{"draft":"draft-ietf-oauth-jwsreq-34","doc_id":"RFC9101","title":"The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)","authors":["N. Sakimura","J. Bradley","M. Jones"],"format":["HTML","TEXT","PDF","XML"],"page_count":"25","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"Web Authorization Protocol","abstract":"The authorization request in OAuth 2.0 described in RFC 6749 utilizes\r\nquery parameter serialization, which means that authorization request\r\nparameters are encoded in the URI of the request and sent through\r\nuser agents such as web browsers.  While it is easy to implement, it\r\nmeans that a) the communication through the user agents is not\r\nintegrity protected and thus, the parameters can be tainted, b) the\r\nsource of the communication is not authenticated, and c) the\r\ncommunication through the user agents can be monitored.  Because of\r\nthese weaknesses, several attacks to the protocol have now been put\r\nforward.\r\n\r\nThis document introduces the ability to send request parameters in a\r\nJSON Web Token (JWT) instead, which allows the request to be signed\r\nwith JSON Web Signature (JWS) and encrypted with JSON Web Encryption\r\n(JWE) so that the integrity, source authentication, and\r\nconfidentiality properties of the authorization request are attained.\r\n The request can be sent by value or by reference.","pub_date":"August 2021","keywords":["Assertion","Claim","Security Token","OAuth","JavaScript Object Notation","JSON","JSON Web Token","JWT","JSON Web Signature","JWS","JSON Web Encryption","JWE"],"obsoletes":[],"obsoleted_by":[],"updates":[],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC9101","errata_url":null}