< draft-ietf-oauth-v2-06.txt   draft-ietf-oauth-v2-07.txt >
Network Working Group E. Hammer-Lahav, Ed. Network Working Group E. Hammer-Lahav, Ed.
Internet-Draft Yahoo! Internet-Draft Yahoo!
Intended status: Standards Track D. Recordon Intended status: Standards Track D. Recordon
Expires: December 11, 2010 Facebook Expires: December 13, 2010 Facebook
D. Hardt D. Hardt
Microsoft Microsoft
June 9, 2010 June 11, 2010
The OAuth 2.0 Protocol The OAuth 2.0 Protocol
draft-ietf-oauth-v2-06 draft-ietf-oauth-v2-07
Abstract Abstract
This specification describes the OAuth 2.0 protocol. OAuth provides This specification describes the OAuth 2.0 protocol. OAuth provides
a method for making authenticated HTTP requests using a token - an a method for making authenticated HTTP requests using a token - an
string used to denote an access grant with specific scope, duration, string used to denote an access grant with specific scope, duration,
and other attributes. Tokens are issued to third-party clients by an and other attributes. Tokens are issued to third-party clients by an
authorization server with the approval of the resource owner. OAuth authorization server with the approval of the resource owner. OAuth
defines multiple flows for obtaining a token to support a wide range defines multiple flows for obtaining a token to support a wide range
of client types and user experience. of client types and user experience.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 11, 2010. This Internet-Draft will expire on December 13, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 12 skipping to change at page 3, line 12
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 6 1.2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4. Notational Conventions . . . . . . . . . . . . . . . . . . 8 1.4. Notational Conventions . . . . . . . . . . . . . . . . . . 8
2. Obtaining an Access Token . . . . . . . . . . . . . . . . . . 8 2. Client Flows . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1. Client Credentials . . . . . . . . . . . . . . . . . . . . 9 2.1. Web Server Flow . . . . . . . . . . . . . . . . . . . . . 8
2.2. End-User Endpoint . . . . . . . . . . . . . . . . . . . . 9 2.2. User-Agent Flow . . . . . . . . . . . . . . . . . . . . . 10
2.3. Token Endpoint . . . . . . . . . . . . . . . . . . . . . . 10 2.3. Username and Password Flow . . . . . . . . . . . . . . . . 11
2.3.1. Client Authentication . . . . . . . . . . . . . . . . 10 2.4. Client Credentials Flow . . . . . . . . . . . . . . . . . 13
2.3.2. Response Format . . . . . . . . . . . . . . . . . . . 11 2.5. Assertion Flow . . . . . . . . . . . . . . . . . . . . . . 13
2.4. Flow Parameters . . . . . . . . . . . . . . . . . . . . . 14 2.6. Native Application Considerations . . . . . . . . . . . . 14
2.5. Web Server Flow . . . . . . . . . . . . . . . . . . . . . 14 3. Client Credentials . . . . . . . . . . . . . . . . . . . . . . 15
2.5.1. Client Requests Authorization . . . . . . . . . . . . 16 3.1. Client Authentication . . . . . . . . . . . . . . . . . . 15
2.5.2. Client Requests Access Token . . . . . . . . . . . . . 18 4. Establishing Resource Owner Authorization . . . . . . . . . . 16
2.6. User-Agent Flow . . . . . . . . . . . . . . . . . . . . . 20 4.1. Verification Code . . . . . . . . . . . . . . . . . . . . 17
2.6.1. Client Requests Authorization . . . . . . . . . . . . 22 4.1.1. End-User Authorization Endpoint . . . . . . . . . . . 17
2.6.2. Client Extracts Access Token . . . . . . . . . . . . . 25 4.2. Resource Owner Credentials . . . . . . . . . . . . . . . . 20
2.7. Device Flow . . . . . . . . . . . . . . . . . . . . . . . 25 4.3. Assertion . . . . . . . . . . . . . . . . . . . . . . . . 21
2.7.1. Client Requests Authorization . . . . . . . . . . . . 27 5. Obtaining an Access Token . . . . . . . . . . . . . . . . . . 21
2.7.2. Client Requests Access Token . . . . . . . . . . . . . 29 5.1. Token Endpoint . . . . . . . . . . . . . . . . . . . . . . 21
2.8. Username and Password Flow . . . . . . . . . . . . . . . . 31 5.1.1. Verification Code . . . . . . . . . . . . . . . . . . 22
2.8.1. Client Requests Access Token . . . . . . . . . . . . . 32 5.1.2. Resource Owner Credentials . . . . . . . . . . . . . . 22
2.9. Client Credentials Flow . . . . . . . . . . . . . . . . . 34 5.1.3. Assertion . . . . . . . . . . . . . . . . . . . . . . 23
2.9.1. Client Requests Access Token . . . . . . . . . . . . . 35 5.1.4. Refresh Token . . . . . . . . . . . . . . . . . . . . 24
2.10. Assertion Flow . . . . . . . . . . . . . . . . . . . . . . 36 5.1.5. Access Token Response . . . . . . . . . . . . . . . . 25
2.10.1. Client Requests Access Token . . . . . . . . . . . . . 37 5.1.6. Error Response . . . . . . . . . . . . . . . . . . . . 26
2.11. Native Application Considerations . . . . . . . . . . . . 39 6. Accessing a Protected Resource . . . . . . . . . . . . . . . . 27
3. Refreshing an Access Token . . . . . . . . . . . . . . . . . . 40 6.1. The Authorization Request Header . . . . . . . . . . . . . 28
4. Accessing a Protected Resource . . . . . . . . . . . . . . . . 42 6.2. URI Query Parameter . . . . . . . . . . . . . . . . . . . 28
4.1. The Authorization Request Header . . . . . . . . . . . . . 43 6.3. Form-Encoded Body Parameter . . . . . . . . . . . . . . . 29
4.2. URI Query Parameter . . . . . . . . . . . . . . . . . . . 44 7. Identifying a Protected Resource . . . . . . . . . . . . . . . 30
4.3. Form-Encoded Body Parameter . . . . . . . . . . . . . . . 44 7.1. The WWW-Authenticate Response Header . . . . . . . . . . . 30
5. Identifying a Protected Resource . . . . . . . . . . . . . . . 45 8. Security Considerations . . . . . . . . . . . . . . . . . . . 31
5.1. The WWW-Authenticate Response Header . . . . . . . . . . . 45 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31
6. Security Considerations . . . . . . . . . . . . . . . . . . . 46 Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 31
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 46 Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 31
Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 46 Appendix C. Document History . . . . . . . . . . . . . . . . . . 32
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 47 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Appendix C. Differences from OAuth 1.0a . . . . . . . . . . . . . 47 10.1. Normative References . . . . . . . . . . . . . . . . . . . 34
Appendix D. Document History . . . . . . . . . . . . . . . . . . 47 10.2. Informative References . . . . . . . . . . . . . . . . . . 35
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 36
8.1. Normative References . . . . . . . . . . . . . . . . . . . 49
8.2. Informative References . . . . . . . . . . . . . . . . . . 50
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 51
1. Introduction 1. Introduction
With the increasing use of distributed web services and cloud With the increasing use of distributed web services and cloud
computing, third-party applications require access to server-hosted computing, third-party applications require access to server-hosted
resources. These resources are usually protected and require resources. These resources are usually protected and require
authentication using the resource owner's credentials (typically a authentication using the resource owner's credentials (typically a
username and password). In the traditional client-server username and password). In the traditional client-server
authentication model, a client accessing a protected resource on a authentication model, a client accessing a protected resource on a
server presents the resource owner's credentials in order to server presents the resource owner's credentials in order to
skipping to change at page 5, line 28 skipping to change at page 5, line 28
token token
A string representing an access grant issued to the client. A string representing an access grant issued to the client.
The string is usually opaque to the client and can self-contain The string is usually opaque to the client and can self-contain
the authorization information in a verifiable manner (i.e. the authorization information in a verifiable manner (i.e.
signed), or denotes an identifier used to retrieve the signed), or denotes an identifier used to retrieve the
authorization information. authorization information.
access token access token
A token used by the client to make authenticated requests on A token used by the client to make authenticated requests on
behalf of the resource owner. behalf of the resource owner. Access tokens represent a
specific scope, duration, and other access attributes granted
by the resource owner and enforced by the resource and
authorization servers.
refresh token refresh token
A token used by the client to replace an expired access token A token used by the client to replace an expired access token
with a new access token without having to involve the resource with a new access token without having to involve the resource
owner. A refresh token is used when the access token is valid owner. A refresh token is used when the access token is valid
for a shorter time period than the duration of the access grant for a shorter time period than the duration of the access grant
approved by the resource owner. granted by the resource owner.
authorization server authorization server
An HTTP server capable of issuing tokens after successfully An HTTP server capable of issuing tokens after successfully
authenticating the resource owner and obtaining authorization. authenticating the resource owner and obtaining authorization.
The authorization server may be the same server as the resource The authorization server may be the same server as the resource
server, or a separate entity. server, or a separate entity.
end-user endpoint end-user authorization endpoint
The authorization server's HTTP endpoint capable of The authorization server's HTTP endpoint capable of
authenticating the end-user and obtaining authorization. authenticating the end-user and obtaining authorization.
token endpoint token endpoint
The authorization server's HTTP endpoint capable of issuing The authorization server's HTTP endpoint capable of issuing
tokens and refreshing expired tokens. tokens and refreshing expired tokens.
client identifier client identifier
An unique identifier issued to the client to identify itself to An unique identifier issued to the client to identify itself to
the authorization server. Client identifiers may have a the authorization server. Client identifiers may have a
skipping to change at page 7, line 36 skipping to change at page 7, line 37
User delegation flows are used to grant client access to protected User delegation flows are used to grant client access to protected
resources by the end-user without sharing the end-user credentials resources by the end-user without sharing the end-user credentials
(e.g. a username and password) with the client. Instead, the end- (e.g. a username and password) with the client. Instead, the end-
user authenticates directly with the authorization server, and grants user authenticates directly with the authorization server, and grants
client access to its protected resources. The user delegation flows client access to its protected resources. The user delegation flows
defined by this specifications are: defined by this specifications are:
o Web Server Flow - This flow is optimized for clients that are part o Web Server Flow - This flow is optimized for clients that are part
of a web server application, accessible via HTTP requests. This of a web server application, accessible via HTTP requests. This
flow is described in Section 2.5. flow is described in Section 2.1.
o User-Agent Flow - This flow is designed for clients running inside o User-Agent Flow - This flow is designed for clients running inside
a user-agent (typically a web browser). This flow is described in a user-agent (typically a web browser). This flow is described in
Section 2.6. Section 2.2.
o Device Flow - This flow is suitable for clients executing on
limited devices, but where the end-user has separate access to a
user-agent on another computer or device. This flow is described
in Section 2.7.
Direct credentials flows enable clients to obtain an access token Direct credentials flows enable clients to obtain an access token
with a single request using the client credentials or end-user with a single request using the client credentials or end-user
credentials without seeking additional resource owner authorization. credentials without seeking additional resource owner authorization.
