idnits 2.17.1 draft-ietf-oauth-resource-indicators-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 5, 2019) is 1692 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-34) exists of draft-ietf-oauth-jwsreq-19 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 OAuth Working Group B. Campbell 3 Internet-Draft Ping Identity 4 Intended status: Standards Track J. Bradley 5 Expires: March 8, 2020 Yubico 6 H. Tschofenig 7 Arm Limited 8 September 5, 2019 10 Resource Indicators for OAuth 2.0 11 draft-ietf-oauth-resource-indicators-06 13 Abstract 15 This document specifies an extension to the OAuth 2.0 Authorization 16 Framework defining request parameters that enable a client to 17 explicitly signal to an authorization server about the identity of 18 the protected resource(s) to which it is requesting access. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at https://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on March 8, 2020. 37 Copyright Notice 39 Copyright (c) 2019 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (https://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 1.1. Requirements Notation and Conventions . . . . . . . . . . 3 56 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 57 2. Resource Parameter . . . . . . . . . . . . . . . . . . . . . 3 58 2.1. Authorization Request . . . . . . . . . . . . . . . . . . 5 59 2.2. Access Token Request . . . . . . . . . . . . . . . . . . 6 60 3. Security Considerations . . . . . . . . . . . . . . . . . . . 9 61 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 10 62 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 63 5.1. OAuth Parameters Registration . . . . . . . . . . . . . . 10 64 5.2. OAuth Extensions Error Registration . . . . . . . . . . . 10 65 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 66 6.1. Normative References . . . . . . . . . . . . . . . . . . 11 67 6.2. Informative References . . . . . . . . . . . . . . . . . 11 68 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12 69 Appendix B. Document History . . . . . . . . . . . . . . . . . . 12 70 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 72 1. Introduction 74 Several years of deployment and implementation experience with the 75 OAuth 2.0 Authorization Framework [RFC6749] has uncovered a need, in 76 some circumstances such as an authorization server servicing a 77 significant number of diverse resources, for the client to explicitly 78 signal to the authorization server where it intends to use the access 79 token it is requesting. 81 Knowing the protected resource (a.k.a. resource server, application, 82 API, etc.) that will process the access token enables the 83 authorization server to construct the token as necessary for that 84 entity. Properly encrypting the token (or content within the token) 85 to a particular resource, for example, requires knowing which 86 resource will receive and decrypt the token. Furthermore, various 87 resources oftentimes have different requirements with respect to the 88 data contained in, or referenced by, the token and knowing the 89 resource where the client intends to use the token allows the 90 authorization server to mint the token accordingly. 92 Specific knowledge of the intended recipient(s) of the access token 93 also helps facilitate improved security characteristics of the token 94 itself. Bearer tokens, currently the most commonly utilized type of 95 OAuth access token, allow any party in possession of a token to get 96 access to the associated resources. To prevent misuse, several 97 important security assumptions must hold, one of which is that an 98 access token must only be valid for use at a specific protected 99 resource and for a specific scope of access. Section 5.2 of 100 [RFC6750], for example, prescribes including the token's intended 101 recipients within the token to prevent token redirect. When the 102 authorization server is informed of the resource that will process 103 the access token, it can restrict the intended audience of that token 104 to the given resource such that the token cannot be used successfully 105 at other resources. 