| < draft-ietf-oauth-v2-05.txt | draft-ietf-oauth-v2-06.txt > | |||
|---|---|---|---|---|
| Network Working Group E. Hammer-Lahav, Ed. | Network Working Group E. Hammer-Lahav, Ed. | |||
| Internet-Draft Yahoo! | Internet-Draft Yahoo! | |||
| Intended status: Standards Track D. Recordon | Intended status: Standards Track D. Recordon | |||
| Expires: November 14, 2010 Facebook | Expires: December 11, 2010 Facebook | |||
| D. Hardt | D. Hardt | |||
| May 13, 2010 | Microsoft | |||
| June 9, 2010 | ||||
| The OAuth 2.0 Protocol | The OAuth 2.0 Protocol | |||
| draft-ietf-oauth-v2-05 | draft-ietf-oauth-v2-06 | |||
| Abstract | Abstract | |||
| This specification describes the OAuth 2.0 protocol. OAuth provides | This specification describes the OAuth 2.0 protocol. OAuth provides | |||
| a method for making authenticated HTTP requests using a token - an | a method for making authenticated HTTP requests using a token - an | |||
| identifier used to denote an access grant with specific scope, | string used to denote an access grant with specific scope, duration, | |||
| duration, and other attributes. Tokens are issued to third-party | and other attributes. Tokens are issued to third-party clients by an | |||
| clients by an authorization server with the approval of the resource | authorization server with the approval of the resource owner. OAuth | |||
| owner. OAuth defines multiple flows for obtaining a token to support | defines multiple flows for obtaining a token to support a wide range | |||
| a wide range of client types and user experience. | of client types and user experience. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 14, 2010. | This Internet-Draft will expire on December 11, 2010. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 | 1.2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 1.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 2.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 1.4. Notational Conventions . . . . . . . . . . . . . . . . . . 8 | |||
| 2.4. Notational Conventions . . . . . . . . . . . . . . . . . . 8 | 2. Obtaining an Access Token . . . . . . . . . . . . . . . . . . 8 | |||
| 2.5. Conformance . . . . . . . . . . . . . . . . . . . . . . . 8 | 2.1. Client Credentials . . . . . . . . . . . . . . . . . . . . 9 | |||
| 3. Obtaining an Access Token . . . . . . . . . . . . . . . . . . 9 | 2.2. End-User Endpoint . . . . . . . . . . . . . . . . . . . . 9 | |||
| 3.1. Client Credentials . . . . . . . . . . . . . . . . . . . . 9 | 2.3. Token Endpoint . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.2. End-User Endpoint . . . . . . . . . . . . . . . . . . . . 9 | 2.3.1. Client Authentication . . . . . . . . . . . . . . . . 10 | |||
| 3.3. Token Endpoint . . . . . . . . . . . . . . . . . . . . . . 10 | 2.3.2. Response Format . . . . . . . . . . . . . . . . . . . 11 | |||
| 3.3.1. Client Authentication . . . . . . . . . . . . . . . . 11 | 2.4. Flow Parameters . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.3.2. Response Format . . . . . . . . . . . . . . . . . . . 12 | 2.5. Web Server Flow . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.4. Flow Parameters . . . . . . . . . . . . . . . . . . . . . 14 | 2.5.1. Client Requests Authorization . . . . . . . . . . . . 16 | |||
| 3.5. User-Agent Flow . . . . . . . . . . . . . . . . . . . . . 15 | 2.5.2. Client Requests Access Token . . . . . . . . . . . . . 18 | |||
| 3.5.1. Client Requests Authorization . . . . . . . . . . . . 16 | 2.6. User-Agent Flow . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 3.5.2. Client Extracts Access Token . . . . . . . . . . . . . 19 | 2.6.1. Client Requests Authorization . . . . . . . . . . . . 22 | |||
| 3.6. Web Server Flow . . . . . . . . . . . . . . . . . . . . . 20 | 2.6.2. Client Extracts Access Token . . . . . . . . . . . . . 25 | |||
| 3.6.1. Client Requests Authorization . . . . . . . . . . . . 21 | 2.7. Device Flow . . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 3.6.2. Client Requests Access Token . . . . . . . . . . . . . 24 | 2.7.1. Client Requests Authorization . . . . . . . . . . . . 27 | |||
| 3.7. Device Flow . . . . . . . . . . . . . . . . . . . . . . . 25 | 2.7.2. Client Requests Access Token . . . . . . . . . . . . . 29 | |||
| 3.7.1. Client Requests Authorization . . . . . . . . . . . . 27 | 2.8. Username and Password Flow . . . . . . . . . . . . . . . . 31 | |||
| 3.7.2. Client Requests Access Token . . . . . . . . . . . . . 29 | 2.8.1. Client Requests Access Token . . . . . . . . . . . . . 32 | |||
| 3.8. Username and Password Flow . . . . . . . . . . . . . . . . 31 | 2.9. Client Credentials Flow . . . . . . . . . . . . . . . . . 34 | |||
| 3.8.1. Client Requests Access Token . . . . . . . . . . . . . 33 | 2.9.1. Client Requests Access Token . . . . . . . . . . . . . 35 | |||
| 3.9. Client Credentials Flow . . . . . . . . . . . . . . . . . 35 | 2.10. Assertion Flow . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 3.9.1. Client Requests Access Token . . . . . . . . . . . . . 35 | 2.10.1. Client Requests Access Token . . . . . . . . . . . . . 37 | |||
| 3.10. Assertion Flow . . . . . . . . . . . . . . . . . . . . . . 37 | 2.11. Native Application Considerations . . . . . . . . . . . . 39 | |||
| 3.10.1. Client Requests Access Token . . . . . . . . . . . . . 38 | 3. Refreshing an Access Token . . . . . . . . . . . . . . . . . . 40 | |||
| 4. Refreshing an Access Token . . . . . . . . . . . . . . . . . . 40 | 4. Accessing a Protected Resource . . . . . . . . . . . . . . . . 42 | |||
| 5. Accessing a Protected Resource . . . . . . . . . . . . . . . . 42 | 4.1. The Authorization Request Header . . . . . . . . . . . . . 43 | |||
| 5.1. The Authorization Request Header . . . . . . . . . . . . . 43 | 4.2. URI Query Parameter . . . . . . . . . . . . . . . . . . . 44 | |||
| 5.2. Bearer Token Requests . . . . . . . . . . . . . . . . . . 44 | 4.3. Form-Encoded Body Parameter . . . . . . . . . . . . . . . 44 | |||
| 5.2.1. URI Query Parameter . . . . . . . . . . . . . . . . . 45 | 5. Identifying a Protected Resource . . . . . . . . . . . . . . . 45 | |||
| 5.2.2. Form-Encoded Body Parameter . . . . . . . . . . . . . 45 | 5.1. The WWW-Authenticate Response Header . . . . . . . . . . . 45 | |||
| 5.3. Cryptographic Tokens Requests . . . . . . . . . . . . . . 46 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 46 | |||
| 5.3.1. The 'hmac-sha256' Algorithm . . . . . . . . . . . . . 47 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46 | |||
| 6. Identifying a Protected Resource . . . . . . . . . . . . . . . 50 | Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 46 | |||
| 6.1. The WWW-Authenticate Response Header . . . . . . . . . . . 50 | Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 47 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 51 | Appendix C. Differences from OAuth 1.0a . . . . . . . . . . . . . 47 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 51 | Appendix D. Document History . . . . . . . . . . . . . . . . . . 47 | |||
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 52 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 49 | |||
| Appendix A. Differences from OAuth 1.0a . . . . . . . . . . . . . 52 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 49 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 52 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 50 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 51 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . . 53 | ||||
| 10.2. Informative References . . . . . . . . . . . . . . . . . . 55 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 55 | ||||
| 1. Authors | ||||
| This specification was authored with the participation and based on | ||||
| the work of Allen Tom (Yahoo!), Brian Eaton (Google), Brent Goldman | ||||
| (Facebook), Luke Shepard (Facebook), Raffi Krikorian (Twitter), and | ||||
| Yaron Goland (Microsoft). | ||||
| 2. Introduction | 1. Introduction | |||
| With the increasing use of distributed web services and cloud | With the increasing use of distributed web services and cloud | |||
| computing, third-party applications require access to server-hosted | computing, third-party applications require access to server-hosted | |||
| resources. These resources are usually protected and require | resources. These resources are usually protected and require | |||
| authentication using the resource owner's credentials (typically a | authentication using the resource owner's credentials (typically a | |||
| username and password). In the traditional client-server | username and password). In the traditional client-server | |||
| authentication model, a client accessing a protected resource on a | authentication model, a client accessing a protected resource on a | |||
| server presents the resource owner's credentials in order to | server presents the resource owner's credentials in order to | |||
| authenticate and gain access. | authenticate and gain access. | |||
| skipping to change at page 4, line 37 ¶ | skipping to change at page 4, line 30 ¶ | |||
| duration, or to limit access to the HTTP methods supported by these | duration, or to limit access to the HTTP methods supported by these | |||
| resources. | resources. | |||
| OAuth provides a method for making authenticated HTTP requests using | OAuth provides a method for making authenticated HTTP requests using | |||
| a token - an identifier used to denote an access grant with specific | a token - an identifier used to denote an access grant with specific | |||
| scope, duration, and other attributes. Tokens are issued to third- | scope, duration, and other attributes. Tokens are issued to third- | |||
| party clients by an authorization server with the approval of the | party clients by an authorization server with the approval of the | |||
| resource owner. Instead of sharing their credentials with the | resource owner. Instead of sharing their credentials with the | |||
| client, resource owners grant access by authenticating directly with | client, resource owners grant access by authenticating directly with | |||
| the authorization server which in turn issues a token to the client. | the authorization server which in turn issues a token to the client. | |||
| The client uses the token (and optional secret) to authenticate with | The client uses the token to authenticate with the resource server | |||
| the resource server and gain access. | and gain access. | |||
| For example, a web user (resource owner) can grant a printing service | For example, a web user (resource owner) can grant a printing service | |||
| (client) access to her protected photos stored at a photo sharing | (client) access to her protected photos stored at a photo sharing | |||
| service (resource server), without sharing her username and password | service (resource server), without sharing her username and password | |||
| with the printing service. Instead, she authenticates directly with | with the printing service. Instead, she authenticates directly with | |||
| the photo sharing service (authorization server) which issues the | the photo sharing service (authorization server) which issues the | |||
| printing service delegation-specific credentials (token). | printing service delegation-specific credentials (token). | |||
| This specification defines the use of OAuth over HTTP [RFC2616] (or | This specification defines the use of OAuth over HTTP [RFC2616] (or | |||
| HTTP over TLS 1.0 as defined by [RFC2818]. Other specifications may | HTTP over TLS as defined by [RFC2818]). Other specifications may | |||
| extend it for use with other transport protocols. | extend it for use with other transport protocols. | |||
| 2.1. Terminology | 1.1. Terminology | |||
| resource server | resource server | |||
| An HTTP [RFC2616] server capable of accepting authenticated | An HTTP [RFC2616] server capable of accepting authenticated | |||
| resource requests using the OAuth protocol. | resource requests using the OAuth protocol. | |||
| protected resource | protected resource | |||
| An access-restricted resource which can be obtained from a | An access-restricted resource which can be obtained from a | |||
| resource server using an OAuth-authenticated request. | resource server using an OAuth-authenticated request. | |||
| client | client | |||
| An HTTP client capable of making authenticated requests for | An HTTP client capable of making authenticated requests for | |||
| protected resources using the OAuth protocol. | protected resources using the OAuth protocol. | |||
| resource owner | resource owner | |||
| An entity capable of granting access to a protected resource. | An entity capable of granting access to a protected resource. | |||
| end-user | end-user | |||
| A human resource owner. | A human resource owner. | |||
| token | ||||
| A string representing an access grant issued to the client. | ||||
| The string is usually opaque to the client and can self-contain | ||||
| the authorization information in a verifiable manner (i.e. | ||||
| signed), or denotes an identifier used to retrieve the | ||||
| authorization information. | ||||
| access token | access token | |||
| A unique identifier used by the client to make authenticated | A token used by the client to make authenticated requests on | |||
| requests on behalf of the resource owner. Access tokens may | behalf of the resource owner. | |||
| have a matching secret. | ||||
| bearer token An access token without a matching secret, used to | refresh token | |||
| obtain access to a protected resource by simply presenting the | A token used by the client to replace an expired access token | |||
| access token as-is to the resource server. | with a new access token without having to involve the resource | |||
| owner. A refresh token is used when the access token is valid | ||||
| for a shorter time period than the duration of the access grant | ||||
| approved by the resource owner. | ||||
| authorization server | authorization server | |||
| An HTTP server capable of issuing tokens after successfully | An HTTP server capable of issuing tokens after successfully | |||
| authenticating the resource owner and obtaining authorization. | authenticating the resource owner and obtaining authorization. | |||
| The authorization server may be the same server as the resource | The authorization server may be the same server as the resource | |||
| server, or a separate entity. | server, or a separate entity. | |||
| end-user endpoint | end-user endpoint | |||
| The authorization server's HTTP endpoint capable of | The authorization server's HTTP endpoint capable of | |||
| authenticating the end-user and obtaining authorization. | authenticating the end-user and obtaining authorization. | |||
| token endpoint | token endpoint | |||
| The authorization server's HTTP endpoint capable of issuing | The authorization server's HTTP endpoint capable of issuing | |||
| tokens and refreshing expired tokens. | tokens and refreshing expired tokens. | |||
| client identifier | client identifier | |||
| An unique identifier issued to the client to identify itself to | An unique identifier issued to the client to identify itself to | |||
| the authorization server. Client identifiers may have a | the authorization server. Client identifiers may have a | |||
| matching secret. | matching secret. | |||
| refresh token | 1.2. Overview | |||
| A unique identifier used by the client to replace an expired | ||||
| access token with a new access token without having to involve | ||||
| the resource owner. A refresh token is used when the access | ||||
| token is valid for a shorter time period than the duration of | ||||
| the access grant approved by the resource owner. | ||||
| 2.2. Overview | ||||
| Clients interact with a protected resource, first by requesting | Clients interact with a protected resource, first by requesting | |||
| access (which is granted in the form of an access token) from the | access (which is granted in the form of an access token) from the | |||
| authorization server, and then by authenticating with the resource | authorization server, and then by authenticating with the resource | |||
| server by presenting the access token. Figure 1 demonstrates the | server by presenting the access token. Figure 1 demonstrates the | |||
| flow between the client and authorization server (A, B), and the flow | flow between the client and authorization server (A, B), and the flow | |||
| between the client and resource server (C, D), when the client is | between the client and resource server (C, D), when the client is | |||
| acting autonomously (the client is also the resource owner). | acting autonomously (the client is also the resource owner). | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| skipping to change at page 6, line 34 ¶ | skipping to change at page 6, line 32 ¶ | |||
| | | | Server | | | | | Server | | |||
| | |<-(B)------ Access Token ---------| | | | |<-(B)------ Access Token ---------| | | |||
| | | (w/ Optional Refresh Token) +---------------+ | | | (w/ Optional Refresh Token) +---------------+ | |||
| | Client | | | Client | | |||
| | | HTTP Request +---------------+ | | | HTTP Request +---------------+ | |||
| | |--(C)--- with Access Token ------>| Resource | | | |--(C)--- with Access Token ------>| Resource | | |||
| | | | Server | | | | | Server | | |||
| | |<-(D)------ HTTP Response --------| | | | |<-(D)------ HTTP Response --------| | | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| Figure 1 | Figure 1: Generic Client-Server Flow | |||
| Access token strings can use any internal structure agreed upon | Access token strings can use any internal structure agreed upon | |||
| between the authorization server and the resource server, but their | between the authorization server and the resource server, but their | |||
| structure is opaque to the client. Since the access token provides | structure is opaque to the client. Since the access token provides | |||
| the client access to the protected resource for the life of the | the client access to the protected resource for the life of the | |||
| access token (or until revoked), the authorization server should | access token (or until revoked), the authorization server should | |||
| issue access tokens which expire within an appropriate time, usually | issue access tokens which expire within an appropriate time, usually | |||
| much shorter than the duration of the access grant. | much shorter than the duration of the access grant. | |||
| When an access token expires, the client can request a new access | When an access token expires, the client can request a new access | |||
| token from the authorization server by presenting its credentials | token from the authorization server by presenting its credentials | |||
| again (Figure 1), or by using the refresh token (if issued with the | again (Figure 1), or by using the refresh token (if issued with the | |||
| access token) as shown in Figure 2. Once an expired access token has | access token) as shown in Figure 2. Once an expired access token has | |||
| been replaced with a new access token (A, B), the client uses the new | been replaced with a new access token (A, B), the client uses the new | |||
| access token as before (C, D). | access token as before (C, D). | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| | |--(A)------ Refresh Token ------->| Authorization | | | |--(A)------ Refresh Token ------->| Authorization | | |||
| | | | Server | | | | | Server | | |||
