A new Request for Comments is now available in online RFC libraries.
RFC 9101
Title: The OAuth 2.0 Authorization Framework:
JWT-Secured Authorization Request (JAR)
Author: N. Sakimura,
J. Bradley,
M. Jones
Status: Standards Track
Stream: IETF
Date: August 2021
Mailbox: nat@nat.consulting,
rfc9...@ve7jtb.com,
m...@microsoft.com
Pages: 25
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-jwsreq-34.txt
URL: https://www.rfc-editor.org/info/rfc9101
DOI: 10.17487/RFC9101
The authorization request in OAuth 2.0 described in RFC 6749 utilizes
query parameter serialization, which means that authorization request
parameters are encoded in the URI of the request and sent through
user agents such as web browsers. While it is easy to implement, it
means that a) the communication through the user agents is not
integrity protected and thus, the parameters can be tainted, b) the
source of the communication is not authenticated, and c) the
communication through the user agents can be monitored. Because of
these weaknesses, several attacks to the protocol have now been put
forward.
This document introduces the ability to send request parameters in a
JSON Web Token (JWT) instead, which allows the request to be signed
with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
(JWE) so that the integrity, source authentication, and
confidentiality properties of the authorization request are attained.
The request can be sent by value or by reference.
This document is a product of the Web Authorization Protocol Working Group of
the IETF.
This is now a Proposed Standard.
STANDARDS TRACK: This document specifies an Internet Standards Track
protocol for the Internet community, and requests discussion and suggestions
for improvements. Please refer to the current edition of the Official
Internet Protocol Standards (https://www.rfc-editor.org/standards) for the
standardization state and status of this protocol. Distribution of this
memo is unlimited.
This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
https://www.ietf.org/mailman/listinfo/ietf-announce
https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk
Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-edi...@rfc-editor.org. Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.
The RFC Editor Team
Association Management Solutions, LLC
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