107 OAuth scope, from Section 3.3 of [RFC6749], is sometimes overloaded 108 to convey the location or identity of the protected resource, 109 however, doing so isn't always feasible or desirable. Scope is 110 typically about what access is being requested rather than where that 111 access will be redeemed (e.g., "email", "admin:org", "user_photos", 112 "channels:read", and "channels:write" are a small sample of scope 113 values in use in the wild that convey only the type of access and not 114 the location or identity). 116 In some circumstances and for some deployments, a means for the 117 client to signal to the authorization server where it intends to use 118 the access token it's requesting is important and useful. A number 119 of implementations and deployments of OAuth 2.0 have already employed 120 proprietary parameters toward that end. Going forward, this 121 specification aspires to provide a standardized and interoperable 122 alternative to the proprietary approaches. 124 1.1. Requirements Notation and Conventions 126 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 127 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 128 "OPTIONAL" in this document are to be interpreted as described in BCP 129 14 [RFC2119] [RFC8174] when, and only when, they appear in all 130 capitals, as shown here. 132 1.2. Terminology 134 This specification uses the terms "access token", "refresh token", 135 "authorization server", "resource server", "authorization endpoint", 136 "authorization request", "authorization response", "token endpoint", 137 "grant type", "access token request", "access token response", and 138 "client" defined by The OAuth 2.0 Authorization Framework [RFC6749]. 140 2. Resource Parameter 142 In requests to the authorization server, a client MAY indicate the 143 protected resource (a.k.a. resource server, application, API, etc.) 144 to which it is requesting access by including the following parameter 145 in the request. 147 resource 148 Indicates the target service or resource to which access is being 149 requested. Its value MUST be an absolute URI, as specified by 150 Section 4.3 of [RFC3986], which MAY include a query component but 151 MUST NOT include a fragment component. The "resource" parameter 152 URI value is an identifier representing the identity of the 153 resource, which MAY be a locator that corresponds to a network 154 addressable location where the target resource is hosted. 155 Multiple "resource" parameters MAY be used to indicate that the 156 requested token is intended to be used at multiple resources. 158 The parameter value identifies a resource to which the client is 159 requesting access. The parameter can carry the location of a 160 protected resource, typically as an https URL, or a more abstract 161 identifier. This enables the authorization server to apply policy as 162 appropriate for the resource, such as determining the type and 163 content of tokens to be issued, if and how tokens are encrypted, and 164 applying appropriate audience restrictions. 166 The client SHOULD provide the most specific URI that it can for the 167 complete API or set of resources it intends to access. In practice a 168 client will know a base URI for the application or resource that it 169 interacts with, which is appropriate to use as the value of the 170 "resource" parameter. The client SHOULD use the base URI of the API 171 as the "resource" parameter value unless specific knowledge of the 172 resource dictates otherwise. For example, the value 173 "https://api.example.com/" would be used for a resource that is the 174 exclusive application on that host, however, if the resource is one 175 of many applications on that host, something like 176 "https://api.example.com/app/" would be used as a more specific 177 value. Another example, for an API like SCIM [RFC7644] that has 178 multiple endpoints such as "https://apps.example.com/scim/Users", 179 "https://apps.example.com/scim/Groups", and 180 "https://apps.example.com/scim/Schemas" The client would use 181 "https://apps.example.com/scim/" as the resource so that the issued 182 access token is valid for all the endpoints of the SCIM API. 184 The following error code is provided for an authorization server to 185 indicate problems with the requested resource(s) in response to an 186 authorization request or access token request. It can also be used 187 to inform the client that it has requested an invalid combination of 188 resource and scope. 190 invalid_target 191 The requested resource is invalid, missing, unknown, or malformed. 