Internet Engineering Task Force | N. Sakimura, Ed. |
Internet-Draft | Nomura Research Institute |
Intended status: Standards Track | J. Bradley |
Expires: May 10, 2013 | Ping Identity |
November 06, 2012 |
Request by JWS ver.1.0 for OAuth 2.0
draft-sakimura-oauth-requrl-03
The authorization request in OAuth 2.0 utilizes query parameter serizalization. This specification defines the authorization request using JWT serialization. The request is sent thorugh 'request' parameter or by reference through 'request_url' that points to the JWT, allowing the request to be optionally signed and encrypted.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http:/⁠/⁠datatracker.ietf.org/⁠drafts/⁠current/⁠.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 10, 2013.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:/⁠/⁠trustee.ietf.org/⁠license-⁠info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The parameters 'request' and 'request_url' are introduced as additional authorization request parameters for the OAuth 2.0 [RFC6749] flows. The 'request' parameter is a JSON Web Token (JWT) [JWT] whose body holds the JSON encoded OAuth 2.0 authorization request parameters. The [JWT] can be passed to the authorization endpoint by reference, in which case the parameter 'request_uri' is used instead of the 'request'.
Using [JWT] as the request encoding instead of query parameters has several advantages:
There are a few cases that request by reference is useful such as:
This capability is in use by OpenID Connect.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
Following parameters are defined as a request and response parameter.
The Authorization Request object is used to provide authorization request parameters. It contains OAuth 2.0 authorization request parameters including extension parameters. It is a JSON Web Signature (JWS) [JWS] signed JWT [JWT] that has the JSON object that holds the OAuth 2.0 authorization request parameters. The parameters are included as the top level members of JSON [RFC4627]. Parameter names and string values are included as JSON strings. Numerical values are included as JSON numbers. It MAY include any extension parameters. This JSON [RFC4627] constitues the body of the [JWT].
The Authorization Request Object MAY be signed or unsigned (plaintext). When it is plaintext, this is indicated by use of the none algorithm [JWA] in the JWS header. If signed, the Authorization Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members, with their semantics being the same as defined in the JWT [JWT] specification.
The Authorization Request Object MAY also be encrypted using JWE [JWE] after signing, with nesting performed in the same manner as specified for JWTs [JWT]. The Authorization Request Object MAY alternatively be sent by reference using request_uri parameter.
OAuth 2.0 Authorization Request parameters that are not included in the Authorization Request Object MAY be sent as a query parameter. If the parameter exists both in the query string and the Authorization Request Object, they MUST exactly match.
If a required parameter is not present in neither the query parameter or the Authorization Request Object, it forms a malformed request.
Following is the example of the JSON which consitutes the body of the [JWT].
{ "redirect_url":"https://example.com/rp/endpoint_url", "cliend_id":"http://example.com/rp/" }
The following is a non-normative example of a [JWT] encoded authorization request object. It includes extension variables such as "nonce", "userinfo", and "id_token". Note that the line wraps within the values are for display purpose only:
JWT algorithm = HS256 HMAC HASH Key = 'aaa' JSON Encoded Header = "{"alg":"HS256","typ":"JWT"}" JSON Encoded Payload = "{"response_type":"code id_token", "client_id":"s6BhdRkqt3", "redirect_uri":"https://client.example.com/cb", "scope":"openid profile", "state":"af0ifjsldkj", "nonce":"n-0S6_WzA2Mj", "userinfo":{"claims":{"name":null,"nickname":{"optional":true}, "email":null,"verified":null, "picture":{"optional":true}},"format":"signed"}, "id_token":{"max_age":86400,"iso29115":"2"}}" JWT = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZ SBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiO iJodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkI HByb2ZpbGUiLCJzdGF0ZSI6ImFmMGlmanNsZGtqIiwidXNlcmluZm8iOnsiY2xhaW1zI jp7Im5hbWUiOm51bGwsIm5pY2tuYW1lIjp7Im9wdGlvbmFsIjp0cnVlfSwiZW1haWwiO m51bGwsInZlcmlmaWVkIjpudWxsLCJwaWN0dXJlIjp7Im9wdGlvbmFsIjp0cnVlfX0sI mZvcm1hdCI6InNpZ25lZCJ9LCJpZF90b2tlbiI6eyJtYXhfYWdlIjo4NjQwMCwiaXNvM jkxMTUiOiIyIn19.2OiqRgrbrHkA1FZ5p_7bc_RSdTbH-wo_Agk-ZRpD3wY
The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format:
The client directs the resource owner to the constructed URI using an HTTP redirection response, or by other means available to it via the user-agent.
For example, the client directs the end-user's user-agent to make the following HTTPS request (line breaks are for display purposes only):
GET /authorize?request_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host: server.example.com
The autorization request object MAY be signed AND/OR encrypted.
Upon receipt of request_uri in the request, the authorization server MUST send a GET request to the request_uri to retrieve the authorization request object unless it is already cached at the Authorization Server.
If the response was signed AND/OR encrypted, it has to be decoded accordingly before being processed.
Then, the Authorization Server MUST reconstruct the complete client request from the original HTTP request and the content of the request object. Then, the process continues as described in Section 3 of OAuth 2.0 [RFC6749] .
Authorization Server Response is created and sent to the client as in Section 4 of OAuth 2.0 [RFC6749] .
In addition, this document defines additional 'error' values as follows:
This document registers following error strings to the OAuth Error Registry.
In addition to the all the security considerations discussed in OAuth 2.0 [RFC6749], the following security considerations SHOULD be taken into account.
When sending the authorization request object through request parameter, it SHOULD be signed with [JWS].
When obtaining the Request FIle, the Authorization Server SHOULD use either HTTP over TLS 1.2 as defined in RFC5246 [RFC5246] AND/OR [JWS].
If the request object contains personally identifiable or sensitive information, the "request_uri" MUST be of one-time use and MUST have large enough entropy deemed necessary with applicable security policy. For higher security requirement, using [JWE] is strongly recommended.
[[ToDo]]
Following people contributed to creating this document through the OpenID Connect 1.0 [openid_ab] .
Breno de Medeiros (Google), Hideki Nara (TACT), John Bradley (Ping Identity) <author>, Nat Sakimura (NRI) <author/editor>, Ryo Itou (Yahoo! Japan), George Fletcher (AOL), Justin Richer (Mitre), Edmund Jay (MGI1), (add yourself).
In addition following people contributed to this and previous versions through The OAuth Working Group.
David Recordon (Facebook), Luke Shepard (Facebook), James H. Manger (Telstra), Marius Scurtescu (Google), John Panzer (Google), Dirk Balfanz (Google), (add yourself).
[openid_ab] | openid-specs-ab@openid.net, , "OpenID Connect 1.0", October 2011. |