The direct credentials flows defined by this specification are: The direct credentials flows defined by this specification are:
o Username and Password Flow - This flow is used in cases where the o Username and Password Flow - This flow is used in cases where the
end-user trusts the client to handle its credentials but it is end-user trusts the client to handle its credentials but it is
still undesirable for the client to store the end-user's username still undesirable for the client to store the end-user's username
and password. This flow is only suitable when there is a high and password. This flow is only suitable when there is a high
degree of trust between the end-user and the client. This flow is degree of trust between the end-user and the client. This flow is
described in Section 2.8. described in Section 2.3.
o Client Credentials Flow - The client uses its credentials to o Client Credentials Flow - The client uses its credentials to
obtain an access token. This flow is described in Section 2.9. obtain an access token. This flow is described in Section 2.4.
Autonomous flows enable clients to use utilize existing trust Autonomous flows enable clients to utilize existing trust
relationships or different authorization constructs to obtain an relationships or different authorization constructs to obtain an
access token. They provide a bridge between OAuth and other trust access token. They provide a bridge between OAuth and other trust
frameworks. The autonomous authorization flow defined by this frameworks. The autonomous authorization flow defined by this
specifications is: specifications is:
o Assertion Flow - The client presents an assertion such as a SAML o Assertion Flow - The client presents an assertion such as a SAML
[OASIS.saml-core-2.0-os] assertion to the authorization server in [OASIS.saml-core-2.0-os] assertion to the authorization server in
exchange for an access token. This flow is described in exchange for an access token. This flow is described in
Section 2.10. Section 2.5.
The sizes of tokens and other values received from the authorization
server, are left undefined by this specification. Clients should
avoid making assumptions about value sizes. Servers should document
the expected size of any value they issue.
1.3. Example 1.3. Example
[[ Todo ]] [[ Todo ]]
1.4. Notational Conventions 1.4. Notational Conventions
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT',
'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
This document uses the Augmented Backus-Naur Form (ABNF) notation of This document uses the Augmented Backus-Naur Form (ABNF) notation of
[I-D.ietf-httpbis-p1-messaging]. Additionally, the realm and auth- [I-D.ietf-httpbis-p1-messaging]. Additionally, the realm and auth-
param rules are included from [RFC2617], and the URI-Reference rule param rules are included from [RFC2617].
from [RFC3986].
2. Obtaining an Access Token
The client obtains an access token by using one of the authorization
flows supported by the authorization server. The authorization flows
all use the same authorization and token endpoints, each with a
different set of request parameters and values.
Access tokens have a scope, duration, and other access attributes
granted by the resource owner. These attributes MUST be enforced by
the resource server when receiving a protected resource request, and
by the authorization server when receiving a token refresh request.
In many cases it is desirable to issue access tokens with a shorter
lifetime than the duration of the authorization grant. However, it
may be undesirable to require the resource owner to authorize the
request again. Instead, the authorization server issues a refresh
token in addition to the access token. When the access token
expires, the client can request a new access token without involving
the resource owner as long as the authorization grant is still valid.
The token refresh method is described in Section 3.
2.1. Client Credentials
When requesting access from the authorization server, the client
identifies itself using a set of client credentials. The client
credentials include a client identifier and an OPTIONAL symmetric
shared secret. The means through which the client obtains these
credentials are beyond the scope of this specification, but usually
involve registration with the authorization server.
The client identifier is used by the authorization server to
establish the identity of the client for the purpose of presenting
information to the resource owner prior to granting access, as well
as for providing different service levels to different clients. They
can also be used to block unauthorized clients from requesting
access.
Due to the nature of some clients, authorization servers SHOULD NOT
make assumptions about the confidentiality of client credentials
without establishing trust with the client operator. Authorization
servers SHOULD NOT issue client secrets to clients incapable of
keeping their secrets confidential.
2.2. End-User Endpoint
In flows that involved an end-user, clients direct the end-user to
the end-user endpoint to approve their access request. When
accessing the end-user endpoint, the end-user first authenticates
with the authorization server, and then approves or denies the access
request.
The way in which the authorization server authenticates the end-user
(e.g. username and password login, OpenID, session cookies) and in
which the authorization server obtains the end-user's authorization,
including whether it uses a secure channel such as TLS, is beyond the
scope of this specification. However, the authorization server MUST
first verify the identity of the end-user.
The URI of the end-user endpoint can be found in the service
documentation, or can be obtained by using [[ OAuth Discovery ]].
The end-user endpoint advertised by the resource server MAY include a
query component as defined by [RFC3986] section 3, which must be
retained when adding additional query parameters.
Since requests to the end-user endpoint result in user authentication
and the transmission of sensitive values, the authorization server
SHOULD require the use of a transport-layer mechanism such as TLS
when sending requests to the end-user endpoint.
2.3. Token Endpoint
After obtaining authorization from the resource owner, clients
request an access token from the authorization server's token
endpoint.
The URI of the token endpoint can be found in the service
documentation, or can be obtained by using [[ OAuth Discovery ]].
The token endpoint advertised by the resource server MAY include a
query component as defined by [RFC3986] section 3.
Since requests to the token endpoint result in the transmission of
plain text credentials in the HTTP request and response, the
authorization server MUST require the use of a transport-layer
mechanism when sending requests to the token endpoints. Servers MUST
support TLS 1.2 as defined in [RFC5246] and MAY support addition
mechanisms with equivalent protections.
2.3.1. Client Authentication
The token endpoint requires the client to authenticate itself to the
authorization server. This is done by including the client
identifier (and optional secret) in the request. The client
identifier and secret are included in the request using two request
parameters: "client_id" and "client_secret".
For example (line breaks are for display purposes only):
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
type=web_server&client_id=s6BhdRkqt3&
client_secret=gX1fBat3bV&code=i1WsRn1uB1&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
The client MAY include the client credentials using an HTTP
authentication scheme which supports authenticating using a username
and password, instead of using the "client_id" and "client_secret"
request parameters. Including the client credentials using an HTTP
authentication scheme fulfills the requirements of including the
parameters as defined by the various flows.
The client MUST NOT include the client credentials using more than
one mechanism. If more than one mechanism is used, regardless if the
credentials are identical, the server MUST reply with an HTTP 400
status code (Bad Request) and include the "multiple-credentials"
error message.
The authorization server MUST accept the client credentials using
both the request parameters, and the HTTP Basic authentication scheme
as defined in [RFC2617]. The authorization server MAY support
additional HTTP authentication schemes.
For example (line breaks are for display purposes only):
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
type=web_server&code=i1WsRn1uB1&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
2.3.2. Response Format
Authorization servers respond to client requests by including a set
of response parameters in the entity body of the HTTP response. The
response uses one of three formats based on the format requested by
the client (using the "format" request parameter or the HTTP "Accept"
header field):
o The "application/json" media type as defined by [RFC4627]. The
parameters are serialized into a JSON structure by adding each
parameter at the highest structure level. Parameter names and
string values are included as JSON strings. Numerical values are
included as JSON numbers.
For example:
{
"access_token":"SlAV32hkKG",
"expires_in":3600,
"refresh_token":"8xLOxBtZp8"
}
o The "application/xml" media type as defined by [RFC3023]. The
parameters are serialized into an XML structure by adding each
parameter as a child element of the root "<OAuth>" element. [[ Add
namespace ]]
For example:
<?xml version='1.0' encoding="utf-8"?>
<OAuth>
<access_token>SlAV32hkKG</access_token>
<expires_in>3600</expires_in>
<refresh_token>8xLOxBtZp8</refresh_token>
</OAuth>
o The "application/x-www-form-urlencoded" media type as defined by
[W3C.REC-html401-19991224].
For example (line breaks are for display purposes only):
access_token=SlAV32hkKG&expires_in=3600&
refresh_token=8xLOxBtZp8
The authorization server MUST include the HTTP "Cache-Control"
response header field with a value of "no-store" in any response
containing tokens, secrets, or other sensitive information.
2.3.2.1. Access Token Response
After receiving and verifying a valid and authorized access token
request from the client (as described in each of the flows below),
the authorization server constructs the response using the format
requested by the client, which includes the parameters listed below,
as well as additional flow-specific parameters. The formatted
parameters are sent to the client in the entity body of the HTTP
response with a 200 status code (OK).
The token response contains the following common parameters:
access_token
REQUIRED. The access token issued by the authorization server.
expires_in
OPTIONAL. The duration in seconds of the access token
lifetime.
refresh_token
OPTIONAL. The refresh token used to obtain new access tokens
using the same end-user access grant as described in Section 3.
scope
OPTIONAL. The scope of the access token as a list of space-
delimited strings. The value of the "scope" parameter is
defined by the authorization server. If the value contains
multiple space-delimited strings, their order does not matter,
and each string adds an additional access range to the
requested scope.
For example:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"access_token":"SlAV32hkKG",
"expires_in":3600,
"refresh_token":"8xLOxBtZp8"
}
2.3.2.2. Error Response
If the token request is invalid or unauthorized, the authorization
server constructs the response using the format requested by the
client which includes the parameters listed below, as well as
additional flow-specific parameters. The formatted parameters are
sent to the client in the entity body of the HTTP response with a 400
status code (Bad Request).
The response contains the following common parameter:
error
REQUIRED. The parameter value MUST be set to one of the values
specified by each flow.
For example:
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
{
"error":"incorrect_client_credentials"
}
2.4. Flow Parameters
The sizes of tokens and other values received from the authorization
server, are left undefined by this specification. Clients should
avoid making assumptions about value sizes. Servers should document
the expected size of any value they issue.
Unless otherwise noted, all the protocol parameter names and values Unless otherwise noted, all the protocol parameter names and values
are case sensitive. are case sensitive.
2.5. Web Server Flow 2. Client Flows
2.1. Web Server Flow
The web server flow is a user delegation flow suitable for clients The web server flow is a user delegation flow suitable for clients
capable of interacting with the end-user's user-agent (typically a capable of interacting with the end-user's user-agent (typically a
web browser) and capable of receiving incoming requests from the web browser) and capable of receiving incoming requests from the
authorization server (capable of acting as an HTTP server). authorization server (capable of acting as an HTTP server).
+----------+ Client Identifier +---------------+ +----------+ Client Identifier +---------------+
| -+----(A)-- & Redirect URI ------->| | | -+----(A)-- & Redirect URI ------->| |
| End-user | | Authorization | | End-user | | Authorization |
| at |<---(B)-- User authenticates --->| Server | | at |<---(B)-- User authenticates --->| Server |
skipping to change at page 15, line 30 skipping to change at page 9, line 32
| | | | | |
| |<---(E)------- Access Token -----------------' | |<---(E)------- Access Token -----------------'
+---------+ (w/ Optional Refresh Token) +---------+ (w/ Optional Refresh Token)
Figure 3: Web Server Flow Figure 3: Web Server Flow
The web server flow illustrated in Figure 3 includes the following The web server flow illustrated in Figure 3 includes the following
steps: steps:
(A) The web client initiates the flow by redirecting the end-user's (A) The web client initiates the flow by redirecting the end-user's
user-agent to the end-user endpoint with its client identifier user-agent to the end-user authorization endpoint as described
in Section 4.1.1 using client type "web_server". The client
includes its client identifier, requested scope, local state,
and a redirect URI to which the authorization server will send and a redirect URI to which the authorization server will send
the end-user back once authorization is received (or denied). the end-user back once authorization is granted (or denied).