193 The authorization server SHOULD audience-restrict issued access 194 tokens to the resource(s) indicated by the "resource" parameter. 195 Audience restrictions can be communicated in JSON Web Tokens 196 [RFC7519] with the "aud" claim and the top-level member of the same 197 name provides the audience restriction information in a Token 198 Introspection [RFC7662] response. The authorization server may use 199 the exact "resource" value as the audience or it may map from that 200 value to a more general URI or abstract identifier for the given 201 resource. 203 2.1. Authorization Request 205 When the "resource" parameter is used in an authorization request to 206 the authorization endpoint, it indicates the identity of the 207 protected resource(s) to which access is being requested. When an 208 access token will be returned directly from the authorization 209 endpoint via the implicit flow (Section 4.2 of OAuth 2.0 [RFC6749]), 210 the requested resource is applicable to that access token. In the 211 code flow (Section 4.1 of OAuth 2.0 [RFC6749]) where an intermediate 212 representation of the authorization grant (the authorization code) is 213 returned from the authorization endpoint, the requested resource is 214 applicable to the full authorization grant. 216 For an authorization request sent as a JSON Web Token (JWT), such as 217 when using JWT Secured Authorization Request [I-D.ietf-oauth-jwsreq], 218 a single "resource" parameter value is represented as a JSON string 219 while multiple values are represented as an array of strings. 221 If the client omits the "resource" parameter when requesting 222 authorization, the authorization server MAY process the request with 223 no specific resource or by using a pre-defined default resource 224 value. Alternatively, the authorization server MAY require clients 225 to specify the resource(s) they intend to access and MAY fail 226 requests that omit the parameter with an "invalid_target" error. The 227 authorization server might use this data to inform the user about the 228 resources the client is going to access on her behalf, to apply 229 policy (e.g., refuse the request due to unknown resources), and to 230 determine the set of resources that can be used in subsequent access 231 token requests. 233 If the authorization server fails to parse the provided value(s) or 234 does not consider the resource(s) acceptable, it should reject the 235 request with an error response using the error code "invalid_target" 236 as the value of the "error" parameter and can provide additional 237 information regarding the reasons for the error using the 238 "error_description". 240 An example of an authorization request where the client tells the 241 authorization server that it wants an access token for use at 242 "https://api.example.com/app/" is shown in Figure 1 below (extra line 243 breaks and indentation are for display purposes only). 245 GET /as/authorization.oauth2?response_type=token 246 &client_id=example-client 247 &state=XzZaJlcwYew1u0QBrRv_Gw 248 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb 249 &resource=https%3A%2F%2Fapi.example.com%2Fapp%2F HTTP/1.1 250 Host: authorization-server.example.com 252 Figure 1: Implicit Flow Authorization Request 254 Below in Figure 2 is an example of an authorization request using the 255 "code" response type where the client is requesting access to the 256 resource owner's contacts and calendar data at 257 "https://cal.example.com/" and "https://contacts.example.com/" (extra 258 line breaks and indentation are for display purposes only). 260 GET /as/authorization.oauth2?response_type=code 261 &client_id=s6BhdRkqt3 262 &state=tNwzQ87pC6llebpmac_IDeeq-mCR2wLDYljHUZUAWuI 263 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb 264 &scope=calendar%20contacts 265 &resource=https%3A%2F%2Fcal.example.com%2F 266 &resource=https%3A%2F%2Fcontacts.example.com%2F HTTP/1.1 267 Host: authorization-server.example.com 269 Figure 2: Code Flow Authorization Request 271 2.2. Access Token Request 273 When the "resource" parameter is used on an access token request made 274 to the token endpoint, for all grant types, it indicates the target 275 service or protected resource where the client intends to use the 276 requested access token. 