OAuth 2.0 Authorization Server Issuer Identification
draft-ietf-oauth-iss-auth-resp-05

Document history

Date Rev. By Action
2024-01-26
05 Gunter Van de Velde Request closed, assignment withdrawn: Joel Jaeggli Last Call OPSDIR review
2024-01-26
05 Gunter Van de Velde Closed request for Last Call review by OPSDIR with state 'Overtaken by Events': Cleaning up stale OPSDIR queue
2022-03-18
05 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2022-02-24
05 (System) RFC Editor state changed to AUTH48
2022-01-27
05 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2022-01-27
05 (System) RFC Editor state changed to RFC-EDITOR from IANA
2022-01-26
05 (System) IANA Action state changed to Waiting on RFC Editor from In Progress
2022-01-26
05 (System) IANA Action state changed to In Progress from Waiting on Authors
2022-01-26
05 (System) IANA Action state changed to Waiting on Authors from In Progress
2022-01-26
05 Amanda Baber IANA Action state changed to In Progress from On Hold
2022-01-26
05 Amanda Baber IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK
2022-01-26
05 Amanda Baber IANA Experts State changed to Expert Reviews OK from Reviews assigned
2022-01-26
05 Amanda Baber Both expert approvals received.
2022-01-26
05 (System) IANA Action state changed to In Progress from Waiting on Authors
2022-01-21
05 (System) RFC Editor state changed to IANA from EDIT
2022-01-12
05 (System) RFC Editor state changed to EDIT from MISSREF
2022-01-11
05 Daniel Fett New version available: draft-ietf-oauth-iss-auth-resp-05.txt
2022-01-11
05 (System) New version approved
2022-01-11
05 (System) Request for posting confirmation emailed to previous authors: Daniel Fett, Karsten zu Selhausen
2022-01-11
05 Daniel Fett Uploaded new revision
2022-01-07
04 (System) IANA Action state changed to On Hold from Waiting on Authors
2022-01-06
04 (System) IANA Action state changed to Waiting on Authors from On Hold
2022-01-06
04 Amanda Baber OAuth Authorization Server Metadata registration has been approved. Still waiting for OAuth Parameter approval.
2022-01-06
04 (System) IANA Action state changed to On Hold from In Progress
2022-01-05
04 (System) RFC Editor state changed to MISSREF
2022-01-05
04 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2022-01-05
04 (System) Announcement was received by RFC Editor
2022-01-05
04 (System) IANA Action state changed to In Progress
2022-01-05
04 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2022-01-05
04 Amy Vezza IESG has approved the document
2022-01-05
04 Amy Vezza Closed "Approve" ballot
2022-01-05
04 Amy Vezza Ballot approval text was generated
2022-01-05
04 Roman Danyliw IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::AD Followup
2021-12-02
04 Jean Mahoney Closed request for Last Call review by GENART with state 'Overtaken by Events'
2021-12-02
04 Jean Mahoney Assignment of request for Last Call review by GENART to Jouni Korhonen was marked no-response
2021-12-02
04 (System) Removed all action holders (IESG state changed)
2021-12-02
04 Cindy Morgan IESG state changed to Approved-announcement to be sent::AD Followup from IESG Evaluation
2021-12-02
04 Sabrina Tanamal IANA Review state changed to IANA - Not OK from Version Changed - Review Needed
2021-12-02
04 Zaheduzzaman Sarker [Ballot Position Update] New position, No Objection, has been recorded for Zaheduzzaman Sarker
2021-12-02
04 Francesca Palombini
[Ballot comment]
Thank you for the work on this document, and for addressing my DISCUSS.

Many thanks to Julian Reschke for the ART ART review: https://mailarchive.ietf.org/arch/msg/art/XfLbtK1eLb7s0Z6e_AqGgkoWny0/.

Francesca
2021-12-02
04 Francesca Palombini [Ballot Position Update] Position for Francesca Palombini has been changed to No Objection from Discuss
2021-12-02
04 (System) IANA Review state changed to Version Changed - Review Needed from IANA - Not OK
2021-12-02
04 Daniel Fett New version available: draft-ietf-oauth-iss-auth-resp-04.txt
2021-12-02
04 (System) New version approved
2021-12-02
04 (System) Request for posting confirmation emailed to previous authors: Daniel Fett, Karsten zu Selhausen
2021-12-02
04 Daniel Fett Uploaded new revision
2021-12-01
03 Murray Kucherawy
[Ballot comment]
I support Francesca's DISCUSS.