(B) The authorization server authenticates the end-user (via the (B) The authorization server authenticates the end-user (via the
user-agent) and establishes whether the end-user grants or user-agent) and establishes whether the end-user grants or
denies the client's access request. denies the client's access request.
(C) Assuming the end-user granted access, the authorization server (C) Assuming the end-user granted access, the authorization server
redirects the user-agent back to the client to the redirection redirects the user-agent back to the client to the redirection
URI provided earlier. The authorization includes a verification URI provided earlier. The authorization includes a verification
code for the client to use to obtain an access token. code for the client to use to obtain an access token.
(D) The client requests an access token from the authorization (D) The client requests an access token from the authorization
server by including its client credentials (identifier and server by authenticating and including the verification code
secret), as well as the verification code received in the received in the previous step as described in Section 5.1.
previous step.
(E) The authorization server validates the client credentials and (E) The authorization server validates the client credentials and
the verification code and responds back with the access token. the verification code and responds back with the access token.
2.5.1. Client Requests Authorization 2.2. User-Agent Flow
In order for the end-user to grant the client access, the client
sends the end-user to the authorization server. The client
constructs the request URI by adding the following URI query
parameters to the end-user endpoint URI:
type
REQUIRED. The parameter value MUST be set to "web_server".
client_id
REQUIRED. The client identifier as described in Section 2.1.
redirect_uri
REQUIRED unless a redirection URI has been established between
the client and authorization server via other means. An
absolute URI to which the authorization server will redirect
the user-agent to when the end-user authorization step is
completed. The authorization server MAY require the client to
pre-register their redirection URI. Authorization servers MAY
restrict the redirection URI to not include a query component
as defined by [RFC3986] section 3.
state
OPTIONAL. An opaque value used by the client to maintain state
between the request and callback. The authorization server
includes this value when redirecting the user-agent back to the
client.
scope
OPTIONAL. The scope of the access request expressed as a list
of space-delimited strings. The value of the "scope" parameter
is defined by the authorization server. If the value contains
multiple space-delimited strings, their order does not matter,
and each string adds an additional access range to the
requested scope.
immediate
OPTIONAL. The parameter value must be set to "true" or
"false". If set to "true", the authorization server MUST NOT
prompt the end-user to authenticate or approve access.
Instead, the authorization server attempts to establish the
end-user's identity via other means (e.g. browser cookies) and
checks if the end-user has previously approved an identical
access request by the same client and if that access grant is
still active. If the authorization server does not support an
immediate check or if it is unable to establish the end-user's
identity or approval status, it MUST deny the request without
prompting the end-user. Defaults to "false" if omitted.
The client directs the end-user to the constructed URI using an HTTP
redirection response, or by other means available to it via the end-
user's user-agent. The request MUST use the HTTP "GET" method.
For example, the client directs the end-user's user-agent to make the
following HTTPS requests (line breaks are for display purposes only):
GET /authorize?type=web_server&client_id=s6BhdRkqt3&redirect_uri=
https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
If the client has previously registered a redirection URI with the
authorization server, the authorization server MUST verify that the
redirection URI received matches the registered URI associated with
the client identifier.
The authorization server authenticates the end-user and obtains an
authorization decision (by asking the end-user or establishing
approval via other means). The authorization server sends the end-
user's user-agent to the provided client redirection URI using an
HTTP redirection response, or by other means available to it via the
end-user's user-agent.
2.5.1.1. End-user Grants Authorization
If the end-user authorizes the access request, the authorization
server generates a verification code and associates it with the
client identifier and redirection URI. The authorization server
constructs the request URI by adding the following parameters to the
query component of redirection URI provided by the client:
code
REQUIRED. The verification code generated by the authorization
server.
state
REQUIRED if the "state" parameter was present in the client
authorization request. Set to the exact value received from
the client.
The verification code should expire shortly after it is issued and
allowed for a single use.
For example, the authorization server redirects the end-user's user-
agent by sending the following HTTP response:
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=i1WsRn1uB1
In turn, the end-user's user-agent makes the following HTTPS "GET"
request:
GET /cb?code=i1WsRn1uB1 HTTP/1.1
Host: client.example.com
2.5.1.2. End-user Denies Authorization
If the end-user denied the access request, the authorization server
constructs the request URI by adding the following parameters to the
query component of the redirection URI provided by the client:
error
REQUIRED. The parameter value MUST be set to "user_denied".
state
REQUIRED if the "state" parameter was present in the client
authorization request. Set to the exact value received from
the client.
For example, the authorization server directs the client to make the
following HTTP request:
GET /cb?error=user_denied HTTP/1.1
Host: client.example.com
The authorization flow concludes unsuccessfully.
2.5.2. Client Requests Access Token
The client obtains an access token from the authorization server by
making an HTTP "POST" request to the token endpoint. The client
constructs a request URI by adding the following parameters to the
request:
type
REQUIRED. The parameter value MUST be set to "web_server".
client_id
REQUIRED. The client identifier as described in Section 2.1.
client_secret
REQUIRED if the client identifier has a matching secret. The
client secret as described in Section 2.1.
code
REQUIRED. The verification code received from the
authorization server.
redirect_uri
REQUIRED. The redirection URI used in the initial request.
format
OPTIONAL. The response format requested by the client. Value
MUST be one of "json", "xml", or "form". Alternatively, the
client MAY use the HTTP "Accept" header field with the desired
media type. Defaults to "json" if omitted and no "Accept"
header field is present.
For example, the client makes the following HTTPS request (line
breaks are for display purposes only):
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
type=web_server&client_id=s6BhdRkqt3&
client_secret=gX1fBat3bV&code=i1WsRn1uB1&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
The authorization server MUST verify that the verification code,
client identity, client secret, and redirection URI are all valid and
match its stored association. If the request is valid, the
authorization server issues a successful response as described in
Section 2.3.2.1.
For example:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"access_token":"SlAV32hkKG",
"expires_in":3600,
"refresh_token":"8xLOxBtZp8"
}
If the request is invalid, the authorization server returns an error
response as described in Section 2.3.2.2 with one of the following
error codes:
o "redirect_uri_mismatch"
o "bad_verification_code"
o "incorrect_client_credentials"
For example:
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
{
"error":"incorrect_client_credentials"
}
2.6. User-Agent Flow
The user-agent flow is a user delegation flow suitable for client The user-agent flow is a user delegation flow suitable for client
applications residing in a user-agent, typically implemented in a applications residing in a user-agent, typically implemented in a
browser using a scripting language such as JavaScript. These clients browser using a scripting language such as JavaScript. These clients
cannot keep client secrets confidential and the authentication of the cannot keep client secrets confidential and the authentication of the
client is based on the user-agent's same-origin policy. client is based on the user-agent's same-origin policy.
Unlike other flows in which the client makes separate authorization Unlike other flows in which the client makes separate authorization
and access token requests, the client received the access token as a and access token requests, the client received the access token as a
result of the authorization request in the form of an HTTP result of the authorization request in the form of an HTTP
skipping to change at page 21, line 32 skipping to change at page 11, line 4
| in | (w/ Optional Refresh Token) +----------------+ | in | (w/ Optional Refresh Token) +----------------+
| Browser | in Fragment | Browser | in Fragment
| | +----------------+ | | +----------------+
| |>---(D)-- Redirect URI -------->| | | |>---(D)-- Redirect URI -------->| |
| | without Fragment | Web Server | | | without Fragment | Web Server |
| | | with Client | | | | with Client |
| (F) |<---(E)-- Web Page with -------<| Resource | | (F) |<---(E)-- Web Page with -------<| Resource |
| Access | Script | | | Access | Script | |
| Token | +----------------+ | Token | +----------------+
+----------+ +----------+
Figure 4: User-Agent Flow Figure 4: User-Agent Flow
The user-agent flow illustrated in Figure 4 includes the following The user-agent flow illustrated in Figure 4 includes the following
steps: steps:
(A) The client sends the user-agent to the authorization server and (A) The client sends the user-agent to the end-user authorization
includes its client identifier and redirection URI in the endpoint as described in Section 4.1.1 using client type
request. "user-agent". The client includes its client identifier,
requested scope, local state, and a redirect URI to which the
authorization server will send the end-user back once
authorization is granted (or denied).
(B) The authorization server authenticates the end-user (via the (B) The authorization server authenticates the end-user (via the
user-agent) and establishes whether the end-user grants or user-agent) and establishes whether the end-user grants or
denies the client's access request. denies the client's access request.
(C) Assuming the end-user granted access, the authorization server (C) Assuming the end-user granted access, the authorization server
redirects the user-agent to the redirection URI provided redirects the user-agent to the redirection URI provided
earlier. The redirection URI includes the access token in the earlier. The redirection URI includes the access token (and an
URI fragment. optional verification code) in the URI fragment.
(D) The user-agent follows the redirection instructions by making a (D) The user-agent follows the redirection instructions by making an
request to the web server which does not include the fragment. HTTP "GET" request to the web server which does not include the
The user-agent retains the fragment information locally. fragment. The user-agent retains the fragment information
locally. The user-agent MUST NOT include the fragment component
with the request.
(E) The web server returns a web page containing a script capable of (E) The web server returns a web page (typically an HTML page with
extracting the access token from the URI fragment retained by an embedded script) capable of accessing the full redirection
the user-agent. URI including the fragment retained by the user-agent, and
extracting the access token (and other parameters) contained in
the fragment.
(F) The user-agent executes the script provided by the web server (F) The user-agent executes the script provided by the web server
which extracts the access token and passes it to the client. which extracts the access token and passes it to the client. If
a verification code was issued, the client can pass it to a web
2.6.1. Client Requests Authorization server component to obtain another access token for additional
server-based protected resources interaction.
In order for the end-user to grant the client access, the client
sends the end-user to the authorization server. The client
constructs the request URI by adding the following URI query
parameters to the end-user endpoint URI:
type 2.3. Username and Password Flow
REQUIRED. The parameter value MUST be set to "user_agent".
client_id The username and password flow is suitable for clients capable of
REQUIRED. The client identifier as described in Section 2.1. asking end-users for their usernames and passwords. It is also used
to migrate existing clients using direct authentication schemes such
as HTTP Basic or Digest authentication to OAuth by converting the
end-user credentials stored with tokens.
redirect_uri However, unlike the HTTP Basic authentication scheme defined in
REQUIRED unless a redirection URI has been established between
the client and authorization server via other means. An
absolute URI to which the authorization server will redirect
the user-agent to when the end-user authorization step is
completed. The authorization server SHOULD require the client
to pre-register their redirection URI. Authorization servers
MAY restrict the redirection URI to not include a query
component as defined by [RFC3986] section 3.
state [RFC2617], the end-user's credentials are used in a single request
OPTIONAL. An opaque value used by the client to maintain state and are exchanged for an access token and refresh token which
between the request and callback. The authorization server eliminates the client need to store them for future use.
includes this value when redirecting the user-agent back to the
client.
scope The methods through which the client prompts end users for their
OPTIONAL. The scope of the access request expressed as a list usernames and passwords is beyond the scope of this specification.
of space-delimited strings. The value of the "scope" parameter The client MUST discard the usernames and passwords once an access
is defined by the authorization server. If the value contains token has been obtained.
multiple space-delimited strings, their order does not matter,
and each string adds an additional access range to the
requested scope.
immediate This flow is suitable in cases where the end-user already has a trust
OPTIONAL. The parameter value must be set to "true" or relationship with the client, such as its computer operating system
"false". If set to "true", the authorization server MUST NOT or highly privileged applications. Authorization servers should take
prompt the end-user to authenticate or approve access. special care when enabling the username and password flow, and only
Instead, the authorization server attempts to establish the when other delegation flows are not viable.
end-user's identity via other means (e.g. browser cookies) and
checks if the end-user has previously approved an identical
access request by the same client and if that access grant is
still active. If the authorization server does not support an
immediate check or if it is unable to establish the end-user's
identity or approval status, it MUST deny the request without
prompting the end-user. Defaults to "false" if omitted.
