| < draft-ietf-oauth-device-flow-04.txt | draft-ietf-oauth-device-flow-05.txt > | |||
|---|---|---|---|---|
| OAuth W. Denniss | OAuth W. Denniss | |||
| Internet-Draft Google | Internet-Draft Google | |||
| Intended status: Standards Track J. Bradley | Intended status: Standards Track J. Bradley | |||
| Expires: August 31, 2017 Ping Identity | Expires: September 14, 2017 Ping Identity | |||
| M. Jones | M. Jones | |||
| Microsoft | Microsoft | |||
| H. Tschofenig | H. Tschofenig | |||
| ARM Limited | ARM Limited | |||
| February 27, 2017 | March 13, 2017 | |||
| OAuth 2.0 Device Flow for Browserless and Input Constrained Devices | OAuth 2.0 Device Flow for Browserless and Input Constrained Devices | |||
| draft-ietf-oauth-device-flow-04 | draft-ietf-oauth-device-flow-05 | |||
| Abstract | Abstract | |||
| This OAuth 2.0 authorization flow for browserless and input | This OAuth 2.0 authorization flow for browserless and input | |||
| constrained devices, often referred to as the device flow, enables | constrained devices, often referred to as the device flow, enables | |||
| OAuth clients to request user authorization from devices that have an | OAuth clients to request user authorization from devices that have an | |||
| Internet connection, but don't have an easy input method (such as a | Internet connection, but don't have an easy input method (such as a | |||
| smart TV, media console, picture frame, or printer), or lack a | smart TV, media console, picture frame, or printer), or lack a | |||
| suitable browser for a more traditional OAuth flow. This | suitable browser for a more traditional OAuth flow. This | |||
| authorization flow instructs the user to perform the authorization | authorization flow instructs the user to perform the authorization | |||
| skipping to change at page 1, line 44 ¶ | skipping to change at page 1, line 44 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 31, 2017. | This Internet-Draft will expire on September 14, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 28 ¶ | skipping to change at page 2, line 28 ¶ | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Device Authorization Request . . . . . . . . . . . . . . 5 | 3.1. Device Authorization Request . . . . . . . . . . . . . . 5 | |||
| 3.2. Device Authorization Response . . . . . . . . . . . . . . 6 | 3.2. Device Authorization Response . . . . . . . . . . . . . . 6 | |||
| 3.3. User Instruction . . . . . . . . . . . . . . . . . . . . 7 | 3.3. User Instruction . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.4. Device Access Token Request . . . . . . . . . . . . . . . 7 | 3.4. Device Access Token Request . . . . . . . . . . . . . . . 8 | |||
| 3.5. Device Access Token Response . . . . . . . . . . . . . . 8 | 3.5. Device Access Token Response . . . . . . . . . . . . . . 9 | |||
| 4. Discovery Metadata . . . . . . . . . . . . . . . . . . . . . 9 | 4. Discovery Metadata . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.1. User Code Brute Forcing . . . . . . . . . . . . . . . . . 10 | 5.1. User Code Brute Forcing . . . . . . . . . . . . . . . . . 10 | |||
| 5.2. Device Trustworthiness . . . . . . . . . . . . . . . . . 10 | 5.2. Device Trustworthiness . . . . . . . . . . . . . . . . . 10 | |||
| 5.3. Remote Phishing . . . . . . . . . . . . . . . . . . . . . 10 | 5.3. Remote Phishing . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.4. Non-confidential Clients . . . . . . . . . . . . . . . . 10 | 5.4. Non-confidential Clients . . . . . . . . . . . . . . . . 11 | |||
| 5.5. Non-Visual Code Transmission . . . . . . . . . . . . . . 10 | 5.5. Non-Visual Code Transmission . . . . . . . . . . . . . . 11 | |||
| 6. Usability Considerations . . . . . . . . . . . . . . . . . . 11 | 6. Usability Considerations . . . . . . . . . . . . . . . . . . 11 | |||
| 6.1. User Code Recommendations . . . . . . . . . . . . . . . . 11 | 6.1. User Code Recommendations . . . . . . . . . . . . . . . . 11 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 6.2. Non-Browser User Interaction . . . . . . . . . . . . . . 12 | |||
| 7.1. OAuth URI Registration . . . . . . . . . . . . . . . . . 11 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 7.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 11 | 7.1. OAuth URI Registration . . . . . . . . . . . . . . . . . 12 | |||
| 7.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 12 | ||||
| 7.2. OAuth Extensions Error Registration . . . . . . . . . . . 12 | 7.2. OAuth Extensions Error Registration . . . . . . . . . . . 12 | |||
| 7.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 12 | 7.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 12 | |||
| 7.3. OAuth 2.0 Authorization Server Metadata . . . . . . . . . 12 | 7.3. OAuth 2.0 Authorization Server Metadata . . . . . . . . . 13 | |||
| 7.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 12 | 7.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 13 | |||