I also concur with Eric's observations about the shepherd writeup.  Those important details are missing.

Please quote "iss" wherever you use it.  Every time I ran into it, my first thought was that it's a typo and I had to re-parse it a couple of times.
2021-12-01
03 Murray Kucherawy [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy
2021-12-01
03 Amanda Baber IANA Review state changed to IANA - Not OK from Version Changed - Review Needed
2021-12-01
04 (System) IANA Review state changed to IANA - Not OK from Version Changed - Review Needed
2021-12-01
03 John Scudder [Ballot Position Update] New position, No Objection, has been recorded for John Scudder
2021-12-01
03 Francesca Palombini
[Ballot discuss]
Thank you for the work on this document.

Many thanks to Julian Reschke for the ART ART review: https://mailarchive.ietf.org/arch/msg/art/XfLbtK1eLb7s0Z6e_AqGgkoWny0/.

I have one DISCUSS point that has to do with IANA considerations, and is hopefully easy to resolve.

As noted in https://www.ietf.org/blog/handling-iesg-ballot-positions/, a
DISCUSS ballot is a request to have a discussion; I really think that the
document would be improved with a change here, but can be convinced otherwise.

Francesca


1. -----

FP: I am sure the Designated Expert will bring this up, but "iss" is already defined as an OAuth Parameter, for authorization requests. I don't think it's a good idea to use the same parameter name, although in a different message of the exchange, for something different, as the registration defined in Section 5.2 seems to imply. I strongly recommend changing the name in this document. Or, if we can agree that the meaning is similar enough to the original "iss", merge the two IANA registrations (this would not be my preferred choice).
2021-12-01
03 Francesca Palombini Ballot discuss text updated for Francesca Palombini
2021-12-01
03 Warren Kumari
[Ballot comment]
Thank you for this document, and also writing it in a manner that even someone unfamiliar with OAuth can understand :-)  -- I use it, but the internals are very much a black box to me...
2021-12-01
03 Warren Kumari [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari
2021-12-01
03 Martin Vigoureux [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux
2021-11-30
03 Erik Kline [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline
2021-11-30
03 Benjamin Kaduk
[Ballot comment]
Is the authorization endpoint the only one that would benefit from the
added "iss" protection?  Should we say anything about the utility of the
"iss" parameter in other responses?

Section 2

                                              If the authorization
  server provides metadata as defined in [RFC8414], the value of the
  parameter iss MUST be identical to the authorization server metadata
  value issuer.

Does it ever make sense to implement this document but not provide
metadata as in RFC 8414?  Should this document give any guidance (e.g.,
SHOULD or MUST) about also implementing RFC 8414 if this document is
implemented?

Section 2.1

Thank you for using a nice random code with 256 bits of entropy in the
example :)

Section 2.2

Should we use a different 'state' value for the example successful
response and example error response?

Section 2.3

  *  The issuer identifier included in the server's metadata value
      issuer MUST be identical to the iss parameter's value.

I think we attempted to impose this requirement using the BCP 14 MUST
keyword up in toplevel section 2 as well.  Generally my advice is to
only use the normative keywords in one place for any given requirement,
to avoid any risk of conflicting guidance that could lead to different
implementation behaviors.  (In this case, putting the MUST here seems to
make more sense, since it's an explicit listing of "the following rules
apply".)

NITS

Section 2.4

  If clients interact with both authorization servers supporting this
  specification and authorization servers not supporting this
  specification, clients MUST store the information which authorization
  server supports the iss parameter.  Clients MUST reject authorization

I think there's a missing word here, for "the information about" or even
a broader rewording to "MUST retain state about whether each
authorization server supports the iss parameter".

  support in their metadata.  Local policy or configuration can 
  determine whether to accept such responses and specific guidance is
  out of scope for this specification.