| | |<-(B)------ Access Token ---------| | | | |<-(B)------ Access Token ---------| | | |||
| | | (with Optional Secret) +---------------+ | | | +---------------+ | |||
| | Client | | | Client | | |||
| | | HTTP Request +---------------+ | | | HTTP Request +---------------+ | |||
| | |--(C)--- with Access Token ------>| Resource | | | |--(C)--- with Access Token ------>| Resource | | |||
| | | | Server | | | | | Server | | |||
| | |<-(D)----- HTTP Response ---------| | | | |<-(D)----- HTTP Response ---------| | | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| Figure 2 | Figure 2: Refreshing an Access Token | |||
| This specification defines a number of authorization flows to support | This specification defines a number of authorization flows to support | |||
| different client types and scenarios. These authorization flows can | different client types and scenarios. These authorization flows can | |||
| be separated into three groups: user delegation flows, direct | be separated into three groups: user delegation flows, direct | |||
| credentials flows, and autonomous flows. | credentials flows, and autonomous flows. | |||
| Additional authorization flows may be defined by other specifications | Additional authorization flows may be defined by other specifications | |||
| to cover different scenarios and client types. | to cover different scenarios and client types. | |||
| User delegation flows are used to grant client access to protected | User delegation flows are used to grant client access to protected | |||
| resources by the end-user without sharing the end-user credentials | resources by the end-user without sharing the end-user credentials | |||
| (e.g. a username and password) with the client. Instead, the end- | (e.g. a username and password) with the client. Instead, the end- | |||
| user authenticates directly with the authorization server, and grants | user authenticates directly with the authorization server, and grants | |||
| client access to its protected resources. The user delegation flows | client access to its protected resources. The user delegation flows | |||
| defined by this specifications are: | defined by this specifications are: | |||
| o User-Agent Flow - This flow is designed for clients running inside | ||||
| a user-agent (typically a web browser). This flow is described in | ||||
| Section 3.5. | ||||
| o Web Server Flow - This flow is optimized for clients that are part | o Web Server Flow - This flow is optimized for clients that are part | |||
| of a web server application, accessible via HTTP requests. This | of a web server application, accessible via HTTP requests. This | |||
| flow is described in Section 3.6. | flow is described in Section 2.5. | |||
| o User-Agent Flow - This flow is designed for clients running inside | ||||
| a user-agent (typically a web browser). This flow is described in | ||||
| Section 2.6. | ||||
| o Device Flow - This flow is suitable for clients executing on | o Device Flow - This flow is suitable for clients executing on | |||
| limited devices, but where the end-user has separate access to a | limited devices, but where the end-user has separate access to a | |||
| user-agent on another computer or device. This flow is described | user-agent on another computer or device. This flow is described | |||
| in Section 3.7. | in Section 2.7. | |||
| Direct credentials flows enable clients to obtain an access token | Direct credentials flows enable clients to obtain an access token | |||
| with a single request using the client credentials or end-user | with a single request using the client credentials or end-user | |||
| credentials without seeking additional resource owner authorization. | credentials without seeking additional resource owner authorization. | |||
| The direct credentials flows defined by this specification are: | The direct credentials flows defined by this specification are: | |||
| o Username and Password Flow - This flow is used in cases where the | o Username and Password Flow - This flow is used in cases where the | |||
| end-user trusts the client to handle its credentials but it is | end-user trusts the client to handle its credentials but it is | |||
| still undesirable for the client to store the end-user's username | still undesirable for the client to store the end-user's username | |||
| and password. This flow is only suitable when there is a high | and password. This flow is only suitable when there is a high | |||
| degree of trust between the end-user and the client. This flow is | degree of trust between the end-user and the client. This flow is | |||
| described in Section 3.8. | described in Section 2.8. | |||
| o Client Credentials Flow - The client uses its credentials to | o Client Credentials Flow - The client uses its credentials to | |||
| obtain an access token. This flow is described in Section 3.9. | obtain an access token. This flow is described in Section 2.9. | |||
| Autonomous flows enable clients to use utilize existing trust | Autonomous flows enable clients to use utilize existing trust | |||
| relationships or different authorization constructs to obtain an | relationships or different authorization constructs to obtain an | |||
| access token. They provide a bridge between OAuth and other trust | access token. They provide a bridge between OAuth and other trust | |||
| frameworks. The autonomous authorization flow defined by this | frameworks. The autonomous authorization flow defined by this | |||
| specifications is: | specifications is: | |||
| o Assertion Flow - The client presents an assertion such as a SAML | o Assertion Flow - The client presents an assertion such as a SAML | |||
| [OASIS.saml-core-2.0-os] assertion to the authorization server in | [OASIS.saml-core-2.0-os] assertion to the authorization server in | |||
| exchange for an access token. This flow is described in | exchange for an access token. This flow is described in | |||
| Section 3.10. | Section 2.10. | |||
| 2.3. Example | 1.3. Example | |||
| [[ Todo ]] | [[ Todo ]] | |||
| 2.4. Notational Conventions | 1.4. Notational Conventions | |||
| The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', | The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', | |||
| 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this | 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| This document uses the Augmented Backus-Naur Form (ABNF) notation of | This document uses the Augmented Backus-Naur Form (ABNF) notation of | |||
| [I-D.ietf-httpbis-p1-messaging]. Additionally, the realm and auth- | [I-D.ietf-httpbis-p1-messaging]. Additionally, the realm and auth- | |||
| param rules are included from [RFC2617], and the URI-Reference rule | param rules are included from [RFC2617], and the URI-Reference rule | |||
| from [RFC3986]. | from [RFC3986]. | |||
| 2.5. Conformance | 2. Obtaining an Access Token | |||
| An implementation is not compliant if it fails to satisfy one or more | ||||
| of the MUST or REQUIRED level requirements for the flows it | ||||
| implements. An implementation that satisfies all the MUST or | ||||
| REQUIRED level and all the SHOULD level requirements for its flows is | ||||
| said to be "unconditionally compliant"; one that satisfies all the | ||||
| MUST level requirements but not all the SHOULD level requirements for | ||||
| its flows is said to be "conditionally compliant." | ||||
| 3. Obtaining an Access Token | ||||
| The client obtains an access token by using one of the authorization | The client obtains an access token by using one of the authorization | |||
| flows supported by the authorization server. The authorization flows | flows supported by the authorization server. The authorization flows | |||
| all use the same authorization and token endpoints, each with a | all use the same authorization and token endpoints, each with a | |||
| different set of request parameters and values. | different set of request parameters and values. | |||
| Access tokens have a scope, duration, and other access attributes | Access tokens have a scope, duration, and other access attributes | |||
| granted by the resource owner. These attributes MUST be enforced by | granted by the resource owner. These attributes MUST be enforced by | |||
| the resource server when receiving a protected resource request, and | the resource server when receiving a protected resource request, and | |||
| by the authorization server when receiving a token refresh request. | by the authorization server when receiving a token refresh request. | |||
| In many cases it is desirable to issue access tokens with a shorter | In many cases it is desirable to issue access tokens with a shorter | |||
| lifetime than the duration of the authorization grant. However, it | lifetime than the duration of the authorization grant. However, it | |||
| may be undesirable to require the resource owner to authorize the | may be undesirable to require the resource owner to authorize the | |||
| request again. Instead, the authorization server issues a refresh | request again. Instead, the authorization server issues a refresh | |||
| token in addition to the access token. When the access token | token in addition to the access token. When the access token | |||
| expires, the client can request a new access token without involving | expires, the client can request a new access token without involving | |||
| the resource owner as long as the authorization grant is still valid. | the resource owner as long as the authorization grant is still valid. | |||
| The token refresh method is described in Section 4. | The token refresh method is described in Section 3. | |||
| 3.1. Client Credentials | 2.1. Client Credentials | |||
| When requesting access from the authorization server, the client | When requesting access from the authorization server, the client | |||
| identifies itself using a set of client credentials. The client | identifies itself using a set of client credentials. The client | |||
| credentials include a client identifier and an OPTIONAL symmetric | credentials include a client identifier and an OPTIONAL symmetric | |||
| shared secret. The means through which the client obtains these | shared secret. The means through which the client obtains these | |||
| credentials are beyond the scope of this specification, but usually | credentials are beyond the scope of this specification, but usually | |||
| involve registration with the authorization server. | involve registration with the authorization server. | |||
| The client identifier is used by the authorization server to | The client identifier is used by the authorization server to | |||
| establish the identity of the client for the purpose of presenting | establish the identity of the client for the purpose of presenting | |||
| skipping to change at page 9, line 48 ¶ | skipping to change at page 9, line 36 ¶ | |||
| as for providing different service levels to different clients. They | as for providing different service levels to different clients. They | |||
| can also be used to block unauthorized clients from requesting | can also be used to block unauthorized clients from requesting | |||
| access. | access. | |||
| Due to the nature of some clients, authorization servers SHOULD NOT | Due to the nature of some clients, authorization servers SHOULD NOT | |||
| make assumptions about the confidentiality of client credentials | make assumptions about the confidentiality of client credentials | |||
| without establishing trust with the client operator. Authorization | without establishing trust with the client operator. Authorization | |||
| servers SHOULD NOT issue client secrets to clients incapable of | servers SHOULD NOT issue client secrets to clients incapable of | |||
| keeping their secrets confidential. | keeping their secrets confidential. | |||
| 3.2. End-User Endpoint | 2.2. End-User Endpoint | |||
| In flows that involved an end-user, clients direct the end-user to | In flows that involved an end-user, clients direct the end-user to | |||
| the end-user endpoint to approve their access request. When | the end-user endpoint to approve their access request. When | |||
| accessing the end-user endpoint, the end-user first authenticates | accessing the end-user endpoint, the end-user first authenticates | |||
| with the authorization server, and then approves or denies the access | with the authorization server, and then approves or denies the access | |||
| request. | request. | |||
| The way in which the authorization server authenticates the end-user | The way in which the authorization server authenticates the end-user | |||
| (e.g. username and password login, OpenID, session cookies) and in | (e.g. username and password login, OpenID, session cookies) and in | |||
| which the authorization server obtains the end-user's authorization, | which the authorization server obtains the end-user's authorization, | |||
| including whether it uses a secure channel such as TLS/SSL, is beyond | including whether it uses a secure channel such as TLS, is beyond the | |||
| the scope of this specification. However, the authorization server | scope of this specification. However, the authorization server MUST | |||
| MUST first verify the identity of the end-user. | first verify the identity of the end-user. | |||
| The URI of the end-user endpoint can be found in the service | The URI of the end-user endpoint can be found in the service | |||
| documentation, or can be obtained by the client by making an | documentation, or can be obtained by using [[ OAuth Discovery ]]. | |||
| unauthorized protected resource request (from the "WWW-Authenticate" | ||||
| response header "user-uri" attribute as described by Section 5.1). | ||||
| The end-user endpoint advertised by the resource server MAY include a | The end-user endpoint advertised by the resource server MAY include a | |||
| query component as defined by [RFC3986] section 3, which must be | query component as defined by [RFC3986] section 3, which must be | |||
| retained when adding additional query parameters. | retained when adding additional query parameters. | |||
| Since requests to the end-user endpoint result in user authentication | Since requests to the end-user endpoint result in user authentication | |||
| and the transmission of sensitive values, the authorization server | and the transmission of sensitive values, the authorization server | |||
| SHOULD require the use of a transport-layer mechanism such as TLS/SSL | SHOULD require the use of a transport-layer mechanism such as TLS | |||
| (or a secure channel with equivalent protections) when sending | when sending requests to the end-user endpoint. | |||
| requests to the end-user endpoint. | ||||
| 3.3. Token Endpoint | 2.3. Token Endpoint | |||
| After obtaining authorization from the resource owner, clients | After obtaining authorization from the resource owner, clients | |||
| request an access token from the authorization server's token | request an access token from the authorization server's token | |||
| endpoint. | endpoint. | |||
| The URI of the token endpoint can be found in the service | The URI of the token endpoint can be found in the service | |||
| documentation, or can be obtained by the client by making an | documentation, or can be obtained by using [[ OAuth Discovery ]]. | |||
| unauthorized protected resource request (from the "WWW-Authenticate" | ||||
| response header "token-uri" attribute as described by Section 5.1). | ||||
| The token endpoint advertised by the resource server MAY include a | The token endpoint advertised by the resource server MAY include a | |||
| query component as defined by [RFC3986] section 3. | query component as defined by [RFC3986] section 3. | |||
| Since requests to the token endpoint result in the transmission of | Since requests to the token endpoint result in the transmission of | |||
| plain text credentials in the HTTP request and response, the | plain text credentials in the HTTP request and response, the | |||
| authorization server MUST require the use of a transport-layer | authorization server MUST require the use of a transport-layer | |||
| mechanism such as TLS/SSL (or a secure channel with equivalent | mechanism when sending requests to the token endpoints. Servers MUST | |||
| protections) when sending requests to the token endpoints. | support TLS 1.2 as defined in [RFC5246] and MAY support addition | |||
| mechanisms with equivalent protections. | ||||
| 3.3.1. Client Authentication | 2.3.1. Client Authentication | |||
| The token endpoint requires the client to authenticate itself to the | The token endpoint requires the client to authenticate itself to the | |||
| authorization server. This is done by including the client | authorization server. This is done by including the client | |||
| identifier (and optional secret) in the request. The client | identifier (and optional secret) in the request. The client | |||
| identifier and secret are included in the request using two request | identifier and secret are included in the request using two request | |||
| parameters: "client_id" and "client_secret". | parameters: "client_id" and "client_secret". | |||
| For example (line breaks are for display purposes only): | For example (line breaks are for display purposes only): | |||
| POST /token HTTP/1.1 | POST /token HTTP/1.1 | |||
| Host: server.example.com | Host: server.example.com | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| type=web_server&client_id=s6BhdRkqt3& | type=web_server&client_id=s6BhdRkqt3& | |||
| client_secret=gX1fBat3bV&code=i1WsRn1uB1& | client_secret=gX1fBat3bV&code=i1WsRn1uB1& | |||
| redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb | redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb | |||
| The client MAY include the client credentials using an HTTP | The client MAY include the client credentials using an HTTP | |||
| authentication scheme instead of using the "client_id" and | authentication scheme which supports authenticating using a username | |||
| "client_secret" request parameters. Including the client credentials | and password, instead of using the "client_id" and "client_secret" | |||
| using an HTTP authentication scheme fullfills the requirements of | request parameters. Including the client credentials using an HTTP | |||
| including the parameters as defined by the various flows. The client | authentication scheme fulfills the requirements of including the | |||
| MUST NOT include the client credentials using more than one | parameters as defined by the various flows. | |||
| mechanism. | ||||
| The client MUST NOT include the client credentials using more than | ||||
| one mechanism. If more than one mechanism is used, regardless if the | ||||
| credentials are identical, the server MUST reply with an HTTP 400 | ||||
| status code (Bad Request) and include the "multiple-credentials" | ||||
| error message. | ||||
| The authorization server MUST accept the client credentials using | The authorization server MUST accept the client credentials using | |||
| both the request parameters, and the HTTP Basic authentication scheme | both the request parameters, and the HTTP Basic authentication scheme | |||
| as defined in [RFC2617]. The authorization server MAY support | as defined in [RFC2617]. The authorization server MAY support | |||
| additional HTTP authentication schemes. | additional HTTP authentication schemes. | |||
| For example (line breaks are for display purposes only): | For example (line breaks are for display purposes only): | |||
