Document: draft-ietf-oauth-rfc7523bis
Title: Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants
Reviewer: Luigi Iannone
Review result: Has Issues
Hi,

I have been selected as the Operational Directorate (opsdir) reviewer for this Internet-Draft. The Operational Directorate reviews all operational and management-related Internet-Drafts to ensure alignment with operational best practices and that adequate operational considerations are covered. A complete set of _"Guidelines for Considering Operations and Management in IETF Specifications"_ can be found at https://datatracker.ietf.org/doc/draft-ietf-opsawg-rfc5706bis/.

While these comments are primarily for the Operations and Management Area Directors (Ops ADs), the authors should consider them alongside other feedback received.

- Document: draft-ietf-oauth-rfc7523bis-07
- Reviewer: Luigi Iannone
- Review Date: 15 April 2026
- Intended Status: Standards Track

---

## Summary

- Has Issues: I have some minor concerns about this document that I think should be resolved before publication.

## General Operational Comments

### Alignment with RFC 5706bis

This document is basically a security fix for RFC 7521, RFC 7522, RFC 7523 and RFC 9126, all of which are updated by this document. In particular, it fixes ambiguities in the audience values in tokens sent from a client to an authorization server. Besides the specifications themselves, there are clear operational consequences, and while RFC 7521, RFC 7522 and RFC 7523 each have an "Interoperability Considerations" section, this document (at revision -07) does not discuss operational aspects at all.

## Major Issues

I suggest (in accordance with RFC 5706bis, see the link above) adding an "Operational Considerations" section covering the following missing points:

- Interoperability aspects: discuss any interoperability aspect that changes (or does not change) with respect to the RFCs that are updated.
- Migration path: how to make sure that both client and server support this document? What happens if that is not the case (one end supports this document but the other end does not)?
- Any change in the management aspects (parameter agreement)? Is there any operational change that needs to be explicitly stated?

---

## Minor Issues

In the IANA section it is requested to register a new media type, but the document does not explicitly state where and when to use such a media type. Please add a short description with references to the relevant RFCs.
