idnits 2.17.1 draft-ietf-oauth-v2-23.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC5849, but the abstract doesn't seem to directly say this. It does mention RFC5849 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (January 21, 2012) is 4477 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 1750 (Obsoleted by RFC 4086) ** Obsolete normative reference: RFC 2246 (Obsoleted by RFC 4346) ** Obsolete normative reference: RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) ** Obsolete normative reference: RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) ** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110) ** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159) ** Downref: Normative reference to an Informational RFC: RFC 4949 ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) == Outdated reference: A later version (-23) exists of draft-ietf-oauth-saml2-bearer-08 == Outdated reference: A later version (-23) exists of draft-ietf-oauth-v2-bearer-08 == Outdated reference: A later version (-05) exists of draft-ietf-oauth-v2-http-mac-00 == Outdated reference: A later version (-08) exists of draft-ietf-oauth-v2-threatmodel-00 -- Obsolete informational reference (is this intentional?): RFC 5849 (Obsoleted by RFC 6749) Summary: 9 errors (**), 0 flaws (~~), 6 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group E. Hammer, Ed. 3 Internet-Draft 4 Obsoletes: 5849 (if approved) D. Recordon 5 Intended status: Standards Track Facebook 6 Expires: July 24, 2012 D. Hardt 7 Microsoft 8 January 21, 2012 10 The OAuth 2.0 Authorization Protocol 11 draft-ietf-oauth-v2-23 13 Abstract 15 The OAuth 2.0 authorization protocol enables a third-party 16 application to obtain limited access to an HTTP service, either on 17 behalf of a resource owner by orchestrating an approval interaction 18 between the resource owner and the HTTP service, or by allowing the 19 third-party application to obtain access on its own behalf. This 20 specification replaces and obsoletes the OAuth 1.0 protocol described 21 in RFC 5849. 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on July 24, 2012. 40 Copyright Notice 42 Copyright (c) 2012 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 58 1.1. Roles . . . . . . . . . . . . . . . . . . . . . . . . . . 6 59 1.2. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 6 60 1.3. Authorization Grant . . . . . . . . . . . . . . . . . . . 7 61 1.3.1. Authorization Code . . . . . . . . . . . . . . . . . . 7 62 1.3.2. Implicit . . . . . . . . . . . . . . . . . . . . . . . 8 63 1.3.3. Resource Owner Password Credentials . . . . . . . . . 8 64 1.3.4. Client Credentials . . . . . . . . . . . . . . . . . . 9 65 1.4. Access Token . . . . . . . . . . . . . . . . . . . . . . 9 66 1.5. Refresh Token . . . . . . . . . . . . . . . . . . . . . . 9 67 1.6. TLS Version . . . . . . . . . . . . . . . . . . . . . . . 11 68 1.7. Interoperability . . . . . . . . . . . . . . . . . . . . 11 69 1.8. Notational Conventions . . . . . . . . . . . . . . . . . 12 70 2. Client Registration . . . . . . . . . . . . . . . . . . . . . 12 71 2.1. Client Types . . . . . . . . . . . . . . . . . . . . . . 13 72 2.2. Client Identifier . . . . . . . . . . . . . . . . . . . . 14 73 2.3. Client Authentication . . . . . . . . . . . . . . . . . . 14 74 2.3.1. Client Password . . . . . . . . . . . . . . . . . . . 15 75 2.3.2. Other Authentication Methods . . . . . . . . . . . . . 16 76 2.4. Unregistered Clients . . . . . . . . . . . . . . . . . . 16 77 3. Protocol Endpoints . . . . . . . . . . . . . . . . . . . . . . 16 78 3.1. Authorization Endpoint . . . . . . . . . . . . . . . . . 16 79 3.1.1. Response Type . . . . . . . . . . . . . . . . . . . . 17 80 3.1.2. Redirection Endpoint . . . . . . . . . . . . . . . . . 18 81 3.2. Token Endpoint . . . . . . . . . . . . . . . . . . . . . 20 82 3.2.1. Client Authentication . . . . . . . . . . . . . . . . 20 83 3.3. Access Token Scope . . . . . . . . . . . . . . . . . . . 21 84 4. Obtaining Authorization . . . . . . . . . . . . . . . . . . . 22 85 4.1. Authorization Code Grant . . . . . . . . . . . . . . . . 22 86 4.1.1. Authorization Request . . . . . . . . . . . . . . . . 23 87 4.1.2. Authorization Response . . . . . . . . . . . . . . . . 24 88 4.1.3. Access Token Request . . . . . . . . . . . . . . . . . 26 89 4.1.4. Access Token Response . . . . . . . . . . . . . . . . 27 90 4.2. Implicit Grant . . . . . . . . . . . . . . . . . . . . . 28 91 4.2.1. Authorization Request . . . . . . . . . . . . . . . . 30 92 4.2.2. Access Token Response . . . . . . . . . . . . . . . . 31 93 4.3. Resource Owner Password Credentials Grant . . . . . . . . 33 94 4.3.1. Authorization Request and Response . . . . . . . . . . 34 95 4.3.2. Access Token Request . . . . . . . . . . . . . . . . . 35 96 4.3.3. Access Token Response . . . . . . . . . . . . . . . . 36 97 4.4. Client Credentials Grant . . . . . . . . . . . . . . . . 36 98 4.4.1. Authorization Request and Response . . . . . . . . . . 37 99 4.4.2. Access Token Request . . . . . . . . . . . . . . . . . 37 100 4.4.3. Access Token Response . . . . . . . . . . . . . . . . 37 101 4.5. Extension Grants . . . . . . . . . . . . . . . . . . . . 38 102 5. Issuing an Access Token . . . . . . . . . . . . . . . . . . . 39 103 5.1. Successful Response . . . . . . . . . . . . . . . . . . . 39 104 5.2. Error Response . . . . . . . . . . . . . . . . . . . . . 40 105 6. Refreshing an Access Token . . . . . . . . . . . . . . . . . . 42 106 7. Accessing Protected Resources . . . . . . . . . . . . . . . . 43 107 7.1. Access Token Types . . . . . . . . . . . . . . . . . . . 43 108 8. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 44 109 8.1. Defining Access Token Types . . . . . . . . . . . . . . . 44 110 8.2. Defining New Endpoint Parameters . . . . . . . . . . . . 45 111 8.3. Defining New Authorization Grant Types . . . . . . . . . 45 112 8.4. Defining New Authorization Endpoint Response Types . . . 45 113 8.5. Defining Additional Error Codes . . . . . . . . . . . . . 46 114 9. Native Applications . . . . . . . . . . . . . . . . . . . . . 46 115 10. Security Considerations . . . . . . . . . . . . . . . . . . . 47 116 10.1. Client Authentication . . . . . . . . . . . . . . . . . . 48 117 10.2. Client Impersonation . . . . . . . . . . . . . . . . . . 48 118 10.3. Access Tokens . . . . . . . . . . . . . . . . . . . . . . 49 119 10.4. Refresh Tokens . . . . . . . . . . . . . . . . . . . . . 49 120 10.5. Authorization Codes . . . . . . . . . . . . . . . . . . . 50 121 10.6. Authorization Code Redirection URI Manipulation . . . . . 50 122 10.7. Resource Owner Password Credentials . . . . . . . . . . . 51 123 10.8. Request Confidentiality . . . . . . . . . . . . . . . . . 52 124 10.9. Endpoints Authenticity . . . . . . . . . . . . . . . . . 52 125 10.10. Credentials Guessing Attacks . . . . . . . . . . . . . . 52 126 10.11. Phishing Attacks . . . . . . . . . . . . . . . . . . . . 52 127 10.12. Cross-Site Request Forgery . . . . . . . . . . . . . . . 53 128 10.13. Clickjacking . . . . . . . . . . . . . . . . . . . . . . 54 129 10.14. Code Injection and Input Validation . . . . . . . . . . . 54 130 10.15. Open Redirectors . . . . . . . . . . . . . . . . . . . . 55 131 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 55 132 11.1. The OAuth Access Token Type Registry . . . . . . . . . . 55 133 11.1.1. Registration Template . . . . . . . . . . . . . . . . 56 134 11.2. The OAuth Parameters Registry . . . . . . . . . . . . . . 56 135 11.2.1. Registration Template . . . . . . . . . . . . . . . . 57 136 11.2.2. Initial Registry Contents . . . . . . . . . . . . . . 57 137 11.3. The OAuth Authorization Endpoint Response Type 138 Registry . . . . . . . . . . . . . . . . . . . . . . . . 59 139 11.3.1. Registration Template . . . . . . . . . . . . . . . . 60 140 11.3.2. Initial Registry Contents . . . . . . . . . . . . . . 60 141 11.4. The OAuth Extensions Error Registry . . . . . . . . . . . 60 142 11.4.1. Registration Template . . . . . . . . . . . . . . . . 61 143 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 62 144 Appendix A. Editor's Notes . . . . . . . . . . . . . . . . . . . 63 145 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 63 146 13.1. Normative References . . . . . . . . . . . . . . . . . . 63 147 13.2. Informative References . . . . . . . . . . . . . . . . . 64 148 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 65 150 1. Introduction 152 In the traditional client-server authentication model, the client 153 requests an access restricted resource (protected resource) on the 154 server by authenticating with the server using the resource owner's 155 credentials. In order to provide third-party applications access to 156 restricted resources, the resource owner shares its credentials with 157 the third-party. This creates several problems and limitations: 159 o Third-party applications are required to store the resource 160 owner's credentials for future use, typically a password in clear- 161 text. 162 o Servers are required to support password authentication, despite 163 the security weaknesses created by passwords. 164 o Third-party applications gain overly broad access to the resource 165 owner's protected resources, leaving resource owners without any 166 ability to restrict duration or access to a limited subset of 167 resources. 168 o Resource owners cannot revoke access to an individual third-party 169 without revoking access to all third-parties, and must do so by 170 changing their password. 171 o Compromise of any third-party application results in compromise of 172 the end-user s password and all of the data protected by that 173 password. 175 OAuth addresses these issues by introducing an authorization layer 176 and separating the role of the client from that of the resource 177 owner. In OAuth, the client requests access to resources controlled 178 by the resource owner and hosted by the resource server, and is 179 issued a different set of credentials than those of the resource 180 owner. 182 Instead of using the resource owner's credentials to access protected 183 resources, the client obtains an access token - a string denoting a 184 specific scope, lifetime, and other access attributes. Access tokens 185 are issued to third-party clients by an authorization server with the 186 approval of the resource owner. The client uses the access token to 187 access the protected resources hosted by the resource server. 189 For example, an end-user (resource owner) can grant a printing 190 service (client) access to her protected photos stored at a photo 191 sharing service (resource server), without sharing her username and 192 password with the printing service. Instead, she authenticates 193 directly with a server trusted by the photo sharing service 194 (authorization server) which issues the printing service delegation- 195 specific credentials (access token). 197 This specification is designed for use with HTTP [RFC2616]. The use 198 of OAuth with any transport protocol other than HTTP is undefined. 200 1.1. Roles 202 OAuth defines four roles: 204 resource owner 205 An entity capable of granting access to a protected resource (e.g. 206 end-user). 207 resource server 208 The server hosting the protected resources, capable of accepting 209 and responding to protected resource requests using access tokens. 210 client 211 An application making protected resource requests on behalf of the 212 resource owner and with its authorization. The term client does 213 not imply any particular implementation characteristics (e.g. 214 whether the application executes on a server, a desktop, or other 215 devices). 216 authorization server 217 The server issuing access tokens to the client after successfully 218 authenticating the resource owner and obtaining authorization. 220 The interaction between the authorization server and resource server 221 is beyond the scope of this specification. The authorization server 222 may be the same server as the resource server or a separate entity. 223 A single authorization server may issue access tokens accepted by 224 multiple resource servers. 226 1.2. Protocol Flow 228 +--------+ +---------------+ 229 | |--(A)- Authorization Request ->| Resource | 230 | | | Owner | 231 | |<-(B)-- Authorization Grant ---| | 232 | | +---------------+ 233 | | 234 | | +---------------+ 235 | |--(C)-- Authorization Grant -->| Authorization | 236 | Client | | Server | 237 | |<-(D)----- Access Token -------| | 238 | | +---------------+ 239 | | 240 | | +---------------+ 241 | |--(E)----- Access Token ------>| Resource | 242 | | | Server | 243 | |<-(F)--- Protected Resource ---| | 244 +--------+ +---------------+ 245 Figure 1: Abstract Protocol Flow 247 The abstract flow illustrated in Figure 1 describes the interaction 248 between the four roles and includes the following steps: 250 (A) The client requests authorization from the resource owner. The 251 authorization request can be made directly to the resource owner 252 (as shown), or preferably indirectly via the authorization 253 server as an intermediary. 254 (B) The client receives an authorization grant which is a credential 255 representing the resource owner's authorization, expressed using 256 one of four grant types defined in this specification or using 257 an extension grant type. The authorization grant type depends 258 on the method used by the client to request authorization and 259 the types supported by the authorization server. 260 (C) The client requests an access token by authenticating with the 261 authorization server and presenting the authorization grant. 262 (D) The authorization server authenticates the client and validates 263 the authorization grant, and if valid issues an access token. 264 (E) The client requests the protected resource from the resource 265 server and authenticates by presenting the access token. 266 (F) The resource server validates the access token, and if valid, 267 serves the request. 269 1.3. Authorization Grant 271 An authorization grant is a credential representing the resource 272 owner's authorization (to access its protected resources) used by the 273 client to obtain an access token. This specification defines four 274 grant types: authorization code, implicit, resource owner password 275 credentials, and client credentials, as well as an extensibility 276 mechanism for defining additional types. 278 1.3.1. Authorization Code 280 The authorization code is obtained by using an authorization server 281 as an intermediary between the client and resource owner. Instead of 282 requesting authorization directly from the resource owner, the client 283 directs the resource owner to an authorization server (via its user- 284 agent as defined in [RFC2616]), which in turn directs the resource 285 owner back to the client with the authorization code. 287 Before directing the resource owner back to the client with the 288 authorization code, the authorization server authenticates the 289 resource owner and obtains authorization. Because the resource owner 290 only authenticates with the authorization server, the resource 291 owner's credentials are never shared with the client. 293 The authorization code provides a few important security benefits 294 such as the ability to authenticate the client, and the transmission 295 of the access token directly to the client without passing it through 296 the resource owner's user-agent, potentially exposing it to others, 297 including the resource owner. 299 1.3.2. Implicit 301 The implicit grant is a simplified authorization code flow optimized 302 for clients implemented in a browser using a scripting language such 303 as JavaScript. In the implicit flow, instead of issuing the client 304 an authorization code, the client is issued an access token directly 305 (as the result of the resource owner authorization). The grant type 306 is implicit as no intermediate credentials (such as an authorization 307 code) are issued (and later used to obtain an access token). 309 When issuing an access token during the implicit grant flow, the 310 authorization server does not authenticate the client. In some 311 cases, the client identity can be verified via the redirection URI 312 used to deliver the access token to the client. The access token may 313 be exposed to the resource owner or other applications with access to 314 the resource owner's user-agent. 316 Implicit grants improve the responsiveness and efficiency of some 317 clients (such as a client implemented as an in-browser application) 318 since it reduces the number of round trips required to obtain an 319 access token. However, this convenience should be weighed against 320 the security implications of using implicit grants, especially when 321 the authorization code grant type is available. 