OAuth 2.0 Authorization Server Issuer Identification
draft-ietf-oauth-iss-auth-resp-05

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-iss-auth-resp@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org, rfc-editor@rfc-editor.org, rifaat.s.ietf@gmail.com
Subject: Protocol Action: 'OAuth 2.0 Authorization Server Issuer Identification' to Proposed Standard (draft-ietf-oauth-iss-auth-resp-04.txt)

The IESG has approved the following document:
- 'OAuth 2.0 Authorization Server Issuer Identification'
  (draft-ietf-oauth-iss-auth-resp-04.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/


Ballot Text

Technical Summary

   This document specifies a new parameter iss that is used to
   explicitly include the issuer identifier of the authorization server
   in the authorization response of an OAuth authorization flow.  The
   iss parameter serves as an effective countermeasure to "mix-up
   attacks".

Working Group Summary

This work addresses a specific attack that arises when an OAuth Client interacts with multiple authorization servers.  It hardens prior OAuth work.

Document Quality

A number of people reviewed the document over several rounds of reviews and
provided feedback during meetings and on the mailing list, with no blocking
comments.

Implementations:

Duende Software
    https://duendesoftware.com/products/identityserver

Authlete
    https://www.authlete.com/developers/relnotes/2.2.2/#oauth-2-0-authorization-server-issuer-identifier-in-authorization-response

Authress
    https://authress.io/


Personnel

The document shepherd is Rifaat Shekh-Yusef.

The responsible Area Director is Roman Danyliw.

RFC Editor Note