The client directs the end-user to the constructed URI using an HTTP End-user
redirection response, or by other means available to it via the end- v
user's user-agent. The request MUST use the HTTP "GET" method. :
(A)
:
v
+--------+ +---------------+
| | Client Credentials | |
| |>--(B)--- & User Credentials ---->| Authorization |
| Client | | Server |
| |<--(C)---- Access Token ---------<| |
| | (w/ Optional Refresh Token) | |
+--------+ +---------------+
For example, the client directs the end-user's user-agent to make the Figure 5: Username and Password Flow
following HTTPS request (line breaks are for display purposes only):
GET /authorize?type=user_agent&client_id=s6BhdRkqt3& The username and password flow illustrated in Figure 5 includes the
redirect_uri=https%3A%2F%2FEexample%2Ecom%2Frd HTTP/1.1 following steps:
Host: server.example.com
If the client has previously registered a redirection URI with the (A) The end-user provides the client with its username and password.
authorization server, the authorization server MUST verify that the
redirection URI received matches the registered URI associated with
the client identifier.
The authorization server authenticates the end-user and obtains an (B) The client requests an access token from the authorization
authorization decision (by asking the end-user or establishing server by authenticating and including the end-user's username
approval via other means). The authorization server sends the end- and password, and desired scope as described in Section 5.1.
user's user-agent to the provided client redirection URI using an
HTTP redirection response.
2.6.1.1. End-user Grants Authorization (C) The authorization server validates the end-user credentials and
the client credentials and issues an access token.
If the end-user authorizes the access request, the authorization 2.4. Client Credentials Flow
server issues an access token and delivers it to the client by adding
the following parameters, using the
"application/x-www-form-urlencoded" format as defined by
[W3C.REC-html401-19991224], to the redirection URI fragment:
access_token The client credentials flow is used when the client acts on behalf of
REQUIRED. The access token. itself (the client is the resource owner), or when the client
credentials are used to obtain an access token representing a
previously established access authorization. The client secret is
assumed to be high-entropy since it is not designed to be memorized
by an end-user.
expires_in +--------+ +---------------+
OPTIONAL. The duration in seconds of the access token | | | |
lifetime. | |>--(A)--- Client Credentials ---->| Authorization |
| Client | | Server |
| |<--(B)---- Access Token ---------<| |
| | (w/ Optional Refresh Token) | |
+--------+ +---------------+
refresh_token Figure 6: Client Credentials Flow
OPTIONAL. The refresh token.
state The client credential flow illustrated in Figure 6 includes the
REQUIRED if the "state" parameter was present in the client following steps:
authorization request. Set to the exact value received from
the client.
For example, the authorization server redirects the end-user's user- (A) The client requests an access token from the authorization
agent by sending the following HTTP response: server by authenticating and including the desired scope as
described in Section 5.1. No additional authorization grant
information is needed.
HTTP/1.1 302 Found (B) The authorization server validates the client credentials and
Location: http://example.com/rd#access_token=FJQbwq9&expires_in=3600 issues an access token.
2.6.1.2. End-user Denies Authorization 2.5. Assertion Flow
If the end-user denied the access request, the authorization server The assertion flow is used when a client wishes to exchange an
responds to the client by adding the following parameters, using the existing security token or assertion for an access token. This flow
"application/x-www-form-urlencoded" format as defined by is suitable when the client is the resource owner or is acting on
[W3C.REC-html401-19991224], to the redirection URI fragment: behalf of the resource owner (based on the content of the assertion
used).
error The assertion flow requires the client to obtain a assertion (such as
REQUIRED. The parameter value MUST be set to "user_denied". a SAML [OASIS.saml-core-2.0-os] assertion) from an assertion issuer
or to self-issue an assertion prior to initiating the flow. The
assertion format, the process by which the assertion is obtained, and
the method of validating the assertion are defined by the assertion
issuer and the authorization server, and are beyond the scope of this
specification.
state +--------+ +---------------+
REQUIRED if the "state" parameter was present in the client | | | |
authorization request. Set to the exact value received from | |>--(A)------ Assertion ---------->| Authorization |
the client. | Client | | Server |
| |<--(B)---- Access Token ---------<| |
| | | |
+--------+ +---------------+
For example, the authorization server responds with the following: Figure 7: Assertion Flow
HTTP/1.1 302 Found The assertion flow illustrated in Figure 7 includes the following
Location: http://example.com/rd#error=user_denied steps:
The authorization flow concludes unsuccessfully. To extract the (A) The client requests an access token from the authorization
error message, the client follows the steps described in server by authenticating and including the assertion, assertion
Section 2.6.2. type, and desired scope as described in Section 5.1.
2.6.2. Client Extracts Access Token (B) The authorization server validates the assertion and issues an
access token.
The user-agent follows the authorization server redirection response 2.6. Native Application Considerations
by making an HTTP "GET" request to the URI received in the "Location"
HTTP response header. The user-agent SHALL NOT include the fragment
component with the request.
For example, the user-agent makes the following HTTP "GET" request in Native application are clients running as native code on the end-
response to the redirection directive received from the authorization user's computer or device (i.e. executing outside a browser or as a
server: desktop program). These clients are often capable of interacting
with (or embedding) the end-user's user-agent but are incapable of
receiving callback requests from the server (incapable of acting as
an HTTP server).
GET /rd HTTP/1.1 Native application clients can utilize many of the flows defined in
Host: example.com this specification with little or no changes. For example:
The HTTP response to the redirection request returns a web page o Launch an external user-agent and have it redirect back to the
(typically an HTML page with an embedded script) capable of accessing client using a custom URI scheme. This works with the web server
the full redirection URI including the fragment retained by the user- flow and user-agent flow.
agent, and extracting the access token (and other parameters)
contained in the fragment.
2.7. Device Flow o Launch an external user-agent and poll for changes to the window
title. This works with the web server flow with a server-hosted
custom redirect result page that puts the verification code in the
title.
The device flow is a user delegation flow suitable for clients o Use an embedded user-agent and obtain the redirection URI. This
executing on devices which do not have an easy data-entry method works with the web server flow and user-agent flow.
(e.g. game consoles or media hub), but where the end-user has
separate access to a user-agent on another computer or device (e.g.
home computer, a laptop, or a smart phone). The client is incapable
of receiving incoming requests from the authorization server
(incapable of acting as an HTTP server).
Instead of interacting with the end-user's user-agent, the client o Use the username and password flow and prompt the end-users for
instructs the end-user to use another computer or device and connect their credentials. This is generally discouraged as it hands the
to the authorization server to approve the access request. Since the end-user's password directly to the 3rd party and may not work
client cannot receive incoming requests, it polls the authorization with some authentication schemes.
server repeatedly until the end-user completes the approval process.
This device flow does not utilize the client secret since the client When choosing between launching an external browser and an embedded
executables reside on a local device which makes the client secret user-agent, developers should consider the following:
accessible and exploitable.
+----------+ +----------------+ o External user-agents may improve completion rate as the end-user
| |>---(A)-- Client Identifier --->| | may already be logged-in and not have to re-authenticate.
| | | |
| |<---(B)-- Verification Code, --<| |
| | User Code, | |
| | & Verification URI | |
| Device | | |
| Client | Client Identifier & | |
| |>---(E)-- Verification Code --->| |
| | ... | |
| |>---(E)---> | |
| | | Authorization |
| |<---(F)-- Access Token --------<| Server |
+----------+ (w/ Optional Refresh Token) | |
v | |
: | |
(C) User Code & Verification URI | |
: | |
v | |
+----------+ | |
| End-user | | |
| at |<---(D)-- User authenticates -->| |
| Browser | | |
+----------+ +----------------+
Figure 5: Device Flow o Embedded user-agents often offer a better end-user flow, as they
remove the need to switch context and open new windows.
The device flow illustrated in Figure 5 includes the following steps: o Embedded user-agents are less secure because users are
authenticating in unidentified window without access to the
protections offered by many user-agents.
(A) The client requests access from the authorization server and 3. Client Credentials
includes its client identifier in the request.
(B) The authorization server issues a verification code, an end-user When requesting access from the authorization server, the client
code, and provides the end-user verification URI. identifies itself using a set of client credentials. The client
credentials include a client identifier and an OPTIONAL symmetric
shared secret. The means through which the client obtains these
credentials are beyond the scope of this specification, but usually
involve registration with the authorization server.
(C) The client instructs the end-user to use its user-agent The client identifier is used by the authorization server to
(elsewhere) and visit the provided end-user verification URI. establish the identity of the client for the purpose of presenting
The client provides the end-user with the end-user code to enter information to the resource owner prior to granting access, as well
in order to grant access. as for providing different service levels to different clients. They
can also be used to block unauthorized clients from requesting
access.
(D) The authorization server authenticates the end-user (via the Due to the nature of some clients, authorization servers SHOULD NOT
user-agent) and prompts the end-user to grant the client's make assumptions about the confidentiality of client credentials
access request. If the end-user agrees to the client's access without establishing trust with the client operator. Authorization
request, the end-user enters the end-user code provided by the servers SHOULD NOT issue client secrets to clients incapable of
client. The authorization server validates the end-user code keeping their secrets confidential.
provided by the end-user.
(E) While the end-user authorizes (or denies) the client's request 3.1. Client Authentication
(D), the client repeatedly polls the authorization server to
find out if the end-user completed the end-user authorization
step. The client includes the verification code and its client
identifier.
(F) Assuming the end-user granted access, the authorization server The token endpoint requires the client to authenticate itself to the
validates the verification code provided by the client and authorization server. This is done by including the client
responds back with the access token. identifier (and optional secret) in the request. The client
identifier and secret are included in the request using two request
parameters: "client_id" and "client_secret".