| POST /token HTTP/1.1 | POST /token HTTP/1.1 | |||
| Host: server.example.com | Host: server.example.com | |||
| Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW | Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| type=web_server&code=i1WsRn1uB1& | type=web_server&code=i1WsRn1uB1& | |||
| redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb | redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb | |||
| 3.3.2. Response Format | 2.3.2. Response Format | |||
| Authorization servers respond to client requests by including a set | Authorization servers respond to client requests by including a set | |||
| of response parameters in the entity body of the HTTP response. The | of response parameters in the entity body of the HTTP response. The | |||
| response uses one of three formats based on the format requested by | response uses one of three formats based on the format requested by | |||
| the client (using the "format" request parameter): | the client (using the "format" request parameter or the HTTP "Accept" | |||
| header field): | ||||
| o The "application/json" media type as defined by [RFC4627]. The | o The "application/json" media type as defined by [RFC4627]. The | |||
| parameters are serialized into a JSON structure by adding each | parameters are serialized into a JSON structure by adding each | |||
| parameter at the highest structure level. Parameter names and | parameter at the highest structure level. Parameter names and | |||
| string values are included as JSON strings. Numerical values are | string values are included as JSON strings. Numerical values are | |||
| included as JSON numbers. | included as JSON numbers. | |||
| For example: | For example: | |||
| { | { | |||
| skipping to change at page 12, line 41 ¶ | skipping to change at page 12, line 28 ¶ | |||
| For example: | For example: | |||
| <?xml version='1.0' encoding="utf-8"?> | <?xml version='1.0' encoding="utf-8"?> | |||
| <OAuth> | <OAuth> | |||
| <access_token>SlAV32hkKG</access_token> | <access_token>SlAV32hkKG</access_token> | |||
| <expires_in>3600</expires_in> | <expires_in>3600</expires_in> | |||
| <refresh_token>8xLOxBtZp8</refresh_token> | <refresh_token>8xLOxBtZp8</refresh_token> | |||
| </OAuth> | </OAuth> | |||
| o The "application/x-www-form-urlencoded" media type as defined by | o The "application/x-www-form-urlencoded" media type as defined by | |||
| [W3C.REC-html40-19980424]. | [W3C.REC-html401-19991224]. | |||
| For example (line breaks are for display purposes only): | For example (line breaks are for display purposes only): | |||
| access_token=SlAV32hkKG&expires_in=3600& | access_token=SlAV32hkKG&expires_in=3600& | |||
| refresh_token=8xLOxBtZp8 | refresh_token=8xLOxBtZp8 | |||
| The authorization server MUST include the HTTP "Cache-Control" | The authorization server MUST include the HTTP "Cache-Control" | |||
| response header field with a value of "no-store" in any response | response header field with a value of "no-store" in any response | |||
| containing tokens, secrets, or other sensitive information. | containing tokens, secrets, or other sensitive information. | |||
| 3.3.2.1. Access Token Response | 2.3.2.1. Access Token Response | |||
| After receiving and verifying a valid and authorized access token | After receiving and verifying a valid and authorized access token | |||
| request from the client (as described in each of the flows below), | request from the client (as described in each of the flows below), | |||
| the authorization server constructs the response using the format | the authorization server constructs the response using the format | |||
| requested by the client, which includes the common parameters set as | requested by the client, which includes the parameters listed below, | |||
| well as additional flow-specific parameters. The formatted | as well as additional flow-specific parameters. The formatted | |||
| parameters are sent to the client in the entity body of the HTTP | parameters are sent to the client in the entity body of the HTTP | |||
| response with a 200 status code (OK). | response with a 200 status code (OK). | |||
| The token response contains the following common parameters: | The token response contains the following common parameters: | |||
| access_token | access_token | |||
| REQUIRED. The access token issued by the authorization server. | REQUIRED. The access token issued by the authorization server. | |||
| expires_in | expires_in | |||
| OPTIONAL. The duration in seconds of the access token | OPTIONAL. The duration in seconds of the access token | |||
| lifetime. | lifetime. | |||
| refresh_token | refresh_token | |||
| OPTIONAL. The refresh token used to obtain new access tokens | OPTIONAL. The refresh token used to obtain new access tokens | |||
| using the same end-user access grant as described in Section 4. | using the same end-user access grant as described in Section 3. | |||
| access_token_secret | ||||
| REQUIRED if requested by the client. The corresponding access | ||||
| token secret as requested by the client. | ||||
| scope | scope | |||
| OPTIONAL. The scope of the access token as a list of space- | OPTIONAL. The scope of the access token as a list of space- | |||
| delimited strings. The value of the "scope" parameter is | delimited strings. The value of the "scope" parameter is | |||
| defined by the authorization server. If the value contains | defined by the authorization server. If the value contains | |||
| multiple space-delimited strings, their order does not matter, | multiple space-delimited strings, their order does not matter, | |||
| and each string adds an additional access range to the | and each string adds an additional access range to the | |||
| requested scope. | requested scope. | |||
| For example: | For example: | |||
| skipping to change at page 14, line 17 ¶ | skipping to change at page 13, line 39 ¶ | |||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "access_token":"SlAV32hkKG", | "access_token":"SlAV32hkKG", | |||
| "expires_in":3600, | "expires_in":3600, | |||
| "refresh_token":"8xLOxBtZp8" | "refresh_token":"8xLOxBtZp8" | |||
| } | } | |||
| 3.3.2.2. Error Response | 2.3.2.2. Error Response | |||
| If the token request is invalid or unauthorized, the authorization | If the token request is invalid or unauthorized, the authorization | |||
| server constructs a JSON-formatted response which includes the common | server constructs the response using the format requested by the | |||
| parameters set as well as additional flow-specific parameters. The | client which includes the parameters listed below, as well as | |||
| formatted parameters are sent to the client in the entity body of the | additional flow-specific parameters. The formatted parameters are | |||
| HTTP response with a 400 status code (Bad Request). | sent to the client in the entity body of the HTTP response with a 400 | |||
| status code (Bad Request). | ||||
| The response contains the following common parameter: | The response contains the following common parameter: | |||
| error | error | |||
| REQUIRED. The parameter value MUST be set to one of the values | REQUIRED. The parameter value MUST be set to one of the values | |||
| specified by each flow. | specified by each flow. | |||
| For example: | For example: | |||
| HTTP/1.1 400 Bad Request | HTTP/1.1 400 Bad Request | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "error":"incorrect_client_credentials" | "error":"incorrect_client_credentials" | |||
| } | } | |||
| 3.4. Flow Parameters | 2.4. Flow Parameters | |||
| The sizes of tokens and other values received from the authorization | The sizes of tokens and other values received from the authorization | |||
| server, are left undefined by this specification. Clients should | server, are left undefined by this specification. Clients should | |||
| avoid making assumptions about value sizes. Servers should document | avoid making assumptions about value sizes. Servers should document | |||
| the expected size of any value they issue. | the expected size of any value they issue. | |||
| Unless otherwise noted, all the protocol parameter names and values | Unless otherwise noted, all the protocol parameter names and values | |||
| are case sensitive. | are case sensitive. | |||
| 3.5. User-Agent Flow | 2.5. Web Server Flow | |||
| The user-agent flow is a user delegation flow suitable for client | ||||
| applications residing in a user-agent, typically implemented in a | ||||
| browser using a scripting language such as JavaScript. These clients | ||||
| cannot keep client secrets confidential and the authentication of the | ||||
| client is based on the user-agent's same-origin policy. | ||||
| Unlike other flows in which the client makes separate authorization | ||||
| and access token requests, the client received the access token as a | ||||
| result of the authorization request in the form of an HTTP | ||||
| redirection. The client requests the authorization server to | ||||
| redirect the user-agent to another web server or local resource | ||||
| accessible to the browser which is capable of extracting the access | ||||
| token from the response and passing it to the client. | ||||
| This user-agent flow does not utilize the client secret since the | ||||
| client executables reside on the end-user's computer or device which | ||||
| makes the client secret accessible and exploitable. Because the | ||||
| access token is encoded into the redirection URI, it may be exposed | ||||
| to the end-user and other applications residing on the computer or | ||||
| device. | ||||
| +----------+ Client Identifier +----------------+ | ||||
| | |>---(A)-- & Redirection URI --->| | | ||||
| | | | | | ||||
| End <--+ - - - +----(B)-- User authenticates -->| Authorization | | ||||
| User | | | Server | | ||||
| | |<---(C)-- Redirect URI --------<| | | ||||
| | Client | with Access Token | | | ||||
| | in | (w/ Optional Refresh Token) +----------------+ | ||||
| | Browser | in Fragment | ||||
| | | +----------------+ | ||||
| | |>---(D)-- Redirect URI -------->| | | ||||
| | | without Fragment | Web Server | | ||||
| | | | with Client | | ||||
| | (F) |<---(E)-- Web Page with -------<| Resource | | ||||
| | Access | Script | | | ||||
| | Token | +----------------+ | ||||
| +----------+ | ||||
| Figure 3 | ||||
| The user-agent flow illustrated in Figure 3 includes the following | ||||
| steps: | ||||
| (A) The client sends the user-agent to the authorization server and | ||||
| includes its client identifier and redirection URI in the | ||||
| request. | ||||
| (B) The authorization server authenticates the end-user (via the | ||||
| user-agent) and establishes whether the end-user grants or | ||||
| denies the client's access request. | ||||
| (C) Assuming the end-user granted access, the authorization server | ||||
| redirects the user-agent to the redirection URI provided | ||||
| earlier. The redirection URI includes the access token in the | ||||
| URI fragment. | ||||
| (D) The user-agent follows the redirection instructions by making a | ||||
| request to the web server which does not include the fragment. | ||||
| The user-agent retains the fragment information locally. | ||||
| (E) The web server returns a web page containing a script capable of | ||||
| extracting the access token from the URI fragment retained by | ||||
| the user-agent. | ||||
| (F) The user-agent executes the script provided by the web server | ||||
| which extracts the access token and passes it to the client. | ||||
| 3.5.1. Client Requests Authorization | ||||
| In order for the end-user to grant the client access, the client | ||||
| sends the end-user to the authorization server. The client | ||||
| constructs the request URI by adding the following URI query | ||||
| parameters to the end-user endpoint URI: | ||||
| type | ||||
| REQUIRED. The parameter value MUST be set to "user_agent". | ||||
| client_id | ||||
| REQUIRED. The client identifier as described in Section 3.1. | ||||
| redirect_uri | ||||
| REQUIRED unless a redirection URI has been established between | ||||
| the client and authorization server via other means. An | ||||
| absolute URI to which the authorization server will redirect | ||||
| the user-agent to when the end-user authorization step is | ||||
| completed. The authorization server SHOULD require the client | ||||
| to pre-register their redirection URI. Authorization servers | ||||
| MAY restrict the redirection URI to not include a query | ||||
| component as defined by [RFC3986] section 3. | ||||
| state | ||||
| OPTIONAL. An opaque value used by the client to maintain state | ||||
| between the request and callback. The authorization server | ||||
| includes this value when redirecting the user-agent back to the | ||||
| client. | ||||
| scope | ||||
| OPTIONAL. The scope of the access request expressed as a list | ||||
| of space-delimited strings. The value of the "scope" parameter | ||||
| is defined by the authorization server. If the value contains | ||||
| multiple space-delimited strings, their order does not matter, | ||||
| and each string adds an additional access range to the | ||||
| requested scope. | ||||
| immediate | ||||
| OPTIONAL. The parameter value must be set to "true" or | ||||
| "false". If set to "true", the authorization server MUST NOT | ||||
| prompt the end-user to authenticate or approve access. | ||||
| Instead, the authorization server attempts to establish the | ||||
| end-user's identity via other means (e.g. browser cookies) and | ||||
| checks if the end-user has previously approved an identical | ||||
| access request by the same client and if that access grant is | ||||
| still active. If the authorization server does not support an | ||||
| immediate check or if it is unable to establish the end-user's | ||||
| identity or approval status, it MUST deny the request without | ||||
| prompting the end-user. Defaults to "false" if omitted. | ||||
| secret_type | ||||
| OPTIONAL. The access token secret type as described by | ||||
| Section 5.3. If omitted, the authorization server will issue a | ||||
| bearer token (an access token without a matching secret) as | ||||
| described by Section 5.2. | ||||
| The client directs the end-user to the constructed URI using an HTTP | ||||
| redirection response, or by other means available to it via the end- | ||||
| user's user-agent. The request MUST use the HTTP "GET" method. | ||||
| For example, the client directs the end-user's user-agent to make the | ||||
| following HTTPS request (line breaks are for display purposes only): | ||||
| GET /authorize?type=user_agent&client_id=s6BhdRkqt3& | ||||
| redirect_uri=https%3A%2F%2FEexample%2Ecom%2Frd HTTP/1.1 | ||||
| Host: server.example.com | ||||
| If the client has previously registered a redirection URI with the | ||||
| authorization server, the authorization server MUST verify that the | ||||
| redirection URI received matches the registered URI associated with | ||||
| the client identifier. | ||||
| The authorization server authenticates the end-user and obtains an | ||||
| authorization decision (by asking the end-user or establishing | ||||
| approval via other means). The authorization server sends the end- | ||||
| user's user-agent to the provided client redirection URI using an | ||||
| HTTP redirection response. | ||||
| 3.5.1.1. End-user Grants Authorization | ||||
| If the end-user authorizes the access request, the authorization | ||||
| server issues an access token and delivers it to the client by adding | ||||
| the following parameters, using the | ||||
| "application/x-www-form-urlencoded" format as defined by | ||||
| [W3C.REC-html40-19980424], to the redirection URI fragment: | ||||
| access_token | ||||
| REQUIRED. The access token. | ||||
| expires_in | ||||
| OPTIONAL. The duration in seconds of the access token | ||||
| lifetime. | ||||
| refresh_token | ||||
| OPTIONAL. The refresh token. | ||||
| state | ||||
| REQUIRED if the "state" parameter was present in the client | ||||
| authorization request. Set to the exact value received from | ||||
| the client. | ||||
| access_token_secret | ||||
| REQUIRED if requested by the client. The corresponding access | ||||
| token secret as requested by the client. | ||||
| For example, the authorization server redirects the end-user's user- | ||||
| agent by sending the following HTTP response: | ||||
| HTTP/1.1 302 Found | ||||
| Location: http://example.com/rd#access_token=FJQbwq9&expires_in=3600 | ||||
| 3.5.1.2. End-user Denies Authorization | ||||
| If the end-user denied the access request, the authorization server | ||||
| responds to the client by adding the following parameters, using the | ||||
| "application/x-www-form-urlencoded" format as defined by | ||||
| [W3C.REC-html40-19980424], to the redirection URI fragment: | ||||
| error | ||||
| REQUIRED. The parameter value MUST be set to "user_denied". | ||||
| state | ||||
| REQUIRED if the "state" parameter was present in the client | ||||
| authorization request. Set to the exact value received from | ||||
| the client. | ||||
| For example, the authorization server responds with the following: | ||||
| HTTP/1.1 302 Found | ||||
| Location: http://example.com/rd#error=user_denied | ||||
| The authorization flow concludes unsuccessfully. To extract the | ||||
| error message, the client follows the steps described in | ||||
| Section 3.5.2. | ||||
| 3.5.2. Client Extracts Access Token | ||||
| The user-agent follows the authorization server redirection response | ||||
| by making an HTTP "GET" request to the URI received in the "Location" | ||||
| HTTP response header. The user-agent SHALL NOT include the fragment | ||||
| component with the request. | ||||
| For example, the user-agent makes the following HTTP "GET" request in | ||||
| response to the redirection directive received from the authorization | ||||
| server: | ||||
| GET /rd HTTP/1.1 | ||||
| Host: example.com | ||||
| The HTTP response to the redirection request returns a web page | ||||
| (typically an HTML page with an embedded script) capable of accessing | ||||
| the full redirection URI including the fragment retained by the user- | ||||
| agent, and extracting the access token (and other parameters) | ||||
| contained in the fragment. | ||||
| 3.6. Web Server Flow | ||||
| The web server flow is a user delegation flow suitable for clients | The web server flow is a user delegation flow suitable for clients | |||
| capable of interacting with the end-user's user-agent (typically a | capable of interacting with the end-user's user-agent (typically a | |||
| web browser) and capable of receiving incoming requests from the | web browser) and capable of receiving incoming requests from the | |||
| authorization server (capable of acting as an HTTP server). | authorization server (capable of acting as an HTTP server). | |||
| +----------+ Client Identifier +---------------+ | +----------+ Client Identifier +---------------+ | |||
| | -+----(A)-- & Redirect URI ------->| | | | -+----(A)-- & Redirect URI ------->| | | |||
| | End-user | | Authorization | | | End-user | | Authorization | | |||
| | at |<---(B)-- User authenticates --->| Server | | | at |<---(B)-- User authenticates --->| Server | | |||
| skipping to change at page 20, line 31 ¶ | skipping to change at page 15, line 24 ¶ | |||
| | | | | | | | | | | |||
| ^ v | | | ^ v | | | |||
| +---------+ | | | +---------+ | | | |||
