Mapping the Future of OAuth: Insights from the IETF WG

  • Michel Bonfim UFC
  • Marcelo Santos IFSertãoPE
  • Julião Braga UFABC

Abstract

This paper provides a systematic overview and in-depth analysis of the key active Internet-Drafts within the Internet Engineering Task Force (IETF) OAuth Working Group (WG). By focusing on proposals that have achieved consensus (WG Call for Adoption), we identify the core trends shaping the future of the OAuth 2.0 protocol, with a strong emphasis on security enhancements, user privacy, and granular authorization.

Published

19/12/2025

BONFIM, Michel; SANTOS, Marcelo; BRAGA, Julião. Mapping the Future of OAuth: Insights from the IETF WG. In: WORKSHOP PRÉ-IETF (WPIETF), 10., 2025, São Paulo/SP. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 43-56. ISSN 2595-6388. DOI: https://doi.org/10.5753/wpietf.2025.17697.