]> AWS

Canada jeffsec@amazon.com

IndyKite

Canada alex.babeanu@indykite.com

Web Authorization Protocol security trust This specification defines new claims for JWT profiled access tokens so that resource providers can benefit from more granular information about the client: its authentication methods as well as the grant flow and the grant flow extensions used as part of the issuance of the associated tokens. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Web Authorization Protocol mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction Resource providers need information about the subject, the action, the resource, and the context involved in the request in order to be able to determine properly if a resource can be disclosed. This decision may also involve the help of a Policy Decision Point (PDP). When accessed with a JWT profiled OAuth2 Access Token presented as a bearer token , a resource provider receives mainly information about the subject in the form of: - The sub claim, - Any user profile claim set by the Authorization Server if applicable, - Any Authentication Information claims like the user class of authentication (acrclaim) or user method of authentication (claim amr ) - Any Authorization Information if applicable The resource provider has very little information about the client, mainly in the form of the client_id claim. It falls short in several important circumstances, for instance, in or regulated APIs when they require peculiar client authentication mechanisms to be enforced or transaction specific details to be present in the token. This document defines 4 new claims allowing to describe with more precise information the client and metadata on how it interacted with the authorization server during the issuance of the access token. It respects description of how to encode access tokens in JWT format. The process by which the client interacts with the authorization server is out of scope.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

JWT access token:

An OAuth 2.0 access token encoded in JWT format and complying to the requirements described in .

This specification uses the terms "access token", "authorization server", "authorization endpoint", "authorization request", "client", "protected resource", and "resource server" defined by "The OAuth 2.0 Authorization Framework" .

JWT Access Token Client Extensions Data Structure The following claims extend the access token payload data structure:

Client Flow Information Claims The claims listed in this section MUST be issued and reflect grant type and extensions used with authorization server as part of the authorization request from the client. Their values are dynamic across all access tokens that derive from a given authorization response to reflect the elements used in the process that lead to their issuance.

gty:

REQUIRED - defines the OAuth2 authorization grant type the client used for the issuance of the access token. String that is an identifier for an OAuth2 Grant type. Values used in the gty Claim MUST be from those registered in the IANA Grant Type Reference Values registry TODO established by this RFC and referencing, without being limited to, values established through section 2. of , section 2.1 of , and section 4 of .

cxt:

REQUIRED - defines the list of extensions the client used in conjunction with the OAuth2 authorization grant type used for the issuance of the access token. For example but not limited to: Proof Key for Code Exchange by OAuth Public Clients (or PKCE) as defined in , Demonstrating Proof of Possession (or DPoP) as defined in . JSON array of strings that are identifiers for extensions used. Values used in the cxt Claim MUST be from those registered in the IANA Client Context Reference Values registry TODO established by this RFC and referencing, without being limited to, values established through section 2 of , and Section 5.1 of .

Client Authentication Information Claims The claims listed in this section MAY be issued and reflect the types and strength of client authentication in the access token that the authentication server enforced prior to returning the authorization response to the client. Their values are fixed and remain the same across all access tokens that derive from a given authorization response, whether the access token was obtained directly in the response (e.g., via the implicit flow) or after obtaining a fresh access token using a refresh token. Those values may change if an access token is exchanged for another via an procedure in order to reflect the specificities of this request.

ccr:

OPTIONAL - defines the authentication context class reference the client satisfied when authenticating to the authorization server. An absolute URI or registered name from future RFC SHOULD be used as the ccr value; registered names MUST NOT be used with a different meaning than that which is registered. Parties using this claim will need to agree upon the meanings of the values used, which may be context specific.

cmr:

OPTIONAL - defines the authentication methods the client used when authenticating to the authorization server. String that is an identifier for an authentication method used in the authentication of the client. For instance, a value might indicate the usage of private JWT as defined in and or HTTP message signature as defined in . The cmr value is a case-sensitive string. Values used in the cmr Claim SHOULD be from those registered in the IANA OAuth Token Endpoint Authentication Methods Values registry defined by ; parties using this claim will need to agree upon the meanings of any unregistered values used, which may be context specific.

Authorization Server Metadata The following authorization server metadata parameters are introduced as an extension of , in order to describe the server's capabilities.

support_client_extentison_claims:

Boolean parameter indicating to clients and resource servers whether the authorization server will return the extension claims described in this document.

Note: that the non presence of support_client_extentison_claims is sufficient for the client to determine that the server is not capable and therefore will not return the extension claims described in this RFC.

Requesting a JWT Access Token with Client Extensions This specification does not change how clients interacts with authorization servers. An authorization server supporting this specification MUST issue a JWT access token with client extensions claims described in this RFC in response to any authorization grant defined by and subsequent extensions meant to result in an access token and as along as the authorization server support this capability.

Validating JWT Access Tokens with Client Extensions This specification follows the requirements of the section 4 of .

Security Considerations

Validation Of Token The JWT access token data format described here is the same as JWT access token defined by .