| | |>---(D)-- Client Credentials, --------' | | | |>---(D)-- Client Credentials, --------' | | |||
| | Web | Verification Code, | | | Web | Verification Code, | | |||
| | Client | & Redirect URI | | | Client | & Redirect URI | | |||
| | | | | | | | | |||
| | |<---(E)------- Access Token -----------------' | | |<---(E)------- Access Token -----------------' | |||
| +---------+ (w/ Optional Refresh Token) | +---------+ (w/ Optional Refresh Token) | |||
| Figure 4 | Figure 3: Web Server Flow | |||
| The web server flow illustrated in Figure 4 includes the following | The web server flow illustrated in Figure 3 includes the following | |||
| steps: | steps: | |||
| (A) The web client initiates the flow by redirecting the end-user's | (A) The web client initiates the flow by redirecting the end-user's | |||
| user-agent to the end-user endpoint with its client identifier | user-agent to the end-user endpoint with its client identifier | |||
| and a redirect URI to which the authorization server will send | and a redirect URI to which the authorization server will send | |||
| the end-user back once authorization is received (or denied). | the end-user back once authorization is received (or denied). | |||
| (B) The authorization server authenticates the end-user (via the | (B) The authorization server authenticates the end-user (via the | |||
| user-agent) and establishes whether the end-user grants or | user-agent) and establishes whether the end-user grants or | |||
| denies the client's access request. | denies the client's access request. | |||
| skipping to change at page 21, line 13 ¶ | skipping to change at page 16, line 5 ¶ | |||
| code for the client to use to obtain an access token. | code for the client to use to obtain an access token. | |||
| (D) The client requests an access token from the authorization | (D) The client requests an access token from the authorization | |||
| server by including its client credentials (identifier and | server by including its client credentials (identifier and | |||
| secret), as well as the verification code received in the | secret), as well as the verification code received in the | |||
| previous step. | previous step. | |||
| (E) The authorization server validates the client credentials and | (E) The authorization server validates the client credentials and | |||
| the verification code and responds back with the access token. | the verification code and responds back with the access token. | |||
| 3.6.1. Client Requests Authorization | 2.5.1. Client Requests Authorization | |||
| In order for the end-user to grant the client access, the client | In order for the end-user to grant the client access, the client | |||
| sends the end-user to the authorization server. The client | sends the end-user to the authorization server. The client | |||
| constructs the request URI by adding the following URI query | constructs the request URI by adding the following URI query | |||
| parameters to the end-user endpoint URI: | parameters to the end-user endpoint URI: | |||
| type | type | |||
| REQUIRED. The parameter value MUST be set to "web_server". | REQUIRED. The parameter value MUST be set to "web_server". | |||
| client_id | client_id | |||
| REQUIRED. The client identifier as described in Section 3.1. | REQUIRED. The client identifier as described in Section 2.1. | |||
| redirect_uri | redirect_uri | |||
| REQUIRED unless a redirection URI has been established between | REQUIRED unless a redirection URI has been established between | |||
| the client and authorization server via other means. An | the client and authorization server via other means. An | |||
| absolute URI to which the authorization server will redirect | absolute URI to which the authorization server will redirect | |||
| the user-agent to when the end-user authorization step is | the user-agent to when the end-user authorization step is | |||
| completed. The authorization server MAY require the client to | completed. The authorization server MAY require the client to | |||
| pre-register their redirection URI. Authorization servers MAY | pre-register their redirection URI. Authorization servers MAY | |||
| restrict the redirection URI to not include a query component | restrict the redirection URI to not include a query component | |||
| as defined by [RFC3986] section 3. | as defined by [RFC3986] section 3. | |||
| skipping to change at page 22, line 41 ¶ | skipping to change at page 17, line 29 ¶ | |||
| redirection URI received matches the registered URI associated with | redirection URI received matches the registered URI associated with | |||
| the client identifier. | the client identifier. | |||
| The authorization server authenticates the end-user and obtains an | The authorization server authenticates the end-user and obtains an | |||
| authorization decision (by asking the end-user or establishing | authorization decision (by asking the end-user or establishing | |||
| approval via other means). The authorization server sends the end- | approval via other means). The authorization server sends the end- | |||
| user's user-agent to the provided client redirection URI using an | user's user-agent to the provided client redirection URI using an | |||
| HTTP redirection response, or by other means available to it via the | HTTP redirection response, or by other means available to it via the | |||
| end-user's user-agent. | end-user's user-agent. | |||
| 3.6.1.1. End-user Grants Authorization | 2.5.1.1. End-user Grants Authorization | |||
| If the end-user authorizes the access request, the authorization | If the end-user authorizes the access request, the authorization | |||
| server generates a verification code and associates it with the | server generates a verification code and associates it with the | |||
| client identifier and redirection URI. The authorization server | client identifier and redirection URI. The authorization server | |||
| constructs the request URI by adding the following parameters to the | constructs the request URI by adding the following parameters to the | |||
| query component of redirection URI provided by the client: | query component of redirection URI provided by the client: | |||
| code | code | |||
| REQUIRED. The verification code generated by the authorization | REQUIRED. The verification code generated by the authorization | |||
| server. | server. | |||
| skipping to change at page 23, line 29 ¶ | skipping to change at page 18, line 17 ¶ | |||
| HTTP/1.1 302 Found | HTTP/1.1 302 Found | |||
| Location: https://client.example.com/cb?code=i1WsRn1uB1 | Location: https://client.example.com/cb?code=i1WsRn1uB1 | |||
| In turn, the end-user's user-agent makes the following HTTPS "GET" | In turn, the end-user's user-agent makes the following HTTPS "GET" | |||
| request: | request: | |||
| GET /cb?code=i1WsRn1uB1 HTTP/1.1 | GET /cb?code=i1WsRn1uB1 HTTP/1.1 | |||
| Host: client.example.com | Host: client.example.com | |||
| 3.6.1.2. End-user Denies Authorization | 2.5.1.2. End-user Denies Authorization | |||
| If the end-user denied the access request, the authorization server | If the end-user denied the access request, the authorization server | |||
| constructs the request URI by adding the following parameters to the | constructs the request URI by adding the following parameters to the | |||
| query component of the redirection URI provided by the client: | query component of the redirection URI provided by the client: | |||
| error | error | |||
| REQUIRED. The parameter value MUST be set to "user_denied". | REQUIRED. The parameter value MUST be set to "user_denied". | |||
| state | state | |||
| REQUIRED if the "state" parameter was present in the client | REQUIRED if the "state" parameter was present in the client | |||
| skipping to change at page 24, line 7 ¶ | skipping to change at page 18, line 39 ¶ | |||
| the client. | the client. | |||
| For example, the authorization server directs the client to make the | For example, the authorization server directs the client to make the | |||
| following HTTP request: | following HTTP request: | |||
| GET /cb?error=user_denied HTTP/1.1 | GET /cb?error=user_denied HTTP/1.1 | |||
| Host: client.example.com | Host: client.example.com | |||
| The authorization flow concludes unsuccessfully. | The authorization flow concludes unsuccessfully. | |||
| 3.6.2. Client Requests Access Token | 2.5.2. Client Requests Access Token | |||
| The client obtains an access token from the authorization server by | The client obtains an access token from the authorization server by | |||
| making an HTTP "POST" request to the token endpoint. The client | making an HTTP "POST" request to the token endpoint. The client | |||
| constructs a request URI by adding the following parameters to the | constructs a request URI by adding the following parameters to the | |||
| request: | request: | |||
| type | type | |||
| REQUIRED. The parameter value MUST be set to "web_server". | REQUIRED. The parameter value MUST be set to "web_server". | |||
| client_id | client_id | |||
| REQUIRED. The client identifier as described in Section 3.1. | REQUIRED. The client identifier as described in Section 2.1. | |||
| client_secret | client_secret | |||
| REQUIRED if the client identifier has a matching secret. The | REQUIRED if the client identifier has a matching secret. The | |||
| client secret as described in Section 3.1. | client secret as described in Section 2.1. | |||
| code | code | |||
| REQUIRED. The verification code received from the | REQUIRED. The verification code received from the | |||
| authorization server. | authorization server. | |||
| redirect_uri | redirect_uri | |||
| REQUIRED. The redirection URI used in the initial request. | REQUIRED. The redirection URI used in the initial request. | |||
| secret_type | ||||
| OPTIONAL. The access token secret type as described by | ||||
| Section 5.3. If omitted, the authorization server will issue a | ||||
| bearer token (an access token without a matching secret) as | ||||
| described by Section 5.2. | ||||
| format | format | |||
| OPTIONAL. The response format requested by the client. Value | OPTIONAL. The response format requested by the client. Value | |||
| MUST be one of "json", "xml", or "form". Defaults to "json" if | MUST be one of "json", "xml", or "form". Alternatively, the | |||
| no omitted. | client MAY use the HTTP "Accept" header field with the desired | |||
| media type. Defaults to "json" if omitted and no "Accept" | ||||
| header field is present. | ||||
| For example, the client makes the following HTTPS request (line | For example, the client makes the following HTTPS request (line | |||
| breaks are for display purposes only): | breaks are for display purposes only): | |||
| POST /token HTTP/1.1 | POST /token HTTP/1.1 | |||
| Host: server.example.com | Host: server.example.com | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| type=web_server&client_id=s6BhdRkqt3& | type=web_server&client_id=s6BhdRkqt3& | |||
| client_secret=gX1fBat3bV&code=i1WsRn1uB1& | client_secret=gX1fBat3bV&code=i1WsRn1uB1& | |||
| redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb | redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb | |||
| The authorization server MUST verify that the verification code, | The authorization server MUST verify that the verification code, | |||
| client identity, client secret, and redirection URI are all valid and | client identity, client secret, and redirection URI are all valid and | |||
| match its stored association. If the request is valid, the | match its stored association. If the request is valid, the | |||
| authorization server issues a successful response as described in | authorization server issues a successful response as described in | |||
| Section 3.3.2.1. | Section 2.3.2.1. | |||
| For example: | For example: | |||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "access_token":"SlAV32hkKG", | "access_token":"SlAV32hkKG", | |||
| "expires_in":3600, | "expires_in":3600, | |||
| "refresh_token":"8xLOxBtZp8" | "refresh_token":"8xLOxBtZp8" | |||
| } | } | |||
| If the request is invalid, the authorization server returns an error | If the request is invalid, the authorization server returns an error | |||
| response as described in Section 3.3.2.2 with one of the following | response as described in Section 2.3.2.2 with one of the following | |||
| error codes: | error codes: | |||
| o "redirect_uri_mismatch" | o "redirect_uri_mismatch" | |||
| o "bad_verification_code" | o "bad_verification_code" | |||
| o "incorrect_client_credentials" | o "incorrect_client_credentials" | |||
| For example: | For example: | |||
| HTTP/1.1 400 Bad Request | HTTP/1.1 400 Bad Request | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "error":"incorrect_client_credentials" | "error":"incorrect_client_credentials" | |||
| } | } | |||
| 3.7. Device Flow | 2.6. User-Agent Flow | |||
| The user-agent flow is a user delegation flow suitable for client | ||||
| applications residing in a user-agent, typically implemented in a | ||||
| browser using a scripting language such as JavaScript. These clients | ||||
| cannot keep client secrets confidential and the authentication of the | ||||
| client is based on the user-agent's same-origin policy. | ||||
| Unlike other flows in which the client makes separate authorization | ||||
| and access token requests, the client received the access token as a | ||||
| result of the authorization request in the form of an HTTP | ||||
| redirection. The client requests the authorization server to | ||||
| redirect the user-agent to another web server or local resource | ||||
| accessible to the browser which is capable of extracting the access | ||||
| token from the response and passing it to the client. | ||||
| This user-agent flow does not utilize the client secret since the | ||||
| client executables reside on the end-user's computer or device which | ||||
| makes the client secret accessible and exploitable. Because the | ||||
| access token is encoded into the redirection URI, it may be exposed | ||||
| to the end-user and other applications residing on the computer or | ||||
| device. | ||||
| +----------+ Client Identifier +----------------+ | ||||
| | |>---(A)-- & Redirection URI --->| | | ||||
| | | | | | ||||
| End <--+ - - - +----(B)-- User authenticates -->| Authorization | | ||||
| User | | | Server | | ||||
| | |<---(C)-- Redirect URI --------<| | | ||||
| | Client | with Access Token | | | ||||
| | in | (w/ Optional Refresh Token) +----------------+ | ||||
| | Browser | in Fragment | ||||
| | | +----------------+ | ||||
| | |>---(D)-- Redirect URI -------->| | | ||||
| | | without Fragment | Web Server | | ||||
| | | | with Client | | ||||
| | (F) |<---(E)-- Web Page with -------<| Resource | | ||||
| | Access | Script | | | ||||
| | Token | +----------------+ | ||||
| +----------+ | ||||
| Figure 4: User-Agent Flow | ||||
| The user-agent flow illustrated in Figure 4 includes the following | ||||
| steps: | ||||
| (A) The client sends the user-agent to the authorization server and | ||||
| includes its client identifier and redirection URI in the | ||||
| request. | ||||
| (B) The authorization server authenticates the end-user (via the | ||||
| user-agent) and establishes whether the end-user grants or | ||||
| denies the client's access request. | ||||
| (C) Assuming the end-user granted access, the authorization server | ||||
| redirects the user-agent to the redirection URI provided | ||||
| earlier. The redirection URI includes the access token in the | ||||
| URI fragment. | ||||
| (D) The user-agent follows the redirection instructions by making a | ||||
| request to the web server which does not include the fragment. | ||||
| The user-agent retains the fragment information locally. | ||||
| (E) The web server returns a web page containing a script capable of | ||||
| extracting the access token from the URI fragment retained by | ||||
| the user-agent. | ||||
| (F) The user-agent executes the script provided by the web server | ||||
| which extracts the access token and passes it to the client. | ||||
| 2.6.1. Client Requests Authorization | ||||
| In order for the end-user to grant the client access, the client | ||||
| sends the end-user to the authorization server. The client | ||||
| constructs the request URI by adding the following URI query | ||||
| parameters to the end-user endpoint URI: | ||||
| type | ||||
| REQUIRED. The parameter value MUST be set to "user_agent". | ||||
| client_id | ||||
| REQUIRED. The client identifier as described in Section 2.1. | ||||
| redirect_uri | ||||
| REQUIRED unless a redirection URI has been established between | ||||
| the client and authorization server via other means. An | ||||
| absolute URI to which the authorization server will redirect | ||||
| the user-agent to when the end-user authorization step is | ||||
| completed. The authorization server SHOULD require the client | ||||
| to pre-register their redirection URI. Authorization servers | ||||
| MAY restrict the redirection URI to not include a query | ||||
| component as defined by [RFC3986] section 3. | ||||
| state | ||||
| OPTIONAL. An opaque value used by the client to maintain state | ||||
| between the request and callback. The authorization server | ||||
| includes this value when redirecting the user-agent back to the | ||||
| client. | ||||
| scope | ||||
| OPTIONAL. The scope of the access request expressed as a list | ||||
| of space-delimited strings. The value of the "scope" parameter | ||||
| is defined by the authorization server. If the value contains | ||||
| multiple space-delimited strings, their order does not matter, | ||||
| and each string adds an additional access range to the | ||||
| requested scope. | ||||
| immediate | ||||
| OPTIONAL. The parameter value must be set to "true" or | ||||
| "false". If set to "true", the authorization server MUST NOT | ||||
| prompt the end-user to authenticate or approve access. | ||||
| Instead, the authorization server attempts to establish the | ||||
| end-user's identity via other means (e.g. browser cookies) and | ||||
| checks if the end-user has previously approved an identical | ||||
| access request by the same client and if that access grant is | ||||
| still active. If the authorization server does not support an | ||||
| immediate check or if it is unable to establish the end-user's | ||||
| identity or approval status, it MUST deny the request without | ||||
| prompting the end-user. Defaults to "false" if omitted. | ||||
| The client directs the end-user to the constructed URI using an HTTP | ||||
| redirection response, or by other means available to it via the end- | ||||
| user's user-agent. The request MUST use the HTTP "GET" method. | ||||
| For example, the client directs the end-user's user-agent to make the | ||||
| following HTTPS request (line breaks are for display purposes only): | ||||
| GET /authorize?type=user_agent&client_id=s6BhdRkqt3& | ||||
| redirect_uri=https%3A%2F%2FEexample%2Ecom%2Frd HTTP/1.1 | ||||
| Host: server.example.com | ||||
| If the client has previously registered a redirection URI with the | ||||
| authorization server, the authorization server MUST verify that the | ||||
| redirection URI received matches the registered URI associated with | ||||
| the client identifier. | ||||
| The authorization server authenticates the end-user and obtains an | ||||
| authorization decision (by asking the end-user or establishing | ||||
| approval via other means). The authorization server sends the end- | ||||
