Diff of draft-ietf-oauth-jwsreq-22.txt (old) against draft-ietf-oauth-jwsreq-23.txt (new).
Lines identical in both drafts are shown once; lines that differ are marked -22 / -23.
OAuth Working Group                                          N. Sakimura
Internet-Draft                                            NAT.Consulting
Intended status: Standards Track                              J. Bradley
-22: Expires: November 8, 2020                                    Yubico
-23: Expires: November 13, 2020                                   Yubico
-22:                                                        May 07, 2020
-23:                                                        May 12, 2020

   The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request
                                   (JAR)
         -22: draft-ietf-oauth-jwsreq-22 / -23: draft-ietf-oauth-jwsreq-23
Abstract

   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
   query parameter serialization, which means that Authorization Request
   parameters are encoded in the URI of the request and sent through
   user agents such as web browsers.  While it is easy to implement, it
   means that (a) the communication through the user agents is not
   integrity protected and thus the parameters can be tainted, and (b)
   the source of the communication is not authenticated.  Because of
   [unchanged text omitted; the diff resumes at page 1, line 47]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   -22: This Internet-Draft will expire on November 8, 2020.
   -23: This Internet-Draft will expire on November 13, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [unchanged text omitted; the diff resumes at page 12, line 10]
5.2.2.  Request using the "request_uri" Request Parameter

   The Client sends the Authorization Request to the Authorization
   Endpoint.

   The following is an example of an Authorization Request using the
   "request_uri" parameter (with line wraps within values for display
   purposes only):

   -22 (old):

     https://server.example.com/authorize?
       response_type=code%20id_token
       &client_id=s6BhdRkqt3
       &request_uri=https%3A%2F%2Ftfp.example.org%2Frequest.jwt
       %2FGkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM

   -23 (new; "response_type" is no longer sent in the query, since the
   Authorization Request parameters are recovered from the referenced
   Request Object, see 5.2.3):

     https://server.example.com/authorize?
       client_id=s6BhdRkqt3
       &request_uri=https%3A%2F%2Ftfp.example.org%2Frequest.jwt
       %2FGkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM
5.2.3.  Authorization Server Fetches Request Object

   Upon receipt of the Request, the Authorization Server MUST send an
   HTTP "GET" request to the "request_uri" to retrieve the referenced
   Request Object, unless it is stored in a way so that it can retrieve
   it through another mechanism securely, and parse it to recreate the
   Authorization Request parameters.
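The Authorization Server side of 5.2.3 as an added Python example (not code from the draft or from any implementation): it takes the -23 request above, reads "request_uri" from the query, retrieves the Request Object (an in-memory map stands in for the HTTP GET), checks its JWS MAC and rebuilds the Authorization Request parameters, so "response_type" is recovered from the Request Object even though the query no longer carries it. The HS256 shared secret, the Request Object claims, the store and the client_id consistency check are assumptions made for the example.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlsplit

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_request_object(claims, key):
    # Constructed Request Object: compact JWS with an HS256 MAC (shared-key assumption).
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def fetch_request_object(request_uri, store):
    # Stand-in for the HTTP GET of 5.2.3: an in-memory map replaces the hosted resource.
    if request_uri not in store:
        raise ValueError("Request Object not retrievable: " + request_uri)
    return store[request_uri]

def verify_and_decode(jws, key):
    header_b64, payload_b64, sig_b64 = jws.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg in Request Object header")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("Request Object signature check failed")
    return json.loads(b64url_decode(payload_b64))

def recreate_authorization_request(url, store, key):
    # 5.2.3: take request_uri from the query, retrieve and verify the Request
    # Object, and rebuild the Authorization Request parameters from its claims.
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    claims = verify_and_decode(fetch_request_object(query["request_uri"], store), key)
    # Assumption (not stated in this excerpt): query client_id must match the Request Object.
    if claims.get("client_id") != query.get("client_id"):
        raise ValueError("client_id in query does not match Request Object")
    return claims

# Constructed sample data: shared secret, the request_uri from the -23 example, and a
# Request Object carrying the parameters that the query itself no longer lists.
KEY = b"constructed-shared-secret"
REQUEST_URI = "https://tfp.example.org/request.jwt/GkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM"
STORE = {REQUEST_URI: make_request_object(
    {"iss": "s6BhdRkqt3", "aud": "https://server.example.com", "client_id": "s6BhdRkqt3",
     "response_type": "code id_token", "redirect_uri": "https://client.example.org/cb",
     "scope": "openid"}, KEY)}
AUTHZ_REQUEST = ("https://server.example.com/authorize?client_id=s6BhdRkqt3"
                 "&request_uri=https%3A%2F%2Ftfp.example.org%2Frequest.jwt"
                 "%2FGkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM")
```

A wrong key, a tampered Request Object or a query whose client_id disagrees with the Request Object all fail before any parameter is reconstructed.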
End of changes.  4 change blocks.  6 lines changed or deleted, 5 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/