< draft-ietf-oauth-device-flow-10.txt		draft-ietf-oauth-device-flow-11.txt >
	OAuth W. Denniss		OAuth W. Denniss
	Internet-Draft Google		Internet-Draft Google
	Intended status: Standards Track J. Bradley		Intended status: Standards Track J. Bradley
	Expires: December 3, 2018 Ping Identity		Expires: January 18, 2019 Ping Identity
	M. Jones		M. Jones
	Microsoft		Microsoft
	H. Tschofenig		H. Tschofenig
	ARM Limited		ARM Limited
	June 01, 2018		July 17, 2018
	OAuth 2.0 Device Flow for Browserless and Input Constrained Devices		OAuth 2.0 Device Flow for Browserless and Input Constrained Devices
	draft-ietf-oauth-device-flow-10		draft-ietf-oauth-device-flow-11
	Abstract		Abstract
	This OAuth 2.0 authorization flow for browserless and input		This OAuth 2.0 authorization flow for browserless and input
	constrained devices, often referred to as the device flow, enables		constrained devices, often referred to as the device flow, enables
	OAuth clients to request user authorization from devices that have an		OAuth clients to request user authorization from devices that have an
	Internet connection, but don't have an easy input method (such as a		Internet connection, but don't have an easy input method (such as a
	smart TV, media console, picture frame, or printer), or lack a		smart TV, media console, picture frame, or printer), or lack a
	suitable browser for a more traditional OAuth flow. This		suitable browser for a more traditional OAuth flow. This
	authorization flow instructs the user to perform the authorization		authorization flow instructs the user to perform the authorization
	skipping to change at page 1, line 44 ¶		skipping to change at page 1, line 44 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.		Drafts is at https://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on December 3, 2018.		This Internet-Draft will expire on January 18, 2019.
	Copyright Notice		Copyright Notice
	Copyright (c) 2018 IETF Trust and the persons identified as the		Copyright (c) 2018 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of		(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 11, line 13 ¶		skipping to change at page 11, line 13 ¶
	this flow useful in many scenarios. For example, an HTML application		this flow useful in many scenarios. For example, an HTML application
	on a TV that can only make outbound requests. If a return channel		on a TV that can only make outbound requests. If a return channel
	were to exist for the chosen user interaction interface, then the		were to exist for the chosen user interaction interface, then the
	device MAY wait until notified on that channel that the user has		device MAY wait until notified on that channel that the user has
	completed the action before initiating the token request. Such		completed the action before initiating the token request. Such
	behavior is, however, outside the scope of this specification.		behavior is, however, outside the scope of this specification.
	4. Discovery Metadata		4. Discovery Metadata
	Support for the device flow MAY be declared in the OAuth 2.0		Support for the device flow MAY be declared in the OAuth 2.0
	Authorization Server Metadata [I-D.ietf-oauth-discovery] with the		Authorization Server Metadata [RFC8414] with the following metadata:
	following metadata:
	device_authorization_endpoint		device_authorization_endpoint
	OPTIONAL. URL of the authorization server's device authorization		OPTIONAL. URL of the authorization server's device authorization
	endpoint defined in Section 3.1.		endpoint defined in Section 3.1.
	5. Security Considerations		5. Security Considerations
	5.1. User Code Brute Forcing		5.1. User Code Brute Forcing
	Since the user code is typed by the user, shorter codes are more		Since the user code is typed by the user, shorter codes are more
	skipping to change at page 15, line 41 ¶		skipping to change at page 15, line 41 ¶
	o Error name: expired_token		o Error name: expired_token
	o Error usage location: Token endpoint response		o Error usage location: Token endpoint response
	o Related protocol extension: [[ this specification ]]		o Related protocol extension: [[ this specification ]]
	o Change controller: IETF		o Change controller: IETF
	o Specification Document: Section 3.5 of [[ this specification ]]		o Specification Document: Section 3.5 of [[ this specification ]]
	7.3. OAuth 2.0 Authorization Server Metadata		7.3. OAuth 2.0 Authorization Server Metadata
	This specification registers the following values in the IANA "OAuth		This specification registers the following values in the IANA "OAuth
	2.0 Authorization Server Metadata" registry [IANA.OAuth.Parameters]		2.0 Authorization Server Metadata" registry [IANA.OAuth.Parameters]
	established by [I-D.ietf-oauth-discovery].		established by [RFC8414].
	7.3.1. Registry Contents		7.3.1. Registry Contents
	o Metadata name: device_authorization_endpoint		o Metadata name: device_authorization_endpoint
	o Metadata Description: The Device Authorization Endpoint.		o Metadata Description: The Device Authorization Endpoint.
	o Change controller: IESG		o Change controller: IESG
	o Specification Document: Section 4 of [[ this specification ]]		o Specification Document: Section 4 of [[ this specification ]]
	8. Normative References		8. Normative References
	[I-D.ietf-oauth-discovery]
	Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0
	Authorization Server Metadata", draft-ietf-oauth-
	discovery-10 (work in progress), March 2018.
