RFC 9101
The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR), August 2021
- File formats:
- Also available: XML file for editing
- Status:
- PROPOSED STANDARD
- Authors:
- N. Sakimura
J. Bradley
M. Jones - Stream:
- IETF
- Source:
- oauth (sec)
Cite this RFC: TXT | XML | BibTeX
DOI: https://doi.org/10.17487/RFC9101
Discuss this RFC: Send questions or comments to the mailing list oauth@ietf.org
Other actions: Submit Errata | Find IPR Disclosures from the IETF | View History of RFC 9101
Abstract
The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that authorization request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that a) the communication through the user agents is not integrity protected and thus, the parameters can be tainted, b) the source of the communication is not authenticated, and c) the communication through the user agents can be monitored. Because of these weaknesses, several attacks to the protocol have now been put forward.
This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained. The request can be sent by value or by reference.
For the definition of Status, see RFC 2026.
For the definition of Stream, see RFC 8729.