[OAUTH-WG] PAR: pushed requests must become JWTs

"Richard Backman, Annabelle" <richanna@amazon.com> Wed, 08 January 2020 22:42 UTC

Return-Path: <prvs=269947d74=richanna@amazon.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 24DA712010C for <oauth@ietfa.amsl.com>; Wed, 8 Jan 2020 14:42:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.799
X-Spam-Status: No, score=-11.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id omnoIvD4t9rh for <oauth@ietfa.amsl.com>; Wed, 8 Jan 2020 14:42:09 -0800 (PST)
Received: from smtp-fw-6002.amazon.com (smtp-fw-6002.amazon.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D28081200C7 for <oauth@ietf.org>; Wed, 8 Jan 2020 14:42:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1578523329; x=1610059329; h=from:to:subject:date:message-id:mime-version; bh=bWCDw4S2CxJtRHwWnFuTpAQNWtLdv/3bhc5r9LCXjjk=; b=aAJuxc8D360sVPZu1iscG22vzLErmOfUHadn6dUmAas3iaOH+GLkvWFL KnS+YW78dulIqe7l2wLKYk7BFs1u6IBoSr2oOVZ8f+eQs1GS/ntc9Ty52 Eq94FhWVN+wVnkxFXhIgk3zIvHpG/a+uX3+eLVTUO7lh47xC1oZDVdLW7 Y=;
IronPort-SDR: BDBqJ2nDr36plgMe/ILs0NeEzuYZzxVnTPZWBo2LNAqXfBX83Kc6s4JfOZmORIRgbpTSV0CPgq +BFYY7NkKNWw==
X-IronPort-AV: E=Sophos; i="5.69,411,1571702400"; d="scan'208,217"; a="10676100"
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-2c-2225282c.us-west-2.amazon.com) ([]) by smtp-border-fw-out-6002.iad6.amazon.com with ESMTP; 08 Jan 2020 22:42:07 +0000
Received: from EX13MTAUWC001.ant.amazon.com (pdx4-ws-svc-p6-lb7-vlan3.pdx.amazon.com []) by email-inbound-relay-2c-2225282c.us-west-2.amazon.com (Postfix) with ESMTPS id C2388A2592 for <oauth@ietf.org>; Wed, 8 Jan 2020 22:42:06 +0000 (UTC)
Received: from EX13D11UWC002.ant.amazon.com ( by EX13MTAUWC001.ant.amazon.com ( with Microsoft SMTP Server (TLS) id 15.0.1367.3; Wed, 8 Jan 2020 22:42:06 +0000
Received: from EX13D11UWC004.ant.amazon.com ( by EX13D11UWC002.ant.amazon.com ( with Microsoft SMTP Server (TLS) id 15.0.1367.3; Wed, 8 Jan 2020 22:42:06 +0000
Received: from EX13D11UWC004.ant.amazon.com ([]) by EX13D11UWC004.ant.amazon.com ([]) with mapi id 15.00.1367.000; Wed, 8 Jan 2020 22:42:06 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: oauth <oauth@ietf.org>
Thread-Topic: pushed requests must become JWTs
Thread-Index: AQHVxnTaORGbHwf5mEa8/ZfGf3dw2Q==
Date: Wed, 08 Jan 2020 22:42:06 +0000
Message-ID: <5F125471-39B2-4CF9-B5C0-353E83BC8702@amazon.com>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/10.1d.0.190908
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_5F12547139B24CF9B5C0353E83BC8702amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yMIwXcimzZ3FVRSJYRoF5Vczdng>
Subject: [OAUTH-WG] PAR: pushed requests must become JWTs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 22:42:11 -0000

Hi all,

The current drafts of PAR (-00) and JAR (-20) require that the AS transform all pushed requests into JWTs. This requirement arises from the following:

  1.  PAR uses the request_uri parameter defined in JAR to communicate the pushed request to the authorization endpoint.
  2.  According to JAR, the resource referenced by request_uri MUST be a Request Object. (Section 5.2<https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20#section-5.2>)
  3.  Request Object is defined to be a JWT containing all the authorization request parameters. (Section 2.1<https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20#section-2.1>)

There is no need for this requirement to support interoperability, as this is internal to the AS. It is also inconsistent with the rest of JAR, which avoids attempting to define the internal communications between the two AS endpoints. Worse, this restriction makes it harder for the authorization endpoint to leverage validation and other work performed at the PAR endpoint, as the state or outcome of that work must be forced into the JWT format (or retrieved via a subsequent service call or database lookup).

Annabelle Richard Backman
AWS Identity