Processing Of Claims Defined By This Document Any processor, client or resource server, MUST only process claims described in this document that it understands. If a processor does not understand a claim described in this document or its value, it SHOULD ignore it.

Security Best Practice The security current best practices described in MUST be applied.

IANA Considerations The following registration procedure is used for the registry established by this specification. Values are registered on a Specification Required [RFC8126] basis after a two-week review period on the oauth-ext-review@ietf.org mailing list, on the advice of one or more Designated Experts. However, to allow for the allocation of values prior to publication of the final version of a specification, the Designated Experts may approve registration once they are satisfied that the specification will be completed and published. However, if the specification is not completed and published in a timely manner, as determined by the Designated Experts, the Designated Experts may request that IANA withdraw the registration. Registration requests sent to the mailing list for review should use an appropriate subject (e.g., "Request to register JWT profiled OAuth2 Access Token client extensions: example"). Within the review period, the Designated Experts will either approve or deny the registration request, communicating this decision to the review list and IANA. Denials should include an explanation and, if applicable, suggestions as to how to make the request successful. The IANA escalation process is followed when the Designated Experts are not responsive within 14 days. Criteria that should be applied by the Designated Experts includes determining whether the proposed registration duplicates existing functionality, determining whether it is likely to be of general applicability or whether it is useful only for a single application, and whether the registration makes sense. IANA must only accept registry updates from the Designated Experts and should direct all requests for registration to the review mailing list. It is suggested that multiple Designated Experts be appointed who are able to represent the perspectives of different applications using this specification, in order to enable broadly-informed review of registration decisions. In cases where a registration decision could be perceived as creating a conflict of interest for a particular Expert, that Expert should defer to the judgment of the other Experts. The reason for the use of the mailing list is to enable public review of registration requests, enabling both Designated Experts and other interested parties to provide feedback on proposed registrations. The reason to allow the Designated Experts to allocate values prior to publication as a final specification is to enable giving authors of specifications proposing registrations the benefit of review by the Designated Experts before the specification is completely done, so that if problems are identified, the authors can iterate and fix them before publication of the final specification.

OAuth Grant Type Registration This specification registers the following grant type in the OAuth Grant Type registry.

authorization_code grant type

Type name:

authorization_code

Change controller:

IETF

Specification document(s):

section 2. of

implicit grant type

Type name:

implicit

Change controller:

IETF

Specification document(s):

section 2. of

password grant type

Type name:

password

Change controller:

IETF

Specification document(s):

section 2. of

client_credentials grant type

Type name:

client_credentials

Change controller:

IETF

Specification document(s):

section 2. of

refresh_token grant type

Type name:

refresh_token

Change controller:

IETF

Specification document(s):

section 2. of

jwt-bearer grant type

Type name:

urn:ietf:params:oauth:grant-type:jwt-bearer

Change controller:

IETF

Specification document(s):

section 2. of and section 6 of

saml2-bearer grant type

Type name:

urn:ietf:params:oauth:grant-type:saml2-bearer

Change controller:

IETF

Specification document(s):

section 2. of

token-exchange grant type

Type name:

urn:ietf:params:oauth:grant-type:token-exchange

Change controller:

IETF

Specification document(s):

section 2.1. of

device_code grant type

Type name:

urn:ietf:params:oauth:grant-type:device_code

Change controller:

IETF

Specification document(s):

section 3.4. of

ciba grant type

Type name:

urn:openid:params:grant-type:ciba

Change controller:

IETF

Specification document(s):

section 4. of

OAuth Grant Extension Type Registration This specification registers the following grant extension type in the OAuth Grant Extension Type registry.

pkce grant extension type

Type name:

pkce

Change controller:

IETF

Specification document(s):

This RFC as a reference to

dpop grant extension type

Type name:

dpop

Change controller:

IETF

Specification document(s):

This RFC as a reference to

wpt grant extension type

Type name:

wpt

Change controller:

IETF

Specification document(s):

This RFC as a reference to section 4.2 of

rar grant extension type

Type name:

rar

Change controller:

IETF

Specification document(s):

This RFC as a reference to

par grant extension type

Type name:

par

Change controller:

IETF

Specification document(s):

This RFC as a reference to

jar grant extension type

Type name:

jar

Change controller:

IETF

Specification document(s):

This RFC as a reference to

OAuth Token Endpoint Authentication Methods Registration This specification registers additional token endpoint authentication methods in the OAuth Token Endpoint Authentication Methods registry.

jwt-bearer token endpoint authentication method

Type name:

jwt-bearer

Change controller:

IETF

Specification document(s):

This RFC as a reference to and

jwt-svid token endpoint authentication method

Type name:

jwt-svid

Change controller:

IETF

Specification document(s):

This RFC as a reference to SPIFFE JWT-SVID

wit token endpoint authentication method

Type name:

wit

Change controller:

IETF

Specification document(s):

This RFC as a reference to

txn_token token endpoint authentication method

Type name:

txn_token

Change controller:

IETF

Specification document(s):

