IETF-88 Proceedings

Introduction  |  Area, Working Goup & BoF Reports  |  Plenaries  |  Training  |  Internet Research Task Force

Web Authorization Protocol (oauth) (WG)

Minutes   |   Audio Archives  |   Jabber Logs  |   Mailing List Archives

Additional information is available at tools.ietf.org/wg/oauth

Chair(s): Hannes Tschofenig Derek Atkins Security Area Area Director(s): Stephen Farrell Sean Turner Security Area Advisor Stephen Farrell Technical Advisor(s) Peter Saint-Andre

Meeting Slides:

• Agenda Slides
• Proof of Possession
• ActsOn-OnBehalfOf
• Registration Proposal

Blue Sheets:

• bluesheets-88-oauth-01.pdf

Internet-Drafts:

• OAuth 2.0 Message Authentication Code (MAC) Tokens (81130 bytes)
• OAuth 2.0 Dynamic Client Registration Protocol (87745 bytes)
• Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (50370 bytes)
• JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (28270 bytes)
• SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (42351 bytes)
• JSON Web Token (JWT) (61242 bytes)

Request for Comments:

• The OAuth 2.0 Authorization Framework (RFC 6749) (163498 bytes) obsoletes rfc5849
• The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750) (38949 bytes)
• An IETF URN Sub-Namespace for OAuth (RFC 6755) (8336 bytes)
• OAuth 2.0 Threat Model and Security Considerations (RFC 6819) (158332 bytes)
• OAuth 2.0 Token Revocation (RFC 7009) (23517 bytes)

Charter (as of 2009-05-12):

The Web Authorization (OAuth) protocol allows a user to grant a
third-party Web site or application access to the user's protected
resources, without necessarily revealing their long-term credentials,
or even their identity. For example, a photo-sharing site that
supports OAuth could allow its users to use a third-party printing Web
site to print their private pictures, without allowing the printing
site to gain full control of the user's account and without having the
user share his or her photo-sharing sites' long-term credential with
the printing site.

The OAuth protocol suite encompasses

* a procedure for allowing a client to discover an authorization
server,
* a protocol for obtaining authorization tokens from an authorization
server with the resource owner's consent,
* protocols for presenting these authorization tokens to protected
resources for access to a resource, and
* consequently for sharing data in a security and privacy respective
way.

The working group also developed security schemes for presenting
authorization tokens to access a protected resource. This led to the
publication of the bearer token, as well as work that remains to be
completed on message authentication code (MAC) access authentication
and SAML assertions to interwork with existing identity management
solutions. The working group will complete those remaining documents,
and will also complete documentation of the OAuth threat model that
was started under the previous charter.

The ongoing standardization effort within the OAuth working group will
focus on enhancing interoperability of OAuth deployments. A standard
for a token revocation service, which can be separated from the
existing web tokens to the token repertoire will enable wider
deployment of OAuth. Extended documentation of OAuth use cases will
enhance the understanding of the OAuth framework and provide
assistance to implementors. And dynamic client registration will make
it easier to broadly deploy OAuth clients (performing services to
users).

Home - Tools Team - Datatracker - Web Site Usage Statistics - IASA - IAB - RFC Editor - IANA - IRTF - IETF Trust - ISOC - Store - Contact Us
Secretariat services provided by Association Management Solutions, LLC (AMS).
Please send problem reports to: ietf-action@ietf.org.