[Openid-specs-ab] OAuth JAR's final improvements

Nat Sakimura sakimura at gmail.com
Fri Apr 12 02:53:28 UTC 2019

As noted in the last meeting note, we had a discussion on OAuth JAR
draft at the OAuth Security Workshop 2019. The draft has gone through
the telechat but needs one fix pointed out by Ekr.

That is

a) to add an explanatory text to what `aud` shall be.

In OIDC Core 1.0, `aud` here is defined as

The aud value SHOULD be or include the OP's Issuer Identifier URL.

In -17 of the OAuth JAR draft, it is saying:

   the Authorization Request
   Object SHOULD contain the Claims "iss" (issuer) and "aud" (audience)
   as members, with their semantics being the same as defined in the JWT
   [RFC7519] specification.

Apparently, it is less specific than OIDC.

We discussed this a bit in the OAuth Security Workshop 2019 and what
the room concluded was that it should be a value in the OAuth Server
There are two candidates for this.

* issuer
* authorization_endpoint

The discussion there concluded that since the request really should be
going to the authorization_endpoint and not the token endpoint, the
value of `aud` should be the value of `authorization_endpoint` as in

Then, there were a bunch of other features that people wanted were discussed.

They were:

b) Additional AS metadata, e.g,
* authorization_endpoint_jar_signing_alg_values_supported
* authorization_endpoint_jar_encryption_alg_values_supported

c) Client registration parameter to indicate always sign, and always encrypt.

d) Take 7.5 from FAPI Part 2.

It was agreed that pushing b), c) and d) above would mean pushing the
draft back to WG and as FAPI wants to have the spec published ASAP, it
was agreed just to do a) for this document and leave b) - d) in
another spec or bi OAuth JAR bis.

Nat Sakimura (=nat)
Chairman, OpenID Foundation

More information about the Openid-specs-ab mailing list