| user's user-agent to the provided client redirection URI using an | ||||
| HTTP redirection response. | ||||
| 2.6.1.1. End-user Grants Authorization | ||||
| If the end-user authorizes the access request, the authorization | ||||
| server issues an access token and delivers it to the client by adding | ||||
| the following parameters, using the | ||||
| "application/x-www-form-urlencoded" format as defined by | ||||
| [W3C.REC-html401-19991224], to the redirection URI fragment: | ||||
| access_token | ||||
| REQUIRED. The access token. | ||||
| expires_in | ||||
| OPTIONAL. The duration in seconds of the access token | ||||
| lifetime. | ||||
| refresh_token | ||||
| OPTIONAL. The refresh token. | ||||
| state | ||||
| REQUIRED if the "state" parameter was present in the client | ||||
| authorization request. Set to the exact value received from | ||||
| the client. | ||||
| For example, the authorization server redirects the end-user's user- | ||||
| agent by sending the following HTTP response: | ||||
| HTTP/1.1 302 Found | ||||
| Location: http://example.com/rd#access_token=FJQbwq9&expires_in=3600 | ||||
| 2.6.1.2. End-user Denies Authorization | ||||
| If the end-user denied the access request, the authorization server | ||||
| responds to the client by adding the following parameters, using the | ||||
| "application/x-www-form-urlencoded" format as defined by | ||||
| [W3C.REC-html401-19991224], to the redirection URI fragment: | ||||
| error | ||||
| REQUIRED. The parameter value MUST be set to "user_denied". | ||||
| state | ||||
| REQUIRED if the "state" parameter was present in the client | ||||
| authorization request. Set to the exact value received from | ||||
| the client. | ||||
| For example, the authorization server responds with the following: | ||||
| HTTP/1.1 302 Found | ||||
| Location: http://example.com/rd#error=user_denied | ||||
| The authorization flow concludes unsuccessfully. To extract the | ||||
| error message, the client follows the steps described in | ||||
| Section 2.6.2. | ||||
| 2.6.2. Client Extracts Access Token | ||||
| The user-agent follows the authorization server redirection response | ||||
| by making an HTTP "GET" request to the URI received in the "Location" | ||||
| HTTP response header. The user-agent SHALL NOT include the fragment | ||||
| component with the request. | ||||
| For example, the user-agent makes the following HTTP "GET" request in | ||||
| response to the redirection directive received from the authorization | ||||
| server: | ||||
| GET /rd HTTP/1.1 | ||||
| Host: example.com | ||||
| The HTTP response to the redirection request returns a web page | ||||
| (typically an HTML page with an embedded script) capable of accessing | ||||
| the full redirection URI including the fragment retained by the user- | ||||
| agent, and extracting the access token (and other parameters) | ||||
| contained in the fragment. | ||||
| 2.7. Device Flow | ||||
| The device flow is a user delegation flow suitable for clients | The device flow is a user delegation flow suitable for clients | |||
| executing on devices which do not have an easy data-entry method | executing on devices which do not have an easy data-entry method | |||
| (e.g. game consoles or media hub), but where the end-user has | (e.g. game consoles or media hub), but where the end-user has | |||
| separate access to a user-agent on another computer or device (e.g. | separate access to a user-agent on another computer or device (e.g. | |||
| home computer, a laptop, or a smart phone). The client is incapable | home computer, a laptop, or a smart phone). The client is incapable | |||
| of receiving incoming requests from the authorization server | of receiving incoming requests from the authorization server | |||
| (incapable of acting as an HTTP server). | (incapable of acting as an HTTP server). | |||
| Instead of interacting with the end-user's user-agent, the client | Instead of interacting with the end-user's user-agent, the client | |||
| instructs the end-user to use another computer or device and connect | instructs the end-user to use another computer or device and connect | |||
| to the authorization server to approve the access request. Since the | to the authorization server to approve the access request. Since the | |||
| client cannot receive incoming requests, it polls the authorization | client cannot receive incoming requests, it polls the authorization | |||
| server repeatedly until the end-user completes the approval process. | server repeatedly until the end-user completes the approval process. | |||
| skipping to change at page 26, line 44 ¶ | skipping to change at page 26, line 30 ¶ | |||
| : | | | : | | | |||
| (C) User Code & Verification URI | | | (C) User Code & Verification URI | | | |||
| : | | | : | | | |||
| v | | | v | | | |||
| +----------+ | | | +----------+ | | | |||
| | End-user | | | | | End-user | | | | |||
| | at |<---(D)-- User authenticates -->| | | | at |<---(D)-- User authenticates -->| | | |||
| | Browser | | | | | Browser | | | | |||
| +----------+ +----------------+ | +----------+ +----------------+ | |||
| Figure 5 | Figure 5: Device Flow | |||
| The device flow illustrated in Figure 5 includes the following steps: | The device flow illustrated in Figure 5 includes the following steps: | |||
| (A) The client requests access from the authorization server and | (A) The client requests access from the authorization server and | |||
| includes its client identifier in the request. | includes its client identifier in the request. | |||
| (B) The authorization server issues a verification code, an end-user | (B) The authorization server issues a verification code, an end-user | |||
| code, and provides the end-user verification URI. | code, and provides the end-user verification URI. | |||
| (C) The client instructs the end-user to use its user-agent | (C) The client instructs the end-user to use its user-agent | |||
| skipping to change at page 27, line 33 ¶ | skipping to change at page 27, line 15 ¶ | |||
| (E) While the end-user authorizes (or denies) the client's request | (E) While the end-user authorizes (or denies) the client's request | |||
| (D), the client repeatedly polls the authorization server to | (D), the client repeatedly polls the authorization server to | |||
| find out if the end-user completed the end-user authorization | find out if the end-user completed the end-user authorization | |||
| step. The client includes the verification code and its client | step. The client includes the verification code and its client | |||
| identifier. | identifier. | |||
| (F) Assuming the end-user granted access, the authorization server | (F) Assuming the end-user granted access, the authorization server | |||
| validates the verification code provided by the client and | validates the verification code provided by the client and | |||
| responds back with the access token. | responds back with the access token. | |||
| 3.7.1. Client Requests Authorization | 2.7.1. Client Requests Authorization | |||
| The client initiates the flow by requesting a set of verification | The client initiates the flow by requesting a set of verification | |||
| codes from the authorization server by making an HTTP "POST" request | codes from the authorization server by making an HTTP "POST" request | |||
| to the token endpoint. The client constructs a request URI by adding | to the token endpoint. The client constructs a request URI by adding | |||
| the following parameters to the request: | the following parameters to the request: | |||
| type | type | |||
| REQUIRED. The parameter value MUST be set to "device_code". | REQUIRED. The parameter value MUST be set to "device_code". | |||
| client_id | client_id | |||
| REQUIRED. The client identifier as described in Section 3.1. | REQUIRED. The client identifier as described in Section 2.1. | |||
| scope | scope | |||
| OPTIONAL. The scope of the access request expressed as a list | OPTIONAL. The scope of the access request expressed as a list | |||
| of space-delimited strings. The value of the "scope" parameter | of space-delimited strings. The value of the "scope" parameter | |||
| is defined by the authorization server. If the value contains | is defined by the authorization server. If the value contains | |||
| multiple space-delimited strings, their order does not matter, | multiple space-delimited strings, their order does not matter, | |||
| and each string adds an additional access range to the | and each string adds an additional access range to the | |||
| requested scope. | requested scope. | |||
| format | format | |||
| OPTIONAL. The response format requested by the client. Value | OPTIONAL. The response format requested by the client. Value | |||
| MUST be one of "json", "xml", or "form". Defaults to "json" if | MUST be one of "json", "xml", or "form". Alternatively, the | |||
| no omitted. | client MAY use the HTTP "Accept" header field with the desired | |||
| media type. Defaults to "json" if omitted and no "Accept" | ||||
| header field is present. | ||||
| For example, the client makes the following HTTPS request (line | For example, the client makes the following HTTPS request (line | |||
| breaks are for display purposes only): | breaks are for display purposes only): | |||
| POST /token?type=device_code&client_id=s6BhdRkqt3 | POST /token HTTP/1.1 | |||
| HTTP/1.1 | ||||
| Host: server.example.com | Host: server.example.com | |||
| Content-Type: application/x-www-form-urlencoded | ||||
| type=device_code&client_id=s6BhdRkqt3 | ||||
| In response, the authorization server generates a verification code | In response, the authorization server generates a verification code | |||
| and an end-user code and includes them in the HTTP response body | and an end-user code and includes them in the HTTP response body | |||
| using the "application/json" format as described by Section 3.3.2 | using the "application/json" format as described by Section 2.3.2 | |||
| with a 200 status code (OK). The response contains the following | with a 200 status code (OK). The response contains the following | |||
| parameters: | parameters: | |||
| code | code | |||
| REQUIRED. The verification code. | REQUIRED. The verification code. | |||
| user_code | user_code | |||
| REQUIRED. The end-user code. | REQUIRED. The end-user code. | |||
| verification_uri | verification_uri | |||
| skipping to change at page 29, line 29 ¶ | skipping to change at page 29, line 8 ¶ | |||
| URI to the end-user, and instructs the end-user to visit the URI | URI to the end-user, and instructs the end-user to visit the URI | |||
| using a user-agent and enter the end-user code. | using a user-agent and enter the end-user code. | |||
| The end-user manually types the provided verification URI and | The end-user manually types the provided verification URI and | |||
| authenticates with the authorization server. The authorization | authenticates with the authorization server. The authorization | |||
| server prompts the end-user to authorize the client's request by | server prompts the end-user to authorize the client's request by | |||
| entering the end-user code provided by the client. Once the end-user | entering the end-user code provided by the client. Once the end-user | |||
| approves or denies the request, the authorization server informs the | approves or denies the request, the authorization server informs the | |||
| end-user to return to the device for further instructions. | end-user to return to the device for further instructions. | |||
| 3.7.2. Client Requests Access Token | 2.7.2. Client Requests Access Token | |||
| Since the client is unable to receive incoming requests from the | Since the client is unable to receive incoming requests from the | |||
| authorization server, it polls the authorization server repeatedly | authorization server, it polls the authorization server repeatedly | |||
| until the end-user grants or denies the request, or the verification | until the end-user grants or denies the request, or the verification | |||
| code expires. | code expires. | |||
| The client makes the following request at an arbitrary but reasonable | The client makes the following request at an arbitrary but reasonable | |||
| interval which MUST NOT exceed the minimum interval rate provided by | interval which MUST NOT exceed the minimum interval rate provided by | |||
| the authorization server (if present via the "interval" parameter). | the authorization server (if present via the "interval" parameter). | |||
| Alternatively, the client MAY provide a user interface for the end- | Alternatively, the client MAY provide a user interface for the end- | |||
| user to manually inform it when authorization was granted. | user to manually inform it when authorization was granted. | |||
| The client requests an access token by making an HTTP "POST" request | The client requests an access token by making an HTTP "POST" request | |||
| to the token endpoint. The client constructs a request URI by adding | to the token endpoint. The client constructs a request URI by adding | |||
| the following parameters to the request: | the following parameters to the request: | |||
| type | type | |||
| REQUIRED. The parameter value MUST be set to "device_token". | REQUIRED. The parameter value MUST be set to "device_token". | |||
| client_id | client_id | |||
| REQUIRED. The client identifier as described in Section 3.1. | REQUIRED. The client identifier as described in Section 2.1. | |||
| code | code | |||
| The verification code received from the authorization server. | REQUIRED. The verification code received from the | |||
| authorization server. | ||||
| secret_type | ||||
| OPTIONAL. The access token secret type as described by | ||||
| Section 5.3. If omitted, the authorization server will issue a | ||||
| bearer token (an access token without a matching secret) as | ||||
| described by Section 5.2. | ||||
| format | format | |||
| OPTIONAL. The response format requested by the client. Value | OPTIONAL. The response format requested by the client. Value | |||
| MUST be one of "json", "xml", or "form". Defaults to "json" if | MUST be one of "json", "xml", or "form". Alternatively, the | |||
| no omitted. | client MAY use the HTTP "Accept" header field with the desired | |||
| media type. Defaults to "json" if omitted and no "Accept" | ||||
| header field is present. | ||||
| For example, the client makes the following HTTPS request (line | For example, the client makes the following HTTPS request (line | |||
| breaks are for display purposes only): | breaks are for display purposes only): | |||
| POST /token?type=device_token&client_id=s6BhdRkqt3 | POST /token HTTP/1.1 | |||
| &code=74tq5miHKB HTTP/1.1 | ||||
| Host: server.example.com | Host: server.example.com | |||
| Content-Type: application/x-www-form-urlencoded | ||||
| type=device_token&client_id=s6BhdRkqt3 | ||||
| &code=74tq5miHKB | ||||
| If the end-user authorized the request, the authorization server | If the end-user authorized the request, the authorization server | |||
| issues an access token response as described in Section 3.3.2.1. | issues an access token response as described in Section 2.3.2.1. | |||
| For example: | For example: | |||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "access_token":"SlAV32hkKG", | "access_token":"SlAV32hkKG", | |||
| "expires_in":3600, | "expires_in":3600, | |||
| "refresh_token":"8xLOxBtZp8" | "refresh_token":"8xLOxBtZp8" | |||
| } | } | |||
| If the request is invalid, the authorization server returns an error | If the request is invalid, the authorization server returns an error | |||
| response as described in Section 3.3.2.2 with one of the following | response as described in Section 2.3.2.2 with one of the following | |||
| error codes: | error codes: | |||
| o "authorization_declined" | o "authorization_declined" | |||
| o "bad_verification_code" | o "bad_verification_code" | |||
| For example: | For example: | |||
| HTTP/1.1 400 Bad Request | HTTP/1.1 400 Bad Request | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "error":"authorization_declined" | "error":"authorization_declined" | |||
| } | } | |||
| If the end-user authorization is pending or expired without receiving | If the end-user authorization is pending or expired without receiving | |||
| any response from the end-user, or the client is exceeding the | any response from the end-user, or the client is exceeding the | |||
| allowed polling interval, the authorization server returns an error | allowed polling interval, the authorization server returns an error | |||
| response as described in Section 3.3.2.2 with one of the following | response as described in Section 2.3.2.2 with one of the following | |||
| error codes: | error codes: | |||
| o "'authorization_pending" | o "'authorization_pending" | |||
| o "slow_down" | o "slow_down" | |||
| o "code_expired" | o "code_expired" | |||
| For example: | For example: | |||
| HTTP/1.1 400 Bad Request | HTTP/1.1 400 Bad Request | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "error":"authorization_pending" | "error":"authorization_pending" | |||
| } | } | |||
| 3.8. Username and Password Flow | 2.8. Username and Password Flow | |||
| The username and password flow is suitable for clients capable of | The username and password flow is suitable for clients capable of | |||
| asking end-users for their usernames and passwords. It is also used | asking end-users for their usernames and passwords. It is also used | |||
| to migrate existing clients using direct authentication schemes such | to migrate existing clients using direct authentication schemes such | |||
| as HTTP Basic or Digest authentication to OAuth by converting the | as HTTP Basic or Digest authentication to OAuth by converting the | |||
| end-user credentials stored with tokens. | end-user credentials stored with tokens. | |||
| However, unlike the HTTP Basic authentication scheme defined in | However, unlike the HTTP Basic authentication scheme defined in | |||
| [RFC2617], the end-user's credentials are used in a single request | [RFC2617], the end-user's credentials are used in a single request | |||
| and are exchanged for an access token and refresh token which | and are exchanged for an access token and refresh token which | |||
| skipping to change at page 32, line 35 ¶ | skipping to change at page 32, line 19 ¶ | |||
| : | : | |||
| v | v | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| | | Client Credentials | | | | | Client Credentials | | | |||
| | |>--(B)--- & User Credentials ---->| Authorization | | | |>--(B)--- & User Credentials ---->| Authorization | | |||
| | Client | | Server | | | Client | | Server | | |||
| | |<--(C)---- Access Token ---------<| | | | |<--(C)---- Access Token ---------<| | | |||
| | | (w/ Optional Refresh Token) | | | | | (w/ Optional Refresh Token) | | | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| Figure 6 | Figure 6: Username and Password Flow | |||
| The username and password flow illustrated in Figure 6 includes the | The username and password flow illustrated in Figure 6 includes the | |||
| following steps: | following steps: | |||
| (A) The end-user provides the client with its username and password. | (A) The end-user provides the client with its username and password. | |||
| (B) The client sends an access token request to the authorization | (B) The client sends an access token request to the authorization | |||
