Minutes from IETF 93


2) OAuth 2.0 JWT Authorization Request (Nat) http://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

Nat goes through the issues raised during the WGLC reviews from Brian and Hannes.

It was noted that the document could offer more background information about why a new serialization mechanism is offered. John mentioned that it could be noted that the request object travels through the browser and can therefore be modified.

    Brian raised a question whether the request object is only encrypted. This led to a discussion of the difference between encryption and integrity protection (using symmetric and asymmetric cryptography). The conclusion was reached that the security considerations section needs to be updated to explain what properties the different methods for using JWS/JWE provide.
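As an added illustration of the integrity point above (this is example code, not text from the minutes or from the draft): a request object passes through the user agent and can be edited there, and only a MAC or digital signature lets the authorization server detect that. The snippet below uses only the Python standard library to build an HS256 JWS compact serialization of constructed request-object claims under a constructed shared key, then checks that a browser-side edit of `scope`, an object protected under a different key, and an unsigned (`alg` of `none`) object are all rejected. HS256 is a MAC, so it gives integrity but not the non-repudiation a digital signature would; encryption alone (JWE) is not shown, since the standard library has no AES, and on its own it would hide the claims without telling the server who produced them. All key and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values: a secret shared between client and authorization
# server, and the claims of a request object. None of these come from the
# draft or the minutes.
KEY = b"constructed-shared-secret-do-not-reuse"
SAMPLE_CLAIMS = {
    "iss": "client-demo",
    "aud": "https://as.example.test",
    "response_type": "code",
    "client_id": "client-demo",
    "redirect_uri": "https://client.example.test/cb",
    "scope": "openid",
}


def _b64url_encode(data: bytes) -> str:
    # JWS segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_request_object(claims: dict, key: bytes) -> str:
    """JWS compact serialization of the request object, MACed with HS256."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_request_object(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the MAC verifies; 'alg': 'none' is never accepted."""
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
        header = json.loads(_b64url_decode(header_seg))
        provided = _b64url_decode(sig_seg)
    except (ValueError, json.JSONDecodeError):  # malformed token or bad base64
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    return json.loads(_b64url_decode(payload_seg))


def edit_in_browser(token: str, **changes) -> str:
    """Simulate the user agent rewriting claims while forwarding the original MAC."""
    header_seg, payload_seg, sig_seg = token.split(".")
    claims = json.loads(_b64url_decode(payload_seg))
    claims.update(changes)
    return f"{header_seg}.{_json_segment(claims)}.{sig_seg}"


def unsigned_request_object(claims: dict) -> str:
    """A request object with no integrity protection at all ('alg': 'none')."""
    return _json_segment({"alg": "none"}) + "." + _json_segment(claims) + "."


def run_checks() -> dict:
    """Which of the four cases the verifier handles as intended (all should be True)."""
    token = sign_request_object(SAMPLE_CLAIMS, KEY)
    return {
        "genuine_accepted": verify_request_object(token, KEY) == SAMPLE_CLAIMS,
        "browser_edit_rejected": verify_request_object(
            edit_in_browser(token, scope="openid profile email"), KEY) is None,
        "other_key_rejected": verify_request_object(
            sign_request_object(SAMPLE_CLAIMS, b"other-key"), KEY) is None,
        "alg_none_rejected": verify_request_object(
            unsigned_request_object(SAMPLE_CLAIMS), KEY) is None,
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The `alg` check is deliberate: a verifier that trusts the header's algorithm would accept the unsigned object, which is exactly the "only encrypted / not integrity protected" confusion the discussion turned on.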

    Nat was also asked to provide additional text regarding replay attacks, since third party signing does not allow the sender of the request object to compute a digital signature or a MAC. Section 5.2 should make normative reference to OpenID Connect.

    Brian also pointed out that there is a conflict with the PoP key distribution draft that uses the 'aud' parameter. John noted that currently the 'aud' parameter is used towards a different endpoint, used as a query parameter, but it would probably be good to take this into account now.

    Justin noted that there is general utility to indicate the audience. Today people are forced to use the scope for WHAT, HOW and HOW LONG the client wants to access a protected resource. The 'aud' describes the WHAT aspect. He suggested treating it as a general utility extension that is independent of the PoP document.

    Hannes added a remark that the 'aud' parameter / claim was a separate document and then we added it to the PoP document.

    John said that we didn't have the wide-enough picture and we now understand things better.

Section 5.2: Discussion about where to register parameters -- in the IETF document or in the OIDC spec.

    Section 4.2.1 defines the precedence rules. It was unclear whether this is OIDC specific or whether this is OAuth related.

Nat will make an update within two weeks.

Kepeng and Mike volunteered to review the draft.