I'd suggest s/whether/when/, since we already do give default guidance
("SHOULD discard") earlier.
2021-11-30
03 Benjamin Kaduk [Ballot Position Update] New position, Yes, has been recorded for Benjamin Kaduk
2021-11-30
03 Robert Wilton
[Ballot comment]
Hi,

Thanks for this document, just one comment on a couple of sentences in the security section that I found unclear in this paragraph:

  There are also alternative countermeasures to mix-up attacks.  When
  an authorization response already includes an authorization server's
  issuer identifier by other means, and this identifier is checked as
  laid out in Section 2.4, the use and verification of the iss
  parameter is not necessary and MAY be omitted.  This is the case when
  OpenID Connect response types that return an ID token from the
  authorization endpoint (e.g., response_type=code id_token) or JARM
  response mode are used, for example.  However, if a client receives
  an authorization response that contains multiple issuer identifiers,
  the client MUST reject the response if these issuer identifiers do
  not match.  The details of alternative countermeasures are outside of
  the scope of this specification.

I'm probably missing something but this seems to suggest both:
- the use and verification of the iss parameter is not necessary and MAY be omitted.
- if a client receives an authorization response that contains multiple issuer identifiers,
  the client MUST reject the response if these issuer identifiers do not match.

These seem to conflict to me, but perhaps I'm misunderstanding their intent?

Regards,
Rob
2021-11-30
03 Robert Wilton [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton
2021-11-29
03 Francesca Palombini
[Ballot discuss]
Thank you for the work on this document.

Many thanks to Julian Reschke for the ART ART review: https://mailarchive.ietf.org/arch/msg/art/XfLbtK1eLb7s0Z6e_AqGgkoWny0/.

I have one DISCUSS point that has to do with IANA considerations, and is hopefully easy to resolve.

Francesca


1. -----

FP: I am sure the Designated Expert will bring this up, but "iss" is already defined as an OAuth Parameter, for authorization requests. I don't think it's a good idea to use the same parameter name, although in a different message of the exchange, for something different, as the registration defined in Section 5.2 seems to imply. I strongly recommend changing the name in this document. Or, if we can agree that the meaning is similar enough to the original "iss", merge the two IANA registrations (this would not be my preferred choice).
2021-11-29
03 Francesca Palombini [Ballot Position Update] New position, Discuss, has been recorded for Francesca Palombini
2021-11-29
03 Lars Eggert
[Ballot comment]
All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

Section 2.3. , paragraph 2, nit:
> s by any other mechanism which is outside of the scope of this specification.
>                                  ^^^^^^^^^^
This phrase is redundant. Consider using "outside".

Section 4. , paragraph 4, nit:
> f alternative countermeasures are outside of the scope of this specification.
>                                  ^^^^^^^^^^
This phrase is redundant. Consider using "outside".

These URLs in the document can probably be converted to HTTPS:
* http://arxiv.org/abs/1508.04324
* http://www.iana.org/assignments/oauth-parameters
* http://openid.net/specs/openid-connect-core-1_0.html
2021-11-29
03 Lars Eggert [Ballot Position Update] New position, No Objection, has been recorded for Lars Eggert
2021-11-29
03 Éric Vyncke
[Ballot comment]
Thank you for the work put into this document.

Special thanks to Rifaat Shekh-Yusef for the shepherd's write-up, but alas it does not include ANY comments about the WG consensus and this is the most important point in the write-up. I am trusting the responsible AD and the WG chairs about the consensus.

I have no special comments to add: it looks

Regards,

-éric
2021-11-29
03 Éric Vyncke [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke
2021-11-18
03 Martin Duke [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke
2021-11-18
03 Cindy Morgan Placed on agenda for telechat - 2021-12-02
2021-11-18
03 Roman Danyliw Ballot has been issued
2021-11-18
03 Roman Danyliw [Ballot Position Update] New position, Yes, has been recorded for Roman Danyliw
2021-11-18
03 Roman Danyliw Created "Approve" ballot
2021-11-18
03 Roman Danyliw IESG state changed to IESG Evaluation from Waiting for Writeup::AD Followup
2021-11-18
03 Roman Danyliw Ballot writeup was changed
2021-11-18
03 (System) Changed action holders to Roman Danyliw (IESG state changed)
2021-11-18
03 (System) Sub state has been changed to AD Followup from Revised ID Needed
2021-11-18
03 (System) IANA Review state changed to Version Changed - Review Needed from IANA - Not OK
2021-11-18
03 Karsten zu Selhausen New version available: draft-ietf-oauth-iss-auth-resp-03.txt
2021-11-18
03 (System) New version approved
2021-11-18
03 (System) Request for posting confirmation emailed to previous authors: Daniel Fett, Karsten zu Selhausen
2021-11-18
03 Karsten zu Selhausen Uploaded new revision
2021-11-17
02 Roman Danyliw Please publish an update to address the ARTDIR and SECDIR reviews (as already discussed in the associated threads)
2021-11-17
02 (System) Changed action holders to Roman Danyliw, Daniel Fett, Karsten zu Selhausen (IESG state changed)
2021-11-17
02 Roman Danyliw IESG state changed to Waiting for Writeup::Revised I-D Needed from Waiting for Writeup
2021-11-17
02 (System) IESG state changed to Waiting for Writeup from In Last Call
2021-11-16
02 Michelle Cotton IANA Experts State changed to Reviews assigned
2021-11-16
02 (System) IANA Review state changed to IANA - Not OK from IANA - Review Needed
2021-11-16
02 Michelle Cotton
(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-oauth-iss-auth-resp-02.txt. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator understands that, upon approval of this document, there are two actions which we must complete.

