idnits 2.17.1 draft-ietf-oauth-v2-26.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC5849, but the abstract doesn't seem to directly say this. It does mention RFC5849 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (May 1, 2012) is 4375 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'TBD' is mentioned on line 2518, but not defined ** Obsolete normative reference: RFC 2246 (Obsoleted by RFC 4346) ** Obsolete normative reference: RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) ** Obsolete normative reference: RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) ** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110) ** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159) ** Downref: Normative reference to an Informational RFC: RFC 4949 ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525) == Outdated reference: A later version (-23) exists of draft-ietf-oauth-saml2-bearer-08 == Outdated reference: A later version (-23) exists of draft-ietf-oauth-v2-bearer-08 == Outdated reference: A later version (-05) exists of draft-ietf-oauth-v2-http-mac-00 == Outdated reference: A later version (-08) exists of draft-ietf-oauth-v2-threatmodel-00 -- Obsolete informational reference (is this intentional?): RFC 5849 (Obsoleted by RFC 6749) Summary: 9 errors (**), 0 flaws (~~), 7 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group E. Hammer, Ed. 3 Internet-Draft 4 Obsoletes: 5849 (if approved) D. Recordon 5 Intended status: Standards Track Facebook 6 Expires: November 2, 2012 D. Hardt 7 Microsoft 8 May 1, 2012 10 The OAuth 2.0 Authorization Framework 11 draft-ietf-oauth-v2-26 13 Abstract 15 The OAuth 2.0 authorization framework enables a third-party 16 application to obtain limited access to an HTTP service, either on 17 behalf of a resource owner by orchestrating an approval interaction 18 between the resource owner and the HTTP service, or by allowing the 19 third-party application to obtain access on its own behalf. This 20 specification replaces and obsoletes the OAuth 1.0 protocol described 21 in RFC 5849. 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on November 2, 2012. 40 Copyright Notice 42 Copyright (c) 2012 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 58 1.1. Roles . . . . . . . . . . . . . . . . . . . . . . . . . . 6 59 1.2. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 7 60 1.3. Authorization Grant . . . . . . . . . . . . . . . . . . . 8 61 1.3.1. Authorization Code . . . . . . . . . . . . . . . . . . 8 62 1.3.2. Implicit . . . . . . . . . . . . . . . . . . . . . . . 8 63 1.3.3. Resource Owner Password Credentials . . . . . . . . . 9 64 1.3.4. Client Credentials . . . . . . . . . . . . . . . . . . 9 65 1.4. Access Token . . . . . . . . . . . . . . . . . . . . . . 9 66 1.5. Refresh Token . . . . . . . . . . . . . . . . . . . . . . 10 67 1.6. TLS Version . . . . . . . . . . . . . . . . . . . . . . . 12 68 1.7. HTTP Redirections . . . . . . . . . . . . . . . . . . . . 12 69 1.8. Interoperability . . . . . . . . . . . . . . . . . . . . 12 70 1.9. Notational Conventions . . . . . . . . . . . . . . . . . 13 71 2. Client Registration . . . . . . . . . . . . . . . . . . . . . 13 72 2.1. Client Types . . . . . . . . . . . . . . . . . . . . . . 14 73 2.2. Client Identifier . . . . . . . . . . . . . . . . . . . . 15 74 2.3. Client Authentication . . . . . . . . . . . . . . . . . . 15 75 2.3.1. Client Password . . . . . . . . . . . . . . . . . . . 16 76 2.3.2. Other Authentication Methods . . . . . . . . . . . . . 17 77 2.4. Unregistered Clients . . . . . . . . . . . . . . . . . . 17 78 3. Protocol Endpoints . . . . . . . . . . . . . . . . . . . . . . 17 79 3.1. Authorization Endpoint . . . . . . . . . . . . . . . . . 17 80 3.1.1. Response Type . . . . . . . . . . . . . . . . . . . . 18 81 3.1.2. Redirection Endpoint . . . . . . . . . . . . . . . . . 19 82 3.2. Token Endpoint . . . . . . . . . . . . . . . . . . . . . 21 83 3.2.1. Client Authentication . . . . . . . . . . . . . . . . 