draft-ietf-oauth-jwsreq-20.txt   draft-ietf-oauth-jwsreq-21.txt 
OAuth Working Group N. Sakimura OAuth Working Group N. Sakimura
Internet-Draft Nomura Research Institute Internet-Draft Nomura Research Institute
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: April 22, 2020 Yubico Expires: October 20, 2020 Yubico
October 20, 2019 April 18, 2020
The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request
(JAR) (JAR)
draft-ietf-oauth-jwsreq-20 draft-ietf-oauth-jwsreq-21
Abstract Abstract
The authorization request in OAuth 2.0 described in RFC 6749 utilizes The authorization request in OAuth 2.0 described in RFC 6749 utilizes
query parameter serialization, which means that Authorization Request query parameter serialization, which means that Authorization Request
parameters are encoded in the URI of the request and sent through parameters are encoded in the URI of the request and sent through
user agents such as web browsers. While it is easy to implement, it user agents such as web browsers. While it is easy to implement, it
means that (a) the communication through the user agents are not means that (a) the communication through the user agents are not
integrity protected and thus the parameters can be tainted, and (b) integrity protected and thus the parameters can be tainted, and (b)
the source of the communication is not authenticated. Because of the source of the communication is not authenticated. Because of
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 22, 2020. This Internet-Draft will expire on October 20, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 8, line 24 skipping to change at page 8, line 24
pJNZubINPpmgHh3J1aD9WRwS05ucmFq3CfFsluLt13_7oX5yDRSKX7poXmT_5 pJNZubINPpmgHh3J1aD9WRwS05ucmFq3CfFsluLt13_7oX5yDRSKX7poXmT_5
ko8k4NJZPMAO8fPToDTH7kHYbONSE2FYa5GZ60CUsFhSonI-dcMDJ0Ary9lxI ko8k4NJZPMAO8fPToDTH7kHYbONSE2FYa5GZ60CUsFhSonI-dcMDJ0Ary9lxI
w5k2z4TAdARVWcS7sD07VhlMMshrwsPHBQgTatlkxyIHXbYdtak8fqvNAwr7O w5k2z4TAdARVWcS7sD07VhlMMshrwsPHBQgTatlkxyIHXbYdtak8fqvNAwr7O
lVEvM_Ipf5OfmdB8Sd-wjzaBsyP4VhJKoi_qdgSzpC694XZeYPq45Sw-q51iF lVEvM_Ipf5OfmdB8Sd-wjzaBsyP4VhJKoi_qdgSzpC694XZeYPq45Sw-q51iF
UlcOlTCI7z6jltUtnR6ySn6XDGFnzH5Fe5ypw", UlcOlTCI7z6jltUtnR6ySn6XDGFnzH5Fe5ypw",
"e":"AQAB" "e":"AQAB"
} }
5. Authorization Request 5. Authorization Request
The client constructs the authorization request URI by adding one of The client constructs the authorization request URI by adding the
the following parameters but not both to the query component of the following parameters to the query component of the authorization
authorization endpoint URI using the "application/x-www-form- endpoint URI using the "application/x-www-form-urlencoded" format:
urlencoded" format:
request The Request Object (Section 2.1) that holds authorization request REQUIRED unless "request_uri" is specified. The Request
request parameters stated in section 4 of OAuth 2.0 [RFC6749]. Object (Section 2.1) that holds authorization request parameters
stated in section 4 of OAuth 2.0 [RFC6749].
request_uri The absolute URI as defined by RFC3986 [RFC3986] that request_uri REQUIRED unless "request" is specified. The absolute
points to the Request Object (Section 2.1) that holds URI as defined by RFC3986 [RFC3986] that points to the Request
authorization request parameters stated in section 4 of OAuth 2.0 Object (Section 2.1) that holds authorization request parameters
[RFC6749]. stated in section 4 of OAuth 2.0 [RFC6749].
client_id REQUIRED. OAuth 2.0 [RFC6749] "client_id". The value
MUST match the "request" or "request_uri" Request Object's
(Section 2.1) "client_id".
The client directs the resource owner to the constructed URI using an The client directs the resource owner to the constructed URI using an
HTTP redirection response, or by other means available to it via the HTTP redirection response, or by other means available to it via the
user-agent. user-agent.
For example, the client directs the end user's user-agent to make the For example, the client directs the end user's user-agent to make the
following HTTPS request: following HTTPS request:
GET /authz?request=eyJhbG..AlMGzw HTTP/1.1 GET /authz?client_id=s6BhdRkqt3&request=eyJhbG..AlMGzw HTTP/1.1
Host: server.example.com Host: server.example.com
The value for the request parameter is abbreviated for brevity. The value for the request parameter is abbreviated for brevity.
The authorization request object MUST be one of the following: The authorization request object MUST be one of the following:
(a) JWS signed (a) JWS signed
(b) JWS signed and JWE encrypted (b) JWS signed and JWE encrypted
The client MAY send the parameters included in the request object The client MAY send the parameters included in the request object
duplicated in the query parameters as well for the backward duplicated in the query parameters as well for the backward
compatibility etc. However, the authorization server supporting this compatibility etc. However, the authorization server supporting this
specification MUST only use the parameters included in the request specification MUST only use the parameters included in the request
object. object.
