Skip to main content

Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc: RFC Editor <>,
    oauth mailing list <>,
    oauth chair <>
Subject: Protocol Action: 'Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants' to Proposed Standard (draft-ietf-oauth-assertions-18.txt)

The IESG has approved the following document:
- 'Assertion Framework for OAuth 2.0 Client Authentication and
   Authorization Grants'
  (draft-ietf-oauth-assertions-18.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working

The IESG contact persons are Kathleen Moriarty and Stephen Farrell.

A URL of this Internet Draft is:

Ballot Text

Technical Summary

  The Assertion Framework for OAuth 2.0 allows the use of assertions
  in the form of a new client authentication mechanism
  and a new authorization grant type.  Mechanisms are specified for
  transporting assertions during interactions with a token endpoint, as
  well as general processing rules.

  The intent of this specification is to provide a common framework for
  OAuth 2.0 to interwork with other identity systems using assertions,
  and to provide alternative client authentication mechanisms.

  Note that this specification only defines abstract message flows and
  processing rules.  In order to be implementable, companion
  specifications are necessary to provide the corresponding concrete

Working Group Summary

  There was no controversy around this document. 

Document Quality
  The working group decided to separate the framework for assertion
  handling from instance documents supporting SAML assertion and JSON-
  based encoded tokens. Readers who want to implement the functionality
  also need to consult one of the extension documents, such as 

  The draft previously went through IESG review and was sent back to the WG
  to improve interoperability.  Updates have been made to address the prior concerns.


  The document shepherd is Hannes Tschofenig and the responsible-ish
  area director is Kathleen Moriarty. 

RFC Editor Note: This draft is part of a set of drafts that cross 2
working groups. I am working through the reviews (shepherd just
confirmed them for the OAuth ones) and would like them processed as a
set. The JOSE drafts will hopefully be ready shortly as well. The
set includes (in order):

1 draft-ietf-jose-json-web-signature
2 draft-ietf-jose-json-web-encryption
3 draft-ietf-jose-json-web-key
4 draft-ietf-jose-json-web-algorithms
5 draft-ietf-oauth-json-web-token
6 draft-ietf-jose-cookbook
7 draft-ietf-oauth-assertions
8 draft-ietf-oauth-saml2-bearer
9 draft-ietf-oauth-jwt-bearer

RFC Editor Note