323 1.3.3. Resource Owner Password Credentials 325 The resource owner password credentials (i.e. username and password) 326 can be used directly as an authorization grant to obtain an access 327 token. The credentials should only be used when there is a high 328 degree of trust between the resource owner and the client (e.g. the 329 client is part of the device operating system or a highly privileged 330 application), and when other authorization grant types are not 331 available (such as an authorization code). 333 Even though this grant type requires direct client access to the 334 resource owner credentials, the resource owner credentials are used 335 for a single request and are exchanged for an access token. This 336 grant type can eliminate the need for the client to store the 337 resource owner credentials for future use, by exchanging the 338 credentials with a long-lived access token or refresh token. 340 1.3.4. Client Credentials 342 The client credentials (or other forms of client authentication) can 343 be used as an authorization grant when the authorization scope is 344 limited to the protected resources under the control of the client, 345 or to protected resources previously arranged with the authorization 346 server. Client credentials are used as an authorization grant 347 typically when the client is acting on its own behalf (the client is 348 also the resource owner), or is requesting access to protected 349 resources based on an authorization previously arranged with the 350 authorization server. 352 1.4. Access Token 354 Access tokens are credentials used to access protected resources. An 355 access token is a string representing an authorization issued to the 356 client. The string is usually opaque to the client. Tokens 357 represent specific scopes and durations of access, granted by the 358 resource owner, and enforced by the resource server and authorization 359 server. 361 The token may denote an identifier used to retrieve the authorization 362 information, or self-contain the authorization information in a 363 verifiable manner (i.e. a token string consisting of some data and a 364 signature). Additional authentication credentials, which are beyond 365 the scope of this specification, may be required in order for the 366 client to use a token. 368 The access token provides an abstraction layer, replacing different 369 authorization constructs (e.g. username and password) with a single 370 token understood by the resource server. This abstraction enables 371 issuing access tokens more restrictive than the authorization grant 372 used to obtain them, as well as removing the resource server's need 373 to understand a wide range of authentication methods. 375 Access tokens can have different formats, structures, and methods of 376 utilization (e.g. cryptographic properties) based on the resource 377 server security requirements. Access token attributes and the 378 methods used to access protected resources are beyond the scope of 379 this specification and are defined by companion specifications. 381 1.5. Refresh Token 383 Refresh tokens are credentials used to obtain access tokens. Refresh 384 tokens are issued to the client by the authorization server and are 385 used to obtain a new access token when the current access token 386 becomes invalid or expires, or to obtain additional access tokens 387 with identical or narrower scope (access tokens may have a shorter 388 lifetime and fewer permissions than authorized by the resource 389 owner). Issuing a refresh token is optional at the discretion of the 390 authorization server. If the authorization server issues a refresh 391 token, it is included when issuing an access token. 393 A refresh token is a string representing the authorization granted to 394 the client by the resource owner. The string is usually opaque to 395 the client. The token denotes an identifier used to retrieve the 396 authorization information. Unlike access tokens, refresh tokens are 397 intended for use only with authorization servers and are never sent 398 to resource servers. 400 +--------+ +---------------+ 401 | |--(A)------- Authorization Grant --------->| | 402 | | | | 403 | |<-(B)----------- Access Token -------------| | 404 | | & Refresh Token | | 405 | | | | 406 | | +----------+ | | 407 | |--(C)---- Access Token ---->| | | | 408 | | | | | | 409 | |<-(D)- Protected Resource --| Resource | | Authorization | 410 | Client | | Server | | Server | 411 | |--(E)---- Access Token ---->| | | | 412 | | | | | | 413 | |<-(F)- Invalid Token Error -| | | | 414 | | +----------+ | | 415 | | | | 416 | |--(G)----------- Refresh Token ----------->| | 417 | | | | 418 | |<-(H)----------- Access Token -------------| | 419 +--------+ & Optional Refresh Token +---------------+ 421 Figure 2: Refreshing an Expired Access Token 423 The flow illustrated in Figure 2 includes the following steps: 425 (A) The client requests an access token by authenticating with the 426 authorization server, and presenting an authorization grant. 427 (B) The authorization server authenticates the client and validates 428 the authorization grant, and if valid issues an access token and 429 a refresh token. 431 (C) The client makes a protected resource request to the resource 432 server by presenting the access token. 433 (D) The resource server validates the access token, and if valid, 434 serves the request. 435 (E) Steps (C) and (D) repeat until the access token expires. If the 436 client knows the access token expired, it skips to step (G), 437 otherwise it makes another protected resource request. 438 (F) Since the access token is invalid, the resource server returns 439 an invalid token error. 440 (G) The client requests a new access token by authenticating with 441 the authorization server and presenting the refresh token. The 442 client authentication requirements are based on the client type 443 and on the authorization server policies. 444 (H) The authorization server authenticates the client and validates 445 the refresh token, and if valid issues a new access token (and 446 optionally, a new refresh token). 448 Steps C, D, E, and F are outside the scope of this specification as 449 described in Section 7. 451 1.6. TLS Version 453 Whenever TLS is required by this specification, the appropriate 454 version (or versions) of TLS will vary over time, based on the 455 widespread deployment and known security vulnerabilities. At the 456 time of this writing, TLS version 1.2 [RFC5246] is the most recent 457 version, but has a very limited deployment base and might not be 458 readily available for implementation. TLS version 1.0 [RFC2246] is 459 the most widely deployed version, and will provide the broadest 460 interoperability. 462 Implementations MAY also support additional transport-layer 463 mechanisms that meet their security requirements. 465 1.7. Interoperability 467 OAuth 2.0 provides a rich authorization framework with well-defined 468 security properties. However, as a rich and highly extensible 469 framework with many optional components, this specification is likely 470 to produce a wide range of non-interoperable implementations. In 471 addition, this specification leaves a few required components 472 partially or fully undefined (e.g. client registration, authorization 473 server capabilities, endpoint discovery). 475 This protocol was design with the clear expectation that future work 476 will define prescriptive profiles and extensions necessary to achieve 477 full web-scale interoperability. 479 1.8. Notational Conventions 481 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 482 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this 483 specification are to be interpreted as described in [RFC2119]. 485 This specification uses the Augmented Backus-Naur Form (ABNF) 486 notation of [RFC5234]. 488 Certain security-related terms are to be understood in the sense 489 defined in [RFC4949]. These terms include, but are not limited to, 490 'attack', 'authentication', 'authorization', 'certificate', 491 'confidentiality', 'credential', 'encryption', 'identity', 'sign', 492 'signature', 'trust', 'validate', and 'verify'. 494 Unless otherwise noted, all the protocol parameter names and values 495 are case sensitive. 497 2. Client Registration 499 Before initiating the protocol, the client registers with the 500 authorization server. The means through which the client registers 501 with the authorization server are beyond the scope of this 502 specification, but typically involve end-user interaction with an 503 HTML registration form. 505 Client registration does not require a direct interaction between the 506 client and the authorization server. When supported by the 507 authorization server, registration can rely on other means for 508 establishing trust and obtaining the required client properties (e.g. 509 redirection URI, client type). For example, registration can be 510 accomplished using a self-issued or third-party-issued assertion, or 511 by the authorization server performing client discovery using a 512 trusted channel. 514 When registering a client, the client developer: 516 o specifies the client type as described in Section 2.1, 517 o provides its client redirection URIs as described in 518 Section 3.1.2, and 519 o includes any other information required by the authorization 520 server (e.g. application name, website, description, logo image, 521 the acceptance of legal terms). 523 2.1. Client Types 525 OAuth defines two client types, based on their ability to 526 authenticate securely with the authorization server (i.e. ability to 527 maintain the confidentiality of their client credentials): 529 confidential 530 Clients capable of maintaining the confidentiality of their 531 credentials (e.g. client implemented on a secure server with 532 restricted access to the client credentials), or capable of secure 533 client authentication using other means. 534 public 535 Clients incapable of maintaining the confidentiality of their 536 credentials (e.g. clients executing on the device used by the 537 resource owner such as an installed native application or a web 538 browser-based application), and incapable of secure client 539 authentication via any other means. 541 The client type designation is based on the authorization server's 542 definition of secure authentication and its acceptable exposure 543 levels of client credentials. 545 The authorization server SHOULD NOT make assumptions about the client 546 type, nor accept the type information provided by the client 547 developer without first establishing trust. 549 A client application consisting of multiple components, each with its 550 own client type (e.g. a distributed client with both a confidential 551 server-based component and a public browser-based component), MUST 552 register each component separately as a different client to ensure 553 proper handling by the authorization server. The authorization 554 server MAY provider tools to manage such complex clients through a 555 single administration interface. 557 This specification has been designed around the following client 558 profiles: 560 web application 561 A web application is a confidential client running on a web 562 server. Resource owners access the client via an HTML user 563 interface rendered in a user-agent on the device used by the 564 resource owner. The client credentials as well as any access 565 token issued to the client are stored on the web server and are 566 not exposed to or accessible by the resource owner. 568 user-agent-based application 569 A user-agent-based application is a public client in which the 570 client code is downloaded from a web server and executes within a 571 user-agent (e.g. web browser) on the device used by the resource 572 owner. Protocol data and credentials are easily accessible (and 573 often visible) to the resource owner. Since such applications 574 reside within the user-agent, they can make seamless use of the 575 user-agent capabilities when requesting authorization. 576 native application 577 A native application is a public client installed and executed on 578 the device used by the resource owner. Protocol data and 579 credentials are accessible to the resource owner. It is assumed 580 that any client authentication credentials included in the 581 application can be extracted. On the other hand, dynamically 582 issued credentials such as access tokens or refresh tokens can 583 receive an acceptable level of protection. At a minimum, these 584 credentials are protected from hostile servers with which the 585 application may interact with. On some platforms these 586 credentials might be protected from other applications residing on 587 the same device. 589 2.2. Client Identifier 591 The authorization server issues the registered client a client 592 identifier - a unique string representing the registration 593 information provided by the client. The client identifier is not a 594 secret, it is exposed to the resource owner, and MUST NOT be used 595 alone for client authentication. 597 2.3. Client Authentication 599 If the client type is confidential, the client and authorization 600 server establish a client authentication method suitable for the 601 security requirements of the authorization server. The authorization 602 server MAY accept any form of client authentication meeting its 603 security requirements. 605 Confidential clients are typically issued (or establish) a set of 606 client credentials used for authenticating with the authorization 607 server (e.g. password, public/private key pair). 609 The authorization server MAY establish a client authentication method 610 with public clients. However, the authorization server MUST NOT rely 611 on public client authentication for the purpose of identifying the 612 client. 614 The client MUST NOT use more than one authentication method in each 615 request. 617 2.3.1. Client Password 619 Clients in possession of a client password MAY use the HTTP Basic 620 authentication scheme as defined in [RFC2617] to authenticate with 621 the authorization server. The client identifier is used as the 622 username, and the client password is used as the password. The 623 authorization server MUST support the HTTP Basic authentication 624 scheme for authenticating clients which were issued a client 625 password. 627 For example (extra line breaks are for display purposes only): 629 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 631 Alternatively, the authorization server MAY support including the 632 client credentials in the request body using the following 633 parameters: 635 client_id 636 REQUIRED. The client identifier issued to the client during 637 the registration process described by Section 2.2. 638 client_secret 639 REQUIRED. The client secret. The client MAY omit the 640 parameter if the client secret is an empty string. 642 Including the client credentials in the request body using the two 643 parameters is NOT RECOMMENDED, and should be limited to clients 644 unable to directly utilize the HTTP Basic authentication scheme (or 645 other password-based HTTP authentication schemes). The parameters 646 can only be transmitted in the request body and MUST NOT be included 647 in the request URI. 649 For example, requesting to refresh an access token (Section 6) using 650 the body parameters (extra line breaks are for display purposes 651 only): 653 POST /token HTTP/1.1 654 Host: server.example.com 655 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 657 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA 658 &client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw 660 The authorization server MUST require TLS as described in Section 1.6 661 when sending requests using password authentication. 663 Since this client authentication method involves a password, the 664 authorization server MUST protect any endpoint utilizing it against 665 brute force attacks. 667 2.3.2. Other Authentication Methods 669 The authorization server MAY support any suitable HTTP authentication 670 scheme matching its security requirements. When using other 671 authentication methods, the authorization server MUST define a 672 mapping between the client identifier (registration record) and 673 authentication scheme. 675 2.4. Unregistered Clients 677 This specification does not exclude the use of unregistered clients. 678 However, the use with such clients is beyond the scope of this 679 specification, and requires additional security analysis and review 680 of its interoperability impact. 