draft-ietf-oauth-jwsreq-03.txt   draft-ietf-oauth-jwsreq-04.txt 
OAuth Working Group N. Sakimura, Ed. OAuth Working Group N. Sakimura, Ed.
Internet-Draft Nomura Research Institute Internet-Draft Nomura Research Institute
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: January 6, 2016 Ping Identity Expires: January 7, 2016 Ping Identity
July 05, 2015 July 06, 2015
Request by JWS ver.1.0 for OAuth 2.0 Request by JWS ver.1.0 for OAuth 2.0
draft-ietf-oauth-jwsreq-03 draft-ietf-oauth-jwsreq-04
Abstract Abstract
The authorization request in OAuth 2.0 utilizes query parameter The authorization request in OAuth 2.0 utilizes query parameter
serialization. This specification defines the authorization request serialization. This specification defines the authorization request
using JWT serialization. The request is sent through "request" using JWT serialization. The request is sent through "request"
parameter or by reference through "request_uri" parameter that points parameter or by reference through "request_uri" parameter that points
to the JWT, allowing the request to be optionally signed and to the JWT, allowing the request to be optionally signed and
encrypted. encrypted.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 6, 2016. This Internet-Draft will expire on January 7, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 20 skipping to change at page 2, line 20
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Request Object . . . . . . . . . . . . . . . . . . . . . 3 2.1. Request Object . . . . . . . . . . . . . . . . . . . . . 3
2.2. Request Object URI . . . . . . . . . . . . . . . . . . . 3 2.2. Request Object URI . . . . . . . . . . . . . . . . . . . 3
3. Request Object . . . . . . . . . . . . . . . . . . . . . . . 4 3. Request Object . . . . . . . . . . . . . . . . . . . . . . . 4
4. Request Object URI . . . . . . . . . . . . . . . . . . . . . 5 4. Request Object URI . . . . . . . . . . . . . . . . . . . . . 5
5. Authorization Request . . . . . . . . . . . . . . . . . . . . 6 5. Authorization Request . . . . . . . . . . . . . . . . . . . . 6
6. Authorization Server Response . . . . . . . . . . . . . . . . 7 6. Authorization Server Response . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
10. Revision History . . . . . . . . . . . . . . . . . . . . . . 8 10. Revision History . . . . . . . . . . . . . . . . . . . . . . 8
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
11.1. Normative References . . . . . . . . . . . . . . . . . . 8 11.1. Normative References . . . . . . . . . . . . . . . . . . 8
11.2. Informative References . . . . . . . . . . . . . . . . . 9 11.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction 1. Introduction
The parameters "request" and "request_uri" are introduced as The parameters "request" and "request_uri" are introduced as
additional authorization request parameters for the OAuth 2.0 additional authorization request parameters for the OAuth 2.0
skipping to change at page 7, line 15 skipping to change at page 7, line 15
6. Authorization Server Response 6. Authorization Server Response
Authorization Server Response is created and sent to the client as in Authorization Server Response is created and sent to the client as in
Section 4 of OAuth 2.0 [RFC6749] . Section 4 of OAuth 2.0 [RFC6749] .
In addition, this document defines additional 'error' values as In addition, this document defines additional 'error' values as
follows: follows:
invalid_request_uri The provided request_uri was not available. invalid_request_uri The provided request_uri was not available.
invalid_request_format The Request Object format was invalid. invalid_request_object The Request Object was invalid.
invalid_request_params The parameter set provided in the Request
Object was invalid.
7. IANA Considerations 7. IANA Considerations
This document registers following error strings to the OAuth Error None.
Registry.
invalid_request_uri The provided request_uri was not available.
invalid_request_format The Request Object format was invalid.
invalid_request_params The parameter set provided in the Request
Object was invalid.
8. Security Considerations 8. Security Considerations
In addition to the all the security considerations discussed in OAuth In addition to the all the security considerations discussed in OAuth
2.0 [RFC6819], the following security considerations SHOULD be taken 2.0 [RFC6819], the following security considerations SHOULD be taken
into account. into account.
When sending the authorization request object through "request" When sending the authorization request object through "request"
parameter, it SHOULD be signed with then considered appropriate parameter, it SHOULD be signed with then considered appropriate
algorithm using [RFC7515]. The "alg=none" SHOULD NOT be used in such algorithm using [RFC7515]. The "alg=none" SHOULD NOT be used in such
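Review bot: Section 7 on the new side reads "None." while Section 6 still says that this document defines additional 'error' values (invalid_request_uri and invalid_request_object), so the draft now defines error codes without saying where they are registered. If the intent is to rely on a registration made elsewhere, say so in Section 7 with a reference, or reword Section 6 so it does not claim to define the values here. The new text also drops invalid_request_params with no replacement; the description "The Request Object was invalid." should state whether it covers an invalid parameter set as well as an invalid format, so that implementers of -03 know which code to return in each case.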
skipping to change at page 8, line 13 skipping to change at page 7, line 46
recommended. recommended.
9. Acknowledgements 9. Acknowledgements
Following people contributed to creating this document through the Following people contributed to creating this document through the
OpenID Connect 1.0 [openid_ab]. OpenID Connect 1.0 [openid_ab].
Breno de Medeiros (Google), Hideki Nara (TACT), John Bradley ( Ping Breno de Medeiros (Google), Hideki Nara (TACT), John Bradley ( Ping
Identity) <author>, Nat Sakimura (NRI) <author/editor>, Ryo Itou Identity) <author>, Nat Sakimura (NRI) <author/editor>, Ryo Itou
(Yahoo! Japan), George Fletcher (AOL), Justin Richer (MITRE), Edmund (Yahoo! Japan), George Fletcher (AOL), Justin Richer (MITRE), Edmund
Jay (Illumila), (add yourself). Jay (Illumila), Michael B. Jones (Microsoft), (add yourself).
In addition following people contributed to this and previous In addition following people contributed to this and previous
versions through The OAuth Working Group. versions through The OAuth Working Group.
David Recordon (Facebook), Luke Shepard (Facebook), James H. Manger David Recordon (Facebook), Luke Shepard (Facebook), James H. Manger
(Telstra), Marius Scurtescu (Google), John Panzer (Google), Dirk (Telstra), Marius Scurtescu (Google), John Panzer (Google), Dirk
Balfanz (Google), (add yourself). Balfanz (Google), (add yourself).
10. Revision History 10. Revision History
-04
o Changed invalid_request_* to align with OpenID Connect.
o Removed entry in the IANA considerations.
-03 -03
o Fixed the non-normative description about the advantage of static o Fixed the non-normative description about the advantage of static
signature. signature.
o Changed the requement for the parameter values in the request o Changed the requement for the parameter values in the request
iteself and the request object from 'MUST MATCH" to 'Req Obj takes iteself and the request object from 'MUST MATCH" to 'Req Obj takes
precedence. precedence.
-02 -02
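Review bot: The -04 revision entry "Changed invalid_request_* to align with OpenID Connect." records the rename but not that invalid_request_params was removed outright; list that removal explicitly, and say which IANA entry was removed (the error string registrations). While this section is being touched, the unchanged -03 entry still has "requement", "iteself" and the mismatched quotes in 'MUST MATCH", and both acknowledgement lists still end with the "(add yourself)" placeholder.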
 End of changes. 8 change blocks. 
19 lines changed or deleted 14 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/