| TOC |
|
While OAuth 2.0's Form Encoded requests are simple to code, it has a disadvantage that it is not being signed and thus pronte to the tampering. Also, no method to encrypt the payload is defined so the confidentiality of the request is not warranted.
This specification defines an alternative request format based on JSON Web Token. It can be signed and encrypted to achieve integrity, non-repudiation, and confidentiality. Since such requests are largely static, such a request can be created once and used many times.
Further, it defines a method that passes such request via reference. In this case, the signed request can be created once and registered to the server and the client can chose from one of them by specifying the URI of the request, making the request small as well as allowing the serverside optimization.
1.
Introduction
1.1.
Requirements Notation and Conventions
2.
Terminology
3.
Authorization Request by JSON
3.1.
Passing the Request Object by value
3.2.
Passing the Request Object by Reference
3.2.1.
"request_uri" Rationale
4.
Validation
4.1.
Authorization Request Validation
4.1.1.
Encrypted Request Object
4.1.2.
Signed Request Object
4.1.3.
Parameter Validation
5.
Authorization Error Response
6.
Security Considerations
7.
Privacy Considerations
8.
IANA Considerations
8.1.
OAuth Parameters Registry
8.1.1.
Registry Contents
8.2.
OAuth Extensions Error Registry
8.2.1.
Registry Contents
9.
References
9.1.
Normative References
9.2.
Informative References
Appendix A.
Acknowledgements
Appendix B.
Notices
Appendix C.
Document History
§
Authors' Addresses
| TOC |
Once the Client obtained the Access Token through OpenID Connect Authentication, it MAY use it against a OAuth 2.0 Bearer Token Usage (Jones, M. and D. Hardt, “The OAuth 2.0 Authorization Framework: Bearer Token Usage,” October 2012.) [RFC6750] Protected Resource called UserInfo Endpoint to obtain the information about the End-User.
| TOC |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) .
Throughout this document, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value.
All uses of JSON Web Signature (JWS) (Jones, M., Bradley, J., and N. Sakimura, “JSON Web Signature (JWS),” May 2013.) [JWS] and JSON Web Encryption (JWE) (Jones, M., Rescorla, E., and J. Hildebrand, “JSON Web Encryption (JWE),” May 2013.) [JWE] data structures in this specification utilize the JWS Compact Serialization or the JWE Compact Serialization; the JWS JSON Serialization and the JWE JSON Serialization are not used.
| TOC |
This specification strives to make itself readable without constantly referring to the term definitions. Defined terms are shown with its first letters capitalized. When in doubt, refer to OpenID Connect Messages 1.0 for the authoritative definition of the defined terms.
| TOC |
This specification defines following OAuth 2.0 extension parameters to send the Authorization Request by JWT encoded JSON by value and by reference. If one of them is used, the other MUST NOT be used in the same request.
- request
- This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be signed and optionally encrypted. The parameter value is a Request Object value, as specified in Section 3.1 (Passing the Request Object by value). It represents the request as a JWT whose Claims are the request parameters above.
- When the request parameter is used, the OpenID Connect request parameter values contained in the JWT supersede those passed using the OAuth 2.0 request syntax. Even if a scope parameter is present in the Request Object value, a scope parameter MUST always be passed using the OAuth 2.0 request syntax containing the openid scope value to indicate to the underlying OAuth 2.0 logic that this is an OpenID Connect request.
- request_uri
- This parameter enables OpenID Connect requests to be passed by reference, rather than by value. The request_uri value is a URL using the https scheme referencing a resource containing a Request Object value, which is a JWT containing the request parameters. This parameter is used identically to the request parameter, other than that the Request Object value is retrieved from the specified URL, rather than passed by value. See Section 3.2 (Passing the Request Object by Reference) for more information on using the request_uri parameter.
| TOC |
The request parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be signed and optionally encrypted. It represents the request as a JWT whose Claims are the request parameters to the Authorization Endpoint. This JWT is called a Request Object.
Support for the request parameter is OPTIONAL. The request_parameter_supported Discovery result indicates whether the OP supports this parameter. Should an OP not support this parameter and an RP uses it, the OP MUST return the request_not_supported error.