682 3. Protocol Endpoints 684 The authorization process utilizes two authorization server endpoints 685 (HTTP resources): 687 o Authorization endpoint - used to obtain authorization from the 688 resource owner via user-agent redirection. 689 o Token endpoint - used to exchange an authorization grant for an 690 access token, typically with client authentication. 692 As well as one client endpoint: 694 o Redirection endpoint - used to return authorization credentials 695 responses from the authorization server to the client via the 696 resource owner user-agent. 698 Not every authorization grant type utilizes both endpoints. 699 Extension grant types MAY define additional endpoints as needed. 701 3.1. Authorization Endpoint 703 The authorization endpoint is used to interact with the resource 704 owner and obtain an authorization grant. The authorization server 705 MUST first verify the identity of the resource owner. The way in 706 which the authorization server authenticates the resource owner (e.g. 707 username and password login, session cookies) is beyond the scope of 708 this specification. 710 The means through which the client obtains the location of the 711 authorization endpoint are beyond the scope of this specification, 712 but the location is typically provided in the service documentation. 714 The endpoint URI MAY include an "application/x-www-form-urlencoded" 715 formatted ([W3C.REC-html401-19991224]) query component ([RFC3986] 716 section 3.4), which MUST be retained when adding additional query 717 parameters. The endpoint URI MUST NOT include a fragment component. 719 Since requests to the authorization endpoint result in user 720 authentication and the transmission of clear-text credentials (in the 721 HTTP response), the authorization server MUST require TLS as 722 described in Section 1.6 when sending requests to the authorization 723 endpoint. 725 The authorization server MUST support the use of the HTTP "GET" 726 method [RFC2616] for the authorization endpoint, and MAY support the 727 use of the "POST" method as well. 729 Parameters sent without a value MUST be treated as if they were 730 omitted from the request. The authorization server MUST ignore 731 unrecognized request parameters. Request and response parameters 732 MUST NOT be included more than once. 734 3.1.1. Response Type 736 The authorization endpoint is used by the authorization code grant 737 type and implicit grant type flows. The client informs the 738 authorization server of the desired grant type using the following 739 parameter: 741 response_type 742 REQUIRED. The value MUST be one of "code" for requesting an 743 authorization code as described by Section 4.1.1, "token" for 744 requesting an access token (implicit grant) as described by 745 Section 4.2.1, or a registered extension value as described by 746 Section 8.4. 748 Extension response types MAY contain a space-delimited (%x20) list of 749 values, where the order of values does not matter (e.g. response type 750 "a b" is the same as "b a"). The meaning of such composite response 751 types is defined by their respective specifications. 753 If an authorization request is missing the "response_type" parameter, 754 the authorization server MUST return an error response as described 755 in Section 4.1.2.1. 757 3.1.2. Redirection Endpoint 759 After completing its interaction with the resource owner, the 760 authorization server directs the resource owner's user-agent back to 761 the client. The authorization server redirects the user-agent to the 762 client's redirection endpoint previously established with the 763 authorization server during the client registration process or when 764 making the authorization request. 766 The redirection endpoint URI MUST be an absolute URI as defined by 767 [RFC3986] section 4.3. The endpoint URI MAY include an 768 "application/x-www-form-urlencoded" formatted 769 ([W3C.REC-html401-19991224]) query component ([RFC3986] section 3.4), 770 which MUST be retained when adding additional query parameters. The 771 endpoint URI MUST NOT include a fragment component. 773 3.1.2.1. Endpoint Request Confidentiality 775 The redirection endpoint SHOULD require the use of TLS as described 776 in Section 1.6 when the requested response type is "code" or "token", 777 or when the redirection request will result in the transmission of 778 sensitive credentials over an open network. This specification does 779 not mandate the use of TLS because at the time of this writing, 780 requiring clients to deploy TLS is a significant hurdle for most 781 client developers. 783 Lack of transport-layer security can have a severe impact on the 784 security of the client and the protected resources it is authorized 785 to access. The use of transport-layer security is particularly 786 critical when the authorization process is used as a form of 787 delegated end-user authentication by the client (e.g. third-party 788 sign-in service). 790 3.1.2.2. Registration Requirements 792 The authorization server MUST require the following clients to 793 register their redirection endpoint: 795 o Public clients. 796 o Confidential clients utilizing the implicit grant type. 798 The authorization server SHOULD require all clients to register their 799 redirection endpoint prior to utilizing the authorization endpoint 801 The authorization server SHOULD require the client to provide the 802 complete redirection URI (the client MAY use the "state" request 803 parameter to achieve per-request customization). If requiring the 804 registration of the complete redirection URI is not possible, the 805 authorization server SHOULD require the registration of the URI 806 scheme, authority, and path (allowing the client to dynamically vary 807 only the query component of the redirection URI when requesting 808 authorization). 810 The authorization server MAY allow the client to register multiple 811 redirection endpoints. 813 Lack of a redirection URI registration requirement can enable an 814 attacker to use the authorization endpoint as open redirector as 815 described in Section 10.15. 817 3.1.2.3. Dynamic Configuration 819 If multiple redirection URIs have been registered, if only part of 820 the redirection URI has been registered, or if no redirection URI has 821 been registered, the client MUST include a redirection URI with the 822 authorization request using the "redirect_uri" request parameter. 824 When a redirection URI is included in an authorization request, the 825 authorization server MUST compare and match the value received 826 against at least one of the registered redirection URIs (or URI 827 components) as defined in [RFC3986] section 6, if any redirection 828 URIs were registered. If the client registration included the full 829 redirection URI, the authorization server MUST compare the two URIs 830 using simple string comparison as defined in [RFC3986] section 6.2.1. 832 3.1.2.4. Invalid Endpoint 834 If an authorization request fails validation due to a missing, 835 invalid, or mismatching redirection URI, the authorization server 836 SHOULD inform the resource owner of the error, and MUST NOT 837 automatically redirect the user-agent to the invalid redirection URI. 839 3.1.2.5. Endpoint Content 841 The redirection request to the client's endpoint typically results in 842 an HTML document response, processed by the user-agent. If the HTML 843 response is served directly as the result of the redirection request, 844 any script included in the HTML document will execute with full 845 access to the redirection URI and the credentials it contains. 847 The client MUST NOT include any untrusted third-party scripts in the 848 redirection endpoint response (e.g. third-party analytics, social 849 plug-ins, ad networks) without first ensuring that its own scripts 850 used to extract and remove the credentials from the URI will execute 851 first. 853 The client SHOULD NOT include any third-party scripts in the 854 redirection endpoint response. Instead, it should extract the 855 credentials from the URI and redirect the user-agent again to another 856 endpoint without the credentials in the URI. 858 3.2. Token Endpoint 860 The token endpoint is used by the client to obtain an access token by 861 presenting its authorization grant or refresh token. The token 862 endpoint is used with every authorization grant except for the 863 implicit grant type (since an access token is issued directly). 865 The means through which the client obtains the location of the token 866 endpoint are beyond the scope of this specification but is typically 867 provided in the service documentation. 869 The endpoint URI MAY include an "application/x-www-form-urlencoded" 870 formatted ([W3C.REC-html401-19991224]) query component ([RFC3986] 871 section 3.4), which MUST be retained when adding additional query 872 parameters. The endpoint URI MUST NOT include a fragment component. 874 Since requests to the token endpoint result in the transmission of 875 clear-text credentials (in the HTTP request and response), the 876 authorization server MUST require TLS as described in Section 1.6 877 when sending requests to the token endpoint. 879 The client MUST use the HTTP "POST" method when making access token 880 requests. 882 Parameters sent without a value MUST be treated as if they were 883 omitted from the request. The authorization server MUST ignore 884 unrecognized request parameters. Request and response parameters 885 MUST NOT be included more than once. 887 3.2.1. Client Authentication 889 Confidential clients or other clients issued client credentials MUST 890 authenticate with the authorization server as described in 891 Section 2.3 when making requests to the token endpoint. Client 892 authentication is used for: 894 o Enforcing the binding of refresh tokens and authorization codes to 895 the client they were issued to. Client authentication is critical 896 when an authorization code is transmitted to the redirection 897 endpoint over an insecure channel, or when the redirection URI has 898 not been registered in full. 900 o Recovering from a compromised client by disabling the client or 901 changing its credentials, thus preventing an attacker from abusing 902 stolen refresh tokens. Changing a single set of client 903 credentials is significantly faster than revoking an entire set of 904 refresh tokens. 905 o Implementing authentication management best practices which 906 require periodic credential rotation. Rotation of an entire set 907 of refresh tokens can be challenging, while rotation of a single 908 set of client credentials is significantly easier. 910 A public client that was not issued a client password MAY use the 911 "client_id" request parameter to identify itself when sending 912 requests to the token endpoint. 914 3.3. Access Token Scope 916 The authorization and token endpoints allow the client to specify the 917 scope of the access request using the "scope" request parameter. In 918 turn, the authorization server uses the "scope" response parameter to 919 inform the client of the scope of the access token issued. 921 The value of the scope parameter is expressed as a list of space- 922 delimited, case sensitive strings. The strings are defined by the 923 authorization server. If the value contains multiple space-delimited 924 strings, their order does not matter, and each string adds an 925 additional access range to the requested scope. 927 scope = scope-token *( SP scope-token ) 928 scope-token = 1*( %x21 / %x23-5B / %x5D-7E ) 930 The authorization server MAY fully or partially ignore the scope 931 requested by the client based on the authorization server policy or 932 the resource owner's instructions. If the issued access token scope 933 is different from the one requested by the client, the authorization 934 server MUST include the "scope" response parameter to inform the 935 client of the actual scope granted. 937 If the client omits the scope parameter when requesting 938 authorization, the authorization server MUST either process the 939 request using a pre-defined default value, or fail the request 940 indicating an invalid scope. The authorization server SHOULD 941 document its scope requirements and default value (if defined). 943 4. Obtaining Authorization 945 To request an access token, the client obtains authorization from the 946 resource owner. The authorization is expressed in the form of an 947 authorization grant which the client uses to request the access 948 token. OAuth defines four grant types: authorization code, implicit, 949 resource owner password credentials, and client credentials. It also 950 provides an extension mechanism for defining additional grant types. 952 4.1. Authorization Code Grant 954 The authorization code grant type is used to obtain both access 955 tokens and refresh tokens and is optimized for confidential clients. 956 As a redirection-based flow, the client must be capable of 957 interacting with the resource owner's user-agent (typically a web 958 browser) and capable of receiving incoming requests (via redirection) 959 from the authorization server. 961 +----------+ 962 | resource | 963 | owner | 964 | | 965 +----------+ 966 ^ 967 | 968 (B) 969 +----|-----+ Client Identifier +---------------+ 970 | -+----(A)-- & Redirection URI ---->| | 971 | User- | | Authorization | 972 | Agent -+----(B)-- User authenticates --->| Server | 973 | | | | 974 | -+----(C)-- Authorization Code ---<| | 975 +-|----|---+ +---------------+ 976 | | ^ v 977 (A) (C) | | 978 | | | | 979 ^ v | | 980 +---------+ | | 981 | |>---(D)-- Authorization Code ---------' | 982 | Client | & Redirection URI | 983 | | | 984 | |<---(E)----- Access Token -------------------' 985 +---------+ (w/ Optional Refresh Token) 987 Note: The lines illustrating steps A, B, and C are broken into two 988 parts as they pass through the user-agent. 990 Figure 3: Authorization Code Flow 992 The flow illustrated in Figure 3 includes the following steps: 994 (A) The client initiates the flow by directing the resource owner's 995 user-agent to the authorization endpoint. The client includes 996 its client identifier, requested scope, local state, and a 997 redirection URI to which the authorization server will send the 998 user-agent back once access is granted (or denied). 999 (B) The authorization server authenticates the resource owner (via 1000 the user-agent) and establishes whether the resource owner 1001 grants or denies the client's access request. 1002 (C) Assuming the resource owner grants access, the authorization 1003 server redirects the user-agent back to the client using the 1004 redirection URI provided earlier (in the request or during 1005 client registration). The redirection URI includes an 1006 authorization code and any local state provided by the client 1007 earlier. 1008 (D) The client requests an access token from the authorization 1009 server's token endpoint by including the authorization code 1010 received in the previous step. When making the request, the 1011 client authenticates with the authorization server. The client 1012 includes the redirection URI used to obtain the authorization 1013 code for verification. 1014 (E) The authorization server authenticates the client, validates the 1015 authorization code, and ensures the redirection URI received 1016 matches the URI used to redirect the client in step (C). If 1017 valid, the authorization server responds back with an access 1018 token and optionally, a refresh token. 1020 4.1.1. Authorization Request 1022 The client constructs the request URI by adding the following 1023 parameters to the query component of the authorization endpoint URI 1024 using the "application/x-www-form-urlencoded" format as defined by 1025 [W3C.REC-html401-19991224]: 1027 response_type 1028 REQUIRED. Value MUST be set to "code". 1029 client_id 1030 REQUIRED. The client identifier as described in Section 2.2. 1031 redirect_uri 1032 OPTIONAL. As described in Section 3.1.2. 1033 scope 1034 OPTIONAL. The scope of the access request as described by 1035 Section 3.3. 1037 state 1038 RECOMMENDED. An opaque value used by the client to maintain 1039 state between the request and callback. The authorization 1040 server includes this value when redirecting the user-agent back 1041 to the client. The parameter SHOULD be used for preventing 1042 cross-site request forgery as described in Section 10.12. 1044 The client directs the resource owner to the constructed URI using an 1045 HTTP redirection response, or by other means available to it via the 1046 user-agent. 