%% You should probably cite rfc9101 instead of this I-D. @techreport{ietf-oauth-jwsreq-24, number = {draft-ietf-oauth-jwsreq-24}, type = {Internet-Draft}, institution = {Internet Engineering Task Force}, publisher = {Internet Engineering Task Force}, note = {Work in Progress}, url = {https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/24/}, author = {Nat Sakimura and John Bradley}, title = {{The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)}}, pagetotal = 33, year = , month = , day = , abstract = {The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that Authorization Request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that (a) the communication through the user agents are not integrity protected and thus the parameters can be tainted, and (b) the source of the communication is not authenticated. Because of these weaknesses, several attacks to the protocol have now been put forward. This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication and confidentiality property of the Authorization Request is attained. The request can be sent by value or by reference.}, }