This RFC as a reference to

Claims Registration Section X.Y of this specification refers to the attributes gty, cxt, ccr, and cmr to express client metadata JWT access tokens. This section registers those attributes as claims in the registry introduced in .

gty claim definition

Claim Name:

gty

Claim Description:

OAuth2 Grant Type used

Change Controller:

IETF

Specification Document(s): Section X.Y of this document

cxt claim definition

Claim Name:

cxt

Claim Description:

Client Extensions used on top of the OAuth2 Grant Type

Change Controller:

IETF

Specification Document(s):

Section X.Y of this document

ccr claim definition

Claim Name:

ccr

Claim Description:

Client Authentication Class Reference

Change Controller:

IETF

Specification Document(s):

Section X.Y of this document

cmr claim definition

Claim Name:

cmr

Claim Description:

Client Authentication Methods Reference

Change Controller:

IETF

Specification Document(s):

Section X.Y of this document

References Normative References The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK] JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. This specification defines a profile for issuing OAuth 2.0 access tokens in JSON Web Token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in an interoperable manner. This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration. This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. The OAuth 2.0 device authorization grant is designed for Internet- connected devices that either lack a browser to perform a user-agent- based authorization or are input constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical. It enables OAuth clients on such devices (like smart TVs, media consoles, digital picture frames, and printers) to obtain user authorization to access protected resources by using a user agent on a separate device. Telefonica Deutsche Telekom AG Deutsche Telekom AG Moneyhub Ping Identity This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities. IANA In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK] This specification provides a framework for the use of assertions with OAuth 2.0 in the form of a new client authentication mechanism and a new authorization grant type. Mechanisms are specified for transporting assertions during interactions with a token endpoint; general processing rules are also specified. The intent of this specification is to provide a common framework for OAuth 2.0 to interwork with other identity systems using assertions and to provide alternative client authentication mechanisms. Note that this specification only defines abstract message flows and processing rules. In order to be implementable, companion specifications are necessary to provide the corresponding concrete instantiations. This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication. The "amr" (Authentication Methods References) claim is defined and registered in the IANA "JSON Web Token Claims" registry, but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values. OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy"). This document specifies a new parameter authorization_details that is used to carry fine-grained authorization data in OAuth messages. This document defines the pushed authorization request (PAR) endpoint, which allows clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent call to the authorization endpoint. The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that authorization request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that a) the communication through the user agents is not integrity protected and thus, the parameters can be tainted, b) the source of the communication is not authenticated, and c) the communication through the user agents can be monitored. Because of these weaknesses, several attacks to the protocol have now been put forward. This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained. The request can be sent by value or by reference. This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens. This document describes OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token. This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where the full HTTP message may not be known to the signer and where the message may be transformed (e.g., by intermediaries) before reaching the verifier. This document also describes a means for requesting that a signature be applied to a subsequent HTTP message in an ongoing HTTP exchange. This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0. Further, it deprecates some modes of operation that are deemed less secure or even insecure. Okta Independent Ping Identity This specification provides a mechanism for an application to use an identity assertion to obtain an access token for a third-party API by coordinating through a common enterprise identity provider using Token Exchange [RFC8693] and JWT Profile for OAuth 2.0 Authorization Grants [RFC7523]. Ping Identity Venafi SPIRL Intuit The WIMSE architecture defines authentication and authorization for software workloads in a variety of runtime environments, from the most basic ones up to complex multi-service, multi-cloud, multi- tenant deployments. This document defines the simplest, atomic unit of this architecture: the protocol between two workloads that need to verify each other's identity in order to communicate securely. The scope of this protocol is a single HTTP request-and-response pair. To address the needs of different setups, we propose two protocols, one at the application level and one that makes use of trusted TLS transport. These two protocols are compatible, in the sense that a single call chain can have some calls use one protocol and some use the other. Workload A can call Workload B with mutual TLS authentication, while the next call from Workload B to Workload C would be authenticated at the application level. SGNL Capital One SPIRL Transaction Tokens (Txn-Tokens) enable workloads in a trusted domain to ensure that user identity and authorization context of an external programmatic request, such as an API invocation, are preserved and available to all workloads that are invoked as part of processing such a request. Txn-Tokens also enable workloads within the trusted domain to initiate transactions with protected user identity an authorization context throughout the call chain of the workloads required to complete the request. IANA IANA Authlete Moneyhub Financial Technology Authlete n.d. n.d.

Acknowledgments The authors wants to acknowledge the support and work of the following individuals: George Fletcher (Practical Identity), Christopher Langton (Vulnetix). The authors wants also to recognize the trail blazers and thought leaders that created the ecosystem without which this draft proposal would not be able to solve customer pain points and secure usage of digital services, especially without being limited to: Vittorio Bertocci†, Brian Campbell (Ping Identity), Justin Richer (MongoDB), Aaron Parecki (Okta), Pieter Kasselman (SPRL), Dr Mike Jones (Self-Issued Consulting, LLC), Dr Daniel Fett (Authlete).