When the request parameter is used, the OpenID Connect request parameter values contained in the JWT supersede those passed using the OAuth 2.0 request syntax. However, some parameters MAY be passed using the OAuth 2.0 request syntax even when a Request Object is used; this would typically be done to enable a cached, pre-signed (and possibly pre-encrypted) Request Object value to be used containing the fixed request parameters, while parameters that can vary with each request, such as state and nonce, are passed as OAuth 2.0 parameters.
Even if a scope parameter is present in the Request Object value, a scope parameter MUST always be passed using the OAuth 2.0 request syntax containing the openid scope value to indicate to the underlying OAuth 2.0 logic that this is an OpenID Connect request.
The Request Object MAY be signed or unsigned (plaintext). When it is plaintext, this is indicated by use of the none algorithm [JWA] (Jones, M., “JSON Web Algorithms (JWA),” May 2013.) in the JWS header. If signed, the Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members, with their semantics being as defined in the JWT (Jones, M., Bradley, J., and N. Sakimura, “JSON Web Token (JWT),” May 2013.) [JWT] specification.
The Request Object MAY also be encrypted using JWE (Jones, M., Rescorla, E., and J. Hildebrand, “JSON Web Encryption (JWE),” May 2013.) [JWE], with nested signing and encryption performed as described in the JWT [JWT] (Jones, M., Bradley, J., and N. Sakimura, “JSON Web Token (JWT),” May 2013.) specification.
request and request_uri parameters MUST NOT be included in Request Objects.
An example set of Request Object Claims before base64url encoding and JWS signing is as follows:
{
"response_type": "code id_token",
"client_id": "s6BhdRkqt3",
"redirect_uri": "https://client.example.org/cb",
"scope": "openid",
"state": "af0ifjsldkj",
"login_hint": "janedoe@example.org",
"max_age": 86400,
"claims":
{
"userinfo":
{
"given_name": {"essential": true},
"nickname": null,
"email": {"essential": true},
"email_verified": {"essential": true},
"picture": null
},
"id_token":
{
"auth_time": {"essential": true},
"acr": { "values":["urn:mace:incommon:iap:silver"] }
}
}
}
| TOC |
The request_uri parameter enables OpenID Connect requests to be passed by reference, rather than by value. This parameter is used identically to the request parameter, other than that the Request Object value is retrieved from the resource at the specified URL, rather than passed by value.
The request_uri_parameter_supported Discovery result indicates whether the OP supports this parameter. Should an OP not support this parameter and an RP uses it, the OP MUST return the request_uri_not_supported error.
When the request_uri parameter is used, the OpenID Connect request parameter values contained in the referenced JWT supersede those passed using the OAuth 2.0 request syntax. However, some parameters MAY be passed using the OAuth 2.0 request syntax even when a request_uri is used; this would typically be done to enable a cached, pre-signed (and possibly pre-encrypted) Request Object value to be used containing the fixed request parameters, while parameters that can vary with each request, such as state and nonce, are passed as OAuth 2.0 parameters.
Even if a scope parameter is present in the referenced Request Object, a scope parameter MUST always be passed using the OAuth 2.0 request syntax containing the openid scope value to indicate to the underlying OAuth 2.0 logic that this is an OpenID Connect request.
Servers MAY cache the contents of the resources referenced by request URIs. If the contents of the referenced resource could ever change, the URI SHOULD include the base64url encoded SHA-256 hash of the referenced resource contents as the fragment component of the URI. If the fragment value used for a URI changes, that signals the server that any cached value for that URI with the old fragment value is no longer valid.
Note that Clients MAY pre-register request_uri values using the request_uris parameter defined in Section 2 of the OpenID Connect Dynamic Client Registration 1.0 (Sakimura, N., Bradley, J., and M. Jones, “OpenID Connect Dynamic Client Registration 1.0,” July 2013.) [OpenID.Registration] specification.
| TOC |
There are several reasons that one might choose to use the request_uri parameter:
| TOC |
If any of the validation procedures defined in this specification fail, any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used.