| 8. Normative References . . . . . . . . . . . . . . . . . . . . 12 | 8. Normative References . . . . . . . . . . . . . . . . . . . . 13 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 13 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 14 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 13 | Appendix B. Document History . . . . . . . . . . . . . . . . . . 14 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 1. Introduction | 1. Introduction | |||
| This OAuth 2.0 protocol flow for browserless and input constrained | This OAuth 2.0 protocol flow for browserless and input constrained | |||
| devices, often referred to as the device flow, enables OAuth clients | devices, often referred to as the device flow, enables OAuth clients | |||
| to request user authorization from devices that have an internet | to request user authorization from devices that have an internet | |||
| connection, but don't have an easy input method (such as a smart TV, | connection, but don't have an easy input method (such as a smart TV, | |||
| media console, picture frame, or printer), or lack a suitable browser | media console, picture frame, or printer), or lack a suitable browser | |||
| for a more traditional OAuth flow. This authorization flow instructs | for a more traditional OAuth flow. This authorization flow instructs | |||
| the user to perform the authorization request on a secondary device, | the user to perform the authorization request on a secondary device, | |||
| skipping to change at page 5, line 22 ¶ | skipping to change at page 5, line 22 ¶ | |||
| validates the verification code provided by the client and | validates the verification code provided by the client and | |||
| responds back with the access token. | responds back with the access token. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| [RFC2119]. | [RFC2119]. | |||
| Device Endpoint: | Device Authorization Endpoint: | |||
| The authorization server's endpoint capable of issuing | The authorization server's endpoint capable of issuing device | |||
| verification codes, user codes, and verification URLs. | verification codes, user codes, and verification URLs. | |||
| Device Verification Code: | Device Verification Code: | |||
| A short-lived token representing an authorization session. | A short-lived token representing an authorization session. | |||
| End-User Verification Code: | End-User Verification Code: | |||
| A short-lived token which the device displays to the end user, is | A short-lived token which the device displays to the end user, is | |||
| entered by the end-user on the authorization server, and is thus | entered by the end-user on the authorization server, and is thus | |||
| used to bind the device to the end-user. | used to bind the device to the end-user. | |||
| 3. Protocol | 3. Protocol | |||
| 3.1. Device Authorization Request | 3.1. Device Authorization Request | |||
| The client initiates the flow by requesting a set of verification | The client initiates the flow by requesting a set of verification | |||
| codes from the authorization server by making an HTTP "POST" request | codes from the authorization server by making an HTTP "POST" request | |||
| to the device endpoint. The client constructs a request URI by | to the device authorization endpoint. The client constructs the | |||
| adding the following parameters to the request: | request with the following parameters, encoded with the "application/ | |||
| x-www-form-urlencoded" content type: | ||||
| response_type | ||||
| REQUIRED. The parameter value MUST be set to "device_code". | ||||
| client_id | client_id | |||
| REQUIRED. The client identifier as described in Section 2.2 of | REQUIRED. The client identifier as described in Section 2.2 of | |||
| [RFC6749]. | [RFC6749]. | |||
| scope | scope | |||
| OPTIONAL. The scope of the access request as described by | OPTIONAL. The scope of the access request as described by | |||
| Section 3.3 of [RFC6749]. | Section 3.3 of [RFC6749]. | |||
| For example, the client makes the following HTTPS request (line | For example, the client makes the following HTTPS request (line | |||
| breaks are for display purposes only): | breaks are for display purposes only): | |||
| POST /token HTTP/1.1 | POST /device_authorization HTTP/1.1 | |||
| Host: server.example.com | Host: server.example.com | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| response_type=device_code&client_id=459691054427 | client_id=459691054427 | |||
| Parameters sent without a value MUST be treated as if they were | ||||
| omitted from the request. The authorization server MUST ignore | ||||
| unrecognized request parameters. Request and response parameters | ||||
| MUST NOT be included more than once. | ||||
| 3.2. Device Authorization Response | 3.2. Device Authorization Response | |||
| In response, the authorization server generates a verification code | In response, the authorization server generates a device verification | |||