2.7.1. Client Requests Authorization For example (line breaks are for display purposes only):
The client initiates the flow by requesting a set of verification POST /token HTTP/1.1
codes from the authorization server by making an HTTP "POST" request Host: server.example.com
to the token endpoint. The client constructs a request URI by adding Content-Type: application/x-www-form-urlencoded
the following parameters to the request:
type type=web_server&client_id=s6BhdRkqt3&
REQUIRED. The parameter value MUST be set to "device_code". client_secret=gX1fBat3bV&code=i1WsRn1uB1&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
client_id The client MAY include the client credentials using an HTTP
REQUIRED. The client identifier as described in Section 2.1. authentication scheme which supports authenticating using a username
and password, instead of using the "client_id" and "client_secret"
request parameters. Including the client credentials using an HTTP
authentication scheme fulfills the requirements of including the
parameters as defined by the various flows.
scope The client MUST NOT include the client credentials using more than
OPTIONAL. The scope of the access request expressed as a list one mechanism. If more than one mechanism is used, regardless if the
of space-delimited strings. The value of the "scope" parameter credentials are identical, the server MUST reply with an HTTP 400
is defined by the authorization server. If the value contains status code (Bad Request) and include the "multiple-credentials"
multiple space-delimited strings, their order does not matter, error message.
and each string adds an additional access range to the
requested scope.
format The authorization server MUST accept the client credentials using
OPTIONAL. The response format requested by the client. Value both the request parameters, and the HTTP Basic authentication scheme
MUST be one of "json", "xml", or "form". Alternatively, the as defined in [RFC2617]. The authorization server MAY support
client MAY use the HTTP "Accept" header field with the desired additional HTTP authentication schemes.
media type. Defaults to "json" if omitted and no "Accept"
header field is present.
For example, the client makes the following HTTPS request (line For example (line breaks are for display purposes only):
breaks are for display purposes only):
POST /token HTTP/1.1 POST /token HTTP/1.1
Host: server.example.com Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
type=device_code&client_id=s6BhdRkqt3 type=web_server&code=i1WsRn1uB1&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
In response, the authorization server generates a verification code
and an end-user code and includes them in the HTTP response body
using the "application/json" format as described by Section 2.3.2
with a 200 status code (OK). The response contains the following
parameters:
code
REQUIRED. The verification code.
user_code
REQUIRED. The end-user code.
verification_uri
REQUIRED. The end-user verification URI on the authorization
server. The URI should be short and easy to remember as end-
users will be asked to manually type it into their user-agent.
expires_in
OPTIONAL. The duration in seconds of the verification code
lifetime.
interval 4. Establishing Resource Owner Authorization
OPTIONAL. The minimum amount of time in seconds that the
client SHOULD wait between polling requests to the token
endpoint.
For example: Before the client can obtain an access token, it must first attain
authorization from the resource owner. The methods through which the
client attains authorization are codified in the various
authorization flows defined in Section 5, and depends on the client
type and its trust relationship with the resource owner.
HTTP/1.1 200 OK Resource owner authorization can be expressed in multiple ways: a
Content-Type: application/json verification code obtained through direct interaction with an end-
Cache-Control: no-store user, the resource owner credentials (or the client credentials when
the client is also the resource owner) obtained through a trust
relationship with the resource owner, or an assertion obtained
through means beyond the scope of this specification.
{ 4.1. Verification Code
"code":"74tq5miHKB",
"user_code":"94248",
"verification_uri":"http://www.example.com/device",
"interval"=5
}
The client displays the end-user code and the end-user verification When an end-user is involved, the client attains authorization in the
URI to the end-user, and instructs the end-user to visit the URI form of a verification code by sending the end-user to the
using a user-agent and enter the end-user code. authorization server to review and grant the request. The client
sends the end-user by directing the end-user's user-agent to the
authorization server's end-user authorization endpoint.
The end-user manually types the provided verification URI and 4.1.1. End-User Authorization Endpoint
authenticates with the authorization server. The authorization
server prompts the end-user to authorize the client's request by
entering the end-user code provided by the client. Once the end-user
approves or denies the request, the authorization server informs the
end-user to return to the device for further instructions.
2.7.2. Client Requests Access Token When directed to the end-user authorization endpoint, the end-user
first authenticates with the authorization server, and then grants or
denies the access request. The way in which the authorization server
authenticates the end-user (e.g. username and password login, OpenID,
session cookies) and in which the authorization server obtains the
end-user's authorization, including whether it uses a secure channel
such as TLS, is beyond the scope of this specification. However, the
authorization server MUST first verify the identity of the end-user.
Since the client is unable to receive incoming requests from the The location of the end-user authorization endpoint can be found in
authorization server, it polls the authorization server repeatedly the service documentation, or can be obtained by using [[ OAuth
until the end-user grants or denies the request, or the verification Discovery ]]. The end-user authorization endpoint URI MAY include a
code expires. query component as defined by [RFC3986] section 3, which must be
retained when adding additional query parameters.
The client makes the following request at an arbitrary but reasonable Since requests to the end-user authorization endpoint result in user
interval which MUST NOT exceed the minimum interval rate provided by authentication and the transmission of sensitive information, the
the authorization server (if present via the "interval" parameter). authorization server SHOULD require the use of a transport-layer
Alternatively, the client MAY provide a user interface for the end- mechanism such as TLS when sending requests to the end-user
user to manually inform it when authorization was granted. authorization endpoint.
The client requests an access token by making an HTTP "POST" request In order to direct the end-user's user-agent to the authorization
to the token endpoint. The client constructs a request URI by adding server, the client constructs the request URI by adding the following
the following parameters to the request: parameters to the end-user authorization endpoint URI query component
using the "application/x-www-form-urlencoded" format as defined by
[W3C.REC-html401-19991224]:
type type
REQUIRED. The parameter value MUST be set to "device_token". REQUIRED. The client type (user-agent or web server).
Determines how the authorization server delivers the
authorization response back to the client. The parameter value
MUST be set to "web_server" or "user_agent".
client_id client_id
REQUIRED. The client identifier as described in Section 2.1. REQUIRED. The client identifier as described in Section 3.
code redirect_uri
REQUIRED. The verification code received from the REQUIRED, unless a redirection URI has been established between
authorization server. the client and authorization server via other means. An
absolute URI to which the authorization server will redirect
the user-agent to when the end-user authorization step is
completed. The authorization server SHOULD require the client
to pre-register their redirection URI. Authorization servers
MAY restrict the redirection URI to not include a query
component as defined by [RFC3986] section 3.
format state
OPTIONAL. The response format requested by the client. Value OPTIONAL. An opaque value used by the client to maintain state
MUST be one of "json", "xml", or "form". Alternatively, the between the request and callback. The authorization server
client MAY use the HTTP "Accept" header field with the desired includes this value when redirecting the user-agent back to the
media type. Defaults to "json" if omitted and no "Accept" client.
header field is present.
For example, the client makes the following HTTPS request (line scope
breaks are for display purposes only): OPTIONAL. The scope of the access request expressed as a list
of space-delimited strings. The value of the "scope" parameter
is defined by the authorization server. If the value contains
multiple space-delimited strings, their order does not matter,
and each string adds an additional access range to the
requested scope.
POST /token HTTP/1.1 The client directs the end-user to the constructed URI using an HTTP
redirection response, or by other means available to it via the end-
user's user-agent. The request MUST use the HTTP "GET" method.
For example, the client directs the end-user's user-agent to make the
following HTTPS request (line breaks are for display purposes only):
GET /authorize?type=web_server&client_id=s6BhdRkqt3&redirect_uri=
https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com Host: server.example.com
Content-Type: application/x-www-form-urlencoded
type=device_token&client_id=s6BhdRkqt3 If the client has previously registered a redirection URI with the
&code=74tq5miHKB authorization server, the authorization server MUST verify that the
redirection URI received matches the registered URI associated with
the client identifier. [[ provide guidance on how to perform matching
]]
If the end-user authorized the request, the authorization server The authorization server authenticates the end-user and obtains an
issues an access token response as described in Section 2.3.2.1. authorization decision (by asking the end-user or by establishing
approval via other means). When a decision has been established, the
authorization server directs the end-user's user-agent to the
provided client redirection URI using an HTTP redirection response,
or by other means available to it via the end-user's user-agent.
For example: 4.1.1.1. Authorization Server Response
HTTP/1.1 200 OK If the end-user grants the access request, the authorization server
Content-Type: application/json issues an access token, a verification code, or both, and delivers
Cache-Control: no-store them to the client by adding the following parameters to the
redirection URI:
{ code
"access_token":"SlAV32hkKG", REQUIRED if the client type is "web_server", otherwise
"expires_in":3600, OPTIONAL. The verification code generated by the authorization
"refresh_token":"8xLOxBtZp8" server. The verification code SHOULD expire shortly after it
} is issued and allowed for a single use. The verification code
is bound to the client identifier and redirection URI.
If the request is invalid, the authorization server returns an error access_token
response as described in Section 2.3.2.2 with one of the following REQUIRED if the client type is "user_agent", otherwise MUST NOT
error codes: be included. The access token.
o "authorization_declined" expires_in
OPTIONAL. The duration in seconds of the access token lifetime
if an access token is included.
o "bad_verification_code" state
REQUIRED if the "state" parameter was present in the client
authorization request. Set to the exact value received from
the client.
For example: If the end-user denies the access request, the authorization server
informs the client by adding the following parameters to the
redirection URI:
HTTP/1.1 400 Bad Request error
Content-Type: application/json REQUIRED. The parameter value MUST be set to "user_denied".
Cache-Control: no-store
{ state
"error":"authorization_declined" REQUIRED if the "state" parameter was present in the client
} authorization request. Set to the exact value received from
the client.
If the end-user authorization is pending or expired without receiving The method in which the authorization server adds the parameter to
any response from the end-user, or the client is exceeding the the redirection URI is determined by the client type provided by the
allowed polling interval, the authorization server returns an error client in the authorization request using the "type" parameter.
response as described in Section 2.3.2.2 with one of the following
error codes:
o "'authorization_pending" If the client type is "web_server", the authorization server adds the
parameters to the redirection URI query component using the
"application/x-www-form-urlencoded" format as defined by
[W3C.REC-html401-19991224].
o "slow_down" For example, the authorization server redirects the end-user's user-
o "code_expired" agent by sending the following HTTP response:
For example: HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=i1WsRn1uB1
HTTP/1.1 400 Bad Request If the client type is "user_agent", the authorization server adds the
Content-Type: application/json parameters to the redirection URI fragment component using the
Cache-Control: no-store "application/x-www-form-urlencoded" format as defined by
[W3C.REC-html401-19991224]. [[ replace form-encoded with JSON? ]]
{ For example, the authorization server redirects the end-user's user-
"error":"authorization_pending" agent by sending the following HTTP response:
}
2.8. Username and Password Flow HTTP/1.1 302 Found
Location: http://example.com/rd#access_token=FJQbwq9&expires_in=3600
The username and password flow is suitable for clients capable of 4.2. Resource Owner Credentials
asking end-users for their usernames and passwords. It is also used
to migrate existing clients using direct authentication schemes such
as HTTP Basic or Digest authentication to OAuth by converting the
end-user credentials stored with tokens.
However, unlike the HTTP Basic authentication scheme defined in While OAuth seeks to eliminate the need for resource owners to share
[RFC2617], the end-user's credentials are used in a single request their credentials with the client, possesion of the resource owner
and are exchanged for an access token and refresh token which credentials constitute an authorization grant (if supported by the
eliminates the client need to store them for future use. authorization server). Resource owner credentials should only be
used when there is a high degree of trust between the resource owner
the client.
The methods through which the client prompts end users for their In cases where the client is also the resource owner, the client
usernames and passwords is beyond the scope of this specification. credentials can be used to obtain an access token provisioned for
The client MUST discard the usernames and passwords once an access accessing the client's protected resources.
token has been obtained.
This flow is suitable in cases where the end-user already has a trust 4.3. Assertion
relationship with the client, such as its computer operating system
or highly privileged applications. Authorization servers should take
special care when enabling the username and password flow, and only
when other delegation flows are not viable.