| TOC |
Authorization Request Validation consists of two main steps: (1) decryption and signature validation of the value of request or the content of request_uri, and (2) parameter validation. If a Request Object value was sent in the request parameter or by reference in the request_uri parameter, the Request Object MUST validate as JWS (Jones, M., Bradley, J., and N. Sakimura, “JSON Web Signature (JWS),” May 2013.) [JWS] or JWE (Jones, M., Rescorla, E., and J. Hildebrand, “JSON Web Encryption (JWE),” May 2013.) [JWE] encoded objects, for which nested encryption and signing can be utilized in the manner described in the JWT (Jones, M., Bradley, J., and N. Sakimura, “JSON Web Token (JWT),” May 2013.) [JWT] specification.
| TOC |
If the Authorization Server has advertised JWE encryption algorithms in the request_object_encryption_alg_values_supported and request_object_encryption_enc_values_supported elements of its Discovery Document, these are used by the Client to encrypt the JWT.
The Authorization Server MUST decode the JWT in accordance with the JSON Web Encryption (Jones, M., Rescorla, E., and J. Hildebrand, “JSON Web Encryption (JWE),” May 2013.) [JWE] specification. The result MAY be either a signed or unsigned (plaintext) Request Object. In the former case, signature validation MUST be performed as defined in Section 4.1.2 (Signed Request Object).
The Authorization Server MUST return the error if there is a decryption error.
| TOC |
To perform Signature Validation, the alg parameter in the JWS header MUST match the value of the request_object_signing_alg set during Client Registration (Sakimura, N., Bradley, J., and M. Jones, “OpenID Connect Dynamic Client Registration 1.0,” July 2013.) [OpenID.Registration] or a value that was pre-registered by other means.
The signature MUST be validated against the key registered for that client_id and algorithm, in accordance with the JSON Web Signature (Jones, M., Bradley, J., and N. Sakimura, “JSON Web Signature (JWS),” May 2013.) [JWS] specification.
The Authorization Server MUST return the Authorization Error Response if there is a signature validation error.
| TOC |
The Authorization Server MUST construct the Authorization Request Message from the Request Object value and the OAuth 2.0 Authorization Request parameters. If the same parameter exists both in the Request Object and the OAuth Authorization Request parameters, the parameter in the Request Object is used. Using this Authorization Request Message, the Authorization Server performs the following steps of the request validation:
If the Authorization Server encounters any error, it MUST return the error response.
| TOC |
If the End-User denies the access request or if the request fails, the OP (Authorization Server) informs the RP (Client) by using the Error Response parameters defined in Sections 4.1.2.1 of OAuth 2.0 (Hardt, D., “The OAuth 2.0 Authorization Framework,” October 2012.) [RFC6749].
In addition to the error codes defined in Sections 4.1.2.1 and 4.2.2.1 of OAuth 2.0 and that of OpenID Connect Authentication Core 1.0, this specification also defines the following error codes:
- invalid_request_uri
- The request_uri in the Authorization Request returns an error or contains invalid data.
- invalid_request_object
- The request parameter contains an invalid Request Object.
- request_not_supported
- The OP does not support use of the request parameter.
- request_uri_not_supported
- The OP does not support use of the request_uri parameter.
| TOC |
For Security Considerations, refer to OpenID Connect Consolidated Security and Privacy Considerations document.
| TOC |
For Privacy Considerations, refer to OpenID Connect Consolidated Security and Privacy Considerations document.
| TOC |
| TOC |
This specification registers the following parameters in the IANA OAuth Parameters registry defined in RFC 6749 (Hardt, D., “The OAuth 2.0 Authorization Framework,” October 2012.) [RFC6749].
| TOC |
| TOC |
This specification registers the following errors in the IANA OAuth Extensions Error registry defined in RFC 6749 (Hardt, D., “The OAuth 2.0 Authorization Framework,” October 2012.) [RFC6749].