| and an end-user code and includes them in the HTTP response body | code and an end-user code that are valid for a limited time, and | |||
| using the "application/json" format with a 200 (OK) status code. The | includes them in the HTTP response body using the "application/json" | |||
| response contains the following parameters: | format with a 200 (OK) status code. The response contains the | |||
| following parameters: | ||||
| device_code | device_code | |||
| REQUIRED. The verification code. | REQUIRED. The device verification code. | |||
| user_code | user_code | |||
| REQUIRED. The end-user verification code. | REQUIRED. The end-user verification code. | |||
| verification_uri | verification_uri | |||
| REQUIRED. The end-user verification URI on the authorization | REQUIRED. The end-user verification URI on the authorization | |||
| server. The URI should be short and easy to remember as end- | server. The URI should be short and easy to remember as end- | |||
| users will be asked to manually type it into their user-agent. | users will be asked to manually type it into their user-agent. | |||
| expires_in | expires_in | |||
| OPTIONAL. The duration in seconds of the verification code | OPTIONAL. The lifetime in seconds of the "device_code" and | |||
| lifetime. | "user_code". | |||
| interval | interval | |||
| OPTIONAL. The minimum amount of time in seconds that the client | OPTIONAL. The minimum amount of time in seconds that the client | |||
| SHOULD wait between polling requests to the token endpoint. | SHOULD wait between polling requests to the token endpoint. | |||
| For example: | For example: | |||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| skipping to change at page 7, line 21 ¶ | skipping to change at page 7, line 33 ¶ | |||
| on their mobile phone), and enter the user code. | on their mobile phone), and enter the user code. | |||
| The end-user navigates to the "verification_uri" and authenticates | The end-user navigates to the "verification_uri" and authenticates | |||
| with the authorization server. The authorization server prompts the | with the authorization server. The authorization server prompts the | |||
| end-user to identify the device authorization session by entering the | end-user to identify the device authorization session by entering the | |||
| "user_code" provided by the client. The authorization server should | "user_code" provided by the client. The authorization server should | |||
| then inform the user about the action they are undertaking, and ask | then inform the user about the action they are undertaking, and ask | |||
| them to approve or deny the request. Once the user interaction is | them to approve or deny the request. Once the user interaction is | |||
| complete, the server informs the user to return to their device. | complete, the server informs the user to return to their device. | |||
| During this user interaction, the device continuously polls the token | Clients MAY additionally present the verification URI in a non- | |||
| textual manner using any method that results in a the browser being | ||||
| opened with the URI, like QR codes, or NFC, to save the user typing | ||||
| the URI. For such shortcuts, the client MAY include the user code | ||||
| with the parameter "user_code" on the verification URI, as a hint for | ||||
| the authorization server. The server MAY accept this hint, and skip | ||||
| the user code input step, however the client MUST still display the | ||||
| user code, as the server MAY also ignore the hint or require visual | ||||
| confirmation. Clients SHOULD still display the unmodified | ||||
| verification URI for users not able to use such a shortcut. | ||||
| During the user interaction, the device continuously polls the token | ||||
| endpoint with the "device_code", as detailed in Section 3.4, until | endpoint with the "device_code", as detailed in Section 3.4, until | |||
| the user completes the interaction, the code expires, or another | the user completes the interaction, the code expires, or another | |||
| error occurs. | error occurs. | |||
| Authorization servers supporting this specification MUST implement a | Authorization servers supporting this specification MUST implement a | |||
| user interaction sequence that starts with the user navigating to | user interaction sequence that starts with the user navigating to | |||
| "verification_uri" and continues with them supplying the "user_code" | "verification_uri" and continues with them supplying the "user_code" | |||
| at some stage during the interaction. Other than that, the exact | at some stage during the interaction. Other than that, the exact | |||
| sequence and implementation of the user interaction is up to the | sequence and implementation of the user interaction is up to the | |||
| authorization server, and is out of scope of this specification. | authorization server, and is out of scope of this specification. | |||