1048 For example, the client directs the user-agent to make the following 1049 HTTP request using TLS (extra line breaks are for display purposes 1050 only): 1052 GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz 1053 &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 1054 Host: server.example.com 1056 The authorization server validates the request to ensure all required 1057 parameters are present and valid. If the request is valid, the 1058 authorization server authenticates the resource owner and obtains an 1059 authorization decision (by asking the resource owner or by 1060 establishing approval via other means). 1062 When a decision is established, the authorization server directs the 1063 user-agent to the provided client redirection URI using an HTTP 1064 redirection response, or by other means available to it via the user- 1065 agent. 1067 4.1.2. Authorization Response 1069 If the resource owner grants the access request, the authorization 1070 server issues an authorization code and delivers it to the client by 1071 adding the following parameters to the query component of the 1072 redirection URI using the "application/x-www-form-urlencoded" format: 1074 code 1075 REQUIRED. The authorization code generated by the 1076 authorization server. The authorization code MUST expire 1077 shortly after it is issued to mitigate the risk of leaks. A 1078 maximum authorization code lifetime of 10 minutes is 1079 RECOMMENDED. The client MUST NOT use the authorization code 1080 more than once. If an authorization code is used more than 1081 once, the authorization server MUST deny the request and SHOULD 1082 revoke (when possible) all tokens previously issued based on 1083 that authorization code. The authorization code is bound to 1084 the client identifier and redirection URI. 1085 state 1086 REQUIRED if the "state" parameter was present in the client 1087 authorization request. The exact value received from the 1088 client. 1090 For example, the authorization server redirects the user-agent by 1091 sending the following HTTP response: 1093 HTTP/1.1 302 Found 1094 Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA 1095 &state=xyz 1097 The client MUST ignore unrecognized response parameters. The 1098 authorization code string size is left undefined by this 1099 specification. The client should avoid making assumptions about code 1100 value sizes. The authorization server should document the size of 1101 any value it issues. 1103 4.1.2.1. Error Response 1105 If the request fails due to a missing, invalid, or mismatching 1106 redirection URI, or if the client identifier is missing or invalid, 1107 the authorization server SHOULD inform the resource owner of the 1108 error, and MUST NOT automatically redirect the user-agent to the 1109 invalid redirection URI. 1111 If the resource owner denies the access request or if the request 1112 fails for reasons other than a missing or invalid redirection URI, 1113 the authorization server informs the client by adding the following 1114 parameters to the query component of the redirection URI using the 1115 "application/x-www-form-urlencoded" format: 1117 error 1118 REQUIRED. A single error code from the following: 1119 invalid_request 1120 The request is missing a required parameter, includes an 1121 invalid parameter value, or is otherwise malformed. 1122 unauthorized_client 1123 The client is not authorized to request an authorization 1124 code using this method. 1126 access_denied 1127 The resource owner or authorization server denied the 1128 request. 1129 unsupported_response_type 1130 The authorization server does not support obtaining an 1131 authorization code using this method. 1132 invalid_scope 1133 The requested scope is invalid, unknown, or malformed. 1134 server_error 1135 The authorization server encountered an unexpected 1136 condition which prevented it from fulfilling the request. 1137 temporarily_unavailable 1138 The authorization server is currently unable to handle 1139 the request due to a temporary overloading or maintenance 1140 of the server. 1141 error_description 1142 OPTIONAL. A human-readable UTF-8 encoded text providing 1143 additional information, used to assist the client developer in 1144 understanding the error that occurred. 1145 error_uri 1146 OPTIONAL. A URI identifying a human-readable web page with 1147 information about the error, used to provide the client 1148 developer with additional information about the error. 1149 state 1150 REQUIRED if a "state" parameter was present in the client 1151 authorization request. The exact value received from the 1152 client. 1154 For example, the authorization server redirects the user-agent by 1155 sending the following HTTP response: 1157 HTTP/1.1 302 Found 1158 Location: https://client.example.com/cb?error=access_denied&state=xyz 1160 4.1.3. Access Token Request 1162 The client makes a request to the token endpoint by adding the 1163 following parameters using the "application/x-www-form-urlencoded" 1164 format in the HTTP request entity-body: 1166 grant_type 1167 REQUIRED. Value MUST be set to "authorization_code". 1169 code 1170 REQUIRED. The authorization code received from the 1171 authorization server. 1172 redirect_uri 1173 REQUIRED, if the "redirect_uri" parameter was included in the 1174 authorization request as described in Section 4.1.1, and their 1175 values MUST be identical. 1177 If the client type is confidential or the client was issued client 1178 credentials (or assigned other authentication requirements), the 1179 client MUST authenticate with the authorization server as described 1180 in Section 3.2.1. 1182 For example, the client makes the following HTTP request using TLS 1183 (extra line breaks are for display purposes only): 1185 POST /token HTTP/1.1 1186 Host: server.example.com 1187 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 1188 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 1190 grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA 1191 &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb 1193 The authorization server MUST: 1195 o require client authentication for confidential clients or for any 1196 client that was issued client credentials (or with other 1197 authentication requirements), 1198 o authenticate the client if client authentication is included and 1199 ensure the authorization code was issued to the authenticated 1200 client, 1201 o verify that the authorization code is valid, and 1202 o ensure that the "redirect_uri" parameter is present if the 1203 "redirect_uri" parameter was included in the initial authorization 1204 request as described in Section 4.1.1, and if included ensure 1205 their values are identical. 1207 4.1.4. Access Token Response 1209 If the access token request is valid and authorized, the 1210 authorization server issues an access token and optional refresh 1211 token as described in Section 5.1. If the request client 1212 authentication failed or is invalid, the authorization server returns 1213 an error response as described in Section 5.2. 1215 An example successful response: 1217 HTTP/1.1 200 OK 1218 Content-Type: application/json;charset=UTF-8 1219 Cache-Control: no-store 1220 Pragma: no-cache 1222 { 1223 "access_token":"2YotnFZFEjr1zCsicMWpAA", 1224 "token_type":"example", 1225 "expires_in":3600, 1226 "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", 1227 "example_parameter":"example_value" 1228 } 1230 4.2. Implicit Grant 1232 The implicit grant type is used to obtain access tokens (it does not 1233 support the issuance of refresh tokens) and is optimized for public 1234 clients known to operate a particular redirection URI. These clients 1235 are typically implemented in a browser using a scripting language 1236 such as JavaScript. 1238 As a redirection-based flow, the client must be capable of 1239 interacting with the resource owner's user-agent (typically a web 1240 browser) and capable of receiving incoming requests (via redirection) 1241 from the authorization server. 1243 Unlike the authorization code grant type in which the client makes 1244 separate requests for authorization and access token, the client 1245 receives the access token as the result of the authorization request. 1247 The implicit grant type does not include client authentication, and 1248 relies on the presence of the resource owner and the registration of 1249 the redirection URI. Because the access token is encoded into the 1250 redirection URI, it may be exposed to the resource owner and other 1251 applications residing on the same device. 1253 +----------+ 1254 | Resource | 1255 | Owner | 1256 | | 1257 +----------+ 1258 ^ 1259 | 1260 (B) 1261 +----|-----+ Client Identifier +---------------+ 1262 | -+----(A)-- & Redirection URI --->| | 1263 | User- | | Authorization | 1264 | Agent -|----(B)-- User authenticates -->| Server | 1265 | | | | 1266 | |<---(C)--- Redirection URI ----<| | 1267 | | with Access Token +---------------+ 1268 | | in Fragment 1269 | | +---------------+ 1270 | |----(D)--- Redirection URI ---->| Web-Hosted | 1271 | | without Fragment | Client | 1272 | | | Resource | 1273 | (F) |<---(E)------- Script ---------<| | 1274 | | +---------------+ 1275 +-|--------+ 1276 | | 1277 (A) (G) Access Token 1278 | | 1279 ^ v 1280 +---------+ 1281 | | 1282 | Client | 1283 | | 1284 +---------+ 1286 Note: The lines illustrating steps A and B are broken into two parts 1287 as they pass through the user-agent. 1289 Figure 4: Implicit Grant Flow 1291 The flow illustrated in Figure 4 includes the following steps: 1293 (A) The client initiates the flow by directing the resource owner's 1294 user-agent to the authorization endpoint. The client includes 1295 its client identifier, requested scope, local state, and a 1296 redirection URI to which the authorization server will send the 1297 user-agent back once access is granted (or denied). 1299 (B) The authorization server authenticates the resource owner (via 1300 the user-agent) and establishes whether the resource owner 1301 grants or denies the client's access request. 1302 (C) Assuming the resource owner grants access, the authorization 1303 server redirects the user-agent back to the client using the 1304 redirection URI provided earlier. The redirection URI includes 1305 the access token in the URI fragment. 1306 (D) The user-agent follows the redirection instructions by making a 1307 request to the web-hosted client resource (which does not 1308 include the fragment per [RFC2616]). The user-agent retains the 1309 fragment information locally. 1310 (E) The web-hosted client resource returns a web page (typically an 1311 HTML document with an embedded script) capable of accessing the 1312 full redirection URI including the fragment retained by the 1313 user-agent, and extracting the access token (and other 1314 parameters) contained in the fragment. 1315 (F) The user-agent executes the script provided by the web-hosted 1316 client resource locally, which extracts the access token and 1317 passes it to the client. 1319 4.2.1. Authorization Request 1321 The client constructs the request URI by adding the following 1322 parameters to the query component of the authorization endpoint URI 1323 using the "application/x-www-form-urlencoded" format: 1325 response_type 1326 REQUIRED. Value MUST be set to "token". 1327 client_id 1328 REQUIRED. The client identifier as described in Section 2.2. 1329 redirect_uri 1330 OPTIONAL. As described in Section 3.1.2. 1331 scope 1332 OPTIONAL. The scope of the access request as described by 1333 Section 3.3. 1334 state 1335 RECOMMENDED. An opaque value used by the client to maintain 1336 state between the request and callback. The authorization 1337 server includes this value when redirecting the user-agent back 1338 to the client. The parameter SHOULD be used for preventing 1339 cross-site request forgery as described in Section 10.12. 1341 The client directs the resource owner to the constructed URI using an 1342 HTTP redirection response, or by other means available to it via the 1343 user-agent. 1345 For example, the client directs the user-agent to make the following 1346 HTTP request using TLS (extra line breaks are for display purposes 1347 only): 1349 GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz 1350 &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 1351 Host: server.example.com 1353 The authorization server validates the request to ensure all required 1354 parameters are present and valid. The authorization server MUST 1355 verify that the redirection URI to which it will redirect the access 1356 token matches a redirection URI registered by the client as described 1357 in Section 3.1.2. 1359 If the request is valid, the authorization server authenticates the 1360 resource owner and obtains an authorization decision (by asking the 1361 resource owner or by establishing approval via other means). 1363 When a decision is established, the authorization server directs the 1364 user-agent to the provided client redirection URI using an HTTP 1365 redirection response, or by other means available to it via the user- 1366 agent. 1368 4.2.2. Access Token Response 1370 If the resource owner grants the access request, the authorization 1371 server issues an access token and delivers it to the client by adding 1372 the following parameters to the fragment component of the redirection 1373 URI using the "application/x-www-form-urlencoded" format: 1375 access_token 1376 REQUIRED. The access token issued by the authorization server. 1377 token_type 1378 REQUIRED. The type of the token issued as described in 1379 Section 7.1. Value is case insensitive. 1380 expires_in 1381 RECOMMENDED. The lifetime in seconds of the access token. For 1382 example, the value "3600" denotes that the access token will 1383 expire in one hour from the time the response was generated. 1384 If omitted, the authorization server SHOULD provide the 1385 expiration time via other means or document the default value. 1386 scope 1387 OPTIONAL, if identical to the scope requested by the client, 1388 otherwise REQUIRED. The scope of the access token as described 1389 by Section 3.3. 1391 state 1392 REQUIRED if the "state" parameter was present in the client 1393 authorization request. The exact value received from the 1394 client. 1396 The authorization server MUST NOT issue a refresh token. 1398 For example, the authorization server redirects the user-agent by 1399 sending the following HTTP response (URI extra line breaks are for 1400 display purposes only): 1402 HTTP/1.1 302 Found 1403 Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA 1404 &state=xyz&token_type=example&expires_in=3600 1406 Developers should note that some user-agents do not support the 1407 inclusion of a fragment component in the HTTP "Location" response 1408 header field. Such clients will require using other methods for 1409 redirecting the client than a 3xx redirection response. For example, 1410 returning an HTML page which includes a 'continue' button with an 1411 action linked to the redirection URI. 1413 The client MUST ignore unrecognized response parameters. The access 1414 token string size is left undefined by this specification. The 1415 client should avoid making assumptions about value sizes. The 1416 authorization server should document the size of any value it issues. 1418 4.2.2.1. Error Response 1420 If the request fails due to a missing, invalid, or mismatching 1421 redirection URI, or if the client identifier is missing or invalid, 1422 the authorization server SHOULD inform the resource owner of the 1423 error, and MUST NOT automatically redirect the user-agent to the 1424 invalid redirection URI. 1426 If the resource owner denies the access request or if the request 1427 fails for reasons other than a missing or invalid redirection URI, 1428 the authorization server informs the client by adding the following 1429 parameters to the fragment component of the redirection URI using the 1430 "application/x-www-form-urlencoded" format: 1432 error 1433 REQUIRED. A single error code from the following: 1435 invalid_request 1436 The request is missing a required parameter, includes an 1437 invalid parameter value, or is otherwise malformed. 1438 unauthorized_client 1439 The client is not authorized to request an access token 1440 using this method. 1441 access_denied 1442 The resource owner or authorization server denied the 1443 request. 1444 unsupported_response_type 1445 The authorization server does not support obtaining an 1446 access token using this method. 1447 invalid_scope 1448 The requested scope is invalid, unknown, or malformed. 1449 server_error 1450 The authorization server encountered an unexpected 1451 condition which prevented it from fulfilling the request. 