Technical Summary
This document specifies a new parameter, iss, which explicitly
includes the issuer identifier of the authorization server in the
authorization response of an OAuth authorization flow. The iss
parameter serves as an effective countermeasure to "mix-up
attacks".
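As an added example, not text from this writeup or code from any of the listed implementations: a Python sketch of the client-side check the specification calls for, where the client compares the iss value in the authorization response against the issuer identifier of the authorization server it actually sent the request to. The URLs, state and code values are constructed, and the iss_supported flag stands in for the server's published metadata.

```python
# Added example (not from the document): client-side validation of the iss
# parameter in an OAuth authorization response.  All URLs and values are constructed.
from urllib.parse import parse_qs, urlparse


def validate_authorization_response(redirect_url, expected_state, expected_issuer,
                                    iss_supported=True):
    """Validate an authorization response delivered to the client's redirect URI.

    expected_issuer is the issuer identifier of the AS the client sent this
    request to (stored per request, next to the state value).  iss_supported
    reflects whether that AS advertises support for the iss parameter.
    Returns (True, code) on success or (False, reason) when the client must not
    proceed, i.e. must not send the code to any token endpoint.
    """
    params = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)
    # A response parameter may appear only once; a duplicated iss or state is rejected.
    dup = [k for k, v in params.items() if len(v) != 1]
    if dup:
        return False, f"duplicate parameter(s): {', '.join(dup)}"
    resp = {k: v[0] for k, v in params.items()}
    # Bind the response to the pending request first (CSRF protection).
    if resp.get("state") != expected_state:
        return False, "state mismatch"
    iss = resp.get("iss")
    if iss is None:
        if iss_supported:
            # The AS advertises iss support, so a response without it cannot be trusted.
            return False, "iss missing although AS advertises support"
    elif iss != expected_issuer:  # simple string comparison, no normalisation
        # Mix-up detected: the response came from a different AS than the request went to.
        return False, "iss mismatch: response came from a different AS"
    if "error" in resp:
        return False, f"authorization error: {resp['error']}"
    code = resp.get("code")
    if not code:
        return False, "no authorization code"
    return True, code
```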
Working Group Summary
This work is useful to address a specific attack when an OAuth Client interacts with multiple authorization servers. It hardens prior OAuth work.
Document Quality
A number of people reviewed the document over several rounds of reviews and
provided feedback during meetings and on the mailing list, with no blocking
comments.
Implementations:
Duende Software: https://duendesoftware.com/products/identityserver
Authlete: https://www.authlete.com/developers/relnotes/2.2.2/#oauth-2-0-authorization-server-issuer-identifier-in-authorization-response
Authress: https://authress.io/
Personnel
The document shepherd is Rifaat Shekh-Yusef.
The responsible Area Director is Roman Danyliw.