5.1. Passing a Request Object by Value 5.1. Passing a Request Object by Value
skipping to change at page 9, line 21 skipping to change at page 9, line 26
5.1. Passing a Request Object by Value 5.1. Passing a Request Object by Value
The Client sends the Authorization Request as a Request Object to the The Client sends the Authorization Request as a Request Object to the
Authorization Endpoint as the "request" parameter value. Authorization Endpoint as the "request" parameter value.
The following is an example of an Authorization Request using the The following is an example of an Authorization Request using the
"request" parameter (with line wraps within values for display "request" parameter (with line wraps within values for display
purposes only): purposes only):
https://server.example.com/authorize? https://server.example.com/authorize?client_id=s6BhdRkqt3&
request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ewogICAgImlzcyI6 request=eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyYmRjIn0.ewogICAgImlzcyI6
ICJzNkJoZFJrcXQzIiwKICAgICJhdWQiOiAiaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBs ICJzNkJoZFJrcXQzIiwKICAgICJhdWQiOiAiaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBs
ZS5jb20iLAogICAgInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsCiAg ZS5jb20iLAogICAgInJlc3BvbnNlX3R5cGUiOiAiY29kZSBpZF90b2tlbiIsCiAg
ICAiY2xpZW50X2lkIjogInM2QmhkUmtxdDMiLAogICAgInJlZGlyZWN0X3VyaSI6 ICAiY2xpZW50X2lkIjogInM2QmhkUmtxdDMiLAogICAgInJlZGlyZWN0X3VyaSI6
ICJodHRwczovL2NsaWVudC5leGFtcGxlLm9yZy9jYiIsCiAgICAic2NvcGUiOiAi ICJodHRwczovL2NsaWVudC5leGFtcGxlLm9yZy9jYiIsCiAgICAic2NvcGUiOiAi
b3BlbmlkIiwKICAgICJzdGF0ZSI6ICJhZjBpZmpzbGRraiIsCiAgICAibm9uY2Ui b3BlbmlkIiwKICAgICJzdGF0ZSI6ICJhZjBpZmpzbGRraiIsCiAgICAibm9uY2Ui
OiAibi0wUzZfV3pBMk1qIiwKICAgICJtYXhfYWdlIjogODY0MDAKfQ.Nsxa_18VU OiAibi0wUzZfV3pBMk1qIiwKICAgICJtYXhfYWdlIjogODY0MDAKfQ.Nsxa_18VU
ElVaPjqW_ToI1yrEJ67BgKb5xsuZRVqzGkfKrOIX7BCx0biSxYGmjK9KJPctH1OC ElVaPjqW_ToI1yrEJ67BgKb5xsuZRVqzGkfKrOIX7BCx0biSxYGmjK9KJPctH1OC
0iQJwXu5YVY-vnW0_PLJb1C2HG-ztVzcnKZC2gE4i0vgQcpkUOCpW3SEYXnyWnKz 0iQJwXu5YVY-vnW0_PLJb1C2HG-ztVzcnKZC2gE4i0vgQcpkUOCpW3SEYXnyWnKz
uKzqSb1wAZALo5f89B_p6QA6j6JwBSRvdVsDPdulW8lKxGTbH82czCaQ50rLAg3E uKzqSb1wAZALo5f89B_p6QA6j6JwBSRvdVsDPdulW8lKxGTbH82czCaQ50rLAg3E
skipping to change at page 31, line 9 skipping to change at page 31, line 9
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, Considerations for Internet Protocols", RFC 6973,
DOI 10.17487/RFC6973, July 2013, DOI 10.17487/RFC6973, July 2013,
<https://www.rfc-editor.org/info/rfc6973>. <https://www.rfc-editor.org/info/rfc6973>.
Authors' Addresses Authors' Addresses
Nat Sakimura Nat Sakimura
Nomura Research Institute Nomura Research Institute
Otemachi Financial City Grand Cube, 1-9-2 Otemachi 2-22-17 Naka
Chiyoda-ku, Tokyo 100-0004 Kunitachi, Tokyo 186-0004
Japan Japan
Phone: +81-3-5533-2111 Phone: +81-42-580-7401
Email: n-sakimura@nri.co.jp Email: nat@nat.consulting
URI: http://nat.sakimura.org/ URI: http://nat.sakimura.org/
John Bradley John Bradley
Yubico Yubico
Casilla 177, Sucursal Talagante Casilla 177, Sucursal Talagante
Talagante, RM Talagante, RM
Chile Chile
Phone: +1.202.630.5272 Phone: +1.202.630.5272
Email: ve7jtb@ve7jtb.com Email: ve7jtb@ve7jtb.com
 End of changes. 12 change blocks. 
21 lines changed or deleted 26 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/