Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-22.txt

Nat Sakimura <sakimura@gmail.com> Mon, 11 May 2020 23:50 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADA6E3A0DB9 for <oauth@ietfa.amsl.com>; Mon, 11 May 2020 16:50:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ubw6Y9tcL_0 for <oauth@ietfa.amsl.com>; Mon, 11 May 2020 16:50:54 -0700 (PDT)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D58C3A0DC9 for <oauth@ietf.org>; Mon, 11 May 2020 16:50:50 -0700 (PDT)
Received: by mail-wr1-x42f.google.com with SMTP id i15so13091771wrx.10 for <oauth@ietf.org>; Mon, 11 May 2020 16:50:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=w0187EbWcChcpUoCiJGvjybrjQPJrUKyVHisD0iu59M=; b=fqojC5lQw3sJ0pTMelJ4/FJQqFTT702POQ2nQC7GR9bgap/G0nhS8bbfVsRTzO9Fpn YOcGmiUuD7ujRrYlxKEpDEjOwfGQHam42YqU2Pn9Ro5ESMHIjLlKpXCRUFsLVO9nScce nNMebsDQIOSlhr4E2ESyJawIs2reyiyG1kHrZxLfA0UoxXMVzvGmX9cqdgI2fI/cpD/l qCi6Uqc2RhOPSANnP4ew+0WVyWVHmH41N6ZWBeY2WKQmxoGASHZqIHsNHKjuYKVajG5m qqWI2xwimIfmpIk+CqZlTE2p27xN7qXP/07R9aXflMsly/j61SxTdVIoo2EzrEqBSs4n 9LvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=w0187EbWcChcpUoCiJGvjybrjQPJrUKyVHisD0iu59M=; b=DQkGO5uwDbg8dE3nGfL7TAYL0CIp2tr6jpwIYUCSOEjuhHk/Vw6rZMQ1Qlhce03J4y iREqs6OA+RXgpRzSJB5f93zFAqazyA9ucdN/81XeJzDc3lf80bOT1P3ACrHWV0+UNs1q 3Y1h2sxmJhm0C+/clZRfFcWJ4+jWCosMVhvYVfsl1tmDh1lOppOzO+AEfeEF952YiAgN EhIqsG/LLNoQpzm/5xUKLv7qL6riKjQn2jua0QBy70we/PKAoQjB99xuK/bHptQWjMEv em3bOsSRn/maJKjw4qu67yJEJeq04TRpzj/NnRoJumWKr0dhYILk8jzS41Unf4K7yC8a 0Aeg==
X-Gm-Message-State: AGi0PuaS+Du9NTs5gCj9K+tHiB+XAWcfd6+w8gLOP2Us8HEtP2N5+QSG CSUbMmcSkxrNgWYAACuBktL0RCfj2p2Xt3ixU+5w8JVn
X-Google-Smtp-Source: APiQypIfrwStdWLpmzi0BruKS5HhlBbK/c84m99CMWXwcUzVtIIfk5XhQayGti3wT5KS/24knJyvi47phbe+Mtqx1RI=
X-Received: by 2002:adf:a1cb:: with SMTP id v11mr23300882wrv.39.1589241048501; Mon, 11 May 2020 16:50:48 -0700 (PDT)
MIME-Version: 1.0
References: <158907186941.32364.3855329773244277548@ietfa.amsl.com> <0F682743-D799-4773-A1E7-09701CEB2BD1@lodderstedt.net>
In-Reply-To: <0F682743-D799-4773-A1E7-09701CEB2BD1@lodderstedt.net>
From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 12 May 2020 08:50:36 +0900
Message-ID: <CABzCy2BnkOy_Lu-ZpaMA6HZwdreQ0d7XA5ssKrF2RYV1c4--vw@mail.gmail.com>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002891ac05a568046b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sEV3s84o6oWybVnQHJDLNtPgQSI>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-22.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2020 23:50:58 -0000

Torsten,

Thanks. I just updated the draft.

Best,

Nat Sakimura

On Sun, May 10, 2020 at 10:26 PM Torsten Lodderstedt <torsten=
40lodderstedt.net@dmarc.ietf.org> wrote:

> I just read over the diff between -21 and -22 and realised the example in
> Section 5.2.2.
>
> https://server.example.com/authorize?
>        response_type=code%20id_token
>        &client_id=s6BhdRkqt3
>        &request_uri=https%3A%2F%2Ftfp.example.org%2Frequest.jwt
>        %2FGkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM
>
>  still has the “response_type" parameter. I think this parameter should be
> removed.
>
>
>
> > On 10. May 2020, at 02:51, internet-drafts@ietf.org wrote:
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> > This draft is a work item of the Web Authorization Protocol WG of the
> IETF.
> >
> >        Title           : The OAuth 2.0 Authorization Framework: JWT
> Secured Authorization Request (JAR)
> >        Authors         : Nat Sakimura
> >                          John Bradley
> >       Filename        : draft-ietf-oauth-jwsreq-22.txt
> >       Pages           : 32
> >       Date            : 2020-05-07
> >
> > Abstract:
> >   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
> >   query parameter serialization, which means that Authorization Request
> >   parameters are encoded in the URI of the request and sent through
> >   user agents such as web browsers.  While it is easy to implement, it
> >   means that (a) the communication through the user agents are not
> >   integrity protected and thus the parameters can be tainted, and (b)
> >   the source of the communication is not authenticated.  Because of
> >   these weaknesses, several attacks to the protocol have now been put
> >   forward.
> >
> >   This document introduces the ability to send request parameters in a
> >   JSON Web Token (JWT) instead, which allows the request to be signed
> >   with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
> >   (JWE) so that the integrity, source authentication and
> >   confidentiality property of the Authorization Request is attained.
> >   The request can be sent by value or by reference.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-22
> > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-22
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-22
> >
> >
> > Please note that it may take a couple of minutes from the time of
> submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en