A new -03 revision of draft-ietf-oauth-rfc7523bis, with a new and longer
but hopefully accurate title, "Updates to OAuth 2.0 JSON Web Token (JWT)
Client Authentication and Assertion-Based Authorization Grants" has been
published to datatracker (a couple days ago, sorry for the delay here). The
usual links are in the forwarded message and a summary (taken from the
document history
<https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rfc7523bis-03#appendix-A-2>)
of the changes, largely related to discussions at and around the 123
meeting, is included below. Those of us working closely with the document
believe it is now ready for WGLC. I've requested a brief bit of agenda time
at the upcoming meeting in Montreal <https://www.ietf.org/meeting/124/> to
say basically that. But would happily forfeit that time to other topics, if
the WG and/or co-chairs decide it's appropriate to move this one to WGLC
before the meeting.

   -03

   *  Update OAuth Token Endpoint Authentication Methods IANA entries
      with reference to this specification

   *  Relaxed client requirement to use strong typed JWTs.  SHOULD
      instead of MUST.

   *  Do not restrict the "aud" claim's type.  Allow it to be an array
      with a single member.

   *  Advise the client to ensure that the audience of an assertion
      authorization grant makes sense with respect to where it’s being
      sent.

   *  Updates to the abstract and introduction to (hopefully) better
      reflect the more targeted scope of the work.

   *  Remove JWTs for Client Authentication example replacement (not
      worth it for including typ in the encoded JWT header).

   *  Add request to update existing OAuth URI registrations to add
      reference to this specification for the four relevant URNs.

   *  Fixup the new Client Authentication JWT Example.



---------- Forwarded message ---------
From: <[email protected]>
Date: Tue, Oct 7, 2025 at 10:05 AM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-rfc7523bis-03.txt
To: <[email protected]>
Cc: <[email protected]>


Internet-Draft draft-ietf-oauth-rfc7523bis-03.txt is now available. It is a
work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants
   Authors: Michael B. Jones
            Brian Campbell
            Chuck Mortimore
            Filip Skokan
   Name:    draft-ietf-oauth-rfc7523bis-03.txt
   Pages:   14
   Dates:   2025-10-07

Abstract:

   This specification updates the requirements for audience values in
   OAuth 2.0 Client Assertion Authentication and Assertion-based
   Authorization Grants to address a security vulnerability identified
   in the previous requirements for those audience values in multiple
   OAuth 2.0 specifications.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rfc7523bis-03

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-rfc7523bis-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._
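The audience and "typ" changes summarized in the -03 list above, as an added example that is neither text from the draft nor code from its authors. It assumes the audience an authorization server expects in a client assertion is its own token endpoint URL, compared by exact string match, and uses a constructed header and claim set rather than a real assertion.

```python
from typing import Any, Dict, List

# Assumed for this example (not stated in the change list above): the expected
# audience of a client assertion is the receiving server's token endpoint URL.
TOKEN_ENDPOINT = "https://as.example.com/token"


def single_audience(aud: Any) -> str:
    """Return the one audience value carried by an "aud" claim.

    Per the -03 change, "aud" may be a string or an array with exactly one
    string member. Anything else (missing, empty or multi-member array,
    non-string member) is rejected, so one assertion cannot be valid at
    two different parties, which is the audience-confusion risk the draft
    addresses.
    """
    if isinstance(aud, str) and aud:
        return aud
    if isinstance(aud, list) and len(aud) == 1 and isinstance(aud[0], str) and aud[0]:
        return aud[0]
    raise ValueError("aud must be a non-empty string or a single-member string array")


def server_check(header: Dict[str, Any], claims: Dict[str, Any],
                 expected_aud: str = TOKEN_ENDPOINT) -> List[str]:
    """Authorization-server side: raise ValueError on a MUST-level failure
    (wrong or malformed audience); return SHOULD-level warnings otherwise.

    A missing explicit "typ" header is only a warning, matching the relaxed
    SHOULD (instead of MUST) for strongly typed JWTs in -03.
    """
    aud = single_audience(claims.get("aud"))
    if aud != expected_aud:
        raise ValueError(f"assertion audience {aud!r} is not this server ({expected_aud!r})")
    warnings: List[str] = []
    if not header.get("typ"):
        warnings.append('no explicit "typ" header; strongly typed JWTs are recommended')
    return warnings


def client_check(claims: Dict[str, Any], destination: str) -> bool:
    """Client side: only send an assertion whose audience is the endpoint it goes to."""
    try:
        return single_audience(claims.get("aud")) == destination
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample header and claims; no signature is involved here.
    print(server_check({"alg": "RS256"}, {"iss": "client-1", "sub": "client-1", "aud": [TOKEN_ENDPOINT]}))
    print(client_check({"aud": "https://other-as.example.net/token"}, TOKEN_ENDPOINT))
```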