| server and includes its client identifier and client secret, and | server and includes its client identifier and client secret, and | |||
| the end-user's username and password. | the end-user's username and password. | |||
| (C) The authorization server validates the end-user credentials and | (C) The authorization server validates the end-user credentials and | |||
| the client credentials and issues an access token. | the client credentials and issues an access token. | |||
| 3.8.1. Client Requests Access Token | 2.8.1. Client Requests Access Token | |||
| The client requests an access token by making an HTTP "POST" request | The client requests an access token by making an HTTP "POST" request | |||
| to the token endpoint. The client constructs a request URI by adding | to the token endpoint. The client constructs a request URI by adding | |||
| the following parameters to the request: | the following parameters to the request: | |||
| type | type | |||
| REQUIRED. The parameter value MUST be set to "username". | REQUIRED. The parameter value MUST be set to "username". | |||
| client_id | client_id | |||
| REQUIRED. The client identifier as described in Section 3.1. | REQUIRED. The client identifier as described in Section 2.1. | |||
| client_secret | client_secret | |||
| REQUIRED. The client secret as described in Section 3.1. | REQUIRED. The client secret as described in Section 2.1. | |||
| OPTIONAL if no client secret was issued. | OPTIONAL if no client secret was issued. | |||
| username | username | |||
| REQUIRED. The end-user's username. | REQUIRED. The end-user's username. | |||
| password | password | |||
| REQUIRED. The end-user's password. | REQUIRED. The end-user's password. | |||
| scope | scope | |||
| OPTIONAL. The scope of the access request expressed as a list | OPTIONAL. The scope of the access request expressed as a list | |||
| of space-delimited strings. The value of the "scope" parameter | of space-delimited strings. The value of the "scope" parameter | |||
| is defined by the authorization server. If the value contains | is defined by the authorization server. If the value contains | |||
| multiple space-delimited strings, their order does not matter, | multiple space-delimited strings, their order does not matter, | |||
| and each string adds an additional access range to the | and each string adds an additional access range to the | |||
| requested scope. | requested scope. | |||
| secret_type | ||||
| OPTIONAL. The access token secret type as described by | ||||
| Section 5.3. If omitted, the authorization server will issue a | ||||
| bearer token (an access token without a matching secret) as | ||||
| described by Section 5.2. | ||||
| format | format | |||
| OPTIONAL. The response format requested by the client. Value | OPTIONAL. The response format requested by the client. Value | |||
| MUST be one of "json", "xml", or "form". Defaults to "json" if | MUST be one of "json", "xml", or "form". Alternatively, the | |||
| no omitted. | client MAY use the HTTP "Accept" header field with the desired | |||
| media type. Defaults to "json" if omitted and no "Accept" | ||||
| header field is present. | ||||
| For example, the client makes the following HTTPS request (line | For example, the client makes the following HTTPS request (line | |||
| breaks are for display purposes only): | breaks are for display purposes only): | |||
| POST /token HTTP/1.1 | POST /token HTTP/1.1 | |||
| Host: server.example.com | Host: server.example.com | |||
| Content-Type: application/x-www-form-urlencoded | ||||
| type=username&client_id=s6BhdRkqt3&client_secret= | type=username&client_id=s6BhdRkqt3&client_secret= | |||
| 47HDu8s&username=johndoe&password=A3ddj3w | 47HDu8s&username=johndoe&password=A3ddj3w | |||
| The authorization server MUST validate the client credentials and | The authorization server MUST validate the client credentials and | |||
| end-user credentials and if valid issues an access token response as | end-user credentials and if valid issues an access token response as | |||
| described in Section 3.3.2.1. | described in Section 2.3.2.1. | |||
| For example: | For example: | |||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "access_token":"SlAV32hkKG", | "access_token":"SlAV32hkKG", | |||
| "expires_in":3600, | "expires_in":3600, | |||
| skipping to change at page 34, line 28 ¶ | skipping to change at page 34, line 4 ¶ | |||
| For example: | For example: | |||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "access_token":"SlAV32hkKG", | "access_token":"SlAV32hkKG", | |||
| "expires_in":3600, | "expires_in":3600, | |||
| "refresh_token":"8xLOxBtZp8" | "refresh_token":"8xLOxBtZp8" | |||
| } | } | |||
| If the request is invalid, the authorization server returns an error | If the request is invalid, the authorization server returns an error | |||
| response as described in Section 3.3.2.2 with one of the following | response as described in Section 2.3.2.2 with one of the following | |||
| error codes: | error codes: | |||
| o "incorrect_client_credentials" | o "incorrect_client_credentials" | |||
| o "unauthorized_client'" - The client is not permitted to use this | o "unauthorized_client'" - The client is not permitted to use this | |||
| flow. | flow. | |||
| For example: | For example: | |||
| HTTP/1.1 400 Bad Request | HTTP/1.1 400 Bad Request | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "error":"incorrect_client_credentials" | "error":"incorrect_client_credentials" | |||
| } | } | |||
| 3.9. Client Credentials Flow | 2.9. Client Credentials Flow | |||
| The client credentials flow is used when the client acts on behalf of | The client credentials flow is used when the client acts on behalf of | |||
| itself (the client is the resource owner), or when the client | itself (the client is the resource owner), or when the client | |||
| credentials are used to obtain an access token representing a | credentials are used to obtain an access token representing a | |||
| previously established access authorization. The client secret is | previously established access authorization. The client secret is | |||
| assumed to be high-entropy since it is not designed to be memorized | assumed to be high-entropy since it is not designed to be memorized | |||
| by an end-user. | by an end-user. | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| | | | | | | | | | | |||
| | |>--(A)--- Client Credentials ---->| Authorization | | | |>--(A)--- Client Credentials ---->| Authorization | | |||
| | Client | | Server | | | Client | | Server | | |||
| | |<--(B)---- Access Token ---------<| | | | |<--(B)---- Access Token ---------<| | | |||
| | | (w/ Optional Refresh Token) | | | | | (w/ Optional Refresh Token) | | | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| Figure 7 | Figure 7: Client Credentials Flow | |||
| The client credential flow illustrated in Figure 7 includes the | The client credential flow illustrated in Figure 7 includes the | |||
| following steps: | following steps: | |||
| (A) The client sends an access token request to the authorization | (A) The client sends an access token request to the authorization | |||
| server and includes its client identifier and client secret. | server and includes its client identifier and client secret. | |||
| (B) The authorization server validates the client credentials and | (B) The authorization server validates the client credentials and | |||
| issues an access token. | issues an access token. | |||
| 3.9.1. Client Requests Access Token | 2.9.1. Client Requests Access Token | |||
| The client requests an access token by making an HTTP "POST" request | The client requests an access token by making an HTTP "POST" request | |||
| to the token endpoint. The client constructs a request URI by adding | to the token endpoint. The client constructs a request URI by adding | |||
| the following parameters to the request: | the following parameters to the request: | |||
| type | type | |||
| REQUIRED. The parameter value MUST be set to | REQUIRED. The parameter value MUST be set to | |||
| "client_credentials". | "client_credentials". | |||
| client_id | client_id | |||
| REQUIRED. The client identifier as described in Section 3.1. | REQUIRED. The client identifier as described in Section 2.1. | |||
| client_secret | client_secret | |||
| REQUIRED. The client secret as described in Section 3.1. | REQUIRED. The client secret as described in Section 2.1. | |||
| scope | scope | |||
| OPTIONAL. The scope of the access request expressed as a list | OPTIONAL. The scope of the access request expressed as a list | |||
| of space-delimited strings. The value of the "scope" parameter | of space-delimited strings. The value of the "scope" parameter | |||
| is defined by the authorization server. If the value contains | is defined by the authorization server. If the value contains | |||
| multiple space-delimited strings, their order does not matter, | multiple space-delimited strings, their order does not matter, | |||
| and each string adds an additional access range to the | and each string adds an additional access range to the | |||
| requested scope. | requested scope. | |||
| secret_type | ||||
| OPTIONAL. The access token secret type as described by | ||||
| Section 5.3. If omitted, the authorization server will issue a | ||||
| bearer token (an access token without a matching secret) as | ||||
| described by Section 5.2. | ||||
| format | format | |||
| OPTIONAL. The response format requested by the client. Value | OPTIONAL. The response format requested by the client. Value | |||
| MUST be one of "json", "xml", or "form". Defaults to "json" if | MUST be one of "json", "xml", or "form". Alternatively, the | |||
| no omitted. | client MAY use the HTTP "Accept" header field with the desired | |||
| media type. Defaults to "json" if omitted and no "Accept" | ||||
| header field is present. | ||||
| For example, the client makes the following HTTPS request: | For example, the client makes the following HTTPS request: | |||
| POST /token HTTP/1.1 | POST /token HTTP/1.1 | |||
| Host: server.example.com | Host: server.example.com | |||
| Content-Type: application/x-www-form-urlencoded | ||||
| type=client_credentials&client_id=s6BhdRkqt3&client_secret=47HDu8s | type=client_credentials&client_id=s6BhdRkqt3&client_secret=47HDu8s | |||
| The authorization server MUST validate the client credentials and if | The authorization server MUST validate the client credentials and if | |||
| valid issues an access token response as described in | valid issues an access token response as described in | |||
| Section 3.3.2.1. | Section 2.3.2.1. | |||
| For example: | For example: | |||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "access_token":"SlAV32hkKG", | "access_token":"SlAV32hkKG", | |||
| "expires_in":3600, | "expires_in":3600, | |||
| "refresh_token":"8xLOxBtZp8" | "refresh_token":"8xLOxBtZp8" | |||
| } | } | |||
| If the request is invalid, the authorization server returns an error | If the request is invalid, the authorization server returns an error | |||
| response as described in Section 3.3.2.2 with one of the following | response as described in Section 2.3.2.2 with one of the following | |||
| error codes: | error codes: | |||
| o "incorrect_client_credentials" | o "incorrect_client_credentials" | |||
| For example: | For example: | |||
| HTTP/1.1 400 Bad Request | HTTP/1.1 400 Bad Request | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "error":"incorrect_client_credentials" | "error":"incorrect_client_credentials" | |||
| } | } | |||
| 3.10. Assertion Flow | 2.10. Assertion Flow | |||
| The assertion flow is used when a client wishes to exchange an | The assertion flow is used when a client wishes to exchange an | |||
| existing security token or assertion for an access token. This flow | existing security token or assertion for an access token. This flow | |||
| is suitable when the client is the resource owner or is acting on | is suitable when the client is the resource owner or is acting on | |||
| behalf of the resource owner (based on the content of the assertion | behalf of the resource owner (based on the content of the assertion | |||
| used). | used). | |||
| The assertion flow requires the client to obtain a assertion (such as | The assertion flow requires the client to obtain a assertion (such as | |||
| a SAML [OASIS.saml-core-2.0-os] assertion) from an assertion issuer | a SAML [OASIS.saml-core-2.0-os] assertion) from an assertion issuer | |||
| or to self-issue an assertion prior to initiating the flow. The | or to self-issue an assertion prior to initiating the flow. The | |||
| skipping to change at page 37, line 42 ¶ | skipping to change at page 37, line 15 ¶ | |||
| specification. | specification. | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| | | | | | | | | | | |||
| | |>--(A)------ Assertion ---------->| Authorization | | | |>--(A)------ Assertion ---------->| Authorization | | |||
| | Client | | Server | | | Client | | Server | | |||
| | |<--(B)---- Access Token ---------<| | | | |<--(B)---- Access Token ---------<| | | |||
| | | | | | | | | | | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| Figure 8 | Figure 8: Assertion Flow | |||
| The assertion flow illustrated in Figure 8 includes the following | The assertion flow illustrated in Figure 8 includes the following | |||
| steps: | steps: | |||
| (A) The client sends an access token request to the authorization | (A) The client sends an access token request to the authorization | |||
| server and includes an assertion. | server and includes an assertion. | |||
| (B) The authorization server validates the assertion and issues an | (B) The authorization server validates the assertion and issues an | |||
| access token. | access token. | |||
| 3.10.1. Client Requests Access Token | 2.10.1. Client Requests Access Token | |||
| The client requests an access token by making an HTTP "POST" request | The client requests an access token by making an HTTP "POST" request | |||
| to the token endpoint. The client constructs a request URI by adding | to the token endpoint. The client constructs a request URI by adding | |||
| the following parameters to the request: | the following parameters to the request: | |||
| type | type | |||
| REQUIRED. The parameter value MUST be set to "assertion". | REQUIRED. The parameter value MUST be set to "assertion". | |||
| format | assertion_format | |||
| REQUIRED. The format of the assertion as defined by the | REQUIRED. The format of the assertion as defined by the | |||
| authorization server. The value MUST be an absolute URI. | authorization server. The value MUST be an absolute URI. | |||
| assertion | assertion | |||
| REQUIRED. The assertion. | REQUIRED. The assertion. | |||
| client_id | client_id | |||
| OPTIONAL. The client identifier as described in Section 3.1. | OPTIONAL. The client identifier as described in Section 2.1. | |||
| The authorization server MAY require including the client | The authorization server MAY require including the client | |||
| credentials with the request based on the assertion properties. | credentials with the request based on the assertion properties. | |||
| client_secret | client_secret | |||
| OPTIONAL. The client secret as described in Section 3.1. MUST | OPTIONAL. The client secret as described in Section 2.1. MUST | |||
| NOT be included if the "client_id" parameter is omitted. | NOT be included if the "client_id" parameter is omitted. | |||
| scope | scope | |||
| OPTIONAL. The scope of the access request expressed as a list | OPTIONAL. The scope of the access request expressed as a list | |||
| of space-delimited strings. The value of the "scope" parameter | of space-delimited strings. The value of the "scope" parameter | |||
| is defined by the authorization server. If the value contains | is defined by the authorization server. If the value contains | |||
| multiple space-delimited strings, their order does not matter, | multiple space-delimited strings, their order does not matter, | |||
| and each string adds an additional access range to the | and each string adds an additional access range to the | |||
| requested scope. | requested scope. | |||
| secret_type | ||||
| OPTIONAL. The access token secret type as described by | ||||
| Section 5.3. If omitted, the authorization server will issue a | ||||
| bearer token (an access token without a matching secret) as | ||||
| described by Section 5.2. | ||||
| format | format | |||
| OPTIONAL. The response format requested by the client. Value | OPTIONAL. The response format requested by the client. Value | |||
| MUST be one of "json", "xml", or "form". Defaults to "json" if | MUST be one of "json", "xml", or "form". Alternatively, the | |||
| no omitted. | client MAY use the HTTP "Accept" header field with the desired | |||
| media type. Defaults to "json" if omitted and no "Accept" | ||||
| header field is present. | ||||
| For example, the client makes the following HTTPS request (line | For example, the client makes the following HTTPS request (line | |||
| breaks are for display purposes only): | breaks are for display purposes only): | |||
| POST /token HTTP/1.1 | POST /token HTTP/1.1 | |||
| Host: server.example.com | Host: server.example.com | |||
| Content-Type: application/x-www-form-urlencoded | ||||
| type=assertion&format=_______&assertion=_______ | type=assertion&assertion_format=_______&assertion=_______ | |||
| The authorization server MUST validate the assertion and if valid | The authorization server MUST validate the assertion and if valid | |||
| issues an access token response as described in Section 3.3.2.1. The | issues an access token response as described in Section 2.3.2.1. The | |||
| authorization server SHOULD NOT issue a refresh token. | authorization server SHOULD NOT issue a refresh token. | |||
| For example: | For example: | |||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "access_token":"SlAV32hkKG", | "access_token":"SlAV32hkKG", | |||
| "expires_in":3600 | "expires_in":3600 | |||
| } | } | |||
| If the request is invalid, the authorization server returns an error | If the request is invalid, the authorization server returns an error | |||
| response as described in Section 3.3.2.2 with one of the following | response as described in Section 2.3.2.2 with one of the following | |||
| error codes: | error codes: | |||
| o "invalid_assertion" | o "invalid_assertion" | |||
| o "unknown_format" | o "unknown_format" | |||
| For example: | For example: | |||
| HTTP/1.1 400 Bad Request | HTTP/1.1 400 Bad Request | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "error":"invalid_assertion" | "error":"invalid_assertion" | |||
| } | } | |||
| Authorization servers SHOULD issue access tokens with a limited | Authorization servers SHOULD issue access tokens with a limited | |||
| lifetime and require clients to refresh them by requesting a new | lifetime and require clients to refresh them by requesting a new | |||
| access token using the same assertion if it is still valid. | access token using the same assertion if it is still valid. | |||
| Otherwise the client MUST obtain a new valid assertion. | Otherwise the client MUST obtain a new valid assertion. | |||
| 4. Refreshing an Access Token | 2.11. Native Application Considerations | |||
| Native application are clients running as native code on the end- | ||||
| user's computer or device (i.e. executing outside a browser or as a | ||||
| desktop program). These clients are often capable of interacting | ||||
| with (or embedding) the end-user's user-agent but are incapable of | ||||