End-user Assertions enable the client to utilize existing trust relationships
v or different authorization constructs to obtain an access token.
: They provide a bridge between OAuth and other trust frameworks. The
(A) authorization grant represented by an assertion depends on the
: assertion type, its content, and how it was issued, which are beyond
v the scope of this specification.
+--------+ +---------------+
| | Client Credentials | |
| |>--(B)--- & User Credentials ---->| Authorization |
| Client | | Server |
| |<--(C)---- Access Token ---------<| |
| | (w/ Optional Refresh Token) | |
+--------+ +---------------+
Figure 6: Username and Password Flow 5. Obtaining an Access Token
The username and password flow illustrated in Figure 6 includes the The client obtains an access token by authenticating with the
following steps: authorization server and presenting its authorization grant.
(A) The end-user provides the client with its username and password. In many cases it is desirable to issue access tokens with a shorter
lifetime than the duration of the authorization grant. However, it
may be undesirable to require the resource owner to authorize the
request again. Instead, the authorization server issues a refresh
token in addition to the access token. When the access token
expires, the client can request a new access token without involving
the resource owner as long as the authorization grant is still valid.
The token refresh method is described in Section 5.1.4.
(B) The client sends an access token request to the authorization 5.1. Token Endpoint
server and includes its client identifier and client secret, and
the end-user's username and password.
(C) The authorization server validates the end-user credentials and After obtaining authorization from the resource owner, clients
the client credentials and issues an access token. request an access token from the authorization server's token
endpoint. When requesting an access token, the client authenticates
with the authorization server and includes the authorization grant
(in the form of a verification code, resource owner credentials, an
assertion, or a refresh token).
2.8.1. Client Requests Access Token The location of the token endpoint can be found in the service
documentation, or can be obtained by using [[ OAuth Discovery ]].
The token endpoint URI MAY include a query component, which must be
retained when adding additional query parameters.
The client requests an access token by making an HTTP "POST" request Since requests to the token endpoint result in the transmission of
to the token endpoint. The client constructs a request URI by adding plain text credentials in the HTTP request and response, the
the following parameters to the request: authorization server MUST require the use of a transport-layer
mechanism when sending requests to the token endpoints. Servers MUST
support TLS 1.2 as defined in [RFC5246] and MAY support addition
mechanisms with equivalent protections.
type The client obtains an access token by constructing a token request.
REQUIRED. The parameter value MUST be set to "username". The client constructs the request URI by:
client_id o Adding its client credentials to the request as described in
REQUIRED. The client identifier as described in Section 2.1. Section 3.1. For example, if the client uses a set of basic
client credentials, it adds the "client_id" and "client_secret"
parameters to the request (or uses the HTTP Basic authentication
scheme).
client_secret o Adding the authorization grand in the form of a verification code,
REQUIRED. The client secret as described in Section 2.1. resource owner credentials, an assertion, or refresh token. If
OPTIONAL if no client secret was issued. the client is acting on behalf of itself (the client is also the
resource owner), no additional information is needed. The
authorization grant is added to the request URI query component
using the "application/x-www-form-urlencoded" format as described
below.
username 5.1.1. Verification Code
REQUIRED. The end-user's username.
password The client includes the verification code using following parameters:
REQUIRED. The end-user's password.
scope code
OPTIONAL. The scope of the access request expressed as a list REQUIRED. The verification code received from the
of space-delimited strings. The value of the "scope" parameter authorization server.
is defined by the authorization server. If the value contains
multiple space-delimited strings, their order does not matter,
and each string adds an additional access range to the
requested scope.
format redirect_uri
OPTIONAL. The response format requested by the client. Value REQUIRED. The redirection URI used in the initial request.
MUST be one of "json", "xml", or "form". Alternatively, the
client MAY use the HTTP "Accept" header field with the desired
media type. Defaults to "json" if omitted and no "Accept"
header field is present.
For example, the client makes the following HTTPS request (line For example, the client makes the following HTTPS request (line
breaks are for display purposes only): breaks are for display purposes only):
POST /token HTTP/1.1 POST /token HTTP/1.1
Host: server.example.com Host: server.example.com
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
type=username&client_id=s6BhdRkqt3&client_secret= client_id=s6BhdRkqt3&
47HDu8s&username=johndoe&password=A3ddj3w client_secret=gX1fBat3bV&code=i1WsRn1uB1&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
The authorization server MUST validate the client credentials and
end-user credentials and if valid issues an access token response as
described in Section 2.3.2.1.
For example:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"access_token":"SlAV32hkKG",
"expires_in":3600,
"refresh_token":"8xLOxBtZp8"
}
If the request is invalid, the authorization server returns an error
response as described in Section 2.3.2.2 with one of the following
error codes:
o "incorrect_client_credentials"
o "unauthorized_client'" - The client is not permitted to use this
flow.
For example:
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
{
"error":"incorrect_client_credentials"
}
2.9. Client Credentials Flow
The client credentials flow is used when the client acts on behalf of
itself (the client is the resource owner), or when the client
credentials are used to obtain an access token representing a
previously established access authorization. The client secret is
assumed to be high-entropy since it is not designed to be memorized
by an end-user.
+--------+ +---------------+
| | | |
| |>--(A)--- Client Credentials ---->| Authorization |
| Client | | Server |
| |<--(B)---- Access Token ---------<| |
| | (w/ Optional Refresh Token) | |
+--------+ +---------------+
Figure 7: Client Credentials Flow
The client credential flow illustrated in Figure 7 includes the
following steps:
(A) The client sends an access token request to the authorization
server and includes its client identifier and client secret.
(B) The authorization server validates the client credentials and
issues an access token.
2.9.1. Client Requests Access Token The authorization server MUST verify that the verification code,
client identity, client secret, and redirection URI are all valid and
match its stored association. If the request is valid, the
authorization server issues a successful response as described in
Section 5.1.5.
The client requests an access token by making an HTTP "POST" request 5.1.2. Resource Owner Credentials
to the token endpoint. The client constructs a request URI by adding
the following parameters to the request:
type The client includes the resource owner credentials using the
REQUIRED. The parameter value MUST be set to following parameters: [[ add internationalization consideration for
"client_credentials". username and password ]]
client_id username
REQUIRED. The client identifier as described in Section 2.1. REQUIRED. The end-user's username.
client_secret password
REQUIRED. The client secret as described in Section 2.1. REQUIRED. The end-user's password.
scope scope
OPTIONAL. The scope of the access request expressed as a list OPTIONAL. The scope of the access request expressed as a list
of space-delimited strings. The value of the "scope" parameter of space-delimited strings. The value of the "scope" parameter
is defined by the authorization server. If the value contains is defined by the authorization server. If the value contains
multiple space-delimited strings, their order does not matter, multiple space-delimited strings, their order does not matter,
and each string adds an additional access range to the and each string adds an additional access range to the
requested scope. requested scope.
format For example, the client makes the following HTTPS request (line
OPTIONAL. The response format requested by the client. Value breaks are for display purposes only):
MUST be one of "json", "xml", or "form". Alternatively, the
client MAY use the HTTP "Accept" header field with the desired
media type. Defaults to "json" if omitted and no "Accept"
header field is present.
For example, the client makes the following HTTPS request:
POST /token HTTP/1.1 POST /token HTTP/1.1
Host: server.example.com Host: server.example.com
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
type=client_credentials&client_id=s6BhdRkqt3&client_secret=47HDu8s client_id=s6BhdRkqt3&client_secret=
47HDu8s&username=johndoe&password=A3ddj3w
The authorization server MUST validate the client credentials and if
valid issues an access token response as described in
Section 2.3.2.1.
For example:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"access_token":"SlAV32hkKG",
"expires_in":3600,
"refresh_token":"8xLOxBtZp8"
}
If the request is invalid, the authorization server returns an error
response as described in Section 2.3.2.2 with one of the following
error codes:
o "incorrect_client_credentials"
For example:
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
{
"error":"incorrect_client_credentials"
}
2.10. Assertion Flow
The assertion flow is used when a client wishes to exchange an
existing security token or assertion for an access token. This flow
is suitable when the client is the resource owner or is acting on
behalf of the resource owner (based on the content of the assertion
used).
The assertion flow requires the client to obtain a assertion (such as
a SAML [OASIS.saml-core-2.0-os] assertion) from an assertion issuer
or to self-issue an assertion prior to initiating the flow. The
assertion format, the process by which the assertion is obtained, and
the method of validating the assertion are defined by the assertion
issuer and the authorization server, and are beyond the scope of this
specification.
+--------+ +---------------+
| | | |
| |>--(A)------ Assertion ---------->| Authorization |
| Client | | Server |
| |<--(B)---- Access Token ---------<| |
| | | |
+--------+ +---------------+
Figure 8: Assertion Flow
The assertion flow illustrated in Figure 8 includes the following
steps:
(A) The client sends an access token request to the authorization
server and includes an assertion.
(B) The authorization server validates the assertion and issues an The authorization server MUST validate the client credentials and
access token. end-user credentials and if valid issues an access token response as
described in Section 5.1.5.
2.10.1. Client Requests Access Token If the client is acting on behalf of itself (the client is also the
resource owner), the client authentication alone suffice and the
"username" and "password" parameters MUST NOT be used.
The client requests an access token by making an HTTP "POST" request 5.1.3. Assertion
to the token endpoint. The client constructs a request URI by adding
the following parameters to the request:
type The client includes the assertion using the following parameters:
REQUIRED. The parameter value MUST be set to "assertion".
assertion_format assertion_type
REQUIRED. The format of the assertion as defined by the REQUIRED. The format of the assertion as defined by the
authorization server. The value MUST be an absolute URI. authorization server. The value MUST be an absolute URI.
assertion assertion
REQUIRED. The assertion. REQUIRED. The assertion.
client_id
OPTIONAL. The client identifier as described in Section 2.1.
The authorization server MAY require including the client
credentials with the request based on the assertion properties.
client_secret
OPTIONAL. The client secret as described in Section 2.1. MUST
NOT be included if the "client_id" parameter is omitted.
scope scope
OPTIONAL. The scope of the access request expressed as a list OPTIONAL. The scope of the access request expressed as a list
of space-delimited strings. The value of the "scope" parameter of space-delimited strings. The value of the "scope" parameter
is defined by the authorization server. If the value contains is defined by the authorization server. If the value contains
multiple space-delimited strings, their order does not matter, multiple space-delimited strings, their order does not matter,
and each string adds an additional access range to the and each string adds an additional access range to the
requested scope. requested scope.
format
OPTIONAL. The response format requested by the client. Value
MUST be one of "json", "xml", or "form". Alternatively, the
client MAY use the HTTP "Accept" header field with the desired
media type. Defaults to "json" if omitted and no "Accept"
header field is present.