1452 temporarily_unavailable 1453 The authorization server is currently unable to handle 1454 the request due to a temporary overloading or maintenance 1455 of the server. 1456 error_description 1457 OPTIONAL. A human-readable UTF-8 encoded text providing 1458 additional information, used to assist the client developer in 1459 understanding the error that occurred. 1460 error_uri 1461 OPTIONAL. A URI identifying a human-readable web page with 1462 information about the error, used to provide the client 1463 developer with additional information about the error. 1464 state 1465 REQUIRED if a "state" parameter was present in the client 1466 authorization request. The exact value received from the 1467 client. 1469 For example, the authorization server redirects the user-agent by 1470 sending the following HTTP response: 1472 HTTP/1.1 302 Found 1473 Location: https://client.example.com/cb#error=access_denied&state=xyz 1475 4.3. Resource Owner Password Credentials Grant 1477 The resource owner password credentials grant type is suitable in 1478 cases where the resource owner has a trust relationship with the 1479 client, such as the device operating system or a highly privileged 1480 application. The authorization server should take special care when 1481 enabling this grant type, and only allow it when other flows are not 1482 viable. 1484 The grant type is suitable for clients capable of obtaining the 1485 resource owner's credentials (username and password, typically using 1486 an interactive form). It is also used to migrate existing clients 1487 using direct authentication schemes such as HTTP Basic or Digest 1488 authentication to OAuth by converting the stored credentials to an 1489 access token. 1491 +----------+ 1492 | Resource | 1493 | Owner | 1494 | | 1495 +----------+ 1496 v 1497 | Resource Owner 1498 (A) Password Credentials 1499 | 1500 v 1501 +---------+ +---------------+ 1502 | |>--(B)---- Resource Owner ------->| | 1503 | | Password Credentials | Authorization | 1504 | Client | | Server | 1505 | |<--(C)---- Access Token ---------<| | 1506 | | (w/ Optional Refresh Token) | | 1507 +---------+ +---------------+ 1509 Figure 5: Resource Owner Password Credentials Flow 1511 The flow illustrated in Figure 5 includes the following steps: 1513 (A) The resource owner provides the client with its username and 1514 password. 1515 (B) The client requests an access token from the authorization 1516 server's token endpoint by including the credentials received 1517 from the resource owner. When making the request, the client 1518 authenticates with the authorization server. 1519 (C) The authorization server authenticates the client and validates 1520 the resource owner credentials, and if valid issues an access 1521 token. 1523 4.3.1. Authorization Request and Response 1525 The method through which the client obtains the resource owner 1526 credentials is beyond the scope of this specification. The client 1527 MUST discard the credentials once an access token has been obtained. 1529 4.3.2. Access Token Request 1531 The client makes a request to the token endpoint by adding the 1532 following parameters using the "application/x-www-form-urlencoded" 1533 format in the HTTP request entity-body: 1535 grant_type 1536 REQUIRED. Value MUST be set to "password". 1537 username 1538 REQUIRED. The resource owner username, encoded as UTF-8. 1539 password 1540 REQUIRED. The resource owner password, encoded as UTF-8. 1541 scope 1542 OPTIONAL. The scope of the access request as described by 1543 Section 3.3. 1545 If the client type is confidential or the client was issued client 1546 credentials (or assigned other authentication requirements), the 1547 client MUST authenticate with the authorization server as described 1548 in Section 3.2.1. 1550 For example, the client makes the following HTTP request using 1551 transport-layer security (extra line breaks are for display purposes 1552 only): 1554 POST /token HTTP/1.1 1555 Host: server.example.com 1556 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 1557 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 1559 grant_type=password&username=johndoe&password=A3ddj3w 1561 The authorization server MUST: 1563 o require client authentication for confidential clients or for any 1564 client that was issued client credentials (or with other 1565 authentication requirements), 1566 o authenticate the client if client authentication is included, and 1567 o validate the resource owner password credentials. 1569 Since this access token request utilizes the resource owner's 1570 password, the authorization server MUST protect the endpoint against 1571 brute force attacks (e.g. using rate-limitation or generating 1572 alerts). 1574 4.3.3. Access Token Response 1576 If the access token request is valid and authorized, the 1577 authorization server issues an access token and optional refresh 1578 token as described in Section 5.1. If the request failed client 1579 authentication or is invalid, the authorization server returns an 1580 error response as described in Section 5.2. 1582 An example successful response: 1584 HTTP/1.1 200 OK 1585 Content-Type: application/json;charset=UTF-8 1586 Cache-Control: no-store 1587 Pragma: no-cache 1589 { 1590 "access_token":"2YotnFZFEjr1zCsicMWpAA", 1591 "token_type":"example", 1592 "expires_in":3600, 1593 "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", 1594 "example_parameter":"example_value" 1595 } 1597 4.4. Client Credentials Grant 1599 The client can request an access token using only its client 1600 credentials (or other supported means of authentication) when the 1601 client is requesting access to the protected resources under its 1602 control, or those of another resource owner which has been previously 1603 arranged with the authorization server (the method of which is beyond 1604 the scope of this specification). 1606 The client credentials grant type MUST only be used by confidential 1607 clients. 1609 +---------+ +---------------+ 1610 | | | | 1611 | |>--(A)- Client Authentication --->| Authorization | 1612 | Client | | Server | 1613 | |<--(B)---- Access Token ---------<| | 1614 | | | | 1615 +---------+ +---------------+ 1617 Figure 6: Client Credentials Flow 1619 The flow illustrated in Figure 6 includes the following steps: 1621 (A) The client authenticates with the authorization server and 1622 requests an access token from the token endpoint. 1623 (B) The authorization server authenticates the client, and if valid 1624 issues an access token. 1626 4.4.1. Authorization Request and Response 1628 Since the client authentication is used as the authorization grant, 1629 no additional authorization request is needed. 1631 4.4.2. Access Token Request 1633 The client makes a request to the token endpoint by adding the 1634 following parameters using the "application/x-www-form-urlencoded" 1635 format in the HTTP request entity-body: 1637 grant_type 1638 REQUIRED. Value MUST be set to "client_credentials". 1639 scope 1640 OPTIONAL. The scope of the access request as described by 1641 Section 3.3. 1643 The client MUST authenticate with the authorization server as 1644 described in Section 3.2.1. 1646 For example, the client makes the following HTTP request using 1647 transport-layer security (extra line breaks are for display purposes 1648 only): 1650 POST /token HTTP/1.1 1651 Host: server.example.com 1652 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 1653 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 1655 grant_type=client_credentials 1657 The authorization server MUST authenticate the client. 1659 4.4.3. Access Token Response 1661 If the access token request is valid and authorized, the 1662 authorization server issues an access token as described in 1663 Section 5.1. A refresh token SHOULD NOT be included. If the request 1664 failed client authentication or is invalid, the authorization server 1665 returns an error response as described in Section 5.2. 1667 An example successful response: 1669 HTTP/1.1 200 OK 1670 Content-Type: application/json;charset=UTF-8 1671 Cache-Control: no-store 1672 Pragma: no-cache 1674 { 1675 "access_token":"2YotnFZFEjr1zCsicMWpAA", 1676 "token_type":"example", 1677 "expires_in":3600, 1678 "example_parameter":"example_value" 1679 } 1681 4.5. Extension Grants 1683 The client uses an extension grant type by specifying the grant type 1684 using an absolute URI (defined by the authorization server) as the 1685 value of the "grant_type" parameter of the token endpoint, and by 1686 adding any additional parameters necessary. 1688 For example, to request an access token using a SAML 2.0 assertion 1689 grant type as defined by [I-D.ietf-oauth-saml2-bearer], the client 1690 makes the following HTTP request using TLS (line breaks are for 1691 display purposes only): 1693 POST /token HTTP/1.1 1694 Host: server.example.com 1695 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 1697 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2- 1698 bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU 1699 [...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24- 1701 If the access token request is valid and authorized, the 1702 authorization server issues an access token and optional refresh 1703 token as described in Section 5.1. If the request failed client 1704 authentication or is invalid, the authorization server returns an 1705 error response as described in Section 5.2. 1707 5. Issuing an Access Token 1709 If the access token request is valid and authorized, the 1710 authorization server issues an access token and optional refresh 1711 token as described in Section 5.1. If the request failed client 1712 authentication or is invalid, the authorization server returns an 1713 error response as described in Section 5.2. 1715 5.1. Successful Response 1717 The authorization server issues an access token and optional refresh 1718 token, and constructs the response by adding the following parameters 1719 to the entity body of the HTTP response with a 200 (OK) status code: 1721 access_token 1722 REQUIRED. The access token issued by the authorization server. 1723 token_type 1724 REQUIRED. The type of the token issued as described in 1725 Section 7.1. Value is case insensitive. 1726 expires_in 1727 RECOMMENDED. The lifetime in seconds of the access token. For 1728 example, the value "3600" denotes that the access token will 1729 expire in one hour from the time the response was generated. 1730 If omitted, the authorization server SHOULD provide the 1731 expiration time via other means or document the default value. 1732 refresh_token 1733 OPTIONAL. The refresh token which can be used to obtain new 1734 access tokens using the same authorization grant as described 1735 in Section 6. 1736 scope 1737 OPTIONAL, if identical to the scope requested by the client, 1738 otherwise REQUIRED. The scope of the access token as described 1739 by Section 3.3. 1741 The parameters are included in the entity body of the HTTP response 1742 using the "application/json" media type as defined by [RFC4627]. The 1743 parameters are serialized into a JSON structure by adding each 1744 parameter at the highest structure level. Parameter names and string 1745 values are included as JSON strings. Numerical values are included 1746 as JSON numbers. The order of parameters does not matter and can 1747 vary. 1749 The authorization server MUST include the HTTP "Cache-Control" 1750 response header field [RFC2616] with a value of "no-store" in any 1751 response containing tokens, credentials, or other sensitive 1752 information, as well as the "Pragma" response header field [RFC2616] 1753 with a value of "no-cache". 1755 For example: 1757 HTTP/1.1 200 OK 1758 Content-Type: application/json;charset=UTF-8 1759 Cache-Control: no-store 1760 Pragma: no-cache 1762 { 1763 "access_token":"2YotnFZFEjr1zCsicMWpAA", 1764 "token_type":"example", 1765 "expires_in":3600, 1766 "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", 1767 "example_parameter":"example_value" 1768 } 1770 The client MUST ignore unrecognized value names in the response. The 1771 sizes of tokens and other values received from the authorization 1772 server are left undefined. The client should avoid making 1773 assumptions about value sizes. The authorization server should 1774 document the size of any value it issues. 1776 5.2. Error Response 1778 The authorization server responds with an HTTP 400 (Bad Request) 1779 status code and includes the following parameters with the response: 1781 error 1782 REQUIRED. A single error code from the following: 1783 invalid_request 1784 The request is missing a required parameter, includes an 1785 unsupported parameter value, repeats a parameter, 1786 includes multiple credentials, utilizes more than one 1787 mechanism for authenticating the client, or is otherwise 1788 malformed. 1789 invalid_client 1790 Client authentication failed (e.g. unknown client, no 1791 client authentication included, or unsupported 1792 authentication method). The authorization server MAY 1793 return an HTTP 401 (Unauthorized) status code to indicate 1794 which HTTP authentication schemes are supported. If the 1795 client attempted to authenticate via the "Authorization" 1796 request header field, the authorization server MUST 1797 respond with an HTTP 401 (Unauthorized) status code, and 1798 include the "WWW-Authenticate" response header field 1799 matching the authentication scheme used by the client. 1801 invalid_grant 1802 The provided authorization grant (e.g. authorization 1803 code, resource owner credentials) is invalid, expired, 1804 revoked, does not match the redirection URI used in the 1805 authorization request, or was issued to another client. 1806 unauthorized_client 1807 The authenticated client is not authorized to use this 1808 authorization grant type. 1809 unsupported_grant_type 1810 The authorization grant type is not supported by the 1811 authorization server. 1812 invalid_scope 1813 The requested scope is invalid, unknown, malformed, or 1814 exceeds the scope granted by the resource owner. 1815 error_description 1816 OPTIONAL. A human-readable UTF-8 encoded text providing 1817 additional information, used to assist the client developer in 1818 understanding the error that occurred. 1819 error_uri 1820 OPTIONAL. A URI identifying a human-readable web page with 1821 information about the error, used to provide the client 1822 developer with additional information about the error. 1824 The parameters are included in the entity body of the HTTP response 1825 using the "application/json" media type as defined by [RFC4627]. The 1826 parameters are serialized into a JSON structure by adding each 1827 parameter at the highest structure level. Parameter names and string 1828 values are included as JSON strings. Numerical values are included 1829 as JSON numbers. The order of parameters does not matter and can 1830 vary. 1832 For example: 1834 HTTP/1.1 400 Bad Request 1835 Content-Type: application/json;charset=UTF-8 1836 Cache-Control: no-store 1837 Pragma: no-cache 1839 { 1840 "error":"invalid_request" 1841 } 1843 6. Refreshing an Access Token 1845 If the authorization server issued a refresh token to the client, the 1846 client makes a refresh request to the token endpoint by adding the 1847 following parameters using the "application/x-www-form-urlencoded" 1848 format in the HTTP request entity-body: 1850 grant_type 1851 REQUIRED. Value MUST be set to "refresh_token". 1852 refresh_token 1853 REQUIRED. The refresh token issued to the client. 1854 scope 1855 OPTIONAL. The scope of the access request as described by 1856 Section 3.3. The requested scope MUST NOT include any scope 1857 not originally granted by the resource owner, and if omitted is 1858 treated as equal to the scope originally granted by the 1859 resource owner. 1861 Because refresh tokens are typically long-lasting credentials used to 1862 request additional access tokens, the refresh token is bound to the 1863 client which it was issued. If the client type is confidential or 1864 the client was issued client credentials (or assigned other 1865 authentication requirements), the client MUST authenticate with the 1866 authorization server as described in Section 3.2.1. 1868 For example, the client makes the following HTTP request using 1869 transport-layer security (extra line breaks are for display purposes 1870 only): 1872 POST /token HTTP/1.1 1873 Host: server.example.com 1874 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 1875 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 1877 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA 1879 The authorization server MUST: 1881 o require client authentication for confidential clients or for any 1882 client that was issued client credentials (or with other 1883 authentication requirements), 1884 o authenticate the client if client authentication is included and 1885 ensure the refresh token was issued to the authenticated client, 1886 and 1888 o validate the refresh token. 