[rfc-dist] RFC 9101 on The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)

rfc-editor at rfc-editor.org rfc-editor at rfc-editor.org
Sat Aug 21 00:29:24 PDT 2021

A new Request for Comments is now available in online RFC libraries.

        RFC 9101

        Title:      The OAuth 2.0 Authorization Framework: 
                    JWT-Secured Authorization Request (JAR) 
        Author:     N. Sakimura,
                    J. Bradley,
                    M. Jones
        Status:     Standards Track
        Stream:     IETF
        Date:       August 2021
        Mailbox:    nat at nat.consulting,
                    rfc9101 at ve7jtb.com,
                    mbj at microsoft.com
        Pages:      25
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-jwsreq-34.txt

        URL:        https://www.rfc-editor.org/info/rfc9101

        DOI:        10.17487/RFC9101

The authorization request in OAuth 2.0 described in RFC 6749 utilizes
query parameter serialization, which means that authorization request
parameters are encoded in the URI of the request and sent through
user agents such as web browsers.  While it is easy to implement, it
means that a) the communication through the user agents is not
integrity protected and thus, the parameters can be tainted, b) the
source of the communication is not authenticated, and c) the
communication through the user agents can be monitored.  Because of
these weaknesses, several attacks to the protocol have now been put

This document introduces the ability to send request parameters in a
JSON Web Token (JWT) instead, which allows the request to be signed
with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
(JWE) so that the integrity, source authentication, and
confidentiality properties of the authorization request are attained.
 The request can be sent by value or by reference.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track
protocol for the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the Official
Internet Protocol Standards (https://www.rfc-editor.org/standards) for the 
standardization state and status of this protocol.  Distribution of this 
memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see

For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor at rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.

The RFC Editor Team
Association Management Solutions, LLC

More information about the rfc-dist mailing list