draft-ietf-oauth-par-05.txt vs. draft-ietf-oauth-par-06.txt (rfcdiff)

Web Authorization Protocol                               T. Lodderstedt
Internet-Draft                                                  yes.com
Intended status: Standards Track                            B. Campbell
Expires: 17 June 2021 (-05) / 6 August 2021 (-06)         Ping Identity
                                                            N. Sakimura
                                                         NAT.Consulting
                                                               D. Tonge
                                          Moneyhub Financial Technology
                                                              F. Skokan
                                                                  Auth0
                              14 December 2020 (-05) / 2 February 2021 (-06)

                    OAuth 2.0 Pushed Authorization Requests
                 draft-ietf-oauth-par-05 / draft-ietf-oauth-par-06
Abstract

   This document defines the pushed authorization request endpoint,
   which allows clients to push the payload of an OAuth 2.0
   authorization request to the authorization server via a direct
   request and provides them with a request URI that is used as
   reference to the data in a subsequent call to the authorization
   endpoint.
skipping to change at page 1, line 42
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 17 June 2021 (-05) / 6 August 2021 (-06).

Copyright Notice

   Copyright (c) 2020 (-05) / 2021 (-06) IETF Trust and the persons
   identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.
skipping to change at page 2, line 31

     2.2.  Successful Response . . . . . . . . . . . . . . . . . . .   8
     2.3.  Error Response  . . . . . . . . . . . . . . . . . . . . .   9
     2.4.  Management of Client Redirect URIs  . . . . . . . . . . .  10
   3.  The "request" Request Parameter . . . . . . . . . . . . . . .  11
   4.  Authorization Request . . . . . . . . . . . . . . . . . . . .  13
   5.  Authorization Server Metadata . . . . . . . . . . . . . . . .  14
   6.  Client Metadata . . . . . . . . . . . . . . . . . . . . . . .  15
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  15
     7.1.  Request URI Guessing  . . . . . . . . . . . . . . . . . .  15
     7.2.  Open Redirection  . . . . . . . . . . . . . . . . . . . .  15
     7.3.  Request Object Replay . . . . . . . . . . . . . . . . . .  15 (-05) / 16 (-06)
     7.4.  Client Policy Change  . . . . . . . . . . . . . . . . . .  16
     7.5.  Request URI Swapping  . . . . . . . . . . . . . . . . . .  16
   8.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  16
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  16
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  17
     10.1.  OAuth Authorization Server Metadata  . . . . . . . . . .  17
     10.2.  OAuth Dynamic Client Registration Metadata . . . . . . .  17
     10.3.  OAuth URI Registration . . . . . . . . . . . . . . . . .  17
   11. Normative References  . . . . . . . . . . . . . . . . . . . .  17 (-05) / 18 (-06)
   12. Informative References  . . . . . . . . . . . . . . . . . . .  18
   Appendix A.  Document History . . . . . . . . . . . . . . . . . .  20
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  21 (-05) / 22 (-06)
1.  Introduction

   Pushed authorization requests (PAR), defined by this document, enable
   OAuth [RFC6749] clients to push the payload of an authorization
   request directly to the authorization server in exchange for a
   request URI value, which is used as reference to the authorization
   request payload data in a subsequent call to the authorization
   endpoint via the user-agent.
skipping to change at page 15, line 5

   "pushed_authorization_request_endpoint"  The URL of the pushed
      authorization request endpoint at which a client can post an
      authorization request in exchange for a "request_uri" value usable
      at the authorization server.

   "require_pushed_authorization_requests"  Boolean parameter indicating
      whether the authorization server accepts authorization request
      data only via the pushed authorization request method.  If
      omitted, the default value is "false".