1890 If valid and authorized, the authorization server issues an access 1891 token as described in Section 5.1. If the request failed 1892 verification or is invalid, the authorization server returns an error 1893 response as described in Section 5.2. 1895 The authorization server MAY issue a new refresh token, in which case 1896 the client MUST discard the old refresh token and replace it with the 1897 new refresh token. The authorization server MAY revoke the old 1898 refresh token after issuing a new refresh token to the client. If a 1899 new refresh token is issued, the refresh token scope MUST be 1900 identical to that of the refresh token included by the client in the 1901 request. 1903 7. Accessing Protected Resources 1905 The client accesses protected resources by presenting the access 1906 token to the resource server. The resource server MUST validate the 1907 access token and ensure it has not expired and that its scope covers 1908 the requested resource. The methods used by the resource server to 1909 validate the access token (as well as any error responses) are beyond 1910 the scope of this specification, but generally involve an interaction 1911 or coordination between the resource server and the authorization 1912 server. 1914 The method in which the client utilized the access token to 1915 authenticate with the resource server depends on the type of access 1916 token issued by the authorization server. Typically, it involves 1917 using the HTTP "Authorization" request header field [RFC2617] with an 1918 authentication scheme defined by the access token type specification. 1920 7.1. Access Token Types 1922 The access token type provides the client with the information 1923 required to successfully utilize the access token to make a protected 1924 resource request (along with type-specific attributes). The client 1925 MUST NOT use an access token if it does not understand the token 1926 type. 1928 For example, the "bearer" token type defined in 1929 [I-D.ietf-oauth-v2-bearer] is utilized by simply including the access 1930 token string in the request: 1932 GET /resource/1 HTTP/1.1 1933 Host: example.com 1934 Authorization: Bearer 7Fjfp0ZBr1KtDRbnfVdmIw 1936 while the "mac" token type defined in [I-D.ietf-oauth-v2-http-mac] is 1937 utilized by issuing a MAC key together with the access token which is 1938 used to sign certain components of the HTTP requests: 1940 GET /resource/1 HTTP/1.1 1941 Host: example.com 1942 Authorization: MAC id="h480djs93hd8", 1943 nonce="274312:dj83hs9s", 1944 mac="kDZvddkndxvhGRXZhvuDjEWhGeE=" 1946 The above examples are provided for illustration purposes only. 1947 Developers are advised to consult the [I-D.ietf-oauth-v2-bearer] and 1948 [I-D.ietf-oauth-v2-http-mac] specifications before use. 1950 Each access token type definition specifies the additional attributes 1951 (if any) sent to the client together with the "access_token" response 1952 parameter. It also defines the HTTP authentication method used to 1953 include the access token when making a protected resource request. 1955 8. Extensibility 1957 8.1. Defining Access Token Types 1959 Access token types can be defined in one of two ways: registered in 1960 the access token type registry (following the procedures in 1961 Section 11.1), or by using a unique absolute URI as its name. 1963 Types utilizing a URI name SHOULD be limited to vendor-specific 1964 implementations that are not commonly applicable, and are specific to 1965 the implementation details of the resource server where they are 1966 used. 1968 All other types MUST be registered. Type names MUST conform to the 1969 type-name ABNF. If the type definition includes a new HTTP 1970 authentication scheme, the type name SHOULD be identical to the HTTP 1971 authentication scheme name (as defined by [RFC2617]). The token type 1972 "example" is reserved for use in examples. 1974 type-name = 1*name-char 1975 name-char = "-" / "." / "_" / DIGIT / ALPHA 1977 8.2. Defining New Endpoint Parameters 1979 New request or response parameters for use with the authorization 1980 endpoint or the token endpoint are defined and registered in the 1981 parameters registry following the procedure in Section 11.2. 1983 Parameter names MUST conform to the param-name ABNF and parameter 1984 values syntax MUST be well-defined (e.g., using ABNF, or a reference 1985 to the syntax of an existing parameter). 1987 param-name = 1*name-char 1988 name-char = "-" / "." / "_" / DIGIT / ALPHA 1990 Unregistered vendor-specific parameter extensions that are not 1991 commonly applicable, and are specific to the implementation details 1992 of the authorization server where they are used SHOULD utilize a 1993 vendor-specific prefix that is not likely to conflict with other 1994 registered values (e.g. begin with 'companyname_'). 1996 8.3. Defining New Authorization Grant Types 1998 New authorization grant types can be defined by assigning them a 1999 unique absolute URI for use with the "grant_type" parameter. If the 2000 extension grant type requires additional token endpoint parameters, 2001 they MUST be registered in the OAuth parameters registry as described 2002 by Section 11.2. 2004 8.4. Defining New Authorization Endpoint Response Types 2006 New response types for use with the authorization endpoint are 2007 defined and registered in the authorization endpoint response type 2008 registry following the procedure in Section 11.3. Response type 2009 names MUST conform to the response-type ABNF. 2011 response-type = response-name *( SP response-name ) 2012 response-name = 1*response-char 2013 response-char = "_" / DIGIT / ALPHA 2015 If a response type contains one or more space characters (%x20), it 2016 is compared as a space-delimited list of values in which the order of 2017 values does not matter. Only one order of values can be registered, 2018 which covers all other arrangements of the same set of values. 2020 For example, the response type "token code" is left undefined by this 2021 specification. However, an extension can define and register the 2022 "token code" response type. Once registered, the same combination 2023 cannot be registered as "code token", but both values can be used to 2024 denote the same response type. 2026 8.5. Defining Additional Error Codes 2028 In cases where protocol extensions (i.e. access token types, 2029 extension parameters, or extension grant types) require additional 2030 error codes to be used with the authorization code grant error 2031 response (Section 4.1.2.1), the implicit grant error response 2032 (Section 4.2.2.1), or the token error response (Section 5.2), such 2033 error codes MAY be defined. 2035 Extension error codes MUST be registered (following the procedures in 2036 Section 11.4) if the extension they are used in conjunction with is a 2037 registered access token type, a registered endpoint parameter, or an 2038 extension grant type. Error codes used with unregistered extensions 2039 MAY be registered. 2041 Error codes MUST conform to the error-code ABNF, and SHOULD be 2042 prefixed by an identifying name when possible. For example, an error 2043 identifying an invalid value set to the extension parameter "example" 2044 should be named "example_invalid". 2046 error-code = ALPHA *error-char 2047 error-char = "-" / "." / "_" / DIGIT / ALPHA 2049 9. Native Applications 2051 Native applications are clients installed and executed on the device 2052 used by the resource owner (i.e. desktop application, native mobile 2053 application). Native applications require special consideration 2054 related to security, platform capabilities, and overall end-user 2055 experience. 2057 The authorization endpoint requires interaction between the client 2058 and the resource owner's user-agent. Native applications can invoke 2059 an external user-agent or embed a user-agent within the application. 2060 For example: 2062 o External user-agent - the native application can capture the 2063 response from the authorization server using a redirection URI 2064 with a scheme registered with the operating system to invoke the 2065 client as the handler, manual copy-and-paste of the credentials, 2066 running a local web server, installing a user-agent extension, or 2067 by providing a redirection URI identifying a server-hosted 2068 resource under the client's control, which in turn makes the 2069 response available to the native application. 2070 o Embedded user-agent - the native application obtains the response 2071 by directly communicating with the embedded user-agent by 2072 monitoring state changes emitted during the resource load, or 2073 accessing the user-agent's cookies storage. 2075 When choosing between an external or embedded user-agent, developers 2076 should consider: 2078 o External user-agents may improve completion rate as the resource 2079 owner may already have an active session with the authorization 2080 server removing the need to re-authenticate. It provides a 2081 familiar end-user experience and functionality. The resource 2082 owner may also rely on user-agent features or extensions to assist 2083 with authentication (e.g. password manager, 2-factor device 2084 reader). 2085 o Embedded user-agents may offer improved usability, as they remove 2086 the need to switch context and open new windows. 2087 o Embedded user-agents pose a security challenge because resource 2088 owners are authenticating in an unidentified window without access 2089 to the visual protections found in most external user-agents. 2090 Embedded user-agents educate end-user to trust unidentified 2091 requests for authentication (making phishing attacks easier to 2092 execute). 2094 When choosing between the implicit grant type and the authorization 2095 code grant type, the following should be considered: 2097 o Native applications that use the authorization code grant type 2098 SHOULD do so without using client credentials, due to the native 2099 application's inability to keep client credentials confidential. 2100 o When using the implicit grant type flow a refresh token is not 2101 returned which requires repeating the authorization process once 2102 the access token expires. 2104 10. Security Considerations 2106 As a flexible and extensible framework, OAuth's security 2107 considerations depend on many factors. The following sections 2108 provide implementers with security guidelines focused on the three 2109 client profiles described in Section 2.1: web application, user- 2110 agent-based application, and native application. 2112 A comprehensive OAuth security model and analysis, as well as 2113 background for the protocol design is provided by 2114 [I-D.ietf-oauth-v2-threatmodel]. 2116 10.1. Client Authentication 2118 The authorization server establishes client credentials with web 2119 application clients for the purpose of client authentication. The 2120 authorization server is encouraged to consider stronger client 2121 authentication means than a client password. Web application clients 2122 MUST ensure confidentiality of client passwords and other client 2123 credentials. 2125 The authorization server MUST NOT issue client passwords or other 2126 client credentials to native application or user-agent-based 2127 application clients for the purpose of client authentication. The 2128 authorization server MAY issue a client password or other credentials 2129 for a specific installation of a native application client on a 2130 specific device. 2132 When client authentication is not possible, the authorization server 2133 SHOULD employ other means to validate the client's identity. For 2134 example, by requiring the registration of the client redirection URI 2135 or enlisting the resource owner to confirm identity. A valid 2136 redirection URI is not sufficient to verify the client's identity 2137 when asking for end-user authorization, but can be used to prevent 2138 delivering credentials to a counterfeit client after obtaining end- 2139 user authorization. 2141 The authorization server must consider the security implications of 2142 interacting with unauthenticated clients and take measures to limit 2143 the potential exposure of other credentials (e.g. refresh tokens) 2144 issued to such clients. 2146 10.2. Client Impersonation 2148 A malicious client can impersonate another client and obtain access 2149 to protected resources, if the impersonated client fails to, or is 2150 unable to, keep its client credentials confidential. 2152 The authorization server MUST authenticate the client whenever 2153 possible. If the authorization server cannot authenticate the client 2154 due to the client's nature, the authorization server MUST require the 2155 registration of any redirection URI used for receiving authorization 2156 responses, and SHOULD utilize other means to protect resource owners 2157 from such potentially malicious clients. For example, the 2158 authorization server can engage the resource owner to assist in 2159 identifying the client and its origin. 2161 The authorization server SHOULD enforce explicit resource owner 2162 authentication and provide the resource owner with information about 2163 the client and the requested authorization scope and lifetime. It is 2164 up to the resource owner to review the information in the context of 2165 the current client, and authorize or deny the request. 2167 The authorization server SHOULD NOT process repeated authorization 2168 requests automatically (without active resource owner interaction) 2169 without authenticating the client or relying on other measures to 2170 ensure the repeated request comes from the original client and not an 2171 impersonator. 2173 10.3. Access Tokens 2175 Access token credentials (as well as any confidential access token 2176 attributes) MUST be kept confidential in transit and storage, and 2177 only shared among the authorization server, the resource servers the 2178 access token is valid for, and the client to whom the access token is 2179 issued. Access token credentials MUST only be transmitted using TLS 2180 as described in Section 1.6 with server authentication as defined by 2181 [RFC2818]. 2183 When using the implicit grant type, the access token is transmitted 2184 in the URI fragment, which can expose it to unauthorized parties. 2186 The authorization server MUST ensure that access tokens cannot be 2187 generated, modified, or guessed to produce valid access tokens by 2188 unauthorized parties. 2190 The client SHOULD request access tokens with the minimal scope and 2191 lifetime necessary. The authorization server SHOULD take the client 2192 identity into account when choosing how to honor the requested scope 2193 and lifetime, and MAY issue an access token with a less rights than 2194 requested. 2196 10.4. Refresh Tokens 2198 Authorization servers MAY issue refresh tokens to web application 2199 clients and native application clients. 2201 Refresh tokens MUST be kept confidential in transit and storage, and 2202 shared only among the authorization server and the client to whom the 2203 refresh tokens were issued. The authorization server MUST maintain 2204 the binding between a refresh token and the client to whom it was 2205 issued. Refresh tokens MUST only be transmitted using TLS as 2206 described in Section 1.6 with server authentication as defined by 2207 [RFC2818]. 2209 The authorization server MUST verify the binding between the refresh 2210 token and client identity whenever the client identity can be 2211 authenticated. When client authentication is not possible, the 2212 authorization server SHOULD deploy other means to detect refresh 2213 token abuse. 2215 For example, the authorization server could employ refresh token 2216 rotation in which a new refresh token is issued with every access 2217 token refresh response. The previous refresh token is invalidated 2218 but retained by the authorization server. If a refresh token is 2219 compromised and subsequently used by both the attacker and the 2220 legitimate client, one of them will present an invalidated refresh 2221 token which will inform the authorization server of the breach. 2223 The authorization server MUST ensure that refresh tokens cannot be 2224 generated, modified, or guessed to produce valid refresh tokens by 2225 unauthorized parties. 