[OAUTH-WG] OAuth 2.0 JWT Secured Authorization Request (JAR) updates addressing remaining review comments

Mike Jones <Michael.Jones@microsoft.com> Fri, 19 March 2021 20:41 UTC

After the OAuth 2.0 JWT Secured Authorization Request (JAR) specification was sent to the RFC Editor<https://self-issued.info/?p=2121>, the IESG requested an additional round of IETF feedback.  We've published an updated draft addressing the remaining review comments, specifically the SecDir comments from Watson Ladd.  The only normative change made since draft 28 was to change the MIME Type from "oauth.authz.req+jwt" to "oauth-authz-req+jwt", per advice from the designated experts.

As a reminder, this specification takes the JWT Request Object from Section 6 of OpenID Connect Core (Passing Request Parameters as JWTs)<https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests> and makes this functionality available for pure OAuth 2.0 applications - and does so without introducing breaking changes.  This is one of a series of specifications bringing functionality originally developed for OpenID Connect to the OAuth 2.0 ecosystem.  Other such specifications include OAuth 2.0 Dynamic Client Registration Protocol [RFC 7591<https://tools.ietf.org/html/rfc7591>] and OAuth 2.0 Authorization Server Metadata [RFC 8414<https://tools.ietf.org/html/rfc8414>].
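As an added illustration (not code from the draft or from its authors), here is a minimal Python check an authorization server could run on an incoming request object: it pins the typ header to the "oauth-authz-req+jwt" media type announced above and applies the JAR checks that the client_id inside the object matches the client_id query parameter, that request/request_uri are not nested, and that aud names this server. HS256 with a shared client secret and the sample claim values are constructed for the example; real deployments usually verify asymmetric signatures against the client's registered keys.

```python
import base64
import hashlib
import hmac
import json

JAR_TYP = "oauth-authz-req+jwt"  # JAR media type without the "application/" prefix

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request_object(claims: dict, secret: bytes, typ: str = JAR_TYP) -> str:
    """Client side: compact JWS request object. HS256 keeps the example dependency-free (assumption)."""
    header = {"alg": "HS256", "typ": typ}
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(segments)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_request_object(token: str, secret: bytes, as_issuer: str, query_client_id: str) -> dict:
    """Authorization-server side: accept only a well-formed, correctly typed JAR request object."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm and require the registered typ; the old "oauth.authz.req+jwt" value fails here.
    if header.get("alg") != "HS256" or header.get("typ") != JAR_TYP:
        raise ValueError("unexpected alg or typ")
    expected = hmac.new(secret, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(parts[1]))
    # The client_id inside the object must match the client_id query parameter.
    if claims.get("client_id") != query_client_id:
        raise ValueError("client_id mismatch")
    # request / request_uri must not be nested inside a request object.
    if "request" in claims or "request_uri" in claims:
        raise ValueError("nested request object")
    # aud must name this authorization server (aud may be a string or a list).
    aud = claims.get("aud")
    if as_issuer not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not name this authorization server")
    return claims
```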

The specification is available at:

  *   https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-31

An HTML-formatted version is also available at:

  *   https://self-issued.info/docs/draft-ietf-oauth-jwsreq-31.html

                                                       -- Mike

P.S.  This notice was also posted at https://self-issued.info/?p=2152 and as @selfissued<https://twitter.com/selfissued/>.