The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
draft-ietf-oauth-jwsreq-19

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
Cc: oauth-chairs@ietf.org, rfc-editor@rfc-editor.org, Kathleen.Moriarty.ietf@gmail.com, "The IESG" <iesg@ietf.org>, Hannes.Tschofenig@gmx.net, oauth@ietf.org, draft-ietf-oauth-jwsreq@ietf.org
Subject: Protocol Action: 'The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)' to Proposed Standard (draft-ietf-oauth-jwsreq-11.txt)

The IESG has approved the following document:
- 'The OAuth 2.0 Authorization Framework: JWT Secured Authorization
   Request (JAR)'
  (draft-ietf-oauth-jwsreq-11.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working
Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/


Technical Summary

   The authorization request in OAuth 2.0 [RFC6749] utilizes query
   parameter serialization, which means that Authorization Request
   parameters are encoded in the URI of the request and sent through
   user agents such as web browsers.  While it is easy to implement, it
   means that (a) the communication through the user agents are not
   integrity protected and thus the parameters can be tainted, and (b)
   the source of the communication is not authentciated.  Because of
   these weaknesses, several attacks to the protocol have now been put
   forward.

   This document introduces the ability to send request parameters in a
   JSON Web Token (JWT) instead, which allows the request to be JWS
   signed and/or JWE encrypted so that the integrity, source
   authentication and confidentiallity property of the Authorization
   Request is attained.  The request can be sent by value or by
   reference.

Working Group Summary

   Was there anything in the WG process that is worth noting?
   For example, was there controversy about particular points 
   or were there decisions where the consensus was
   particularly rough? 

Document Quality

   There are a number of implementations, both vendor and
   open source and there was good support in the working group.

Personnel

 Hannes Tschofenig is the document shepherd and the responsible area 
director is Kathleen Moriarty.