278 The resource value(s) that are acceptable to an authorization server 279 in fulfilling an access token request are at its sole discretion 280 based on local policy or configuration. In the case of a 281 "refresh_token" or "authorization_code" grant type request, such 282 policy may limit the acceptable resources to those that were 283 originally granted by the resource owner or a subset thereof. In the 284 "authorization_code" case where the requested resources are a subset 285 of the set of resources originally granted, the authorization server 286 will issue an access token based on that subset of requested 287 resources while any refresh token that is returned is bound to the 288 full original grant. 290 When requesting a token, the client can indicate the desired target 291 service(s) where it intends to use that token by way of the 292 "resource" parameter and can indicate the desired scope of the 293 requested token using the "scope" parameter. The semantics of such a 294 request are that the client is asking for a token with the requested 295 scope that is usable at all the requested target services. 296 Effectively, the requested access rights of the token are the 297 cartesian product of all the scopes at all the target services. To 298 the extent possible, when issuing access tokens, the authorization 299 server should downscope the scope value associated with an access 300 token to the value the respective resource is able to process and 301 needs to know. This further improves privacy as a list of scope 302 values is an indication that the resource owner uses the multiple 303 various services listed; downscoping a token to only that which is 304 needed for a particular service can limit the extent to which such 305 information is revealed across different services. As specified in 306 Section 5.1 of [RFC6749], the authorization server must indicate the 307 access token's effective scope to the client in the "scope" response 308 parameter value when it differs from the scope requested by the 309 client. 311 Following from the code flow authorization request shown in Figure 2, 312 the below examples show an "authorization_code" grant type access 313 token request (Figure 3) and response (Figure 4) where the client 314 tells the authorization server that it wants the access token for use 315 at "https://cal.example.com/" (extra line breaks and indentation are 316 for display purposes only). 318 POST /as/token.oauth2 HTTP/1.1 319 Host: authorization-server.example.com 320 Authorization: Basic czZCaGRSa3F0Mzpoc3FFelFsVW9IQUU5cHg0RlNyNHlJ 321 Content-Type: application/x-www-form-urlencoded 323 grant_type=authorization_code 324 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb 325 &code=10esc29BWC2qZB0acc9v8zAv9ltc2pko105tQauZ 326 &resource=https%3A%2F%2Fcal.example.com%2F 328 Figure 3: Access Token Request 330 HTTP/1.1 200 OK 331 Content-Type: application/json 332 Cache-Control: no-cache, no-store 334 { 335 "access_token":"eyJhbGciOiJFUzI1NiIsImtpZCI6Ijc3In0.eyJpc3MiOi 336 JodHRwOi8vYXV0aG9yaXphdGlvbi1zZXJ2ZXIuZXhhbXBsZS5jb20iLCJzdWI 337 iOiJfX2JfYyIsImV4cCI6MTU4ODQyMDgwMCwic2NvcGUiOiJjYWxlbmRhciIs 338 ImF1ZCI6Imh0dHBzOi8vY2FsLmV4YW1wbGUuY29tLyJ9.nNWJ2dXSxaDRdMUK 339 lzs-cYIj8MDoM6Gy7pf_sKrLGsAFf1C2bDhB60DQfW1DZL5npdko1_Mmk5sUf 340 zkiQNVpYw", 341 "token_type":"Bearer", 342 "expires_in":3600, 343 "refresh_token":"4LTC8lb0acc6Oy4esc1Nk9BWC0imAwH7kic16BDC2", 344 "scope":"calendar" 345 } 347 Figure 4: Access Token Response 349 A subsequent access token request, using the refresh token, where the 350 client tells the authorization server that it wants an access token 351 for use at "https://contacts.example.com/" is shown in Figure 5 below 352 with the response shown in Figure 6 (extra line breaks and 353 indentation are for display purposes only). 355 POST /as/token.oauth2 HTTP/1.1 356 Host: authorization-server.example.com 357 Authorization: Basic czZCaGRSa3F0Mzpoc3FFelFsVW9IQUU5cHg0RlNyNHlJ 358 Content-Type: application/x-www-form-urlencoded 360 grant_type=refresh_token 361 &refresh_token=4LTC8lb0acc6Oy4esc1Nk9BWC0imAwH7kic16BDC2 362 &resource=https%3A%2F%2Fcontacts.example.com%2F 364 Figure 5: Access Token Request 366 HTTP/1.1 200 OK 367 Content-Type: application/json 368 Cache-Control: no-cache, no-store 370 { 371 "access_token":"eyJhbGciOiJFUzI1NiIsImtpZCI6Ijc3In0.eyJpc3MiOi 372 JodHRwOi8vYXV0aG9yaXphdGlvbi1zZXJ2ZXIuZXhhbXBsZS5jb20iLCJzdWI 373 iOiJfX2JfYyIsImV4cCI6MTU4ODQyMDgyNiwic2NvcGUiOiJjb250YWN0cyIs 