2227 10.5. Authorization Codes 2229 The transmission of authorization codes SHOULD be made over a secure 2230 channel, and the client SHOULD implement TLS for use with its 2231 redirection URI if the URI identifies a network resource. Since 2232 authorization codes are transmitted via user-agent redirections, they 2233 could potentially be disclosed through user-agent history and HTTP 2234 referrer headers. 2236 Authorization codes operate as plaintext bearer credentials, used to 2237 verify that the resource owner who granted authorization at the 2238 authorization server is the same resource owner returning to the 2239 client to complete the process. Therefore, if the client relies on 2240 the authorization code for its own resource owner authentication, the 2241 client redirection endpoint MUST require TLS. 2243 Authorization codes MUST be short lived and single use. If the 2244 authorization server observes multiple attempts to exchange an 2245 authorization code for an access token, the authorization server 2246 SHOULD attempt to revoke all access tokens already granted based on 2247 the compromised authorization code. 2249 If the client can be authenticated, the authorization servers MUST 2250 authenticate the client and ensure that the authorization code was 2251 issued to the same client. 2253 10.6. Authorization Code Redirection URI Manipulation 2255 When requesting authorization using the authorization code grant 2256 type, the client can specify a redirection URI via the "redirect_uri" 2257 parameter. If an attacker can manipulate the value of the 2258 redirection URI, it can cause the authorization server to redirect 2259 the resource owner user-agent to a URI under the control of the 2260 attacker with the authorization code. 2262 An attacker can create an account at a legitimate client and initiate 2263 the authorization flow. When the attacker is sent to the 2264 authorization server to grant access, the attacker grabs the 2265 authorization URI provided by the legitimate client, and replaces the 2266 client's redirection URI with a URI under the control of the 2267 attacker. The attacker then tricks the victim into following the 2268 manipulated link to authorize access to the legitimate client. 2270 Once at the authorization server, the victim is prompted with a 2271 normal, valid request on behalf of a legitimate and trusted client, 2272 and authorizes the request. The victim is then redirected to an 2273 endpoint under the control of the attacker with the authorization 2274 code. The attacker completes the authorization flow by sending the 2275 authorization code to the client using the original redirection URI 2276 provided by the client. The client exchanges the authorization code 2277 with an access token and links it to the attacker's client account 2278 which can now gain access to the protected resources authorized by 2279 the victim (via the client). 2281 In order to prevent such an attack, the authorization server MUST 2282 ensure that the redirection URI used to obtain the authorization code 2283 is identical to the redirection URI provided when exchanging the 2284 authorization code for an access token. The authorization server 2285 MUST require public clients and SHOULD require confidential clients 2286 to register their redirection URIs. If a redirection URI is provided 2287 in the request, the authorization server MUST validate it against the 2288 registered value. 2290 10.7. Resource Owner Password Credentials 2292 The resource owner password credentials grant type is often used for 2293 legacy or migration reasons. It reduces the overall risk of storing 2294 username and password by the client, but does not eliminate the need 2295 to expose highly privileged credentials to the client. 2297 This grant type carries a higher risk than other grant types because 2298 it maintains the password anti-pattern this protocol seeks to avoid. 2299 The client could abuse the password or the password could 2300 unintentionally be disclosed to an attacker (e.g. via log files or 2301 other records kept by the client). 2303 Additionally, because the resource owner does not have control over 2304 the authorization process (the resource owner involvement ends when 2305 it hands over its credentials to the client), the client can obtain 2306 access tokens with a broader scope and longer lifetime than desired 2307 by the resource owner. The authorization server should consider the 2308 scope and lifetime of access tokens issued via this grant type. 2310 The authorization server and client SHOULD minimize use of this grant 2311 type and utilize other grant types whenever possible. 2313 10.8. Request Confidentiality 2315 Access tokens, refresh tokens, resource owner passwords, and client 2316 credentials MUST NOT be transmitted in the clear. Authorization 2317 codes SHOULD NOT be transmitted in the clear. 2319 The "state" and "scope" parameters SHOULD NOT include sensitive 2320 client or resource owner information in plain text as they can be 2321 transmitted over insecure channels or stored insecurely. 2323 10.9. Endpoints Authenticity 2325 In order to prevent man-in-the-middle attacks, the authorization 2326 server MUST implement and require TLS with server authentication as 2327 defined by [RFC2818] for any request sent to the authorization and 2328 token endpoints. The client MUST validate the authorization server's 2329 TLS certificate in accordance with its requirements for server 2330 identity authentication. 2332 10.10. Credentials Guessing Attacks 2334 The authorization server MUST prevent attackers from guessing access 2335 tokens, authorization codes, refresh tokens, resource owner 2336 passwords, and client credentials. 2338 Generated tokens and other credentials not intended for handling by 2339 end-users MUST be constructed from a cryptographically strong random 2340 or pseudo-random number sequence ([RFC1750]) generated by the 2341 authorization server. The probability of any two values being 2342 identical MUST be less than or equal to 2^(-128) and SHOULD be less 2343 than or equal to 2^(-160). 2345 The authorization server MUST utilize other means to protect 2346 credentials intended for end-user usage. 2348 10.11. Phishing Attacks 2350 Wide deployment of this and similar protocols may cause end-users to 2351 become inured to the practice of being redirected to websites where 2352 they are asked to enter their passwords. If end-users are not 2353 careful to verify the authenticity of these websites before entering 2354 their credentials, it will be possible for attackers to exploit this 2355 practice to steal resource owners' passwords. 2357 Service providers should attempt to educate end-users about the risks 2358 phishing attacks pose, and should provide mechanisms that make it 2359 easy for end-users to confirm the authenticity of their sites. 2360 Client developers should consider the security implications of how 2361 they interact with the user-agent (e.g., external, embedded), and the 2362 ability of the end-user to verify the authenticity of the 2363 authorization server. 2365 To reduce the risk of phishing attacks, the authorization servers 2366 MUST utilize TLS on every endpoint used for end-user interaction. 2368 10.12. Cross-Site Request Forgery 2370 Cross-site request forgery (CSRF) is an exploit in which an attacker 2371 causes the user-agent of a victim end-user to follow a malicious URI 2372 (e.g. provided to the user-agent as a misleading link, image, or 2373 redirection) to a trusting server (usually established via the 2374 presence of a valid session cookie). 2376 A CSRF attack against the client's redirection URI allows an attacker 2377 to inject their own authorization code or access token, which can 2378 result in the client using an access token associated with the 2379 attacker's protected resources rather than the victim's (e.g. save 2380 the victim's bank account information to a protected resource 2381 controlled by the attacker). 2383 The client MUST implement CSRF protection for its redirection URI. 2384 This is typically accomplished by requiring any request sent to the 2385 redirection URI endpoint to include a value that binds the request to 2386 the user-agent's authenticated state (e.g. a hash of the session 2387 cookie used to authenticate the user-agent). The client SHOULD 2388 utilize the "state" request parameter to deliver this value to the 2389 authorization server when making an authorization request. 2391 Once authorization has been obtained from the end-user, the 2392 authorization server redirects the end-user's user-agent back to the 2393 client with the required binding value contained in the "state" 2394 parameter. The binding value enables the client to verify the 2395 validity of the request by matching the binding value to the user- 2396 agent's authenticated state. The binding value used for CSRF 2397 protection MUST contain a non-guessable value (as described in 2398 Section 10.10), and the user-agent's authenticated state (e.g. 2399 session cookie, HTML5 local storage) MUST be kept in a location 2400 accessible only to the client and the user-agent (i.e., protected by 2401 same-origin policy). 2403 A CSRF attack against the authorization server's authorization 2404 endpoint can result in an attacker obtaining end-user authorization 2405 for a malicious client without involving or alerting the end-user. 2407 The authorization server MUST implement CSRF protection for its 2408 authorization endpoint, and ensure that a malicious client cannot 2409 obtain authorization without the awareness and explicit consent of 2410 the resource owner. 2412 10.13. Clickjacking 2414 In a clickjacking attack, an attacker registers a legitimate client 2415 and then constructs a malicious site in which it loads the 2416 authorization server's authorization endpoint web page in a 2417 transparent iframe overlaid on top of a set of dummy buttons which 2418 are carefully constructed to be placed directly under important 2419 buttons on the authorization page. When an end-user clicks a 2420 misleading visible button, the end-user is actually clicking an 2421 invisible button on the authorization page (such as an "Authorize" 2422 button). This allows an attacker to trick a resource owner into 2423 granting its client access without their knowledge. 2425 To prevent this form of attack, native applications SHOULD use 2426 external browsers instead of embedding browsers within the 2427 application when requesting end-user authorization. For most newer 2428 browsers, avoidance of iframes can be enforced by the authorization 2429 server using the (non-standard) "x-frame-options" header. This 2430 header can have two values, "deny" and "sameorigin", which will block 2431 any framing, or framing by sites with a different origin, 2432 respectively. For older browsers, javascript framebusting techniques 2433 can be used but may not be effective in all browsers. 2435 10.14. Code Injection and Input Validation 2437 A code injection attack occurs when an input or otherwise external 2438 variable is used by an application unsanitized and causes 2439 modification to the application logic. This may allow an attacker to 2440 gain access to the application device or its data, cause denial of 2441 service, or a wide range of malicious side-effects. 2443 The Authorization server and client MUST validate and sanitize any 2444 value received, and in particular, the value of the "state" and 2445 "redirect_uri" parameters. 2447 10.15. Open Redirectors 2449 The authorization server authorization endpoint and the client 2450 redirection endpoint can be improperly configured and operate as open 2451 redirectors. An open redirector is an endpoint using a parameter to 2452 automatically redirect a user-agent to the location specified by the 2453 parameter value without any validation. 2455 Open redirectors can be used in phishing attacks, or by an attacker 2456 to get end-users to visit malicious sites by making the URI's 2457 authority look like a familiar and trusted destination. In addition, 2458 if the authorization server allows the client to register only part 2459 of the redirection URI, an attacker can use an open redirector 2460 operated by the client to construct a redirection URI that will pass 2461 the authorization server validation but will send the authorization 2462 code or access token to an endpoint under the control of the 2463 attacker. 2465 11. IANA Considerations 2467 11.1. The OAuth Access Token Type Registry 2469 This specification establishes the OAuth access token type registry. 2471 Access token types are registered on the advice of one or more 2472 Designated Experts (appointed by the IESG or their delegate), with a 2473 Specification Required (using terminology from [RFC5226]). However, 2474 to allow for the allocation of values prior to publication, the 2475 Designated Expert(s) may approve registration once they are satisfied 2476 that such a specification will be published. 2478 Registration requests should be sent to the [TBD]@ietf.org mailing 2479 list for review and comment, with an appropriate subject (e.g., 2480 "Request for access token type: example"). [[ Note to RFC-EDITOR: The 2481 name of the mailing list should be determined in consultation with 2482 the IESG and IANA. Suggested name: oauth-ext-review. ]] 2484 Within at most 14 days of the request, the Designated Expert(s) will 2485 either approve or deny the registration request, communicating this 2486 decision to the review list and IANA. Denials should include an 2487 explanation and, if applicable, suggestions as to how to make the 2488 request successful. 2490 Decisions (or lack thereof) made by the Designated Expert(s) can be 2491 first appealed to Security Area Directors (contactable using 2492 app-ads@tools.ietf.org email address or directly by looking up their 2493 email addresses on http://www.iesg.org/ website) and, if the 2494 appellant is not satisfied with the response, to the full IESG (using 2495 the iesg@iesg.org mailing list). 2497 IANA should only accept registry updates from the Designated 2498 Expert(s), and should direct all requests for registration to the 2499 review mailing list. 2501 11.1.1. Registration Template 2503 Type name: 2504 The name requested (e.g., "example"). 2505 Additional Token Endpoint Response Parameters: 2506 Additional response parameters returned together with the 2507 "access_token" parameter. New parameters MUST be separately 2508 registered in the OAuth parameters registry as described by 2509 Section 11.2. 2510 HTTP Authentication Scheme(s): 2511 The HTTP authentication scheme name(s), if any, used to 2512 authenticate protected resources requests using access tokens of 2513 this type. 2514 Change controller: 2515 For standards-track RFCs, state "IETF". For others, give the name 2516 of the responsible party. Other details (e.g., postal address, 2517 e-mail address, home page URI) may also be included. 2518 Specification document(s): 2519 Reference to the document that specifies the parameter, preferably 2520 including a URI that can be used to retrieve a copy of the 2521 document. An indication of the relevant sections may also be 2522 included, but is not required. 2524 11.2. The OAuth Parameters Registry 2526 This specification establishes the OAuth parameters registry. 2528 Additional parameters for inclusion in the authorization endpoint 2529 request, the authorization endpoint response, the token endpoint 2530 request, or the token endpoint response are registered on the advice 2531 of one or more Designated Experts (appointed by the IESG or their 2532 delegate), with a Specification Required (using terminology from 2533 [RFC5226]). However, to allow for the allocation of values prior to 2534 publication, the Designated Expert(s) may approve registration once 2535 they are satisfied that such a specification will be published. 2537 Registration requests should be sent to the [TBD]@ietf.org mailing 2538 list for review and comment, with an appropriate subject (e.g., 2539 "Request for parameter: example"). [[ Note to RFC-EDITOR: The name of 2540 the mailing list should be determined in consultation with the IESG 2541 and IANA. Suggested name: oauth-ext-review. ]] 2542 Within at most 14 days of the request, the Designated Expert(s) will 2543 either approve or deny the registration request, communicating this 2544 decision to the review list and IANA. Denials should include an 2545 explanation and, if applicable, suggestions as to how to make the 2546 request successful. 2548 Decisions (or lack thereof) made by the Designated Expert(s) can be 2549 first appealed to Security Area Directors (contactable using 2550 app-ads@tools.ietf.org email address or directly by looking up their 2551 email addresses on http://www.iesg.org/ website) and, if the 2552 appellant is not satisfied with the response, to the full IESG (using 2553 the iesg@iesg.org mailing list). 