	[IANA.OAuth.Parameters]		[IANA.OAuth.Parameters]
	IANA, "OAuth Parameters",		IANA, "OAuth Parameters",
	<http://www.iana.org/assignments/oauth-parameters>.		<http://www.iana.org/assignments/oauth-parameters>.
	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate		[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
	Requirement Levels", BCP 14, RFC 2119,		Requirement Levels", BCP 14, RFC 2119,
	DOI 10.17487/RFC2119, March 1997,		DOI 10.17487/RFC2119, March 1997,
	<https://www.rfc-editor.org/info/rfc2119>.		<https://www.rfc-editor.org/info/rfc2119>.
	[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",		[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
	skipping to change at page 16, line 38 ¶		skipping to change at page 16, line 33 ¶
	[RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0		[RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
	Threat Model and Security Considerations", RFC 6819,		Threat Model and Security Considerations", RFC 6819,
	DOI 10.17487/RFC6819, January 2013,		DOI 10.17487/RFC6819, January 2013,
	<https://www.rfc-editor.org/info/rfc6819>.		<https://www.rfc-editor.org/info/rfc6819>.
	[RFC8252] Denniss, W. and J. Bradley, "OAuth 2.0 for Native Apps",		[RFC8252] Denniss, W. and J. Bradley, "OAuth 2.0 for Native Apps",
	BCP 212, RFC 8252, DOI 10.17487/RFC8252, October 2017,		BCP 212, RFC 8252, DOI 10.17487/RFC8252, October 2017,
	<https://www.rfc-editor.org/info/rfc8252>.		<https://www.rfc-editor.org/info/rfc8252>.
			[RFC8414] Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0
			Authorization Server Metadata", RFC 8414,
			DOI 10.17487/RFC8414, June 2018,
			<https://www.rfc-editor.org/info/rfc8414>.
	Appendix A. Acknowledgements		Appendix A. Acknowledgements
	The starting point for this document was the Internet-Draft draft-		The starting point for this document was the Internet-Draft draft-
	recordon-oauth-v2-device, authored by David Recordon and Brent		recordon-oauth-v2-device, authored by David Recordon and Brent
	Goldman, which itself was based on content in draft versions of the		Goldman, which itself was based on content in draft versions of the
	OAuth 2.0 protocol specification removed prior to publication due to		OAuth 2.0 protocol specification removed prior to publication due to
	a then lack of sufficient deployment expertise. Thank you to the		a then lack of sufficient deployment expertise. Thank you to the
	OAuth working group members who contributed to those earlier drafts.		OAuth working group members who contributed to those earlier drafts.
	This document was produced in the OAuth working group under the		This document was produced in the OAuth working group under the
	skipping to change at page 17, line 17 ¶		skipping to change at page 17, line 17 ¶
	Brian Campbell, Roshni Chandrashekhar, Eric Fazendin, Torsten		Brian Campbell, Roshni Chandrashekhar, Eric Fazendin, Torsten
	Lodderstedt, James Manger, Breno de Medeiros, Simon Moffatt, Stein		Lodderstedt, James Manger, Breno de Medeiros, Simon Moffatt, Stein
	Myrseth, Justin Richer, Nat Sakimura, Andrew Sciberras, Marius		Myrseth, Justin Richer, Nat Sakimura, Andrew Sciberras, Marius
	Scurtescu, Ken Wang, and Steven E. Wright.		Scurtescu, Ken Wang, and Steven E. Wright.
	Appendix B. Document History		Appendix B. Document History
	[[ to be removed by the RFC Editor before publication as an RFC ]]		[[ to be removed by the RFC Editor before publication as an RFC ]]
			-11
			o Updated reference to OAuth 2.0 Authorization Server Metadata.
	-10		-10
	o Added a missing definition of access_denied for use on the token		o Added a missing definition of access_denied for use on the token
	endpoint.		endpoint.
	o Corrected text documenting which error code should be returned for		o Corrected text documenting which error code should be returned for
	expired tokens (it's "expired_token", not "invalid_grant").		expired tokens (it's "expired_token", not "invalid_grant").
	o Corrected section reference to RFC 8252 (the section numbers had		o Corrected section reference to RFC 8252 (the section numbers had
	changed after the initial reference was made).		changed after the initial reference was made).
	o Fixed line length of one diagram (was causing xml2rfc warnings).		o Fixed line length of one diagram (was causing xml2rfc warnings).
	o Added line breaks so the URN grant_type is presented on an		o Added line breaks so the URN grant_type is presented on an
End of changes. 9 change blocks.
	12 lines changed or deleted		15 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/