374 ImF1ZCI6Imh0dHBzOi8vY29udGFjdHMuZXhhbXBsZS5jb20vIn0.5f4yhqazc 375 OSlJw4y94KPeWNEFQqj2cfeO8x4hr3YbHtIl3nQXnBMw5wREY5O1YbZED-GfH 376 UowfmtNaA5EikYAw", 377 "token_type":"Bearer", 378 "expires_in":3600, 379 "scope":"contacts" 380 } 382 Figure 6: Access Token Response 384 3. Security Considerations 386 An audience-restricted access token, legitimately presented to a 387 resource, cannot then be taken by that resource and presented 388 elsewhere for illegitimate access to other resources. The "resource" 389 parameter enables a client to indicate the protected resources where 390 the requested access token will be used, which in turn enables the 391 authorization server to apply the appropriate audience restrictions 392 to the token. 394 Some servers may host user content or be multi-tenant. In order to 395 avoid attacks where one tenant uses an access token to illegitimately 396 access resources owned by a different tenant, it is important to use 397 a specific resource URI including any portion of the URI that 398 identifies the tenant, such as a path component. This will allow 399 access tokens to be audience-restricted in a way that identifies the 400 tenant and prevent their use, due to an invalid audience, at 401 resources owned by a different tenant. 403 Although multiple occurrences of the "resource" parameter may be 404 included in a token request, using only a single "resource" parameter 405 is encouraged. A bearer token that has multiple intended recipients 406 (audiences) indicating that the token is valid at more than one 407 protected resource can be used by any one of those protected 408 resources to access any of the other protected resources. Thus, a 409 high degree of trust between the involved parties is needed when 410 using access tokens with multiple audiences. Furthermore an 411 authorization server may be unwilling or unable to fulfill a token 412 request with multiple resources. 414 Whenever feasible, the "resource" parameter should correspond to the 415 network addressable location of the protected resource. This makes 416 it possible for the client to validate that the resource being 417 requested controls the corresponding network location, reducing the 418 risk of malicious endpoints obtaining tokens meant for other 419 resources. If the "resource" parameter contains an abstract 420 identifier, it is the client's responsibility to validate out of band 421 that any network endpoint to which tokens are sent are the intended 422 audience for that identifier. 424 4. Privacy Considerations 426 In typical OAuth deployments the authorization sever is in a position 427 to observe and track a significant amount of user and client 428 behavior. It is largely just inherent to the nature of OAuth and 429 this document does little to affect that. In some cases, however, 430 such as when access token introspection is not being used, use of the 431 resource parameter defined herein may allow for tracking behavior at 432 a somewhat more granular and specific level than would otherwise be 433 possible in its absence. 435 5. IANA Considerations 437 5.1. OAuth Parameters Registration 439 This specification updates the following value in the IANA "OAuth 440 Parameters" registry [IANA.OAuth.Parameters] established by 441 [RFC6749]. 443 o Parameter name: resource 444 o Parameter usage location: authorization request, token request 445 o Change controller: IESG 446 o Specification document(s): [[ this specification ]] 448 5.2. OAuth Extensions Error Registration 450 This specification updates the following error in the IANA "OAuth 451 Extensions Error Registry" [IANA.OAuth.Parameters] established by 452 [RFC6749]. 454 o Error name: invalid_target 455 o Error usage location: implicit grant error response, token error 456 response 457 o Related protocol extension: resource parameter 458 o Change controller: IESG 459 o Specification document(s): [[ this specification ]] 461 6. References 463 6.1. Normative References 465 [IANA.OAuth.Parameters] 466 IANA, "OAuth Parameters", 467 . 469 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 470 Requirement Levels", BCP 14, RFC 2119, 471 DOI 10.17487/RFC2119, March 1997, 472 . 474 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 475 Resource Identifier (URI): Generic Syntax", STD 66, 476 RFC 3986, DOI 10.17487/RFC3986, January 2005, 477 . 