| receiving callback requests from the server (incapable of acting as | ||||
| an HTTP server). | ||||
| Native application clients can utilize many of the flows defined in | ||||
| this specification with little or no changes. For example: | ||||
| o Launch an external user-agent and have it redirect back to the | ||||
| client using a custom URI scheme. This works with the web server | ||||
| flow and user-agent flow. | ||||
| o Launch an external user-agent and poll for changes to the window | ||||
| title. This works with the web server flow with a server-hosted | ||||
| custom redirect result page that puts the verification code in the | ||||
| title. | ||||
| o Use an embedded user-agent and obtain the redirection URI. This | ||||
| works with the web server flow and user-agent flow. | ||||
| o Use the device profile with an external or embedded user-agent. | ||||
| The application will open a user-agent and then poll the | ||||
| authorization server for results. | ||||
| o Use the username and password flow and prompt the end-users for | ||||
| their credentials. This is generally discouraged as it hands the | ||||
| end-user's password directly to the 3rd party and may not work | ||||
| with some authentication schemes. | ||||
| When choosing between launching an external browser and an embedded | ||||
| user-agent, developers should consider the following: | ||||
| o External user-agents may improve completion rate as the end-user | ||||
| may already be logged-in and not have to re-authenticate. | ||||
| o Embedded user-agents often offer a better end-user flow, as they | ||||
| remove the need to switch context and open new windows. | ||||
| o Embedded user-agents are less secure because users are | ||||
| authenticating in unidentified window without access to the | ||||
| protections offered by many user-agents. | ||||
| 3. Refreshing an Access Token | ||||
| Token refresh is used when the lifetime of an access token is shorter | Token refresh is used when the lifetime of an access token is shorter | |||
| than the lifetime of the authorization grant. It allows clients to | than the lifetime of the authorization grant. It allows clients to | |||
| obtain a new access token without having to go through the | obtain a new access token without having to go through the | |||
| authorization flow again or involve the resource owner. It is also | authorization flow again or involve the resource owner. | |||
| used to obtain a new token with different security properties (e.g. | ||||
| bearer token, token with shared symmetric secret). | ||||
| +--------+ Client Credentials, +---------------+ | +--------+ +---------------+ | |||
| | | Refresh Token, | | | | | Client Credentials, | | | |||
| | |>--(A)----- & Secret Type ------->| Authorization | | | |>--(A)----- Refresh Token ------->| Authorization | | |||
| | Client | | Server | | | Client | | Server | | |||
| | |<--(B)----- Access Token --------<| | | | |<--(B)----- Access Token --------<| | | |||
| | | & Optional Secret | | | | | | | | |||
| +--------+ +---------------+ | +--------+ +---------------+ | |||
| Figure 9 | Figure 9: Refreshing an Access Token | |||
| To refresh a token, the client constructs an HTTP "POST" request to | To refresh a token, the client constructs an HTTP "POST" request to | |||
| the token endpoint and includes the following parameters in the HTTP | the token endpoint and includes the following parameters in the HTTP | |||
| request body using the "application/x-www-form-urlencoded" content | request body using the "application/x-www-form-urlencoded" content | |||
| type as defined by [W3C.REC-html40-19980424]: | type as defined by [W3C.REC-html401-19991224]: | |||
| type | type | |||
| REQUIRED. The parameter value MUST be set to "refresh". | REQUIRED. The parameter value MUST be set to "refresh". | |||
| client_id | client_id | |||
| REQUIRED. The client identifier as described in Section 3.1. | REQUIRED. The client identifier as described in Section 2.1. | |||
| client_secret | client_secret | |||
| REQUIRED if the client was issued a secret. The client secret. | REQUIRED if the client was issued a secret. The client secret. | |||
| refresh_token | refresh_token | |||
| REQUIRED. The refresh token associated with the access token | REQUIRED. The refresh token associated with the access token | |||
| to be refreshed. | to be refreshed. | |||
| secret_type | ||||
| OPTIONAL. The access token secret type as described by | ||||
| Section 5.3. If omitted, the authorization server will issue a | ||||
| bearer token (an access token without a matching secret) as | ||||
| described by Section 5.2. | ||||
| format | format | |||
| OPTIONAL. The response format requested by the client. Value | OPTIONAL. The response format requested by the client. Value | |||
| MUST be one of "json", "xml", or "form". Defaults to "json" if | MUST be one of "json", "xml", or "form". Alternatively, the | |||
| no omitted. | client MAY use the HTTP "Accept" header field with the desired | |||
| media type. Defaults to "json" if omitted and no "Accept" | ||||
| header field is present. | ||||
| For example, the client makes the following HTTPS request (line break | For example, the client makes the following HTTPS request (line break | |||
| are for display purposes only): | are for display purposes only): | |||
| POST /token HTTP/1.1 | POST /token HTTP/1.1 | |||
| Host: server.example.com | Host: server.example.com | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| type=refresh_token&client_id=s6BhdRkqt3&client_secret=8eSEIpnqmM | type=refresh_token&client_id=s6BhdRkqt3&client_secret=8eSEIpnqmM | |||
| &refresh_token=n4E9O119d&secret_type=hmac-sha256 | &refresh_token=n4E9O119d | |||
| verify the client credential, the validity of the refresh token, and | verify the client credential, the validity of the refresh token, and | |||
| that the resource owner's authorization is still valid. If the | that the resource owner's authorization is still valid. If the | |||
| request is valid, the authorization server issues an access token | request is valid, the authorization server issues an access token | |||
| response as described in Section 3.3.2.1. The authorization server | response as described in Section 2.3.2.1. The authorization server | |||
| MAY issue a new refresh token in which case the client MUST NOT use | MAY issue a new refresh token in which case the client MUST NOT use | |||
| the previous refresh token and replace it with the newly issued | the previous refresh token and replace it with the newly issued | |||
| refresh token. | refresh token. | |||
| For example: | For example: | |||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "access_token":"SlAV32hkKG", | "access_token":"SlAV32hkKG", | |||
| "expires_in":3600 | "expires_in":3600 | |||
| } | } | |||
| If the request is invalid, the authorization server returns an error | If the request is invalid, the authorization server returns an error | |||
| response as described in Section 3.3.2.2 with one of the following | response as described in Section 2.3.2.2 with one of the following | |||
| error codes: | error codes: | |||
| o "incorrect_client_credentials" | o "incorrect_client_credentials" | |||
| o "authorization_expired" | o "authorization_expired" | |||
| o "unsupported_secret_type" | ||||
| For example: | For example: | |||
| HTTP/1.1 400 Bad Request | HTTP/1.1 400 Bad Request | |||
| Content-Type: application/json | Content-Type: application/json | |||
| Cache-Control: no-store | Cache-Control: no-store | |||
| { | { | |||
| "error":"incorrect_client_credentials" | "error":"incorrect_client_credentials" | |||
| } | } | |||
| 5. Accessing a Protected Resource | 4. Accessing a Protected Resource | |||
| Clients access protected resources by presenting an access token to | Clients access protected resources by presenting an access token to | |||
| the resource server. The methods used by the resource server to | the resource server. | |||
| validate the access token are beyond the scope of this specification, | ||||
| but generally involve an interaction or coordination between the | ||||
| resource server and authorization server. | ||||
| The method in which a client uses an access token depends on the | For example: | |||
| security properties of the access tokens. By default, access tokens | ||||
| are issued without a matching secret. Clients MAY request an access | ||||
| token with a matching secret by specifying the desired secret type | ||||
| using the "secret_type" token request parameter. | ||||
| When an access token does not include a matching secret, the access | GET /resource HTTP/1.1 | |||
| token acts as a bearer token, where the token string is a shared | Host: server.example.com | |||
| symmetric secret. This requires treating the access token with the | Authorization: Token token="vF9dft4qmT" | |||
| same care as other secrets (e.g. user passwords). Access tokens | ||||
| SHOULD NOT be sent in the clear over an insecure channel. | Access tokens act as bearer tokens, where the token string acts as a | |||
| shared symmetric secret. This requires treating the access token | ||||
| with the same care as other secrets (e.g. end-user passwords). | ||||
| Access tokens SHOULD NOT be sent in the clear over an insecure | ||||
| channel. | ||||
| However, when it is necessary to transmit bearer tokens in the clear | However, when it is necessary to transmit bearer tokens in the clear | |||
| without a secure channel, authorization servers SHOULD issue access | without a secure channel, authorization servers SHOULD issue access | |||
| tokens with limited scope and lifetime to reduce the potential risk | tokens with limited scope and lifetime to reduce the potential risk | |||
| from a compromised access token. Clients SHOULD request and utilize | from a compromised access token. | |||
| an access token with a matching secret when making protected resource | ||||
| requests over an insecure channel (e.g. an HTTP request without using | ||||
| TLS/SSL). | ||||
| When an access token includes a matching secret, the secret is not | ||||
| included directly in the request but is used instead to generate a | ||||
| cryptographic signature of the request. The signature can only be | ||||
| generated and verified by entities with access to the secret. | ||||
| Clients SHOULD NOT make authenticated requests with an access token | Clients SHOULD NOT make authenticated requests with an access token | |||
| to unfamiliar resource servers, especially when using bearer tokens, | to unfamiliar resource servers, especially when using bearer tokens, | |||
| regardless of the presence of a secure channel. | regardless of the presence of a secure channel. | |||
| 5.1. The Authorization Request Header | The methods used by the resource server to validate the access token | |||
| are beyond the scope of this specification, but generally involve an | ||||
| The "Authorization" request header field is used by clients to make | interaction or coordination between the resource server and | |||
| both bearer token and cryptographic token requests. When making | authorization server. | |||
| bearer token requests, the client uses the "token" attribute to | ||||
| include the access token in the request without any of the other | ||||
| attributes. Additional methods for making bearer token requests are | ||||
| described in Section 5.2. | ||||
| For example: | ||||
| GET /resource HTTP/1.1 | ||||
| Host: server.example.com | ||||
| Authorization: Token token="vF9dft4qmT" | ||||
| When making a cryptographic token request (using an access token with | ||||
| a matching secret) the client uses the "token" attribute to include | ||||
| the access token in the request, and uses the "nonce", "timestamp", | ||||
| "algorithm", and "signature" attributes to apply the matching secret. | ||||
| For example: | ||||
| GET /resource HTTP/1.1 | ||||
| Host: server.example.com | ||||
| Authorization: Token token="vF9dft4qmT", | ||||
| nonce="s8djwd", | ||||
| timestamp="137131200", | ||||
| algorithm="hmac-sha256", | ||||
| signature="wOJIO9A2W5mFwDgiDvZbTSMK/PY=" | ||||
| The "Authorization" header field uses the framework defined by | ||||
| [RFC2617] as follows: | ||||
| credentials = "Token" RWS token-response | ||||
| token-response = token-id | ||||
| [ CS nonce ] | ||||
| [ CS timestamp ] | ||||
| [ CS algorithm ] | ||||
| [ CS signature ] | ||||
| token-id = "token" "=" <"> token <"> | ||||
| timestamp = "timestamp" "=" <"> 1*DIGIT <"> | ||||
| nonce = "nonce" "=" <"> token <"> | ||||
| algorithm = "algorithm" "=" algorithm-name | ||||
| algorithm-name = "hmac-sha256" / | ||||
| token | ||||
| signature = "signature" "=" <"> token <"> | ||||
| 5.2. Bearer Token Requests | ||||
| Clients make bearer token requests by including the access token | ||||
| using the HTTP "Authorization" request header with the "Token" | ||||
| authentication scheme as described in Section 5.1. The access token | ||||
| is included using the "token" parameter. | ||||
| For example, the client makes the following HTTPS request: | ||||
| GET /resource HTTP/1.1 | ||||
| Host: server.example.com | ||||
| Authorization: Token token="vF9dft4qmT" | ||||
| The resource server MUST validate the access token and ensure it has | The resource server MUST validate the access token and ensure it has | |||
| not expired and that its scope covers the requested resource. If the | not expired and that its scope covers the requested resource. If the | |||
| token expired or is invalid, the resource server MUST reply with an | token expired or is invalid, the resource server MUST reply with an | |||
| HTTP 401 status code (Unauthorized) and include the HTTP | HTTP 401 status code (Unauthorized) and include the HTTP | |||
| "WWW-Authenticate" response header as described in Section 6.1. | "WWW-Authenticate" response header as described in Section 5.1. | |||
| For example: | For example: | |||
| HTTP/1.1 401 Unauthorized | HTTP/1.1 401 Unauthorized | |||
| WWW-Authenticate: Token realm='Service', error='token_expired' | WWW-Authenticate: Token realm='Service', error='token_expired' | |||
| Alternatively, the client MAY include the access token using the HTTP | Clients make authenticated token requests using the "Authorization" | |||
| request URI in the query component as described in Section 5.2.1, or | request header field as described in Section 4.1. Alternatively, | |||
| in the HTTP body when using the "application/x-www-form-urlencoded" | clients MAY include the access token using the HTTP request URI in | |||
| content type as described in Section 5.2.2. Clients SHOULD only use | the query component as described in Section 4.2, or in the HTTP body | |||
| the request URI or body when the "Authorization" request header is | when using the "application/x-www-form-urlencoded" content type as | |||
| not available, and MUST NOT use more than one method in each request. | described in Section 4.3. | |||
| 5.2.1. URI Query Parameter | Clients SHOULD only use the request URI or body when the | |||
| "Authorization" request header field is not available, and MUST NOT | ||||
| use more than one method in each request. [[ specify error ]] | ||||
| 4.1. The Authorization Request Header | ||||
| The "Authorization" request header field is used by clients to make | ||||
| authenticated token requests. The client uses the "token" attribute | ||||
| to include the access token in the request. | ||||
| The "Authorization" header field uses the framework defined by | ||||
| [RFC2617] as follows: | ||||
| credentials = "Token" RWS access-token [ CS 1#auth-param ] | ||||
| access-token = "token" "=" <"> token <"> | ||||
| CS = OWS "," OWS | ||||
| 4.2. URI Query Parameter | ||||
| When including the access token in the HTTP request URI, the client | When including the access token in the HTTP request URI, the client | |||
| adds the access token to the request URI query component as defined | adds the access token to the request URI query component as defined | |||
| by [RFC3986] using the "oauth_token" parameter. | by [RFC3986] using the "oauth_token" parameter. | |||
| For example, the client makes the following HTTPS request: | For example, the client makes the following HTTPS request: | |||
| GET /resource?oauth_token=vF9dft4qmT HTTP/1.1 | GET /resource?oauth_token=vF9dft4qmT HTTP/1.1 | |||
| Host: server.example.com | Host: server.example.com | |||
| The HTTP request URI query can include other request-specific | The HTTP request URI query can include other request-specific | |||
| parameters, in which case, the "oauth_token" parameters SHOULD be | parameters, in which case, the "oauth_token" parameters SHOULD be | |||
| appended following the request-specific parameters, properly | appended following the request-specific parameters, properly | |||
| separated by an "&" character (ASCII code 38). | separated by an "&" character (ASCII code 38). | |||
| The resource server MUST validate the access token and ensure it has | The resource server MUST validate the access token and ensure it has | |||
| not expired and its scope includes the requested resource. If the | not expired and its scope includes the requested resource. If the | |||
| resource expired or is not valid, the resource server MUST reply with | resource expired or is not valid, the resource server MUST reply with | |||
| an HTTP 401 status code (Unauthorized) and include the HTTP | an HTTP 401 status code (Unauthorized) and include the HTTP | |||
| "WWW-Authenticate" response header as described in Section 6.1. | "WWW-Authenticate" response header as described in Section 5.1. | |||
| 5.2.2. Form-Encoded Body Parameter | 4.3. Form-Encoded Body Parameter | |||
| When including the access token in the HTTP request entity-body, the | When including the access token in the HTTP request entity-body, the | |||
| client adds the access token to the request body using the | client adds the access token to the request body using the | |||
| "oauth_token" parameter. The client can use this method only if the | "oauth_token" parameter. The client can use this method only if the | |||
| following REQUIRED conditions are met: | following REQUIRED conditions are met: | |||
| o The entity-body is single-part. | o The entity-body is single-part. | |||
| o The entity-body follows the encoding requirements of the | o The entity-body follows the encoding requirements of the | |||
| "application/x-www-form-urlencoded" content-type as defined by | "application/x-www-form-urlencoded" content-type as defined by | |||
| [W3C.REC-html40-19980424]. | [W3C.REC-html401-19991224]. | |||
| o The HTTP request entity-header includes the "Content-Type" header | o The HTTP request entity-header includes the "Content-Type" header | |||
| field set to "application/x-www-form-urlencoded". | field set to "application/x-www-form-urlencoded". | |||
| o The HTTP request method is "POST", "PUT", or "DELETE". | o The HTTP request method is "POST", "PUT", or "DELETE". | |||
| The entity-body can include other request-specific parameters, in | The entity-body can include other request-specific parameters, in | |||
| which case, the "oauth_token" parameters SHOULD be appended following | which case, the "oauth_token" parameters SHOULD be appended following | |||
| the request-specific parameters, properly separated by an "&" | the request-specific parameters, properly separated by an "&" | |||
| character (ASCII code 38). | character (ASCII code 38). | |||
