Skip to main content

The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
RFC 9101

Revision differences

Document history

Date By Action
2022-05-27
Pete Resnick Closed request for Last Call review by I18NDIR with state 'Overtaken by Events'
2021-08-21
(System)
Received changes through RFC Editor sync (created alias RFC 9101, changed title to 'The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)', changed abstract …
Received changes through RFC Editor sync (created alias RFC 9101, changed title to 'The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)', changed abstract to 'The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that authorization request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that a) the communication through the user agents is not integrity protected and thus, the parameters can be tainted, b) the source of the communication is not authenticated, and c) the communication through the user agents can be monitored. Because of these weaknesses, several attacks to the protocol have now been put forward.

This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained. The request can be sent by value or by reference.', changed pages to 25, changed standardization level to Proposed Standard, changed state to RFC, added RFC published event at 2021-08-21, changed IESG state to RFC Published)
2021-08-21
(System) RFC published