RFC 9101

The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR), August 2021

File formats:

icon for HTML icon for text file icon for v3pdf icon for XML
Also available: XML file for editing
N. Sakimura
J. Bradley
M. Jones
oauth (sec)

Cite this RFC: TXT  |  XML  |   BibTeX

DOI:  https://doi.org/10.17487/RFC9101

Discuss this RFC: Send questions or comments to the mailing list oauth@ietf.org

Other actions: Submit Errata  |  Find IPR Disclosures from the IETF  |  View History of RFC 9101


The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that authorization request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that a) the communication through the user agents is not integrity protected and thus, the parameters can be tainted, b) the source of the communication is not authenticated, and c) the communication through the user agents can be monitored. Because of these weaknesses, several attacks to the protocol have now been put forward.

This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained. The request can be sent by value or by reference.

For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.

Advanced Search