[rfc-dist] RFC 9101 on The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
rfc-editor@rfc-editor.org Sat, 21 August 2021 07:29 UTC
Return-Path: <rfc-dist-bounces@rfc-editor.org>
X-Original-To: ietfarch-rfc-dist-archive@ietfa.amsl.com
Delivered-To: ietfarch-rfc-dist-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 293C43A07DE for <ietfarch-rfc-dist-archive@ietfa.amsl.com>; Sat, 21 Aug 2021 00:29:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.901
X-Spam-Level:
X-Spam-Status: No, score=-2.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SrAq0ZyPl4qU for <ietfarch-rfc-dist-archive@ietfa.amsl.com>; Sat, 21 Aug 2021 00:29:34 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 325803A07E0 for <rfc-dist-archive-yuw6Xa6hiena@ietf.org>; Sat, 21 Aug 2021 00:29:34 -0700 (PDT)
Received: from rfcpa.amsl.com (localhost [IPv6:::1]) by rfc-editor.org (Postfix) with ESMTP id D57A3F40791; Sat, 21 Aug 2021 00:29:25 -0700 (PDT)
X-Original-To: rfc-dist@rfc-editor.org
Delivered-To: rfc-dist@rfc-editor.org
Received: by rfc-editor.org (Postfix, from userid 30) id 6A06DF40790; Sat, 21 Aug 2021 00:29:24 -0700 (PDT)
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
X-PHP-Originating-Script: 1005:ams_util_lib.php
From: rfc-editor@rfc-editor.org
Message-Id: <20210821072924.6A06DF40790@rfc-editor.org>
Date: Sat, 21 Aug 2021 00:29:24 -0700
Subject: [rfc-dist] RFC 9101 on The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
X-BeenThere: rfc-dist@rfc-editor.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: RFC Announcements <rfc-dist.rfc-editor.org>
List-Unsubscribe: <https://www.rfc-editor.org/mailman/options/rfc-dist>, <mailto:rfc-dist-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <http://www.rfc-editor.org/pipermail/rfc-dist/>
List-Post: <mailto:rfc-dist@rfc-editor.org>
List-Help: <mailto:rfc-dist-request@rfc-editor.org?subject=help>
List-Subscribe: <https://www.rfc-editor.org/mailman/listinfo/rfc-dist>, <mailto:rfc-dist-request@rfc-editor.org?subject=subscribe>
Cc: drafts-update-ref@iana.org, oauth@ietf.org, rfc-editor@rfc-editor.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: rfc-dist-bounces@rfc-editor.org
Sender: rfc-dist <rfc-dist-bounces@rfc-editor.org>
A new Request for Comments is now available in online RFC libraries. RFC 9101 Title: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) Author: N. Sakimura, J. Bradley, M. Jones Status: Standards Track Stream: IETF Date: August 2021 Mailbox: nat@nat.consulting, rfc9101@ve7jtb.com, mbj@microsoft.com Pages: 25 Updates/Obsoletes/SeeAlso: None I-D Tag: draft-ietf-oauth-jwsreq-34.txt URL: https://www.rfc-editor.org/info/rfc9101 DOI: 10.17487/RFC9101 The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that authorization request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that a) the communication through the user agents is not integrity protected and thus, the parameters can be tainted, b) the source of the communication is not authenticated, and c) the communication through the user agents can be monitored. Because of these weaknesses, several attacks to the protocol have now been put forward. This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained. The request can be sent by value or by reference. This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard. STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited. This announcement is sent to the IETF-Announce and rfc-dist lists. To subscribe or unsubscribe, see https://www.ietf.org/mailman/listinfo/ietf-announce https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist For searching the RFC series, see https://www.rfc-editor.org/search For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk Requests for special distribution should be addressed to either the author of the RFC in question, or to rfc-editor@rfc-editor.org. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution. The RFC Editor Team Association Management Solutions, LLC _______________________________________________ rfc-dist mailing list rfc-dist@rfc-editor.org https://www.rfc-editor.org/mailman/listinfo/rfc-dist http://www.rfc-editor.org