Technical Summary
The authorization request in OAuth 2.0 described in RFC 6749 utilizes
query parameter serialization, which means that Authorization Request
parameters are encoded in the URI of the request and sent through
user agents such as web browsers. While it is easy to implement, it
means that (a) the communication through the user agents is not
integrity protected and thus the parameters can be tainted, and (b)
the source of the communication is not authenticated. Because of
these weaknesses, several attacks to the protocol have now been put
forward.
This document introduces the ability to send request parameters in a
JSON Web Token (JWT) instead, which allows the request to be signed
with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
(JWE) so that the integrity, source authentication and
confidentiality property of the Authorization Request is attained.
The request can be sent by value or by reference.
Working Group Summary
The document changes the encoding of the parameters in the
authorization request to a JSON-based encoding.
After the second IESG review, the WG removed the faceted media type
registration.
This document has history of multiple IESG reviews:
2021-04 => returned for third IESG telechat (AD#3)
2020-09 => returned to WG
2020-09 => procedural issues raised on the requested IANA actions
2020-08 => returned for second IESG telechat (AD#3); enough positions to pass; in RFCeditor queue
[responsible AD changes to AD#3]
[note: mistakes in state changes between approved/IESG review made in datatracker]
[responsible AD change to AD#2]
2017-07 => First telechat review (AD#1)
Document Quality
The request object and the request uri is an optional feature in
the OpenID Connect Core specification and two working groups
in the OpenID Foundation (namely the Modrna WG and the FAPI WG)
are considering using this extension.
The following implementations are available.
As part of the OpenID Foundation certification program the following
implementations of OpenID Connect Core indicate support for this
functionality:
* CZ.NIC mojeID,
* Thierry Habart's SimpleIdentitySever v.2.0.0,
* Roland Hedberg's pyoidc 0.7.7,
* Peercraft ApS's Peercarft,
* MIT's MITREidConnect,
* Gluue Server 2.3,
* Filip Skokan's node-oidc pre supports.
Authlete (https://www.authlete.com/), a commerical, closed source
server implementation, has also implemented this specification and
is offering it.
There is an open source implementation from NRI in PHP and Scala.
NRI's Open Source PHP: https://bitbucket.org/PEOFIAMP/phpoidc
IdentityServer implements JAR: https://github.com/IdentityServer
Personnel
Hannes Tschofenig is the document shepherd
Roman Danyliw is the responsible area director