| skipping to change at page 46, line 35 ¶ | skipping to change at page 45, line 24 ¶ | |||
| POST /resource HTTP/1.1 | POST /resource HTTP/1.1 | |||
| Host: server.example.com | Host: server.example.com | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| oauth_token=vF9dft4qmT | oauth_token=vF9dft4qmT | |||
| The resource server MUST validate the access token and ensure it has | The resource server MUST validate the access token and ensure it has | |||
| not expired and its scope includes the requested resource. If the | not expired and its scope includes the requested resource. If the | |||
| resource expired or is not valid, the resource server MUST reply with | resource expired or is not valid, the resource server MUST reply with | |||
| an HTTP 401 status code (Unauthorized) and include the HTTP | an HTTP 401 status code (Unauthorized) and include the HTTP | |||
| "WWW-Authenticate" response header as described in Section 6.1. | "WWW-Authenticate" response header as described in Section 5.1. | |||
| 5.3. Cryptographic Tokens Requests | ||||
| Clients make authenticated protected resource requests using an | ||||
| access token with a matching secret by calculating a set of values | ||||
| and including them in the request using the "Authorization" header | ||||
| field. The way clients calculate these values depends on the access | ||||
| token secret type as issued by the authorization server. | ||||
| This specification defines the "hmac-sha256" algorithm, and | ||||
| establishes a registry for providing additional algorithms. Clients | ||||
| obtain an access token with a matching "hmac-sha256" secret by using | ||||
| the "secret_type" parameter when requesting an access token. | ||||
| 5.3.1. The 'hmac-sha256' Algorithm | ||||
| The "hmac-sha256" algorithm uses the HMAC method as defined in | ||||
| [RFC2104] together with the SHA-256 hash function defined in [NIST | ||||
| FIPS-180-3] to apply the access token secret to the request and | ||||
| generate a signature value that is included in the request instead of | ||||
| transmitting the secret in the clear. | ||||
| To use the "hmac-sha256" algorithm, clients: | ||||
| 1. Calculate the request timestamp and generate a request nonce as | ||||
| described in Section 5.3.1.1. | ||||
| 2. Construct the normalized request string as described in | ||||
| Section 5.3.1.2. | ||||
| 3. Calculate the request signature as described in Section 5.3.1.3. | ||||
| 4. Include the timestamp, nonce, algorithm name, and calculated | ||||
| signature in the request using the "Authorization" header field. | ||||
| For example: | ||||
| GET /resource HTTP/1.1 | ||||
| Host: server.example.com | ||||
| Authorization: Token token="vF9dft4qmT", | ||||
| nonce="s8djwd", | ||||
| timestamp="137131200", | ||||
| algorithm="hmac-sha256", | ||||
| signature="wOJIO9A2W5mFwDgiDvZbTSMK/PY=" | ||||
| The resource server MUST validate the access token and ensure it has | ||||
| not expired and that its scope covers the requested resource. The | ||||
| resource server MUST also recalculate the request signature using the | ||||
| attributes provided by the client and compare it to the signature | ||||
| provided. If the token expired or is invalid, or if the signature is | ||||
| incorrect, the resource server MUST reply with an HTTP 401 status | ||||
| code (Unauthorized) and include the HTTP "WWW-Authenticate" response | ||||
| header as described in Section 6.1. | ||||
| For example: | ||||
| HTTP/1.1 401 Unauthorized | ||||
| Date: Tue, 15 Nov 2010 08:12:31 GMT | ||||
| WWW-Authenticate: Token realm='Service', | ||||
| algorithms='hmac-sha256', | ||||
| error='invalid_signature' | ||||
| [[ Errors list ]] | ||||
| 5.3.1.1. Nonce and Timestamp | ||||
| A timestamp in combination with unique nonce values is used to | ||||
| protect against replay attacks when transmitted over an insecure | ||||
| channel. | ||||
| The nonce is a random string, uniquely generated by the client to | ||||
| allow the resource server to verify that a request has never been | ||||
| made before and helps prevent replay attacks when requests are made | ||||
| over a non-secure channel. The nonce value MUST be unique across all | ||||
| requests with the same timestamp and token combinations. | ||||
| The timestamp value is the current time expressed in the number of | ||||
| seconds since January 1, 1970 00:00:00 GMT, and MUST be a positive | ||||
| integer. | ||||
| To avoid the need to retain an infinite number of nonce values for | ||||
| future checks, resource servers MAY choose to restrict the time | ||||
| period after which a request with an old timestamp is rejected. When | ||||
| resource servers apply such a restriction, clients SHOULD synchronize | ||||
| their clocks by using the resource server's time as indicated by the | ||||
| HTTP "Date" response header field as defined in [RFC2616]. | ||||
| 5.3.1.2. Normalized String Construction | ||||
| The normalized request string is a consistent, reproducible | ||||
| concatenation of several of the HTTP request elements into a single | ||||
| string. The string is used as an input to the selected cryptographic | ||||
| method and includes the HTTP request method (e.g. "GET", "POST", | ||||
| etc.), the authority as declared by the HTTP "Host" request header, | ||||
| and the request resource URI. | ||||
| The normalized request string does not cover the entire HTTP request. | ||||
| Most notably, it does not include the entity-body or most HTTP | ||||
| entity-headers. It is important to note that the resource server | ||||
| cannot verify the authenticity of the excluded request elements | ||||
| without using additional protections such as TLS/SSL. | ||||
| The normalized request string is constructed by concatenating | ||||
| together, in order, the following HTTP request elements, separated by | ||||
| the "," character (ASCII code 44): | ||||
| 1. The request timestamp as described in Section 5.3.1.1. | ||||
| 2. The request nonce as described in Section 5.3.1.1. | ||||
| 3. The cryptographic algorithm used. | ||||
| 4. The HTTP request method in uppercase. For example: "HEAD", | ||||
| "GET", "POST", etc. | ||||
| 5. The hostname, colon-separated (ASCII code 58) from the TCP port | ||||
| used to make the request as included in the HTTP request "Host" | ||||
| header field. The port MUST be included even if it is not | ||||
| included in the "Host" header field (i.e. the default port for | ||||
| the scheme). | ||||
| 6. The request resource URI. | ||||
| For example, the normalized request string for the "GET" request URI | ||||
| "http://example.com/resource", request timestamp "137131200", request | ||||
| nonce "s8djwd", and "hmac-sha256" algorithm (line breaks are for | ||||
| display purposes only): | ||||
| 137131200,s8djwd,hmac-sha256,GET,example.com:80, | ||||
| http://example.com/resource | ||||
| 5.3.1.3. Signature Calculation | ||||
| Clients calculate the request signature using the HMAC-SHA256 | ||||
| function: | ||||
| digest = HMAC-SHA256 (key, text) | ||||
| by setting the function variables are follows: | ||||
| text | ||||
| is set to the value of the normalize request string as | ||||
| described in Section 5.3.1.2. | ||||
| key | ||||
| is set to the access token secret. | ||||
| The request signature is the calculated value of the "digest" | ||||
| variable after the result octet string is base64-encoded per | ||||
| [RFC2045] section 6.8. | ||||
| 6. Identifying a Protected Resource | 5. Identifying a Protected Resource | |||
| Clients access protected resources after locating the appropriate | Clients access protected resources after locating the appropriate | |||
| end-user and token endpoints and obtaining an access token. In many | end-user and token endpoints and obtaining an access token. In many | |||
| cases, interacting with a protected resource requires prior knowledge | cases, interacting with a protected resource requires prior knowledge | |||
| of the protected resource properties and methods, as well as its | of the protected resource properties and methods, as well as its | |||
| authentication requirements (i.e. establishing client identity, | authentication requirements (i.e. establishing client identity, | |||
| locating the end-user and token endpoints). | locating the end-user and token endpoints). | |||
| However, there are cases in which clients are unfamiliar with the | However, there are cases in which clients are unfamiliar with the | |||
| protected resource, including whether the resource requires | protected resource, including whether the resource requires | |||
| authentication. When clients attempt to access an unfamiliar | authentication. When clients attempt to access an unfamiliar | |||
| protected resource without an access token, the resource server | protected resource without an access token, the resource server | |||
| denies the request and informs the client of the required credentials | denies the request and informs the client of the required credentials | |||
| using an HTTP authentication challenge. | using an HTTP authentication challenge. | |||
| In addition, when receiving an invalid authenticated request, the | In addition, when receiving an invalid authenticated request, the | |||
| resource server issues an authentication challenge including the | resource server issues an authentication challenge including the | |||
| error type and message. | error type and message. | |||
| 6.1. The WWW-Authenticate Response Header | 5.1. The WWW-Authenticate Response Header | |||
| A resource server receiving a request for a protected resource | A resource server receiving a request for a protected resource | |||
| without a valid access token MUST respond with a 401 (Unauthorized) | without a valid access token MUST respond with a 401 (Unauthorized) | |||
| or 403 (Forbidden) HTTP status code, and include at least one "Token" | or 403 (Forbidden) HTTP status code, and include at least one "Token" | |||
| "WWW-Authenticate" response header field challenge. | "WWW-Authenticate" response header field challenge. | |||
| The "WWW-Authenticate" header field uses the framework defined by | The "WWW-Authenticate" header field uses the framework defined by | |||
| [RFC2617] as follows: | [RFC2617] as follows: | |||
| challenge = "Token" RWS token-challenge | challenge = "Token" RWS token-challenge | |||
| token-challenge = realm | token-challenge = realm | |||
| [ CS user-uri ] | ||||
| [ CS token-uri ] | ||||
| [ CS algorithms ] | ||||
| [ CS scope ] | ||||
| [ CS error ] | [ CS error ] | |||
| [ CS 1#auth-param ] | ||||
| user-uri = "user-uri" "=" URI-Reference | ||||
| token-uri = "token-uri" "=" URI-Reference | ||||
| algorithms = "algorithms" "=" <"> 1#algorithm-name <"> | ||||
| scope = "scope" "=" <"> 1#URI-Reference <"> | ||||
| error = "error" "=" <"> token <"> | error = "error" "=" <"> token <"> | |||
| CS = OWS "," OWS | ||||
| The "realm" attribute is used to provide the protected resources | The "realm" attribute is used to provide the protected resources | |||
| partition as defined by [RFC2617]. | partition as defined by [RFC2617]. | |||
| The "user-uri" and "token-uri" attributes provide a way for the | ||||
| resource server to advertise the URIs of the end-user and token | ||||
| endpoints capable of issuing an access token suitable for accessing | ||||
| the requested resource. | ||||
| The "algorithms" attribute is a space-delimited list of the | ||||
| cryptographic algorithms supported by the resource server. The | ||||
| client MAY request an access token with a suitable matching secret by | ||||
| using the "secret_type" request parameter as described in | ||||
| Section 5.3. | ||||
| The "scope" attribute is a space-delimited list of URIs (relative or | ||||
| absolute) indicating the required scope of the access token for | ||||
| accessing the requested resource. | ||||
| The "error" attribute is used to inform the client the reason why an | The "error" attribute is used to inform the client the reason why an | |||
| access request was declined. [[ Add list of error codes ]] | access request was declined. [[ Add list of error codes ]] | |||
| 7. Security Considerations | 6. Security Considerations | |||
| [[ Todo ]] | [[ Todo ]] | |||
| 8. IANA Considerations | 7. IANA Considerations | |||
| [[ Not Yet ]] | [[ Not Yet ]] | |||
| 9. Acknowledgements | Appendix A. Contributors | |||
| The following people contributed to preliminary versions of this | ||||
| document: Blaine Cook (BT), Brian Eaton (Google), Yaron Goland | ||||
| (Microsoft), Brent Goldman (Facebook), Raffi Krikorian (Twitter), | ||||
| Luke Shepard (Facebook), and Allen Tom (Yahoo!). The content and | ||||
| concepts within are a product of the OAuth community, WRAP community, | ||||
| and the OAuth Working Group. | ||||
| The OAuth Working Group has dozens of very active contributors who | ||||
| proposed ideas and wording for this document, including: [[ If your | ||||
| name is missing or you think someone should be added here, please | ||||
| send Eran a note - don't be shy ]] | ||||
| Michael Adams, Andrew Arnott, Dirk Balfanz, Brian Campbell, Leah | ||||
| Culver, Igor Faynberg, George Fletcher, Evan Gilbert, Justin Hart, | ||||
| John Kemp, Torsten Lodderstedt, Eve Maler, James Manger, Chuck | ||||
| Mortimore, Justin Richer, Peter Saint-Andre, Nat Sakimura, Rob Sayre, | ||||
| Marius Scurtescu, Justin Smith, and Franklin Tse. | ||||
| Appendix B. Acknowledgements | ||||
| [[ Add OAuth 1.0a authors + WG contributors ]] | [[ Add OAuth 1.0a authors + WG contributors ]] | |||
| Appendix A. Differences from OAuth 1.0a | Appendix C. Differences from OAuth 1.0a | |||
| [[ Todo ]] | [[ Todo ]] | |||
| Appendix B. Document History | Appendix D. Document History | |||
| [[ to be removed by RFC editor before publication as an RFC ]] | [[ to be removed by RFC editor before publication as an RFC ]] | |||
| -06 | ||||
| o Editorial changes, corrections, clarifications, etc. | ||||
| o Removed conformance section. | ||||
| o Moved authors section to contributors appendix. | ||||
| o Added section on native applications. | ||||
| o Changed error response to use the requested format. Added support | ||||
| for HTTP "Accept" header. | ||||
| o Flipped the order of the web server and user-agent flows. | ||||
| o Renamed assertion flow "format" parameter name to | ||||
| "assertion_format" to resolve conflict. | ||||
| o Removed the term identifier from token definitions. Added a | ||||
| cryptographic token definition. | ||||
| o Added figure titles. | ||||
| o Added server response 401 when client tried to authenticate using | ||||
| multiple credentials. | ||||
| o Clarified support for TLS alternatives, and added requirement for | ||||
| TLS 1.2 support for token endpoint. | ||||
| o Removed all signature and cryptography. | ||||
| o Removed all discovery. | ||||
| o Updated HTML4 reference. | ||||
| -05 | -05 | |||
| o Corrected device example. | o Corrected device example. | |||
| o Added client credentials parameters to the assertion flow as | o Added client credentials parameters to the assertion flow as | |||
| OPTIONAL. | OPTIONAL. | |||
| o Added the ability to send client credentials using an HTTP | o Added the ability to send client credentials using an HTTP | |||
| authentication scheme. | authentication scheme. | |||
| skipping to change at page 53, line 39 ¶ | skipping to change at page 49, line 30 ¶ | |||
| o Editorial changes based on feedback from Brian Eaton, Bill Keenan, | o Editorial changes based on feedback from Brian Eaton, Bill Keenan, | |||
| and Chuck Mortimore. | and Chuck Mortimore. | |||
| o Changed device flow "type" parameter values and switch to use only | o Changed device flow "type" parameter values and switch to use only | |||
| the token endpoint. | the token endpoint. | |||
| -00 | -00 | |||
| o Initial draft based on a combination of WRAP and OAuth 1.0a. | o Initial draft based on a combination of WRAP and OAuth 1.0a. | |||
| 10. References | 8. References | |||
| 10.1. Normative References | 8.1. Normative References | |||
| [I-D.ietf-httpbis-p1-messaging] | [I-D.ietf-httpbis-p1-messaging] | |||
| Fielding, R., Gettys, J., Mogul, J., Nielsen, H., | Fielding, R., Gettys, J., Mogul, J., Nielsen, H., | |||
| Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke, | Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke, | |||
| "HTTP/1.1, part 1: URIs, Connections, and Message | "HTTP/1.1, part 1: URIs, Connections, and Message | |||
| Parsing", draft-ietf-httpbis-p1-messaging-09 (work in | Parsing", draft-ietf-httpbis-p1-messaging-09 (work in | |||
| progress), March 2010. | progress), March 2010. | |||
| [NIST FIPS-180-3] | [NIST FIPS-180-3] | |||
| National Institute of Standards and Technology, "Secure | National Institute of Standards and Technology, "Secure | |||
| skipping to change at page 54, line 45 ¶ | skipping to change at page 50, line 37 ¶ | |||
| [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||
| 10646", STD 63, RFC 3629, November 2003. | 10646", STD 63, RFC 3629, November 2003. | |||
| [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
| Resource Identifier (URI): Generic Syntax", STD 66, | Resource Identifier (URI): Generic Syntax", STD 66, | |||
| RFC 3986, January 2005. | RFC 3986, January 2005. | |||
| [RFC4627] Crockford, D., "The application/json Media Type for | [RFC4627] Crockford, D., "The application/json Media Type for | |||
| JavaScript Object Notation (JSON)", RFC 4627, July 2006. | JavaScript Object Notation (JSON)", RFC 4627, July 2006. | |||
| [W3C.REC-html40-19980424] | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| Hors, A., Raggett, D., and I. Jacobs, "HTML 4.0 | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [W3C.REC-html401-19991224] | ||||
| Hors, A., Jacobs, I., and D. Raggett, "HTML 4.01 | ||||
| Specification", World Wide Web Consortium | Specification", World Wide Web Consortium | |||
| Recommendation REC-html40-19980424, April 1998, | Recommendation REC-html401-19991224, December 1999, | |||
| <http://www.w3.org/TR/1998/REC-html40-19980424>. | <http://www.w3.org/TR/1999/REC-html401-19991224>. | |||
| 10.2. Informative References | 8.2. Informative References | |||
| [I-D.hammer-oauth] | [I-D.hammer-oauth] | |||
| Hammer-Lahav, E., "The OAuth 1.0 Protocol", | Hammer-Lahav, E., "The OAuth 1.0 Protocol", | |||
| draft-hammer-oauth-10 (work in progress), February 2010. | draft-hammer-oauth-10 (work in progress), February 2010. | |||
| [I-D.hardt-oauth] | [I-D.hardt-oauth] | |||
| Hardt, D., Tom, A., Eaton, B., and Y. Goland, "OAuth Web | Hardt, D., Tom, A., Eaton, B., and Y. Goland, "OAuth Web | |||
| Resource Authorization Profiles", draft-hardt-oauth-01 | Resource Authorization Profiles", draft-hardt-oauth-01 | |||
| (work in progress), January 2010. | (work in progress), January 2010. | |||
| skipping to change at page 55, line 37 ¶ | skipping to change at page 51, line 31 ¶ | |||
| Email: eran@hueniverse.com | Email: eran@hueniverse.com | |||
| URI: http://hueniverse.com | URI: http://hueniverse.com | |||
| David Recordon | David Recordon | |||
| Email: davidrecordon@facebook.com | Email: davidrecordon@facebook.com | |||
| URI: http://www.davidrecordon.com/ | URI: http://www.davidrecordon.com/ | |||
| Dick Hardt | Dick Hardt | |||
| Microsoft | ||||
| Email: dick.hardt@gmail.com | Email: dick.hardt@gmail.com | |||
| URI: http://dickhardt.org/ | URI: http://dickhardt.org/ | |||
| End of changes. 158 change blocks. | ||||
| 781 lines changed or deleted | 614 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||