For example, the client makes the following HTTPS request (line For example, the client makes the following HTTPS request (line
breaks are for display purposes only): breaks are for display purposes only):
POST /token HTTP/1.1 POST /token HTTP/1.1
Host: server.example.com Host: server.example.com
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
type=assertion&assertion_format=_______&assertion=_______ client_id=s6BhdRkqt3&client_secret=diejdsks&
assertion_type=urn%3Aoasis%3Anames%sAtc%3ASAML%3A2.0%3Aassertion&
assertion=PHNhbWxwOl...[ommited for brevity]...ZT4%3D
The authorization server MUST validate the assertion and if valid The authorization server MUST validate the assertion and if valid
issues an access token response as described in Section 2.3.2.1. The issues an access token response as described in Section 5.1.5. The
authorization server SHOULD NOT issue a refresh token. authorization server SHOULD NOT issue a refresh token.
For example:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"access_token":"SlAV32hkKG",
"expires_in":3600
}
If the request is invalid, the authorization server returns an error
response as described in Section 2.3.2.2 with one of the following
error codes:
o "invalid_assertion"
o "unknown_format"
For example:
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
{
"error":"invalid_assertion"
}
Authorization servers SHOULD issue access tokens with a limited Authorization servers SHOULD issue access tokens with a limited
lifetime and require clients to refresh them by requesting a new lifetime and require clients to refresh them by requesting a new
access token using the same assertion if it is still valid. access token using the same assertion if it is still valid.
Otherwise the client MUST obtain a new valid assertion. Otherwise the client MUST obtain a new valid assertion.
2.11. Native Application Considerations 5.1.4. Refresh Token
Native application are clients running as native code on the end-
user's computer or device (i.e. executing outside a browser or as a
desktop program). These clients are often capable of interacting
with (or embedding) the end-user's user-agent but are incapable of
receiving callback requests from the server (incapable of acting as
an HTTP server).
Native application clients can utilize many of the flows defined in
this specification with little or no changes. For example:
o Launch an external user-agent and have it redirect back to the
client using a custom URI scheme. This works with the web server
flow and user-agent flow.
o Launch an external user-agent and poll for changes to the window
title. This works with the web server flow with a server-hosted
custom redirect result page that puts the verification code in the
title.
o Use an embedded user-agent and obtain the redirection URI. This
works with the web server flow and user-agent flow.
o Use the device profile with an external or embedded user-agent.
The application will open a user-agent and then poll the
authorization server for results.
o Use the username and password flow and prompt the end-users for
their credentials. This is generally discouraged as it hands the
end-user's password directly to the 3rd party and may not work
with some authentication schemes.
When choosing between launching an external browser and an embedded
user-agent, developers should consider the following:
o External user-agents may improve completion rate as the end-user
may already be logged-in and not have to re-authenticate.
o Embedded user-agents often offer a better end-user flow, as they
remove the need to switch context and open new windows.
o Embedded user-agents are less secure because users are
authenticating in unidentified window without access to the
protections offered by many user-agents.
3. Refreshing an Access Token
Token refresh is used when the lifetime of an access token is shorter Token refresh is used when the lifetime of an access token is shorter
than the lifetime of the authorization grant. It allows clients to than the lifetime of the authorization grant. It enables the client
obtain a new access token without having to go through the to obtain a new access token without having to go through the
authorization flow again or involve the resource owner. authorization flow again or involve the resource owner.
+--------+ +---------------+ The client includes the refresh token using the following parameters:
| | Client Credentials, | |
| |>--(A)----- Refresh Token ------->| Authorization |
| Client | | Server |
| |<--(B)----- Access Token --------<| |
| | | |
+--------+ +---------------+
Figure 9: Refreshing an Access Token
To refresh a token, the client constructs an HTTP "POST" request to
the token endpoint and includes the following parameters in the HTTP
request body using the "application/x-www-form-urlencoded" content
type as defined by [W3C.REC-html401-19991224]:
type
REQUIRED. The parameter value MUST be set to "refresh".
client_id
REQUIRED. The client identifier as described in Section 2.1.
client_secret
REQUIRED if the client was issued a secret. The client secret.
refresh_token refresh_token
REQUIRED. The refresh token associated with the access token REQUIRED. The refresh token associated with the access token
to be refreshed. to be refreshed.
format
OPTIONAL. The response format requested by the client. Value
MUST be one of "json", "xml", or "form". Alternatively, the
client MAY use the HTTP "Accept" header field with the desired
media type. Defaults to "json" if omitted and no "Accept"
header field is present.
For example, the client makes the following HTTPS request (line break For example, the client makes the following HTTPS request (line break
are for display purposes only): are for display purposes only):
POST /token HTTP/1.1 POST /token HTTP/1.1
Host: server.example.com Host: server.example.com
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
type=refresh_token&client_id=s6BhdRkqt3&client_secret=8eSEIpnqmM client_id=s6BhdRkqt3&client_secret=8eSEIpnqmM
&refresh_token=n4E9O119d &refresh_token=n4E9O119d
verify the client credential, the validity of the refresh token, and The authorization server MUST verify the client credentials, the
that the resource owner's authorization is still valid. If the validity of the refresh token, and that the resource owner's
request is valid, the authorization server issues an access token authorization is still valid. If the request is valid, the
response as described in Section 2.3.2.1. The authorization server authorization server issues an access token response as described in
MAY issue a new refresh token in which case the client MUST NOT use Section 5.1.5. The authorization server MAY issue a new refresh
the previous refresh token and replace it with the newly issued token in which case the client MUST NOT use the previous refresh
refresh token. token and replace it with the newly issued refresh token.
5.1.5. Access Token Response
After receiving and verifying a valid and authorized access token
request from the client, the authorization server issues the access
token and optional refresh token, and constructs the response by
adding the following parameters to the entity body of the HTTP
response with a 200 status code (OK):
The token response contains the following parameters:
access_token
REQUIRED. The access token issued by the authorization server.
expires_in
OPTIONAL. The duration in seconds of the access token
lifetime.
refresh_token
OPTIONAL. The refresh token used to obtain new access tokens
using the same end-user access grant as described in
Section 5.1.4.
scope
OPTIONAL. The scope of the access token as a list of space-
delimited strings. The value of the "scope" parameter is
defined by the authorization server. If the value contains
multiple space-delimited strings, their order does not matter,
and each string adds an additional access range to the
requested scope.
The parameters are including in the entity body of the HTTP response
using the "application/json" media type as defined by [RFC4627]. The
parameters are serialized into a JSON structure by adding each
parameter at the highest structure level. Parameter names and string
values are included as JSON strings. Numerical values are included
as JSON numbers.
The authorization server MUST include the HTTP "Cache-Control"
response header field with a value of "no-store" in any response
containing tokens, secrets, or other sensitive information.
For example: For example:
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/json Content-Type: application/json
Cache-Control: no-store Cache-Control: no-store
{ {
"access_token":"SlAV32hkKG", "access_token":"SlAV32hkKG",
"expires_in":3600 "expires_in":3600,
"refresh_token":"8xLOxBtZp8"
} }
If the request is invalid, the authorization server returns an error 5.1.6. Error Response
response as described in Section 2.3.2.2 with one of the following
error codes:
o "incorrect_client_credentials" If the token request is invalid or unauthorized, the authorization
server constructs the response by adding the following parameter to
the entity body of the HTTP response with a a 400 status code (Bad
Request) using the "application/json" media type:
o "authorization_expired" error
REQUIRED. The error code as described in Section 5.1.6.1.
For example: For example:
HTTP/1.1 400 Bad Request HTTP/1.1 400 Bad Request
Content-Type: application/json Content-Type: application/json
Cache-Control: no-store Cache-Control: no-store
{ {
"error":"incorrect_client_credentials" "error":"incorrect_client_credentials"
} }
4. Accessing a Protected Resource 5.1.6.1. Error Codes
[[ expalain each error code: ]]
o "redirect_uri_mismatch"
o "bad_verification_code"
o "incorrect_client_credentials"
o "unauthorized_client'" - The client is not permitted to use this
authorization grant type.
o "invalid_assertion"
o "unknown_format"
o "authorization_expired"
6. Accessing a Protected Resource
Clients access protected resources by presenting an access token to Clients access protected resources by presenting an access token to
the resource server. the resource server.
For example: For example:
GET /resource HTTP/1.1 GET /resource HTTP/1.1
Host: server.example.com Host: server.example.com
Authorization: Token token="vF9dft4qmT" Authorization: Token token="vF9dft4qmT"
skipping to change at page 43, line 27 skipping to change at page 28, line 14
The methods used by the resource server to validate the access token The methods used by the resource server to validate the access token
are beyond the scope of this specification, but generally involve an are beyond the scope of this specification, but generally involve an
interaction or coordination between the resource server and interaction or coordination between the resource server and
authorization server. authorization server.
The resource server MUST validate the access token and ensure it has The resource server MUST validate the access token and ensure it has
not expired and that its scope covers the requested resource. If the not expired and that its scope covers the requested resource. If the
token expired or is invalid, the resource server MUST reply with an token expired or is invalid, the resource server MUST reply with an
HTTP 401 status code (Unauthorized) and include the HTTP HTTP 401 status code (Unauthorized) and include the HTTP
"WWW-Authenticate" response header as described in Section 5.1. "WWW-Authenticate" response header as described in Section 7.1.
For example: For example:
HTTP/1.1 401 Unauthorized HTTP/1.1 401 Unauthorized
WWW-Authenticate: Token realm='Service', error='token_expired' WWW-Authenticate: Token realm='Service', error='token_expired'
Clients make authenticated token requests using the "Authorization" Clients make authenticated token requests using the "Authorization"
request header field as described in Section 4.1. Alternatively, request header field as described in Section 6.1. Alternatively,
clients MAY include the access token using the HTTP request URI in clients MAY include the access token using the HTTP request URI in
the query component as described in Section 4.2, or in the HTTP body the query component as described in Section 6.2, or in the HTTP body
when using the "application/x-www-form-urlencoded" content type as when using the "application/x-www-form-urlencoded" content type as
described in Section 4.3. described in Section 6.3.
Clients SHOULD only use the request URI or body when the Clients SHOULD only use the request URI or body when the
"Authorization" request header field is not available, and MUST NOT "Authorization" request header field is not available, and MUST NOT
use more than one method in each request. [[ specify error ]] use more than one method in each request. [[ specify error ]]
4.1. The Authorization Request Header 6.1. The Authorization Request Header
The "Authorization" request header field is used by clients to make The "Authorization" request header field is used by clients to make
authenticated token requests. The client uses the "token" attribute authenticated token requests. The client uses the "token" attribute
to include the access token in the request. to include the access token in the request.
The "Authorization" header field uses the framework defined by The "Authorization" header field uses the framework defined by
[RFC2617] as follows: [RFC2617] as follows:
credentials = "Token" RWS access-token [ CS 1#auth-param ] credentials = "Token" RWS access-token [ CS 1#auth-param ]
access-token = "token" "=" <"> token <"> access-token = "token" "=" <"> token <">
CS = OWS "," OWS CS = OWS "," OWS
4.2. URI Query Parameter 6.2. URI Query Parameter
When including the access token in the HTTP request URI, the client When including the access token in the HTTP request URI, the client
adds the access token to the request URI query component as defined adds the access token to the request URI query component as defined
by [RFC3986] using the "oauth_token" parameter. by [RFC3986] using the "oauth_token" parameter.