First, in the OAuth Authorization Server Metadata registry on the OAuth Parameters registry page located at:

https://www.iana.org/assignments/oauth-parameters/

a single, new registration is to be made as follows:

Metadata Name: authorization_response_iss_parameter_supported
Metadata Description: Boolean value indicating whether the authorization server provides the iss parameter in the authorization response.
Change Controller: IESG
Reference: [ RFC-to-be; Section 3 ]

As this section requests registrations in a Specification Required (see RFC 8126) registry, the IESG-designated experts for the OAuth Authorization Server Metadata registry have asked that a review request be sent to the mailing list described in [RFC8414]. If this request had not yet been submitted, we will initiate it.  This review must be completed before the document's IANA state can be changed to "IANA OK."

Second, in the OAuth Parameters registry also on the OAuth Parameters registry page located at:

https://www.iana.org/assignments/oauth-parameters/

a single, new registration is to be made as follows:

Name: iss
Parameter Usage Location: authorization response
Change Controller: IESG
Reference: [ RFC-to-be; Section 2 ]

As this section requests registrations in a Specification Required (see RFC 8126) registry, the IESG-designated experts for the OAuth Authorization Server Metadata registry have asked that a review request be sent to the mailing list described in [RFC6749]. If this request had not yet been submitted, we will initiate it.  This review must be completed before the document's IANA state can be changed to "IANA OK."

The IANA Functions Operator understands that these are the only actions required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

Thank you,

Michelle Cotton
IANA Services
2021-11-06
02 Yoav Nir Request for Last Call review by SECDIR Completed: Ready. Reviewer: Yoav Nir. Sent review to list.
2021-11-03
02 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Joel Jaeggli
2021-11-03
02 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Joel Jaeggli
2021-11-01
02 Julian Reschke Request for Last Call review by ARTART Partially Completed: Almost Ready. Reviewer: Julian Reschke. Sent review to list.
2021-10-29
02 Jean Mahoney Request for Last Call review by GENART is assigned to Jouni Korhonen
2021-10-29
02 Jean Mahoney Request for Last Call review by GENART is assigned to Jouni Korhonen
2021-10-28
02 Tero Kivinen Request for Last Call review by SECDIR is assigned to Yoav Nir
2021-10-28
02 Tero Kivinen Request for Last Call review by SECDIR is assigned to Yoav Nir
2021-10-28
02 Barry Leiba Request for Last Call review by ARTART is assigned to Julian Reschke
2021-10-28
02 Barry Leiba Request for Last Call review by ARTART is assigned to Julian Reschke
2021-10-27
02 Cindy Morgan IANA Review state changed to IANA - Review Needed
2021-10-27
02 Cindy Morgan
The following Last Call announcement was sent out (ends 2021-11-17):

From: The IESG
To: IETF-Announce
CC: draft-ietf-oauth-iss-auth-resp@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org, rifaat.s.ietf@gmail.com
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (OAuth 2.0 Authorization Server Issuer Identification) to Proposed Standard


The IESG has received a request from the Web Authorization Protocol WG
(oauth) to consider the following document: - 'OAuth 2.0 Authorization Server
Issuer Identification'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2021-11-17. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This document specifies a new parameter iss that is used to
  explicitly include the issuer identifier of the authorization server
  in the authorization response of an OAuth authorization flow.  The
  iss parameter serves as an effective countermeasure to "mix-up
  attacks".

The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/

No IPR declarations have been submitted directly on this I-D.