| TOC |
Error name: request_not_supported
Error name: request_uri_not_supported
| TOC |
| TOC |
| [JWA] | Jones, M., “JSON Web Algorithms (JWA),” draft-ietf-jose-json-web-algorithms (work in progress), May 2013 (HTML). |
| [JWE] | Jones, M., Rescorla, E., and J. Hildebrand, “JSON Web Encryption (JWE),” draft-ietf-jose-json-web-encryption (work in progress), May 2013 (HTML). |
| [JWS] | Jones, M., Bradley, J., and N. Sakimura, “JSON Web Signature (JWS),” draft-ietf-jose-json-web-signature (work in progress), May 2013 (HTML). |
| [JWT] | Jones, M., Bradley, J., and N. Sakimura, “JSON Web Token (JWT),” draft-ietf-oauth-json-web-token (work in progress), May 2013 (HTML). |
| [OpenID.Messages] | Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C., and E. Jay, “OpenID Connect Messages 1.0,” July 2013. |
| [OpenID.Registration] | Sakimura, N., Bradley, J., and M. Jones, “OpenID Connect Dynamic Client Registration 1.0,” July 2013. |
| [RFC2119] | Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML). |
| [RFC2246] | Dierks, T. and C. Allen, “The TLS Protocol Version 1.0,” RFC 2246, January 1999 (TXT). |
| [RFC2616] | Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” RFC 2616, June 1999 (TXT, PS, PDF, HTML, XML). |
| [RFC3986] | Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” STD 66, RFC 3986, January 2005 (TXT, HTML, XML). |
| [RFC5246] | Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.2,” RFC 5246, August 2008 (TXT). |
| [RFC5646] | Phillips, A. and M. Davis, “Tags for Identifying Languages,” BCP 47, RFC 5646, September 2009 (TXT). |
| [RFC6125] | Saint-Andre, P. and J. Hodges, “Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS),” RFC 6125, March 2011 (TXT). |
| [RFC6749] | Hardt, D., “The OAuth 2.0 Authorization Framework,” RFC 6749, October 2012 (TXT). |
| [RFC6750] | Jones, M. and D. Hardt, “The OAuth 2.0 Authorization Framework: Bearer Token Usage,” RFC 6750, October 2012 (TXT). |
| [RFC6819] | Lodderstedt, T., McGloin, M., and P. Hunt, “OAuth 2.0 Threat Model and Security Considerations,” RFC 6819, January 2013 (TXT). |
| [W3C.REC-html401-19991224] | Hors, A., Raggett, D., and I. Jacobs, “HTML 4.01 Specification,” World Wide Web Consortium Recommendation REC-html401-19991224, December 1999 (HTML). |
| TOC |
| [CORS] | Opera Software ASA, “Cross-Origin Resource Sharing,” July 2010. |
| TOC |
The OpenID Community would like to thank the following people for the work they've done in the drafting and editing of this specification.
Naveen Agarwal (naa@google.com), Google
Amanda Anganes (aanganes@mitre.org), Mitre
John Bradley (ve7jtb@ve7jtb.com), Ping Identity
Tim Bray (tbray@textuality.com), Google
Brian Campbell (bcampbell@pingidentity.com), Ping Identity
Blaine Cook (romeda@gmail.com), Independent
Breno de Medeiros (breno@gmail.com), Google
Vladimir Dzhuvinov (vladimir@nimbusds.com), Nimbus Directory Services
George Fletcher (gffletch@aol.com), AOL
Roland Hedberg (roland.hedberg@adm.umu.se), University of Umea
Ryo Ito (ryo.ito@mixi.co.jp), mixi, Inc.
Michael B. Jones (mbj@microsoft.com), Microsoft
Torsten Lodderstedt (t.lodderstedt@telecom.de), Deutsche Telekom
Hideki Nara (hdknr@ic-tact.co.jp), Tact Communications
Axel Nennker (axel.nennker@telekom.de), Deutsche Telekom
Justin Richer (jricher@mitre.org), Mitre
Nat Sakimura (n-sakimura@nri.co.jp), Nomura Research Institute, Ltd.
| TOC |
Copyright (c) 2013 The OpenID Foundation.
The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.
| TOC |
[[ To be removed from the final specification ]]
00-
| TOC |
| Nat Sakimura | |
| Nomura Research Institute, Ltd. | |
| Email: | n-sakimura@nri.co.jp |
| John Bradley | |
| Ping Identity | |
| Email: | ve7jtb@ve7jtb.com |
| Michael B. Jones | |
| Microsoft | |
| Email: | mbj@microsoft.com |
| Breno de Medeiros | |
| Email: | breno@google.com |
| Edmund Jay | |
| Illumila | |
| Email: | ejay@mgi1.com |