The IESG has approved the following document:

- 'Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants' (draft-ietf-oauth-rfc7523bis-11.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Christopher Inacio and Deb Cooley.

A URL of this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis/

Technical Summary

This specification updates the requirements for audience values in OAuth 2.0 Client Assertion Authentication and Assertion-Based Authorization Grants. It addresses a security vulnerability in the previous audience-value requirements, which appear in multiple OAuth 2.0 specifications.

Working Group Summary

There was strong support and broad consensus. This draft responds to the vulnerability disclosure documented in this paper: https://eprint.iacr.org/2025/629

Document Quality

JSONLint was used to validate the JSON examples.

Media-type request: https://mailarchive.ietf.org/arch/msg/media-types/WR74LiJR7hW2PVwZI0x74HCxAR4/

No other special reviews were required.

Implementations:
- OAuth4WebAPI: https://github.com/panva/oauth4webapi
- openid-client: https://github.com/panva/openid-client
- HelseID ecosystem
- Duende IdentityServer: https://docs.duendesoftware.com/identityserver/

Personnel

The Document Shepherd for this document is Rifaat Shekh-Yusef. The Responsible Area Director is Deb Cooley.

_______________________________________________
IETF-Announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
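The audience check the Technical Summary refers to, shown as an added example; this is not code from the draft or from any of the listed implementations. It assumes that the authorization server accepts exactly one audience value for itself (here its issuer identifier, AS_ISSUER, an assumption; the published text is normative for which value that is), compared as a single string with an exact match and no normalisation, so an assertion minted for a different server is rejected. HS256 (client_secret_jwt style) is used only so the example runs offline with the standard library; the identifiers and secret are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (assumptions for this example, not from the draft).
AS_ISSUER = "https://as.example.com"                 # the one audience this AS accepts for itself
CLIENT_ID = "s6BhdRkqt3"                             # constructed client identifier
CLIENT_SECRET = b"constructed-shared-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(aud, secret=CLIENT_SECRET, client_id=CLIENT_ID,
                          lifetime=60, now=None) -> str:
    """Build an HS256 client assertion (client_secret_jwt style).
    `aud` is passed through untouched so the validator can be exercised
    with both well-formed and attacker-shaped audience values."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "iat": now, "exp": now + lifetime, "jti": f"{client_id}-{now}"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_client_assertion(token, secret=CLIENT_SECRET, expected_aud=AS_ISSUER,
                              client_id=CLIENT_ID, now=None) -> dict:
    """Return the verified claims, or raise ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))

    # Audience: a single string that equals, byte for byte, the one value this
    # AS accepts for itself. A list is rejected even if it contains the right
    # value, and nothing is normalised (trailing slash, case, path), so an
    # assertion obtained by another server cannot be replayed here.
    aud = claims.get("aud")
    if not isinstance(aud, str):
        raise ValueError("aud must be a single string")
    if aud != expected_aud:
        raise ValueError("aud does not match this authorization server")

    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss/sub do not match the authenticating client")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("assertion expired")
    if "jti" not in claims:
        raise ValueError("jti required for replay detection")
    return claims


def rejection_reason(token, **kwargs):
    """None if the assertion is accepted, otherwise the reason it was rejected."""
    try:
        validate_client_assertion(token, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    cases = {
        "exact issuer identifier": AS_ISSUER,
        "issuer identifier inside a list": [AS_ISSUER],
        "trailing slash": AS_ISSUER + "/",
        "another server's token endpoint": "https://other.example.net/token",
    }
    for label, aud in cases.items():
        print(f"{label:35s} -> {rejection_reason(make_client_assertion(aud, now=now), now=now)}")
```

The validator deliberately has no "accept any of these values" path: one accepted audience, exact match, single string. If a deployment must accept more than one value during a migration, each one should still be matched exactly against a fixed allow-list, never by prefix or by host.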