2021-10-27
02 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2021-10-27
02 Cindy Morgan Last call announcement was changed
2021-10-27
02 Roman Danyliw Last call was requested
2021-10-27
02 Roman Danyliw Last call announcement was generated
2021-10-27
02 Roman Danyliw Ballot approval text was generated
2021-10-27
02 Roman Danyliw Ballot writeup was generated
2021-10-27
02 (System) Changed action holders to Roman Danyliw (IESG state changed)
2021-10-27
02 Roman Danyliw IESG state changed to Last Call Requested from Publication Requested
2021-10-27
02 Roman Danyliw AD Review: https://mailarchive.ietf.org/arch/msg/oauth/HlzumKBfuimwEbt6FtVuYXTdTKI/
2021-10-13
02 Rifaat Shekh-Yusef
(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
Standard, Informational, Experimental, or Historic)? Why is this the proper
type of RFC? Is this type of RFC indicated in the title page header?

The request is for a Proposed Standard type for the draft-ietf-oauth-iss-auth-resp
document since the document defines a new parameter that is used as a countermeasure to
mix-up attacks.

(2) The IESG approval announcement includes a Document Announcement Write-Up.
Please provide such a Document Announcement Write-Up. Recent examples can be
found in the "Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary:
   This document specifies a new parameter "iss" that is used to
   explicitly include the issuer identifier of the authorization server
   in the authorization response of an OAuth authorization flow.  The
   "iss" parameter serves as an effective countermeasure to "mix-up
   attacks".

Working Group Summary:
This work is useful to address a specific attack when an OAuth Client interacts with
multiple authorization servers.

Document Quality:
A number of people reviewed the document over several rounds of reviews and
provided feedback during meetings and on the mailing list, with no blocking
comments.

Implementations:

Duende Software
    https://duendesoftware.com/products/identityserver

Authlete
    https://www.authlete.com/developers/relnotes/2.2.2/#oauth-2-0-authorization-server-issuer-identifier-in-authorization-response

Authress
    https://authress.io/

Personnel:
The document shepherd is Rifaat Shekh-Yusef.
The responsible Area Director is Roman Danyliw.

(3) Briefly describe the review of this document that was performed by the
Document Shepherd. If this version of the document is not ready for
publication, please explain why the document is being forwarded to the IESG.

The document shepherd has reviewed this document and the authors addressed all my concerns. I feel the document is ready.

(4) Does the document Shepherd have any concerns about the depth or breadth of
the reviews that have been performed?

The document shepherd has no concerns with the level of reviews, as the document
was discussed and reviewed by many participants.

(5) Do portions of the document need review from a particular or from broader
perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or
internationalization? If so, describe the review that took place.

Security review is always appreciated.

(6) Describe any specific concerns or issues that the Document Shepherd has with
this document that the Responsible Area Director and/or the IESG should be aware
of? For example, perhaps he or she is uncomfortable with certain parts of the
document, or has concerns whether there really is a need for it. In any event,
if the WG has discussed those issues and has indicated that it still wishes to
advance the document, detail those concerns here.

The document shepherd has no such concerns.

(7) Has each author confirmed that any and all appropriate IPR disclosures
required for full conformance with the provisions of BCP 78 and BCP 79 have
already been filed. If not, explain why?

Karsten
https://mailarchive.ietf.org/arch/msg/oauth/kqnONSCJNfvnL80VD_hatGSOKe0/

Daniel
https://mailarchive.ietf.org/arch/msg/oauth/y_JcCq9sGRlKX3yPame_-25WAR0/

(8) Has an IPR disclosure been filed that references this document? If so,
summarize any WG discussion and conclusion regarding the IPR disclosures.

No such IPR disclosures.

(9) How solid is the WG consensus behind this document? Does it represent the
strong concurrence of a few individuals, with others being silent, or does the
WG as a whole understand and agree with it?

There was a solid WG consensus that included feedback and support from multiple
parties.

(10) Has anyone threatened an appeal or otherwise indicated extreme discontent?
If so, please summarise the areas of conflict in separate email messages to the
Responsible Area Director. (It should be in a separate email because this
questionnaire is publicly available.)

No such threat or discontent.

(11) Identify any ID nits the Document Shepherd has found in this document.
(See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist).
Boilerplate checks are not enough; this check needs to be thorough.

None

(12) Describe how the document meets any required formal review criteria, such
as the MIB Doctor, media type, and URI type reviews.

No such reviews are necessary.

(13) Have all references within this document been identified as either
 normative or informative?