| Devices and authorization servers MAY negotiate an alternative code | ||||
| transmission and user interaction method in addition to the one | ||||
| described here. Such an alternative user interaction flow could | ||||
| obviate the need for a browser and manual input of the code, for | ||||
| example, by using Bluetooth to transmit the code to the authorization | ||||
| server's companion app. Such interaction methods can utilize this | ||||
| protocol, as ultimately, the user just needs to identify the | ||||
| authorization session to the authorization server, however user | ||||
| interaction other than via the "verification_uri" is outside the | ||||
| scope of this specification. | ||||
| 3.4. Device Access Token Request | 3.4. Device Access Token Request | |||
| After displaying instructions to the user, the client makes an Access | After displaying instructions to the user, the client makes an Access | |||
| Token Request to the token endpoint with a "grant_type" of | Token Request to the token endpoint with a "grant_type" of | |||
| "urn:ietf:params:oauth:grant-type:device_code". This is an extension | "urn:ietf:params:oauth:grant-type:device_code". This is an extension | |||
| grant type (as defined by Section 4.5 of [RFC6749]) with the | grant type (as defined by Section 4.5 of [RFC6749]) with the | |||
| following parameters: | following parameters: | |||
| grant_type | grant_type | |||
| REQUIRED. Value MUST be set to "urn:ietf:params:oauth:grant- | REQUIRED. Value MUST be set to "urn:ietf:params:oauth:grant- | |||
| skipping to change at page 9, line 23 ¶ | skipping to change at page 9, line 36 ¶ | |||
| Device Authorization Request. | Device Authorization Request. | |||
| The error codes "authorization_pending" and "slow_down" are | The error codes "authorization_pending" and "slow_down" are | |||
| considered soft errors. The client should continue to poll the token | considered soft errors. The client should continue to poll the token | |||
| endpoint by repeating the Device Token Request (Section 3.4) when | endpoint by repeating the Device Token Request (Section 3.4) when | |||
| receiving soft errors, increasing the time between polls if a | receiving soft errors, increasing the time between polls if a | |||
| "slow_down" error is received. Other error codes are considered hard | "slow_down" error is received. Other error codes are considered hard | |||
| errors; the client should stop polling and react accordingly, for | errors; the client should stop polling and react accordingly, for | |||
| example, by displaying an error to the user. | example, by displaying an error to the user. | |||
| If the verification codes have expired, the server SHOULD respond | ||||
| with the standard OAuth error "invalid_grant". Clients MAY then | ||||
| choose to start a new device authorization session. | ||||
| The interval at which the client polls MUST NOT be more frequent than | The interval at which the client polls MUST NOT be more frequent than | |||
| the "interval" parameter returned in the Device Authorization | the "interval" parameter returned in the Device Authorization | |||
| Response (see Section 3.2). | Response (see Section 3.2). | |||
| The assumption of this specification is that the secondary device the | The assumption of this specification is that the secondary device the | |||
| user is authorizing the request on does not have a way to communicate | user is authorizing the request on does not have a way to communicate | |||
| back to the OAuth client. Only a one-way channel is required to make | back to the OAuth client. Only a one-way channel is required to make | |||
| this flow useful in many scenarios. For example, an HTML application | this flow useful in many scenarios. For example, an HTML application | |||
| on a TV that can only make outbound requests. If a return channel | on a TV that can only make outbound requests. If a return channel | |||
| were to exist for the chosen user interaction interface, then the | were to exist for the chosen user interaction interface, then the | |||
| skipping to change at page 11, line 27 ¶ | skipping to change at page 11, line 41 ¶ | |||
| For many users, their nearest Internet-connected device will be their | For many users, their nearest Internet-connected device will be their | |||
| mobile phone, and typically these devices offer input methods that | mobile phone, and typically these devices offer input methods that | |||
| are more time consuming than a computer keyboard to change the case | are more time consuming than a computer keyboard to change the case | |||
| or input numbers. To improve usability (improving entry speed, and | or input numbers. To improve usability (improving entry speed, and | |||
| reducing retries), these limitations should be taken into account | reducing retries), these limitations should be taken into account | |||
| when selecting the user-code character set. | when selecting the user-code character set. | |||
