DOI: https://doi.org/10.17487/RFC9101
The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that authorization request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that a) the communication through the user agents is not integrity protected and thus the parameters can be tainted, b) the source of the communication is not authenticated, and c) the communication through the user agents can be monitored. Because of these weaknesses, several attacks on the protocol have now been put forward.
This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained. The request can be sent by value or by reference.
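The by-value flow described above, as an added example that is not part of the RFC: the client serializes its authorization request parameters as the claims of a JWS-signed JWT and passes it in the `request` query parameter, and the authorization server verifies the signature before trusting any parameter, so a tampered parameter is detected. The HS256 shared secret, client id, endpoint and parameter values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed demo secret; a real deployment would use a key registered for the client.
SECRET = b"constructed-shared-secret-for-demo"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_request_object(params: dict, key: bytes) -> str:
    """Client side: put the authorization request parameters into a JWT and sign it (JWS, HS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(params, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def build_authz_url(authz_endpoint: str, client_id: str, request_object: str) -> str:
    """Send the request object by value in the 'request' parameter; client_id is
    echoed outside the JWT (assumed here) so the server can look up the client's key."""
    return authz_endpoint + "?" + urlencode({"client_id": client_id, "request": request_object})


def verify_request_object(token: str, key: bytes) -> dict:
    """Authorization server side: reject unexpected algorithms and bad signatures
    before any parameter inside the JWT is used."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never accept "none"
        raise ValueError("unexpected alg in request object header")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: request parameters were altered in transit")
    return json.loads(b64url_decode(payload_b64))


def is_valid_request_object(token: str, key: bytes) -> bool:
    """Convenience wrapper returning False instead of raising."""
    try:
        verify_request_object(token, key)
        return True
    except ValueError:
        return False
```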