Yes

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative references
exist, what is the plan for their completion?

No

(15) Are there downward normative references (see RFC 3967)? If so, list these
downward references to support the Area Director in the Last Call procedure.

No

(16) Will publication of this document change the status of any existing RFCs?
Are those RFCs listed on the title page header, listed in the abstract, and
discussed in the introduction? If the RFCs are not listed in the Abstract and
Introduction, explain why, and point to the part of the document where the
relationship of this document to the other RFCs is discussed. If this
information is not in the document, explain why the WG considers it unnecessary.

No.

(17) Describe the Document Shepherd's review of the IANA considerations section,
especially with regard to its consistency with the body of the document. Confirm
that all protocol extensions that the document makes are associated with the
appropriate reservations in IANA registries. Confirm that any referenced IANA
registries have been clearly identified. Confirm that newly created IANA
registries include a detailed specification of the initial contents for the
registry, that allocations procedures for future registrations are defined, and
a reasonable name for the new registry has been suggested (see RFC 5226).

The document registers new values with existing registries.
The document does not introduce any new registry.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful in
selecting the IANA Experts for these new registries.

None.

(19) Describe reviews and automated checks performed by the Document Shepherd to
validate sections of the document written in a formal language, such as XML
code, BNF rules, MIB definitions, etc.

None is needed.
2021-10-13
02 Rifaat Shekh-Yusef Responsible AD changed to Roman Danyliw
2021-10-13
02 Rifaat Shekh-Yusef IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up
2021-10-13
02 Rifaat Shekh-Yusef IESG state changed to Publication Requested from I-D Exists
2021-10-13
02 Rifaat Shekh-Yusef IESG process started in state Publication Requested
2021-10-13
02 Rifaat Shekh-Yusef Changed consensus to Yes from Unknown
2021-10-13
02 Rifaat Shekh-Yusef Intended Status changed to Proposed Standard from None
2021-10-11
02 Rifaat Shekh-Yusef IETF WG state changed to WG Consensus: Waiting for Write-Up from WG Document
2021-10-08
02 Rifaat Shekh-Yusef
(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
Standard, Informational, Experimental, or Historic)? Why is this the proper
type of RFC? Is this type of RFC indicated in the title page header?

The request is for a Proposed Standard type for the draft-ietf-oauth-iss-auth-resp
document since the document defines a new parameter that is used as a countermeasure to
mix-up attacks.

(2) The IESG approval announcement includes a Document Announcement Write-Up.
Please provide such a Document Announcement Write-Up. Recent examples can be
found in the "Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary:
   This document specifies a new parameter "iss" that is used to
   explicitly include the issuer identifier of the authorization server
   in the authorization response of an OAuth authorization flow.  The
   "iss" parameter serves as an effective countermeasure to "mix-up
   attacks".

Working Group Summary:
This work is useful to address a specific attack when an OAuth Client interacts with
multiple authorization servers.

Document Quality:
A number of people reviewed the document over several rounds of reviews and
provided feedback during meetings and on the mailing list, with no blocking
comments.

Implementations:

Duende Software
    https://duendesoftware.com/products/identityserver

Authlete
    https://www.authlete.com/developers/relnotes/2.2.2/#oauth-2-0-authorization-server-issuer-identifier-in-authorization-response

Authress
    https://authress.io/

Personnel:
The document shepherd is Rifaat Shekh-Yusef.
The responsible Area Director is Roman Danyliw.

(3) Briefly describe the review of this document that was performed by the
Document Shepherd. If this version of the document is not ready for
publication, please explain why the document is being forwarded to the IESG.

The document shepherd has reviewed this document and the authors addressed all my concerns. I feel the document is ready.

(4) Does the document Shepherd have any concerns about the depth or breadth of
the reviews that have been performed?

The document shepherd has no concerns with the level of reviews, as the document
was discussed and reviewed by many participants.

(5) Do portions of the document need review from a particular or from broader
perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or
internationalization? If so, describe the review that took place.

Security review is always appreciated.

(6) Describe any specific concerns or issues that the Document Shepherd has with
this document that the Responsible Area Director and/or the IESG should be aware
of? For example, perhaps he or she is uncomfortable with certain parts of the
document, or has concerns whether there really is a need for it. In any event,
if the WG has discussed those issues and has indicated that it still wishes to
advance the document, detail those concerns here.

The document shepherd has no such concerns.