479 [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", 480 RFC 6749, DOI 10.17487/RFC6749, October 2012, 481 . 483 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 484 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 485 May 2017, . 487 6.2. Informative References 489 [I-D.ietf-oauth-jwsreq] 490 Sakimura, N. and J. Bradley, "The OAuth 2.0 Authorization 491 Framework: JWT Secured Authorization Request (JAR)", 492 draft-ietf-oauth-jwsreq-19 (work in progress), June 2019. 494 [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization 495 Framework: Bearer Token Usage", RFC 6750, 496 DOI 10.17487/RFC6750, October 2012, 497 . 499 [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token 500 (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, 501 . 503 [RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E., 504 and C. Mortimore, "System for Cross-domain Identity 505 Management: Protocol", RFC 7644, DOI 10.17487/RFC7644, 506 September 2015, . 508 [RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection", 509 RFC 7662, DOI 10.17487/RFC7662, October 2015, 510 . 512 Appendix A. Acknowledgements 514 This specification was developed within the OAuth Working Group under 515 the chairmanship of Hannes Tschofenig and Rifaat Shekh-Yusef with 516 Eric Rescorla, Benjamin Kaduk and Roman Danyliw serving as Security 517 Area Directors. Additionally, the following individuals contributed 518 ideas, feedback, and wording that helped shape this specification: 520 Vittorio Bertocci, Sergey Beryozkin, Roman Danyliw, William Denniss, 521 Vladimir Dzhuvinov, George Fletcher, Dick Hardt, Phil Hunt, Michael 522 Jones, Benjamin Kaduk, Barry Leiba, Torsten Lodderstedt, Anthony 523 Nadalin, Justin Richer, Adam Roach, Nat Sakimura, Rifaat Shekh-Yusef, 524 Filip Skokan, Eric Vyncke, and Hans Zandbelt. 526 Appendix B. Document History 528 [[ to be removed by the RFC Editor before publication as an RFC ]] 530 draft-ietf-oauth-resource-indicators-06 532 o Expand JWT acronym on first use per Genart last call review. 533 o Updates from IESG evaluation comments. 535 draft-ietf-oauth-resource-indicators-05 537 o Remove specific mention of error_uri, which is rarely (if ever) 538 used and seems to only confuse things for readers of extensions 539 like this one. 541 draft-ietf-oauth-resource-indicators-04 543 o Editorial updates from AD review that were overlooked in -03. 545 draft-ietf-oauth-resource-indicators-03 547 o Editorial updates from AD review. 548 o Update draft-ietf-oauth-jwsreq ref to -19. 549 o Update the IANA requests to say they update the registries. 551 draft-ietf-oauth-resource-indicators-02 553 o Clarify that the value of the "resource" parameter is a URI which 554 can be an abstract identifier for the target resource and doesn't 555 necessarily have to correspond to a network addressable location. 557 o Significant rework of the main section of the document attempting 558 to clarify a number of things that came up at, around and after 559 IETF 102 and the call for adoption. 560 o Change the "invalid_resource" error to "invalid_target" to align 561 with draft-ietf-oauth-token-exchange, which has some overlap in 562 functionality. 563 o Allow the "resource" parameter value to have a query component 564 (aligning with draft-ietf-oauth-token-exchange). 565 o Moved the Security Considerations section to before the IANA 566 Considerations. 567 o Other editorial updates. 568 o Rework the Acknowledgements section. 569 o Use RFC 8174 boilerplate. 571 draft-ietf-oauth-resource-indicators-00 573 o First version of the working group document. A replica of draft- 574 campbell-oauth-resource-indicators-02. 576 draft-campbell-oauth-resource-indicators-02 578 o No changes. 580 draft-campbell-oauth-resource-indicators-01 582 o Move Hannes Tschofenig, who wrote https://tools.ietf.org/html/ 583 draft-tschofenig-oauth-audience in '13, from Acknowledgements to 584 Authors. 585 o Added IANA Considerations to register the "resource" parameter and 586 "invalid_resource" error code. 588 draft-campbell-oauth-resource-indicators-00 590 o Initial draft to define a resource parameter for OAuth 2.0. 592 Authors' Addresses 594 Brian Campbell 595 Ping Identity 597 Email: brian.d.campbell@gmail.com 598 John Bradley 599 Yubico 601 Email: ve7jtb@ve7jtb.com 603 Hannes Tschofenig 604 Arm Limited 606 Email: hannes.tschofenig@gmx.net