The IESG has approved the following document:
- 'OAuth 2.0 Authorization Server Issuer Identification'
  (draft-ietf-oauth-iss-auth-resp-04.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/

Technical Summary

This document specifies a new parameter, iss, that is used to explicitly include the issuer identifier of the authorization server in the authorization response of an OAuth authorization flow. The iss parameter serves as an effective countermeasure to "mix-up attacks".

Working Group Summary

This work is useful to address a specific attack when an OAuth client interacts with multiple authorization servers. It hardens prior OAuth work.

Document Quality

A number of people reviewed the document over several rounds of review and provided feedback during meetings and on the mailing list, with no blocking comments.

Implementations:
Duende Software: https://duendesoftware.com/products/identityserver
Authlete: https://www.authlete.com/developers/relnotes/2.2.2/#oauth-2-0-authorization-server-issuer-identifier-in-authorization-response
Authress: https://authress.io/

Personnel

The document shepherd is Rifaat Shekh-Yusef.
The responsible Area Director is Roman Danyliw.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
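The Technical Summary above states what the iss parameter is for but not what a client actually does with it. The following Python sketch, written for this page and not taken from the draft or from any of the listed implementations, shows the client side of the countermeasure: a client that talks to several authorization servers remembers, per state value, which server it sent the user to, and on the redirect back compares the iss parameter against that remembered issuer with a plain string comparison, rejecting the response on mismatch. It also rejects a response that lacks iss when the server's metadata advertises support through the field authorization_response_iss_parameter_supported (that metadata field is defined in the specification; it is not mentioned on this page). The issuer names, endpoints, redirect URI and client id are constructed for the example.

```python
"""Client-side validation of the iss authorization-response parameter.

Constructed example: issuer identifiers, endpoints, redirect URI and client id
below are invented for illustration.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class MixUpError(Exception):
    """Raised when an authorization response cannot be bound to the expected issuer."""


class OAuthClient:
    def __init__(self, servers, client_id, redirect_uri):
        # servers: issuer identifier -> server metadata. The metadata key
        # authorization_response_iss_parameter_supported is the one the
        # specification defines for advertising iss support.
        self.servers = servers
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # state -> issuer the request was sent to. This session-side binding is
        # what the returned iss value is checked against.
        self.pending = {}

    def build_authorization_request(self, issuer):
        """Return (authorization URL, state) for a request to the given issuer."""
        meta = self.servers[issuer]
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        query = urlencode({"response_type": "code", "client_id": self.client_id,
                           "redirect_uri": self.redirect_uri, "state": state})
        return f"{meta['authorization_endpoint']}?{query}", state

    def handle_authorization_response(self, redirect_url):
        """Validate the redirect back to the client; raise MixUpError on failure."""
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        state = params.get("state")
        if state is None or state not in self.pending:
            raise MixUpError("response carries no known state")
        expected_issuer = self.pending.pop(state)  # state values are single-use
        meta = self.servers[expected_issuer]
        iss = params.get("iss")
        if iss is None:
            # A server that advertises iss support must always send it,
            # so silence is treated as a failure rather than a legacy response.
            if meta.get("authorization_response_iss_parameter_supported", False):
                raise MixUpError("server advertises iss support but response lacks it")
        elif iss != expected_issuer:  # simple string comparison, no normalisation
            raise MixUpError(f"iss {iss!r} does not match expected {expected_issuer!r}")
        # Error responses carry iss as well, so they pass through the same check.
        return {"issuer": expected_issuer, "code": params.get("code"),
                "error": params.get("error")}


def make_demo_client():
    """Client registered at two constructed authorization servers."""
    servers = {
        "https://honest.example": {
            "authorization_endpoint": "https://honest.example/authorize",
            "authorization_response_iss_parameter_supported": True},
        "https://other.example": {
            "authorization_endpoint": "https://other.example/authorize",
            "authorization_response_iss_parameter_supported": True},
    }
    return OAuthClient(servers, "demo-client", "https://client.example/cb")


def run_demo():
    """Outcome of three constructed responses: honest, mixed-up, and missing iss."""
    client = make_demo_client()
    outcomes = {}

    # 1. Request sent to honest.example, response comes back from honest.example.
    _, state = client.build_authorization_request("https://honest.example")
    url = client.redirect_uri + "?" + urlencode(
        {"code": "c1", "state": state, "iss": "https://honest.example"})
    outcomes["honest"] = client.handle_authorization_response(url)["issuer"]

    # 2. Mix-up: the request went to other.example, but the code arrives from
    #    honest.example. Without iss the client could not tell these apart.
    _, state = client.build_authorization_request("https://other.example")
    url = client.redirect_uri + "?" + urlencode(
        {"code": "c2", "state": state, "iss": "https://honest.example"})
    try:
        client.handle_authorization_response(url)
        outcomes["mixup"] = "accepted"
    except MixUpError:
        outcomes["mixup"] = "rejected"

    # 3. Response with no iss from a server that advertises iss support.
    _, state = client.build_authorization_request("https://honest.example")
    url = client.redirect_uri + "?" + urlencode({"code": "c3", "state": state})
    try:
        client.handle_authorization_response(url)
        outcomes["missing_iss"] = "accepted"
    except MixUpError:
        outcomes["missing_iss"] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The essential design point is that the expected issuer comes from the client's own record of where it sent the request, never from anything in the response; the iss parameter is only ever compared against that record. Validating before the code is exchanged is what prevents the client from presenting a code to the wrong token endpoint.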