Protocol Action: 'The OAuth 2.0 Authorization Framework: Bearer Token Usage' to Proposed Standard (draft-ietf-oauth-v2-bearer-23.txt)

The IESG <iesg-secretary@ietf.org> Thu, 02 August 2012 00:10 UTC

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Subject: Protocol Action: 'The OAuth 2.0 Authorization Framework: Bearer Token Usage' to Proposed Standard (draft-ietf-oauth-v2-bearer-23.txt)
Date: Wed, 01 Aug 2012 17:10:02 -0700
Cc: oauth chair <oauth-chairs@tools.ietf.org>, oauth mailing list <oauth@ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>

The IESG has approved the following document:
- 'The OAuth 2.0 Authorization Framework: Bearer Token Usage'
  (draft-ietf-oauth-v2-bearer-23.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working
Group.

The IESG contact persons are Stephen Farrell and Sean Turner.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-oauth-v2-bearer/
Technical Summary

  This specification describes how to use bearer tokens in HTTP
  requests to access OAuth 2.0 protected resources.  Any party in
  possession of a bearer token (a "bearer") can use it to get access to
  granted resources (without demonstrating possession of a
  cryptographic key).  To prevent misuse, the bearer token MUST be
  protected from disclosure in storage and in transport.

Working Group Summary

  The working group decided to develop two types of mechanism for
  a client to access a protected resource. This document specifies
  the first (bearer tokens); the second is being developed in
  draft-ietf-oauth-v2-http-mac. The two specifications offer different
  security properties so that deployments can meet their specific needs.

Document Quality

  This specification is implemented, deployed and used by Microsoft
  Access Control Service (ACS), Google Apps, Facebook Connect and the
  Graph API, Salesforce, Mitre, and many others.

  Source code is available as well, for example:
  http://static.springsource.org/spring-security/oauth/
  http://incubator.apache.org/projects/amber.html
  https://github.com/nov/rack-oauth2
  + many more, including those listed at
  https://github.com/teohm/teohm.github.com/wiki/OAuth

Personnel

  Hannes Tschofenig is the document shepherd.
  Stephen Farrell is the responsible AD.

RFC Editor Note

1) Please replace text in section 2.1 as follows:

OLD:

   The "Authorization" header field uses the framework defined by
   HTTP/1.1 [RFC2617] as follows:

NEW:

   The syntax of the "Authorization" header field for this scheme follows
   the usage of the Basic scheme defined in Section 2 of [RFC2617]. Note
   that, as with Basic, it does not conform to the generic syntax defined
   in Section 1.2 of [RFC2617], but that it is compatible with the
   general authentication framework being developed for HTTP 1.1
   [I-D.ietf-httpbis-p7-auth], although it does not follow the preferred
   practice outlined therein in order to reflect existing deployments.
   The syntax for Bearer credentials is as follows:

2) Please add the informative reference needed by the text above to
Section 7.2, pointing to this Internet-Draft:

   http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth
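To make the point of item 1 concrete (Bearer credentials follow the Basic-style "scheme SP token" form, not the generic "scheme auth-param" syntax of RFC 2617 Section 1.2), here is an added example that is not part of this announcement or of the draft: a resource-server-side parser for the Bearer form beside a parser for the generic form, showing how the latter misreads a padded token. The b64token grammar is assumed from the published RFC 6750 (it is cut off on this page) and the sample token is constructed.

```python
import re

# Bearer credentials as published in RFC 6750 Section 2.1 (assumed; the
# ABNF is not reproduced on this page):
#   credentials = "Bearer" 1*SP b64token
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def parse_bearer(authorization: str):
    """Return the token from a Bearer Authorization header value, or None
    if the value is not well-formed Bearer credentials (reject, don't guess)."""
    scheme, sep, rest = authorization.strip().partition(" ")
    # Scheme names are case-insensitive; 1*SP means at least one space follows.
    if scheme.lower() != "bearer" or not sep:
        return None
    token = rest.strip()
    if not B64TOKEN.fullmatch(token):
        return None  # spaces, commas or '=' in the middle are not a b64token
    return token


def parse_generic_auth_params(authorization: str):
    """Parse the *generic* RFC 2617 Section 1.2 form:
    scheme 1*SP #auth-param with auth-param = token "=" ( token | quoted-string ).
    Included only to show that Bearer credentials do not fit this grammar."""
    scheme, _, rest = authorization.strip().partition(" ")
    params = {}
    for item in filter(None, (p.strip() for p in rest.split(","))):
        name, eq, value = item.partition("=")
        if not eq or not name:
            return None  # a bare token is not an auth-param
        params[name] = value.strip('"')
    return scheme, params


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for hdr in ("Bearer mF_9.B5f-4.1JqM", "Bearer mF_9.B5f-4.1JqM=="):
        # Bearer parser: the token; generic parser: None or a bogus name/value pair
        print(hdr, "->", parse_bearer(hdr), "|", parse_generic_auth_params(hdr))
```

A padded token such as `mF_9.B5f-4.1JqM==` is read by the generic parser as a parameter named `mF_9.B5f-4.1JqM` with value `=`, which is why the scheme is described as following Basic rather than the generic syntax.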