| One way to improve input speed is to restrict the character set to | One way to improve input speed is to restrict the character set to | |||
| case-insensitive A-Z characters, with no digits. These characters | case-insensitive A-Z characters, with no digits. These characters | |||
| can typically be entered on a mobile keyboard without using modifier | can typically be entered on a mobile keyboard without using modifier | |||
| keys. Further removing the I and O characters due to potential | keys. Further removing vowels to avoid randomly creation valid words | |||
| confusion with numbers results in the base-24 character set: | results in the base-20 character set: "BCDFGHJKLMNPQRSTVWXZ". Dashes | |||
| "ABCDEFGHJKLMNPQRSTUVWXYZ". Dashes or other punctuation may be | or other punctuation may be included for readability. | |||
| included for readability. | ||||
| An example user code following this guideline, with 24^8 bits of | An example user code following this guideline, with an entropy of | |||
| entropy, is "WDJB-MJHT". | 20^8, is "WDJB-MJHT". | |||
| The server should ignore any characters like punctuation that are not | The server should ignore any characters like punctuation that are not | |||
| in the user-code character set. Provided that the character set | in the user-code character set. Provided that the character set | |||
| doesn't include characters of different case, the comparison should | doesn't include characters of different case, the comparison should | |||
| be case insensitive. | be case insensitive. | |||
| 6.2. Non-Browser User Interaction | ||||
| Devices and authorization servers MAY negotiate an alternative code | ||||
| transmission and user interaction method in addition to the one | ||||
| described in Section 3.3. Such an alternative user interaction flow | ||||
| could obviate the need for a browser and manual input of the code, | ||||
| for example, by using Bluetooth to transmit the code to the | ||||
| authorization server's companion app. Such interaction methods can | ||||
| utilize this protocol, as ultimately, the user just needs to identify | ||||
| the authorization session to the authorization server; however, user | ||||
| interaction other than via the "verification_uri" is outside the | ||||
| scope of this specification. | ||||
| 7. IANA Considerations | 7. IANA Considerations | |||
| 7.1. OAuth URI Registration | 7.1. OAuth URI Registration | |||
| This specification registers the following values in the IANA "OAuth | This specification registers the following values in the IANA "OAuth | |||
| URI" registry [IANA.OAuth.Parameters] established by [RFC6755]. | URI" registry [IANA.OAuth.Parameters] established by [RFC6755]. | |||
| 7.1.1. Registry Contents | 7.1.1. Registry Contents | |||
| o URN: urn:ietf:params:oauth:grant-type:device_code | o URN: urn:ietf:params:oauth:grant-type:device_code | |||
| skipping to change at page 13, line 46 ¶ | skipping to change at page 14, line 24 ¶ | |||
| that document was initially part of the OAuth 2.0 protocol | that document was initially part of the OAuth 2.0 protocol | |||
| specification but was later removed due to the lack of sufficient | specification but was later removed due to the lack of sufficient | |||
| deployment expertise at that time. We would therefore also like to | deployment expertise at that time. We would therefore also like to | |||
| thank the OAuth working group for their work on the initial content | thank the OAuth working group for their work on the initial content | |||
| of this specification through 2010. | of this specification through 2010. | |||
| The following individuals contributed ideas, feedback, and wording | The following individuals contributed ideas, feedback, and wording | |||
| that shaped and formed the final specification: | that shaped and formed the final specification: | |||
| Roshni Chandrashekhar, Marius Scurtescu, Breno de Medeiros, Stein | Roshni Chandrashekhar, Marius Scurtescu, Breno de Medeiros, Stein | |||
| Myrseth, and Simon Moffatt. | Myrseth, Simon Moffatt, Brian Campbell, James Manger, and Justin | |||
| Richer. | ||||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| -05 | ||||
| o response_type parameter removed from authorization request. | ||||
| o Added option for clients to include the user_code on the | ||||
| verification URI. | ||||
| o Clarified token expiry, and other nits. | ||||
| -04 | -04 | |||
| o Security & Usability sections. OAuth Discovery Metadata. | o Security & Usability sections. OAuth Discovery Metadata. | |||
| -03 | -03 | |||
| o device_code is now a URN. Added IANA Considerations | o device_code is now a URN. Added IANA Considerations | |||
| -02 | -02 | |||
| o Added token request & response specification. | o Added token request & response specification. | |||
| End of changes. 24 change blocks. | ||||
| 54 lines changed or deleted | 84 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||