(7) Has each author confirmed that any and all appropriate IPR disclosures
required for full conformance with the provisions of BCP 78 and BCP 79 have
already been filed. If not, explain why?

Karsten
https://mailarchive.ietf.org/arch/msg/oauth/kqnONSCJNfvnL80VD_hatGSOKe0/

Daniel
https://mailarchive.ietf.org/arch/msg/oauth/y_JcCq9sGRlKX3yPame_-25WAR0/

(8) Has an IPR disclosure been filed that references this document? If so,
summarize any WG discussion and conclusion regarding the IPR disclosures.

No such IPR disclosures.

(9) How solid is the WG consensus behind this document? Does it represent the
strong concurrence of a few individuals, with others being silent, or does the
WG as a whole understand and agree with it?

There was a solid WG consensus that included feedback and support from multiple
parties.

(10) Has anyone threatened an appeal or otherwise indicated extreme discontent?
If so, please summarise the areas of conflict in separate email messages to the
Responsible Area Director. (It should be in a separate email because this
questionnaire is publicly available.)

No such threat or discontent.

(11) Identify any ID nits the Document Shepherd has found in this document.
(See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist).
Boilerplate checks are not enough; this check needs to be thorough.

None

(12) Describe how the document meets any required formal review criteria, such
as the MIB Doctor, media type, and URI type reviews.

No such reviews are necessary.

(13) Have all references within this document been identified as either
normative or informative?

Yes

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative references
exist, what is the plan for their completion?

No

(15) Are there downward normative references (see RFC 3967)? If so, list these
downward references to support the Area Director in the Last Call procedure.

No

(16) Will publication of this document change the status of any existing RFCs?
Are those RFCs listed on the title page header, listed in the abstract, and
discussed in the introduction? If the RFCs are not listed in the Abstract and
Introduction, explain why, and point to the part of the document where the
relationship of this document to the other RFCs is discussed. If this
information is not in the document, explain why the WG considers it unnecessary.

No.

(17) Describe the Document Shepherd's review of the IANA considerations section,
especially with regard to its consistency with the body of the document. Confirm
that all protocol extensions that the document makes are associated with the
appropriate reservations in IANA registries. Confirm that any referenced IANA
registries have been clearly identified. Confirm that newly created IANA
registries include a detailed specification of the initial contents for the
registry, that allocations procedures for future registrations are defined, and
a reasonable name for the new registry has been suggested (see RFC 5226).

The document registers new values with existing registries.
The document does not introduce any new registry.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful in
selecting the IANA Experts for these new registries.

None.

(19) Describe reviews and automated checks performed by the Document Shepherd to
validate sections of the document written in a formal language, such as XML
code, BNF rules, MIB definitions, etc.

None is needed.
2021-10-06
02 Karsten zu Selhausen New version available: draft-ietf-oauth-iss-auth-resp-02.txt
2021-10-06
02 (System) New version approved
2021-10-06
02 (System) Request for posting confirmation emailed to previous authors: Daniel Fett , Karsten zu Selhausen
2021-10-06
02 Karsten zu Selhausen Uploaded new revision
2021-06-08
01 Karsten zu Selhausen New version available: draft-ietf-oauth-iss-auth-resp-01.txt
2021-06-08
01 (System) New version approved
2021-06-08
01 (System) Request for posting confirmation emailed to previous authors: Daniel Fett , Karsten zu Selhausen
2021-06-08
01 Karsten zu Selhausen Uploaded new revision
2021-06-04
00 Rifaat Shekh-Yusef Notification list changed to rifaat.s.ietf@gmail.com because the document shepherd was set
2021-06-04
00 Rifaat Shekh-Yusef Document shepherd changed to Rifaat Shekh-Yusef
2021-01-06
00 Rifaat Shekh-Yusef This document now replaces draft-meyerzuselhausen-oauth-iss-auth-resp instead of None
2021-01-06
00 Karsten zu Selhausen New version available: draft-ietf-oauth-iss-auth-resp-00.txt
2021-01-06
00 (System) WG -00 approved
2021-01-06
00 Karsten zu Selhausen Set submitter to "Karsten Meyer zu Selhausen ", replaces to draft-meyerzuselhausen-oauth-iss-auth-resp and sent approval email to group chairs: oauth-chairs@ietf.org
2021-01-06
00 Karsten zu Selhausen Uploaded new revision