Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object

Joseph Heenan <> Fri, 17 January 2020 00:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BF1211200C7 for <>; Thu, 16 Jan 2020 16:38:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BeYTnYAW-DRp for <>; Thu, 16 Jan 2020 16:38:09 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B2DC3120059 for <>; Thu, 16 Jan 2020 16:38:09 -0800 (PST)
Received: by with SMTP id b22so9084147pls.12 for <>; Thu, 16 Jan 2020 16:38:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=HwfmOsoazhSxXl2uRKkTw2hQsvPP14ciWgH7ujJqrk4=; b=vQtGDo/kkO/LRHjlwfb9r6GbaZL1My0w9pRyNJPwnh2XeAcQYHh/3X4tEL34daidR3 teyqCGBktd31QQL3tUoZXnVEaSUuh8sdk0eR13ayw43CcwRGw+6GqAi65Q85pfn65bZi f2VxN8Z8f2ZdM1EulM0yufp8/4GcmgmGdOQ31UNmcXnqYLiWcugd1aiaKukNWsWYsIcH 4ay7WKre/zTnCskRpECgEfL/BwCaTg1IEJBN0RUcr68T3AW3brcccsRa67VYHJxhSaXY /qfPSpjOrmkSDOIRaMM1OQFLqQ/upOoQ9oHUXxyMSIE7g3DMQv7HQnm3MrcYsqXaSKi6 Q5/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=HwfmOsoazhSxXl2uRKkTw2hQsvPP14ciWgH7ujJqrk4=; b=YitS067ohx7Tl6W5GJl/ER8PJUB9jy+pRr88uYiSlRHOxG7El2OoDsisCZ9DA7LBKV RpLmnpZTaTHyimfJX+K92JaGTJwg/TywZSPdIagMBB4UUCzi+Uf5slb/ZY41LeLMKqCA zPzYNESTKJfxKCLlfILOSJQxrOA4ySsXiF84+xO4vkiIzaUhzJVB94hztIDgGFIL0ddF 6wx6YrWT+4Uprip4z4T49Z7SSBaI1EdDgudrRadKN7ivalkl1c/IdaaqkoOg45tjAj9J M30oJYULoxAAKg/RH5AXA6EkJfTNRXzpXLEgo9ho12Jt27jrhDVug7DaBJf2s5vOz/lw apbw==
X-Gm-Message-State: APjAAAXFPa9u+cxs3h7cBnWGhsDtoxX7gudnmwlsKzLTc1La5hLHzhgI VP4YqwPrJcOo1X6txFtBOb9CjcSmmVo=
X-Google-Smtp-Source: APXvYqzwrZ9wq+PW0OqAvLqVCCcpUn6whhHV/EUo9eHoxm762C5fYmjrzZouL8is3LDHHK3KxKa4Ng==
X-Received: by 2002:a17:902:c693:: with SMTP id r19mr37067017plx.25.1579221488695; Thu, 16 Jan 2020 16:38:08 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id g11sm25850704pgd.26.2020. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 16 Jan 2020 16:38:07 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Joseph Heenan <>
In-Reply-To: <>
Date: Fri, 17 Jan 2020 09:38:01 +0900
Cc: oauth <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <> <>
To: John Bradley <>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 17 Jan 2020 00:38:13 -0000

I agree with this, particularly the security concerns of merging. If we merge, we can much guarantee there will eventually be a security issue where an attacker is able to gain an advantage by adding a parameter to the url query (which the server would then happily process if that parameter isn’t found inside the request object). Ruling out that case makes security analysis (particularly when creating new OAuth2 parameters) significantly simpler.

Putting the iss in the JWE header and having the client_id duplicated outside the request object seem to address all the concerns I’ve seen raised.

(It seems like it may be unnecessary to have the client_id duplicated outside if the request_uri is a PAR one though.)


> On 16 Jan 2020, at 22:40, John Bradley <> wrote:
> I agree with the IESG reasoning that merging is problimatic.  Once we
> allow that given a unknown list of possible paramaters with diffrent
> security properties it would be quite difficult to specify safely.
> Query paramaters can still be sent outside the JAR, but if they are in
> the OAuth registry the AS MUST ignore them.
> Puting the iss in the JWE headder addresses the encryption issue without
> merging.
> I understand that some existing servers have dependencys on getting the
> clientID as a query paramater.
> Is that the only paramater that people have a issue with as oposed to a
> nice to have?
> Would allowing the AS to not ignore the clientID as a query paramater as
> long as it matches the one inside the JAR, basicly the same as Connect
> request object but for just the one paramater make life easier for the
> servers?
> I am not promising a change but gathering info before proposing something.
> John B.
> On 1/16/2020 1:53 AM, Benjamin Kaduk wrote:
>> On Wed, Jan 15, 2020 at 11:02:33PM +0200, Vladimir Dzhuvinov wrote:
>>> On 14/01/2020 19:20, Takahiko Kawasaki wrote:
>>>> Well, embedding a client_id claim in the JWE header in order to
>>>> achieve "request parameters outside the request object should not be
>>>> referred to" is like "putting the cart before the horse". Why do we
>>>> have to avoid using the traditional client_id request parameter so
>>>> stubbornly?
>>>> The last paragraph of Section 3.2.1
>>>> <> of RFC 6749 says
>>>> as follows.
>>>>    /A client MAY use the "client_id" request parameter to identify
>>>>    itself when sending requests to the token endpoint.  In the
>>>>    "authorization_code" "grant_type" request to the token endpoint,
>>>>    *an unauthenticated client MUST send its "client_id" to prevent
>>>>    itself from inadvertently accepting a code intended for a client
>>>>    with a different "client_id".*  This protects the client from
>>>>    substitution of the authentication code.  (It provides no
>>>>    additional security for the protected resource.)/
>>>> If the same reasoning applies, a client_id must always be sent with
>>>> request / request_uri because client authentication is not performed
>>>> at the authorization endpoint. In other words, */an unauthenticated
>>>> client (every client is unauthenticated at the authorization endpoint)
>>>> MUST send its "client_id" to prevent itself from inadvertently
>>>> accepting a request object for a client with a different "client_id"./*
>>> Identifying the client in JAR request_uri requests can be really useful
>>> so that an AS which requires request_uri registration to prevent DDoS
>>> attacks and other checks can do those without having to index all
>>> request_uris individually. I mentioned this before.
>>> I really wonder what the reasoning of the IESG reviewers was to insist
>>> on no params outside the JAR JWT / request_uri.
>>> I'm beginning to realise this step of the review process isn't
>>> particularly transparent to WG members.
>> Could you expand on that a bit more?  My understanding is that the IESG
>> ballot mail gets copied to the WG precisely so that there is transparency,
>> e.g., the thread starting at
>> Which admittely is from almost three years ago, but that's the earliest
>> that I found that could be seen as the source of this behavior.
>> -Ben
>> P.S. some other discussion at
>> and
>> and
>> so on.
>> _______________________________________________
>> OAuth mailing list
> _______________________________________________
> OAuth mailing list