2555 IANA should only accept registry updates from the Designated 2556 Expert(s), and should direct all requests for registration to the 2557 review mailing list. 2559 11.2.1. Registration Template 2561 Parameter name: 2562 The name requested (e.g., "example"). 2563 Parameter usage location: 2564 The location(s) where parameter can be used. The possible 2565 locations are: authorization request, authorization response, 2566 token request, or token response. 2567 Change controller: 2568 For standards-track RFCs, state "IETF". For others, give the name 2569 of the responsible party. Other details (e.g., postal address, 2570 e-mail address, home page URI) may also be included. 2571 Specification document(s): 2572 Reference to the document that specifies the parameter, preferably 2573 including a URI that can be used to retrieve a copy of the 2574 document. An indication of the relevant sections may also be 2575 included, but is not required. 2577 11.2.2. Initial Registry Contents 2579 The OAuth Parameters Registry's initial contents are: 2581 o Parameter name: client_id 2582 o Parameter usage location: authorization request, token request 2583 o Change controller: IETF 2584 o Specification document(s): [[ this document ]] 2586 o Parameter name: client_secret 2587 o Parameter usage location: token request 2588 o Change controller: IETF 2589 o Specification document(s): [[ this document ]] 2591 o Parameter name: response_type 2592 o Parameter usage location: authorization request 2593 o Change controller: IETF 2594 o Specification document(s): [[ this document ]] 2596 o Parameter name: redirect_uri 2597 o Parameter usage location: authorization request, token request 2598 o Change controller: IETF 2599 o Specification document(s): [[ this document ]] 2601 o Parameter name: scope 2602 o Parameter usage location: authorization request, authorization 2603 response, token request, token response 2604 o Change controller: IETF 2605 o Specification document(s): [[ this document ]] 2607 o Parameter name: state 2608 o Parameter usage location: authorization request, authorization 2609 response 2610 o Change controller: IETF 2611 o Specification document(s): [[ this document ]] 2613 o Parameter name: code 2614 o Parameter usage location: authorization response, token request 2615 o Change controller: IETF 2616 o Specification document(s): [[ this document ]] 2618 o Parameter name: error_description 2619 o Parameter usage location: authorization response, token response 2620 o Change controller: IETF 2621 o Specification document(s): [[ this document ]] 2623 o Parameter name: error_uri 2624 o Parameter usage location: authorization response, token response 2625 o Change controller: IETF 2626 o Specification document(s): [[ this document ]] 2628 o Parameter name: grant_type 2629 o Parameter usage location: token request 2630 o Change controller: IETF 2631 o Specification document(s): [[ this document ]] 2633 o Parameter name: access_token 2634 o Parameter usage location: authorization response, token response 2635 o Change controller: IETF 2636 o Specification document(s): [[ this document ]] 2638 o Parameter name: token_type 2639 o Parameter usage location: authorization response, token response 2640 o Change controller: IETF 2641 o Specification document(s): [[ this document ]] 2643 o Parameter name: expires_in 2644 o Parameter usage location: authorization response, token response 2645 o Change controller: IETF 2646 o Specification document(s): [[ this document ]] 2648 o Parameter name: username 2649 o Parameter usage location: token request 2650 o Change controller: IETF 2651 o Specification document(s): [[ this document ]] 2653 o Parameter name: password 2654 o Parameter usage location: token request 2655 o Change controller: IETF 2656 o Specification document(s): [[ this document ]] 2658 o Parameter name: refresh_token 2659 o Parameter usage location: token request, token response 2660 o Change controller: IETF 2661 o Specification document(s): [[ this document ]] 2663 11.3. The OAuth Authorization Endpoint Response Type Registry 2665 This specification establishes the OAuth authorization endpoint 2666 response type registry. 2668 Additional response type for use with the authorization endpoint are 2669 registered on the advice of one or more Designated Experts (appointed 2670 by the IESG or their delegate), with a Specification Required (using 2671 terminology from [RFC5226]). However, to allow for the allocation of 2672 values prior to publication, the Designated Expert(s) may approve 2673 registration once they are satisfied that such a specification will 2674 be published. 2676 Registration requests should be sent to the [TBD]@ietf.org mailing 2677 list for review and comment, with an appropriate subject (e.g., 2678 "Request for response type: example"). [[ Note to RFC-EDITOR: The 2679 name of the mailing list should be determined in consultation with 2680 the IESG and IANA. Suggested name: oauth-ext-review. ]] 2681 Within at most 14 days of the request, the Designated Expert(s) will 2682 either approve or deny the registration request, communicating this 2683 decision to the review list and IANA. Denials should include an 2684 explanation and, if applicable, suggestions as to how to make the 2685 request successful. 2687 Decisions (or lack thereof) made by the Designated Expert(s) can be 2688 first appealed to Security Area Directors (contactable using 2689 app-ads@tools.ietf.org email address or directly by looking up their 2690 email addresses on http://www.iesg.org/ website) and, if the 2691 appellant is not satisfied with the response, to the full IESG (using 2692 the iesg@iesg.org mailing list). 2694 IANA should only accept registry updates from the Designated 2695 Expert(s), and should direct all requests for registration to the 2696 review mailing list. 2698 11.3.1. Registration Template 2700 Response type name: 2701 The name requested (e.g., "example"). 2702 Change controller: 2703 For standards-track RFCs, state "IETF". For others, give the name 2704 of the responsible party. Other details (e.g., postal address, 2705 e-mail address, home page URI) may also be included. 2706 Specification document(s): 2707 Reference to the document that specifies the type, preferably 2708 including a URI that can be used to retrieve a copy of the 2709 document. An indication of the relevant sections may also be 2710 included, but is not required. 2712 11.3.2. Initial Registry Contents 2714 The OAuth Authorization Endpoint Response Type Registry's initial 2715 contents are: 2717 o Response type name: code 2718 o Change controller: IETF 2719 o Specification document(s): [[ this document ]] 2721 o Response type name: token 2722 o Change controller: IETF 2723 o Specification document(s): [[ this document ]] 2725 11.4. The OAuth Extensions Error Registry 2727 This specification establishes the OAuth extensions error registry. 2729 Additional error codes used together with other protocol extensions 2730 (i.e. extension grant types, access token types, or extension 2731 parameters) are registered on the advice of one or more Designated 2732 Experts (appointed by the IESG or their delegate), with a 2733 Specification Required (using terminology from [RFC5226]). However, 2734 to allow for the allocation of values prior to publication, the 2735 Designated Expert(s) may approve registration once they are satisfied 2736 that such a specification will be published. 2738 Registration requests should be sent to the [TBD]@ietf.org mailing 2739 list for review and comment, with an appropriate subject (e.g., 2740 "Request for error code: example"). [[ Note to RFC-EDITOR: The name 2741 of the mailing list should be determined in consultation with the 2742 IESG and IANA. Suggested name: oauth-ext-review. ]] 2744 Within at most 14 days of the request, the Designated Expert(s) will 2745 either approve or deny the registration request, communicating this 2746 decision to the review list and IANA. Denials should include an 2747 explanation and, if applicable, suggestions as to how to make the 2748 request successful. 2750 Decisions (or lack thereof) made by the Designated Expert(s) can be 2751 first appealed to Security Area Directors (contactable using 2752 app-ads@tools.ietf.org email address or directly by looking up their 2753 email addresses on http://www.iesg.org/ website) and, if the 2754 appellant is not satisfied with the response, to the full IESG (using 2755 the iesg@iesg.org mailing list). 2757 IANA should only accept registry updates from the Designated 2758 Expert(s), and should direct all requests for registration to the 2759 review mailing list. 2761 11.4.1. Registration Template 2763 Error name: 2764 The name requested (e.g., "example"). 2765 Error usage location: 2766 The location(s) where the error can be used. The possible 2767 locations are: authorization code grant error response 2768 (Section 4.1.2.1), implicit grant error response 2769 (Section 4.2.2.1), or token error response (Section 5.2). 2770 Related protocol extension: 2771 The name of the extension grant type, access token type, or 2772 extension parameter, the error code is used in conjunction with. 2774 Change controller: 2775 For standards-track RFCs, state "IETF". For others, give the name 2776 of the responsible party. Other details (e.g., postal address, 2777 e-mail address, home page URI) may also be included. 2778 Specification document(s): 2779 Reference to the document that specifies the error code, 2780 preferably including a URI that can be used to retrieve a copy of 2781 the document. An indication of the relevant sections may also be 2782 included, but is not required. 2784 12. Acknowledgements 2786 The initial OAuth 2.0 protocol specification was edited by David 2787 Recordon, based on two previous publications: the OAuth 1.0 community 2788 specification [RFC5849], and OAuth WRAP (OAuth Web Resource 2789 Authorization Profiles) [I-D.draft-hardt-oauth-01]. The Security 2790 Considerations section was drafted by Torsten Lodderstedt, Mark 2791 McGloin, Phil Hunt, and Anthony Nadalin. 2793 The OAuth 1.0 community specification was edited by Eran Hammer and 2794 authored by Mark Atwood, Dirk Balfanz, Darren Bounds, Richard M. 2795 Conlan, Blaine Cook, Leah Culver, Breno de Medeiros, Brian Eaton, 2796 Kellan Elliott-McCrea, Larry Halff, Eran Hammer, Ben Laurie, Chris 2797 Messina, John Panzer, Sam Quigley, David Recordon, Eran Sandler, 2798 Jonathan Sergent, Todd Sieling, Brian Slesinsky, and Andy Smith. 2800 The OAuth WRAP specification was edited by Dick Hardt and authored by 2801 Brian Eaton, Yaron Goland, Dick Hardt, and Allen Tom. 2803 This specification is the work of the OAuth Working Group which 2804 includes dozens of active and dedicated participants. In particular, 2805 the following individuals contributed ideas, feedback, and wording 2806 which shaped and formed the final specification: 2808 Michael Adams, Amanda Anganes, Andrew Arnott, Dirk Balfanz, Aiden 2809 Bell, Brian Campbell, Scott Cantor, Marcos Caceres, Blaine Cook, 2810 Roger Crew, Brian Eaton, Leah Culver, Bill de h ra, Andr DeMarre, 2811 Brian Eaton, Wolter Eldering, Brian Ellin, Igor Faynberg, George 2812 Fletcher, Tim Freeman, Evan Gilbert, Yaron Goland, Brent Goldman, 2813 Kristoffer Gronowski, Justin Hart, Dick Hardt, Craig Heath, Phil 2814 Hunt, Michael B. Jones, Terry Jones, John Kemp, Mark Kent, Raffi 2815 Krikorian, Chasen Le Hara, Rasmus Lerdorf, Torsten Lodderstedt, Hui- 2816 Lan Lu, Casey Lucas, Paul Madsen, Alastair Mair, Eve Maler, James 2817 Manger, Mark McGloin, Laurence Miao, William Mills, Chuck Mortimore, 2818 Anthony Nadalin, Julian Reschke, Justin Richer, Peter Saint-Andre, 2819 Nat Sakimura, Rob Sayre, Marius Scurtescu, Naitik Shah, Luke Shepard, 2820 Vlad Skvortsov, Justin Smith, Niv Steingarten, Christian St bner, 2821 Jeremy Suriel, Paul Tarjan, Allen Tom, Franklin Tse, Nick Walker, 2822 Shane Weeden, and Skylar Woodward. 2824 This document was produced under the chairmanship of Blaine Cook, 2825 Peter Saint-Andre, Hannes Tschofenig, and Barry Leiba. The area 2826 directors included Lisa Dusseault, Peter Saint-Andre, and Stephen 2827 Farrell. 2829 Appendix A. Editor's Notes 2831 While many people contributed to this specification throughout its 2832 long journey, the editor would like to acknowledge and thank a few 2833 individuals for their outstanding and invaluable efforts leading up 2834 to the publication of this specification. It is these individuals 2835 without whom this work would not have existed or reached its 2836 successful conclusion. 2838 David Recordon for continuously being one of OAuth s most valuable 2839 assets, bringing pragmatism and urgency to the work, and helping 2840 shape it from its very beginning, as well as being one of the best 2841 collaborators I had the pleasure of working with. 2843 James Manger for his creative ideas and always insightful feedback. 2844 Brian Campbell, Torsten Lodderstedt, Chuck Mortimore, Justin Richer, 2845 Marius Scurtescu, and Luke Shepard for their continued participation 2846 and valuable feedback. 2848 Special thanks goes to Mike Curtis and Yahoo! for their unconditional 2849 support of this work for over three years. 2851 13. References 2853 13.1. Normative References 2855 [RFC1750] Eastlake, D., Crocker, S., and J. Schiller, "Randomness 2856 Recommendations for Security", RFC 1750, December 1994. 2858 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2859 Requirement Levels", BCP 14, RFC 2119, March 1997. 2861 [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", 2862 RFC 2246, January 1999. 2864 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 2865 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 2866 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. 2868 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., 2869 Leach, P., Luotonen, A., and L. Stewart, "HTTP 2870 Authentication: Basic and Digest Access Authentication", 2871 RFC 2617, June 1999. 2873 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. 2875 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 2876 Resource Identifier (URI): Generic Syntax", STD 66, 2877 RFC 3986, January 2005. 2879 [RFC4627] Crockford, D., "The application/json Media Type for 2880 JavaScript Object Notation (JSON)", RFC 4627, July 2006. 2882 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", 2883 RFC 4949, August 2007. 2885 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 2886 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 2887 May 2008. 2889 [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax 2890 Specifications: ABNF", STD 68, RFC 5234, January 2008. 2892 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 2893 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 2895 [W3C.REC-html401-19991224] 2896 Hors, A., Raggett, D., and I. Jacobs, "HTML 4.01 2897 Specification", World Wide Web Consortium 2898 Recommendation REC-html401-19991224, December 1999, 2899 . 2901 13.2. Informative References 2903 [I-D.draft-hardt-oauth-01] 2904 Hardt, D., Ed., Tom, A., Eaton, B., and Y. Goland, "OAuth 2905 Web Resource Authorization Profiles", January 2010. 2907 [I-D.ietf-oauth-saml2-bearer] 2908 Mortimore, C., "SAML 2.0 Bearer Assertion Profiles for 2909 OAuth 2.0", draft-ietf-oauth-saml2-bearer-08 (work in 2910 progress), August 2011. 2912 [I-D.ietf-oauth-v2-bearer] 2913 Jones, M., Hardt, D., and D. Recordon, "The OAuth 2.0 2914 Protocol: Bearer Tokens", draft-ietf-oauth-v2-bearer-08 2915 (work in progress), July 2011. 2917 [I-D.ietf-oauth-v2-http-mac] 2918 Hammer-Lahav, E., Barth, A., and B. Adida, "HTTP 2919 Authentication: MAC Access Authentication", 2920 draft-ietf-oauth-v2-http-mac-00 (work in progress), 2921 May 2011. 2923 [I-D.ietf-oauth-v2-threatmodel] 2924 Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0 2925 Threat Model and Security Considerations", 2926 draft-ietf-oauth-v2-threatmodel-00 (work in progress), 2927 July 2011. 2929 [OASIS.saml-core-2.0-os] 2930 Cantor, S., Kemp, J., Philpott, R., and E. Maler, 2931 "Assertions and Protocol for the OASIS Security Assertion 2932 Markup Language (SAML) V2.0", OASIS Standard saml-core- 2933 2.0-os, March 2005. 2935 [RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, 2936 April 2010. 2938 Authors' Addresses 2940 Eran Hammer (editor) 2942 Email: eran@hueniverse.com 2943 URI: http://hueniverse.com 2945 David Recordon 2946 Facebook 2948 Email: dr@fb.com 2949 URI: http://www.davidrecordon.com/ 2951 Dick Hardt 2952 Microsoft 2954 Email: dick.hardt@gmail.com 2955 URI: http://dickhardt.org/