   [[ Paragraph added in -06 ]]
   Note that the presence of "pushed_authorization_request_endpoint" is
   sufficient for a client to determine that it may use the pushed
   authorization request flow.  A "request_uri" value obtained from the
   PAR endpoint is usable at the authorization endpoint regardless of
   other authorization server metadata such as
   "request_uri_parameter_supported" or
   "require_request_uri_registration".
6.  Client Metadata

   The Dynamic Client Registration Protocol [RFC7591] defines an API for
   dynamically registering OAuth 2.0 client metadata with authorization
   servers.  The metadata defined by [RFC7591], and registered
   extensions to it, also imply a general data model for clients that is
   useful for authorization server implementations even when the Dynamic
   Client Registration Protocol isn't in play.  Such implementations
   will typically have some sort of user interface available for
   managing client configuration.  The following client metadata
skipping to change at page 18, line 37 (-05) / line 42 (-06)

              errata set 1", 8 November 2014,
              <http://openid.net/specs/openid-connect-core-1_0.html>.

   [RFC8414]  Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0
              Authorization Server Metadata", RFC 8414,
              DOI 10.17487/RFC8414, June 2018,
              <https://www.rfc-editor.org/info/rfc8414>.

12.  Informative References

   [[ -05 lists the same twelve entries in a different order; the -06 order follows ]]

   [RFC7523]  Jones, M., Campbell, B., and C. Mortimore, "JSON Web Token
              (JWT) Profile for OAuth 2.0 Client Authentication and
              Authorization Grants", RFC 7523, DOI 10.17487/RFC7523, May
              2015, <https://www.rfc-editor.org/info/rfc7523>.

   [RFC6755]  Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace
              for OAuth", RFC 6755, DOI 10.17487/RFC6755, October 2012,
              <https://www.rfc-editor.org/info/rfc6755>.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              <https://www.rfc-editor.org/info/rfc7519>.

   [RFC7636]  Sakimura, N., Ed., Bradley, J., and N. Agarwal, "Proof Key
              for Code Exchange by OAuth Public Clients", RFC 7636,
              DOI 10.17487/RFC7636, September 2015,
              <https://www.rfc-editor.org/info/rfc7636>.

   [RFC8707]  Campbell, B., Bradley, J., and H. Tschofenig, "Resource
              Indicators for OAuth 2.0", RFC 8707, DOI 10.17487/RFC8707,
              February 2020, <https://www.rfc-editor.org/info/rfc8707>.

   [I-D.ietf-oauth-security-topics]
              Lodderstedt, T., Bradley, J., Labunets, A., and D. Fett,
              "OAuth 2.0 Security Best Current Practice", Work in
              Progress, Internet-Draft, draft-ietf-oauth-security-
              topics-16, 5 October 2020, <https://tools.ietf.org/html/
              draft-ietf-oauth-security-topics-16>.

   [I-D.ietf-oauth-v2-1]
              Hardt, D., Parecki, A., and T. Lodderstedt, "The OAuth 2.1
              Authorization Framework", Work in Progress, Internet-
              Draft, draft-ietf-oauth-v2-1-00, 30 July 2020,
              <https://tools.ietf.org/html/draft-ietf-oauth-v2-1-00>.

   [IANA.OAuth.Parameters]
              IANA, "OAuth Parameters",
              <http://www.iana.org/assignments/oauth-parameters>.

   [RFC7591]  Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and
              P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol",
              RFC 7591, DOI 10.17487/RFC7591, July 2015,
              <https://www.rfc-editor.org/info/rfc7591>.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005,
              <https://www.rfc-editor.org/info/rfc4122>.

   [RFC8705]  Campbell, B., Bradley, J., Sakimura, N., and T.
              Lodderstedt, "OAuth 2.0 Mutual-TLS Client Authentication
              and Certificate-Bound Access Tokens", RFC 8705,
              DOI 10.17487/RFC8705, February 2020,
              <https://www.rfc-editor.org/info/rfc8705>.

   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015,
              <https://www.rfc-editor.org/info/rfc7517>.
Appendix A.  Document History

   [[ To be removed from the final specification ]]

   -06

   *  Add a note clarifying that the presence of
      "pushed_authorization_request_endpoint" is sufficient for a client
      to know that it can use the PAR flow

   -05

   *  Mention use of "invalid_request" error code for cases, like a bad
      "redirect_uri", that don't have a more specific one

   -04

   *  Edits to address WGLC comments

   *  Replace I-D.ietf-oauth-mtls reference with now published RFC8705