| < draft-ietf-oauth-v2-14.txt | draft-ietf-oauth-v2-15.txt > | |||
|---|---|---|---|---|
| Network Working Group E. Hammer-Lahav, Ed. | Network Working Group E. Hammer-Lahav, Ed. | |||
| Internet-Draft Yahoo! | Internet-Draft Yahoo! | |||
| Obsoletes: 5849 (if approved) D. Recordon | Obsoletes: 5849 (if approved) D. Recordon | |||
| Intended status: Standards Track Facebook | Intended status: Standards Track Facebook | |||
| Expires: October 8, 2011 D. Hardt | Expires: October 8, 2011 D. Hardt | |||
| Microsoft | Microsoft | |||
| April 6, 2011 | April 6, 2011 | |||
| The OAuth 2.0 Authorization Protocol | The OAuth 2.0 Authorization Protocol | |||
| draft-ietf-oauth-v2-14 | draft-ietf-oauth-v2-15 | |||
| Abstract | Abstract | |||
| The OAuth 2.0 authorization protocol enables granting third-party | The OAuth 2.0 authorization protocol enables granting third-party | |||
| applications limited access to HTTP service on behalf of an end-user | applications limited access to HTTP service on behalf of an end-user | |||
| by orchestrating an approval interaction between the end-user and the | by orchestrating an approval interaction between the end-user and the | |||
| HTTP service. | HTTP service. | |||
| Status of this Memo | Status of this Memo | |||
| skipping to change at page 11, line 29 ¶ | skipping to change at page 11, line 29 ¶ | |||
| resource owner. The way in which the authorization server | resource owner. The way in which the authorization server | |||
| authenticates the resource owner (e.g. username and password login, | authenticates the resource owner (e.g. username and password login, | |||
| session cookies) is beyond the scope of this specification. | session cookies) is beyond the scope of this specification. | |||
| The means through which the client obtains the location of the | The means through which the client obtains the location of the | |||
| authorization endpoint are beyond the scope of this specification but | authorization endpoint are beyond the scope of this specification but | |||
| is typically provided in the service documentation. The endpoint URI | is typically provided in the service documentation. The endpoint URI | |||
| MAY include a query component as defined by [RFC3986] section 3, | MAY include a query component as defined by [RFC3986] section 3, | |||
| which MUST be retained when adding additional query parameters. | which MUST be retained when adding additional query parameters. | |||
| Requests to the authorization endpoint result in resource owner | Since requests to the authorization endpoint result in user | |||
| authentication and the transmission of sensitive information. If the | authentication and the transmission of clear-text credentials (in the | |||
| response includes an access token, the authorization server MUST | HTTP response), the authorization server MUST require the use of a | |||
| require TLS 1.2 as defined in [RFC5246] and MAY support additional | transport-layer security mechanism when sending requests to the token | |||
| transport-layer mechanisms meeting its security requirements. If the | endpoints. The authorization server MUST support TLS 1.2 as defined | |||
| response does not include an access token, the authorization server | in [RFC5246], and MAY support additional transport-layer mechanisms | |||
| SHOULD require TLS 1.2 and any additional transport-layer mechanism | ||||
| meeting its security requirements. | meeting its security requirements. | |||
| The authorization server MUST support the use of the HTTP "GET" | The authorization server MUST support the use of the HTTP "GET" | |||
| method [RFC2616] for the authorization endpoint, and MAY support the | method [RFC2616] for the authorization endpoint, and MAY support the | |||
| use of the "POST" method as well. | use of the "POST" method as well. | |||
| The REQUIRED "response_type" request parameter is used to identify | The REQUIRED "response_type" request parameter is used to identify | |||
| which grant type the client is requesting: authorization code or | which grant type the client is requesting: authorization code or | |||
| implicit, described in Section 4.1.1 and Section 4.2.1 respectively. | implicit, described in Section 4.1.1 and Section 4.2.1 respectively. | |||
| If the request is missing the "response_type" parameter, the | If the request is missing the "response_type" parameter, the | |||
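Review bot: the new -15 text in this authorization-endpoint paragraph says the server "MUST require the use of a transport-layer security mechanism when sending requests to the token endpoints", but the sentence opens with "requests to the authorization endpoint" and the whole section is about that endpoint; "token endpoints" here looks like a copy from the token-endpoint section and should read "when sending requests to the authorization endpoint", otherwise the paragraph states no transport requirement for the endpoint it describes. The replacement of the -14 split (MUST require TLS 1.2 only when the response carries an access token, otherwise SHOULD) with an unconditional MUST is the right direction, since the "response_type" values named just below return either an authorization code or an access token and both are bearer credentials carried in the redirect; it would help to say that in place of the bare "(in the HTTP response)". Decoupling "MUST require a transport-layer security mechanism" from "MUST support TLS 1.2 as defined in [RFC5246]" is also cleaner than the -14 wording, which tied the requirement to one TLS version.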
| End of changes. 2 change blocks. | ||||
| 8 lines changed or deleted | 7 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/