A new 
version<https://www.ietf.org/archive/id/draft-ietf-oauth-rfc7523bis-02.html> of 
the Updates to Audience Values for OAuth 2.0 Authorization 
Servers<https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis/> 
specification has been published that incorporates feedback from the OAuth 
working group<https://datatracker.ietf.org/wg/oauth/about/> during IETF 122. I 
look forward to a vigorous and useful discussion of the specification at IETF 
123<https://www.ietf.org/meeting/123/> in Madrid.

This specification updates a set of existing OAuth specifications to address a 
security vulnerability<https://openid.net/notice-of-a-security-vulnerability/> 
identified during formal analysis of a previous version of the OpenID 
Federation<https://openid.net/specs/openid-federation-1_0.html> specification. 
The vulnerability resulted from ambiguities in the treatment of the audience 
values of tokens intended for the authorization server. The updates to these 
specifications close that vulnerability in the affected OAuth specifications - 
especially JWT client authentication in RFC 
7523<https://www.rfc-editor.org/rfc/rfc7523.html>. In parallel, the OpenID 
Foundation has also updated affected OpenID specifications, including OpenID 
Federation<https://openid.net/specs/openid-federation-1_0.html> and FAPI 
2.0<https://openid.net/specs/fapi-security-profile-2_0.html>.

As summarized in the history 
entries<https://www.ietf.org/archive/id/draft-ietf-oauth-rfc7523bis-02.html#name-document-history>, 
the changes in this draft were:

  *   Focused RFC 7523 updates on JWT client authentication case.
  *   Described client responsibilities for the audience value of authorization 
grants. No longer mandate that the audience for authorization grants be the 
issuer identifier, so as to make a minimum of breaking changes.
  *   Deprecated the use of SAML assertions for client authentication.

Finally, Filip Skokan<https://www.linkedin.com/in/filipskokan/> was added as an 
author, in recognition of his significant contributions to the work. Thanks to 
Filip and Brian Campbell<https://www.linkedin.com/in/bcampbell/> for their work 
with me on this specification.

                                                                -- Mike

P.S.  This notice was also posted at https://self-issued.info/?p=2745, 
https://www.linkedin.com/posts/selfissued_updates-to-audience-values-for-oauth-20-activity-7353373233863151616-Tsd-/, 
and https://x.com/selfissued/status/1947605074059915327.
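To make the audience ambiguity concrete, here is an added example (not code from the announcement, the draft, or its authors) contrasting a lax authorization-server check that treats several different strings as "this AS" with a strict check that accepts only the AS issuer identifier for JWT client authentication. The issuer identifier, token endpoint URL and client-assertion claims are constructed values, and the strict policy (exactly one audience value, compared as an exact string) is an assumption about how an AS might implement the update, not a quotation of the draft's normative text.

```python
"""Audience checks an authorization server might apply to an RFC 7523 JWT
client assertion, after signature verification and before any iss/sub/exp/jti
checks (all assumed to happen elsewhere). Constructed example."""

AS_ISSUER = "https://as.example"          # hypothetical AS issuer identifier
TOKEN_ENDPOINT = AS_ISSUER + "/token"     # hypothetical token endpoint URL


def _aud_list(claims):
    """Normalise 'aud': JWT allows a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def lax_audience_ok(claims):
    """Ambiguous check (illustrates the problem): passes if ANY audience value
    equals the issuer, equals the token endpoint, or merely starts with the
    issuer URL. Several distinct strings all count as 'this AS', so an
    assertion minted for some other endpoint or a look-alike value gets in."""
    return any(
        a == AS_ISSUER or a == TOKEN_ENDPOINT or a.startswith(AS_ISSUER)
        for a in _aud_list(claims)
    )


def strict_audience_ok(claims):
    """Unambiguous check (assumed policy): exactly one audience value, and it
    must equal the AS issuer identifier as an exact string. No prefix match,
    no alternative endpoint URLs, no multi-valued 'aud' naming other parties."""
    aud = _aud_list(claims)
    return len(aud) == 1 and isinstance(aud[0], str) and aud[0] == AS_ISSUER


# Constructed client-assertion payloads, as seen after signature verification.
GOOD = {"iss": "client-1", "sub": "client-1", "aud": AS_ISSUER}
ENDPOINT_AUD = {"iss": "client-1", "sub": "client-1", "aud": TOKEN_ENDPOINT}
MULTI_AUD = {"iss": "client-1", "sub": "client-1",
             "aud": [AS_ISSUER, "https://other-as.example"]}
LOOKALIKE = {"iss": "client-1", "sub": "client-1",
             "aud": AS_ISSUER + ".lookalike.invalid"}


def compare_checks():
    """Return {name: (lax_verdict, strict_verdict)}; only GOOD passes both."""
    samples = {"good": GOOD, "endpoint": ENDPOINT_AUD,
               "multi": MULTI_AUD, "lookalike": LOOKALIKE}
    return {k: (lax_audience_ok(v), strict_audience_ok(v))
            for k, v in samples.items()}
```

Running `compare_checks()` shows the three ambiguous payloads accepted by the lax check and rejected by the strict one, which is the gap the audience updates are meant to close.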

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org