For example, the client makes the following HTTPS request: For example, the client makes the following HTTPS request:
GET /resource?oauth_token=vF9dft4qmT HTTP/1.1 GET /resource?oauth_token=vF9dft4qmT HTTP/1.1
Host: server.example.com Host: server.example.com
The HTTP request URI query can include other request-specific The HTTP request URI query can include other request-specific
parameters, in which case, the "oauth_token" parameters SHOULD be parameters, in which case, the "oauth_token" parameters SHOULD be
appended following the request-specific parameters, properly appended following the request-specific parameters, properly
separated by an "&" character (ASCII code 38). separated by an "&" character (ASCII code 38).
The resource server MUST validate the access token and ensure it has The resource server MUST validate the access token and ensure it has
not expired and its scope includes the requested resource. If the not expired and its scope includes the requested resource. If the
resource expired or is not valid, the resource server MUST reply with resource expired or is not valid, the resource server MUST reply with
an HTTP 401 status code (Unauthorized) and include the HTTP an HTTP 401 status code (Unauthorized) and include the HTTP
"WWW-Authenticate" response header as described in Section 5.1. "WWW-Authenticate" response header as described in Section 7.1.
4.3. Form-Encoded Body Parameter 6.3. Form-Encoded Body Parameter
When including the access token in the HTTP request entity-body, the When including the access token in the HTTP request entity-body, the
client adds the access token to the request body using the client adds the access token to the request body using the
"oauth_token" parameter. The client can use this method only if the "oauth_token" parameter. The client can use this method only if the
following REQUIRED conditions are met: following REQUIRED conditions are met:
o The entity-body is single-part. o The entity-body is single-part.
o The entity-body follows the encoding requirements of the o The entity-body follows the encoding requirements of the
"application/x-www-form-urlencoded" content-type as defined by "application/x-www-form-urlencoded" content-type as defined by
skipping to change at page 45, line 17 skipping to change at page 30, line 4
The entity-body can include other request-specific parameters, in The entity-body can include other request-specific parameters, in
which case, the "oauth_token" parameters SHOULD be appended following which case, the "oauth_token" parameters SHOULD be appended following
the request-specific parameters, properly separated by an "&" the request-specific parameters, properly separated by an "&"
character (ASCII code 38). character (ASCII code 38).
For example, the client makes the following HTTPS request: For example, the client makes the following HTTPS request:
POST /resource HTTP/1.1 POST /resource HTTP/1.1
Host: server.example.com Host: server.example.com
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
oauth_token=vF9dft4qmT oauth_token=vF9dft4qmT
The resource server MUST validate the access token and ensure it has The resource server MUST validate the access token and ensure it has
not expired and its scope includes the requested resource. If the not expired and its scope includes the requested resource. If the
resource expired or is not valid, the resource server MUST reply with resource expired or is not valid, the resource server MUST reply with
an HTTP 401 status code (Unauthorized) and include the HTTP an HTTP 401 status code (Unauthorized) and include the HTTP
"WWW-Authenticate" response header as described in Section 5.1. "WWW-Authenticate" response header as described in Section 7.1.
5. Identifying a Protected Resource 7. Identifying a Protected Resource
Clients access protected resources after locating the appropriate Clients access protected resources after locating the appropriate
end-user and token endpoints and obtaining an access token. In many end-user authorization endpoint and token endpoint and obtaining an
cases, interacting with a protected resource requires prior knowledge access token. In many cases, interacting with a protected resource
of the protected resource properties and methods, as well as its requires prior knowledge of the protected resource properties and
authentication requirements (i.e. establishing client identity, methods, as well as its authentication requirements (i.e.
locating the end-user and token endpoints). establishing client identity, locating the end-user authorization and
token endpoints).
However, there are cases in which clients are unfamiliar with the However, there are cases in which clients are unfamiliar with the
protected resource, including whether the resource requires protected resource, including whether the resource requires
authentication. When clients attempt to access an unfamiliar authentication. When clients attempt to access an unfamiliar
protected resource without an access token, the resource server protected resource without an access token, the resource server
denies the request and informs the client of the required credentials denies the request and informs the client of the required credentials
using an HTTP authentication challenge. using an HTTP authentication challenge.
In addition, when receiving an invalid authenticated request, the In addition, when receiving an invalid authenticated request, the
resource server issues an authentication challenge including the resource server issues an authentication challenge including the
error type and message. error type and message.
5.1. The WWW-Authenticate Response Header 7.1. The WWW-Authenticate Response Header
A resource server receiving a request for a protected resource A resource server receiving a request for a protected resource
without a valid access token MUST respond with a 401 (Unauthorized) without a valid access token MUST respond with a 401 (Unauthorized)
or 403 (Forbidden) HTTP status code, and include at least one "Token" or 403 (Forbidden) HTTP status code, and include at least one "Token"
"WWW-Authenticate" response header field challenge. "WWW-Authenticate" response header field challenge.
The "WWW-Authenticate" header field uses the framework defined by The "WWW-Authenticate" header field uses the framework defined by
[RFC2617] as follows: [RFC2617] as follows:
challenge = "Token" RWS token-challenge challenge = "Token" RWS token-challenge
skipping to change at page 46, line 24 skipping to change at page 31, line 13
[ CS 1#auth-param ] [ CS 1#auth-param ]
error = "error" "=" <"> token <"> error = "error" "=" <"> token <">
The "realm" attribute is used to provide the protected resources The "realm" attribute is used to provide the protected resources
partition as defined by [RFC2617]. partition as defined by [RFC2617].
The "error" attribute is used to inform the client the reason why an The "error" attribute is used to inform the client the reason why an
access request was declined. [[ Add list of error codes ]] access request was declined. [[ Add list of error codes ]]
6. Security Considerations 8. Security Considerations
[[ Todo ]] [[ Todo ]]
7. IANA Considerations 9. IANA Considerations
[[ Not Yet ]] [[ Not Yet ]]
Appendix A. Contributors Appendix A. Contributors
The following people contributed to preliminary versions of this The following people contributed to preliminary versions of this
document: Blaine Cook (BT), Brian Eaton (Google), Yaron Goland document: Blaine Cook (BT), Brian Eaton (Google), Yaron Goland
(Microsoft), Brent Goldman (Facebook), Raffi Krikorian (Twitter), (Microsoft), Brent Goldman (Facebook), Raffi Krikorian (Twitter),
Luke Shepard (Facebook), and Allen Tom (Yahoo!). The content and Luke Shepard (Facebook), and Allen Tom (Yahoo!). The content and
concepts within are a product of the OAuth community, WRAP community, concepts within are a product of the OAuth community, WRAP community,
skipping to change at page 47, line 13 skipping to change at page 32, line 5
Michael Adams, Andrew Arnott, Dirk Balfanz, Brian Campbell, Leah Michael Adams, Andrew Arnott, Dirk Balfanz, Brian Campbell, Leah
Culver, Igor Faynberg, George Fletcher, Evan Gilbert, Justin Hart, Culver, Igor Faynberg, George Fletcher, Evan Gilbert, Justin Hart,
John Kemp, Torsten Lodderstedt, Eve Maler, James Manger, Chuck John Kemp, Torsten Lodderstedt, Eve Maler, James Manger, Chuck
Mortimore, Justin Richer, Peter Saint-Andre, Nat Sakimura, Rob Sayre, Mortimore, Justin Richer, Peter Saint-Andre, Nat Sakimura, Rob Sayre,
Marius Scurtescu, Justin Smith, and Franklin Tse. Marius Scurtescu, Justin Smith, and Franklin Tse.
Appendix B. Acknowledgements Appendix B. Acknowledgements
[[ Add OAuth 1.0a authors + WG contributors ]] [[ Add OAuth 1.0a authors + WG contributors ]]
Appendix C. Differences from OAuth 1.0a Appendix C. Document History
[[ Todo ]] [[ to be removed by RFC editor before publication as an RFC ]]
Appendix D. Document History -07
[[ to be removed by RFC editor before publication as an RFC ]] o Major rewrite of entire document structure.
o Removed device profile.
o Added verification code support to user-agent flow.
o Removed multiple formats support, leaving JSON as the only format.
o Changed assertion "assertion_format" parameter to
"assertion_type".
o Removed "type" parameter from token endpoint.
-06 -06
o Editorial changes, corrections, clarifications, etc. o Editorial changes, corrections, clarifications, etc.
o Removed conformance section. o Removed conformance section.
o Moved authors section to contributors appendix. o Moved authors section to contributors appendix.
o Added section on native applications. o Added section on native applications.
skipping to change at page 49, line 30 skipping to change at page 34, line 30
o Editorial changes based on feedback from Brian Eaton, Bill Keenan, o Editorial changes based on feedback from Brian Eaton, Bill Keenan,
and Chuck Mortimore. and Chuck Mortimore.
o Changed device flow "type" parameter values and switch to use only o Changed device flow "type" parameter values and switch to use only
the token endpoint. the token endpoint.
-00 -00
o Initial draft based on a combination of WRAP and OAuth 1.0a. o Initial draft based on a combination of WRAP and OAuth 1.0a.
8. References 10. References
8.1. Normative References 10.1. Normative References
[I-D.ietf-httpbis-p1-messaging] [I-D.ietf-httpbis-p1-messaging]
Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Fielding, R., Gettys, J., Mogul, J., Nielsen, H.,
Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke, Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke,
"HTTP/1.1, part 1: URIs, Connections, and Message "HTTP/1.1, part 1: URIs, Connections, and Message
Parsing", draft-ietf-httpbis-p1-messaging-09 (work in Parsing", draft-ietf-httpbis-p1-messaging-09 (work in
progress), March 2010. progress), March 2010.
[NIST FIPS-180-3] [NIST FIPS-180-3]
National Institute of Standards and Technology, "Secure National Institute of Standards and Technology, "Secure
skipping to change at page 50, line 41 skipping to change at page 35, line 41
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005. RFC 3986, January 2005.
[RFC4627] Crockford, D., "The application/json Media Type for [RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, July 2006. JavaScript Object Notation (JSON)", RFC 4627, July 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[W3C.REC-html401-19991224] [W3C.REC-html401-19991224]
Hors, A., Jacobs, I., and D. Raggett, "HTML 4.01 Hors, A., Raggett, D., and I. Jacobs, "HTML 4.01
Specification", World Wide Web Consortium Specification", World Wide Web Consortium
Recommendation REC-html401-19991224, December 1999, Recommendation REC-html401-19991224, December 1999,
<http://www.w3.org/TR/1999/REC-html401-19991224>. <http://www.w3.org/TR/1999/REC-html401-19991224>.
8.2. Informative References 10.2. Informative References
[I-D.hammer-oauth] [I-D.hammer-oauth]
Hammer-Lahav, E., "The OAuth 1.0 Protocol", Hammer-Lahav, E., "The OAuth 1.0 Protocol",
draft-hammer-oauth-10 (work in progress), February 2010. draft-hammer-oauth-10 (work in progress), February 2010.
[I-D.hardt-oauth] [I-D.hardt-oauth]
Hardt, D., Tom, A., Eaton, B., and Y. Goland, "OAuth Web Hardt, D., Tom, A., Eaton, B., and Y. Goland, "OAuth Web
Resource Authorization Profiles", draft-hardt-oauth-01 Resource Authorization Profiles", draft-hardt-oauth-01
(work in progress), January 2010. (work in progress), January 2010.
 End of changes. 185 change blocks. 
1256 lines changed or deleted 620 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/