nat Sakimura" <nat@sakimura.org>, "Brian Campbell" <bcampbell@pingidentity.com>, "Torsten Lodderstedt" <torsten@lodderstedt.net>, "Dave Tonge" <dave@tonge.org>, "Filip Skokan" <panva.ip@gmail.com>
> A new version of I-D, draft-lodderstedt-oauth-par-00.txt
> has been successfully submitted by Torsten Lodderstedt and posted to the
> IETF repository.
> Name:		draft-lodderstedt-oauth-par
> Revision:	00
> Title:		OAuth 2.0 Pushed Authorization Requests
> Document date:	2019-09-21
> Group:		Individual Submission
> Pages:		12
> URL:            https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-par-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/
> Htmlized:       https://tools.ietf.org/html/draft-lodderstedt-oauth-par-00
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-par
> Abstract:
>   This document defines the pushed authorization request endpoint,
>   which allows clients to push the payload of an OAuth 2.0
>   authorization request to the authorization server via a direct
>   request and provides them with a request URI that is used as
>   reference to the data in a subsequent authorization request.
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> The IETF Secretariat