UNLIMITED FREE ACCESS TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Select Your Free Newsletters

Industry Newsletters

Select Your Free Product Alerts

Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

IETF - RFC 9101

The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)

active, Most Current
Organization: IETF
Publication Date: 1 August 2021
Status: active
Page Count: 25
scope:

Abstract

The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that authorization request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that a) the communication through the user agents is not integrity protected and thus, the parameters can be tainted, b) the source of the communication is not authenticated, and c) the communication through the user agents can be monitored. Because of these weaknesses, several attacks to the protocol have now been put forward.

This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained. The request can be sent by value or by reference.

Document History

RFC 9101
August 1, 2021
The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
Abstract The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that authorization request parameters are encoded in the URI of the request...

References

This document references:
RFC 2046 - Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types
Published by IETF on November 1, 1996
A description is not available for this item.
This document references:
IETF RFC 3629 - UTF-8, a transformation format of ISO 10646
Published by IETF on November 1, 2003
A description is not available for this item.
This document references:
IETF RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
Published by IETF on March 1, 2011
Many application technologies enable secure communication between two entities by means of Internet Public Key Infrastructure Using X.509 (PKIX) certificates in the context of Transport Layer...
This document references:
IETF RFC 6749 - The OAuth 2.0 Authorization Framework
Published by IETF on October 1, 2012
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction...
This document is referenced by:
RFC 9207 - OAuth 2.0 Authorization Server Issuer Identification
Published by IETF on March 1, 2022
Abstract This document specifies a new parameter called iss. This parameter is used to explicitly include the issuer identifier of the authorization server in the authorization response of an OAuth...
This document is referenced by:
RFC 9396 - OAuth 2.0 Rich Authorization Requests
Published by IETF on May 1, 2023
This document specifies a new parameter authorization_details that is used to carry finegrained authorization data in OAuth messages.
View Less
View All
Advertisement