21 84 3.3. Access Token Scope . . . . . . . . . . . . . . . . . . . 22 85 4. Obtaining Authorization . . . . . . . . . . . . . . . . . . . 23 86 4.1. Authorization Code Grant . . . . . . . . . . . . . . . . 23 87 4.1.1. Authorization Request . . . . . . . . . . . . . . . . 24 88 4.1.2. Authorization Response . . . . . . . . . . . . . . . . 25 89 4.1.3. Access Token Request . . . . . . . . . . . . . . . . . 27 90 4.1.4. Access Token Response . . . . . . . . . . . . . . . . 28 91 4.2. Implicit Grant . . . . . . . . . . . . . . . . . . . . . 29 92 4.2.1. Authorization Request . . . . . . . . . . . . . . . . 31 93 4.2.2. Access Token Response . . . . . . . . . . . . . . . . 32 94 4.3. Resource Owner Password Credentials Grant . . . . . . . . 34 95 4.3.1. Authorization Request and Response . . . . . . . . . . 36 96 4.3.2. Access Token Request . . . . . . . . . . . . . . . . . 36 97 4.3.3. Access Token Response . . . . . . . . . . . . . . . . 37 98 4.4. Client Credentials Grant . . . . . . . . . . . . . . . . 37 99 4.4.1. Authorization Request and Response . . . . . . . . . . 38 100 4.4.2. Access Token Request . . . . . . . . . . . . . . . . . 38 101 4.4.3. Access Token Response . . . . . . . . . . . . . . . . 39 102 4.5. Extension Grants . . . . . . . . . . . . . . . . . . . . 39 103 5. Issuing an Access Token . . . . . . . . . . . . . . . . . . . 40 104 5.1. Successful Response . . . . . . . . . . . . . . . . . . . 40 105 5.2. Error Response . . . . . . . . . . . . . . . . . . . . . 41 106 6. Refreshing an Access Token . . . . . . . . . . . . . . . . . . 43 107 7. Accessing Protected Resources . . . . . . . . . . . . . . . . 44 108 7.1. Access Token Types . . . . . . . . . . . . . . . . . . . 44 109 8. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 45 110 8.1. Defining Access Token Types . . . . . . . . . . . . . . . 45 111 8.2. Defining New Endpoint Parameters . . . . . . . . . . . . 46 112 8.3. Defining New Authorization Grant Types . . . . . . . . . 46 113 8.4. Defining New Authorization Endpoint Response Types . . . 46 114 8.5. Defining Additional Error Codes . . . . . . . . . . . . . 47 115 9. Native Applications . . . . . . . . . . . . . . . . . . . . . 47 116 10. Security Considerations . . . . . . . . . . . . . . . . . . . 49 117 10.1. Client Authentication . . . . . . . . . . . . . . . . . . 49 118 10.2. Client Impersonation . . . . . . . . . . . . . . . . . . 49 119 10.3. Access Tokens . . . . . . . . . . . . . . . . . . . . . . 50 120 10.4. Refresh Tokens . . . . . . . . . . . . . . . . . . . . . 51 121 10.5. Authorization Codes . . . . . . . . . . . . . . . . . . . 51 122 10.6. Authorization Code Redirection URI Manipulation . . . . . 52 123 10.7. Resource Owner Password Credentials . . . . . . . . . . . 53 124 10.8. Request Confidentiality . . . . . . . . . . . . . . . . . 53 125 10.9. Endpoints Authenticity . . . . . . . . . . . . . . . . . 53 126 10.10. Credentials Guessing Attacks . . . . . . . . . . . . . . 53 127 10.11. Phishing Attacks . . . . . . . . . . . . . . . . . . . . 54 128 10.12. Cross-Site Request Forgery . . . . . . . . . . . . . . . 54 129 10.13. Clickjacking . . . . . . . . . . . . . . . . . . . . . . 55 130 10.14. Code Injection and Input Validation . . . . . . . . . . . 56 131 10.15. Open Redirectors . . . . . . . . . . . . . . . . . . . . 56 132 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 56 133 11.1. The OAuth Access Token Type Registry . . . . . . . . . . 56 134 11.1.1. Registration Template . . . . . . . . . . . . . . . . 57 135 11.2. The OAuth Parameters Registry . . . . . . . . . . . . . . 57 136 11.2.1. Registration Template . . . . . . . . . . . . . . . . 58 137 11.2.2. Initial Registry Contents . . . . . . . . . . . . . . 58 138 11.3. The OAuth Authorization Endpoint Response Type 139 Registry . . . . . . . . . . . . . . . . . . . . . . . . 60 140 11.3.1. Registration Template . . . . . . . . . . . . . . . . 61 141 11.3.2. Initial Registry Contents . . . . . . . . . . . . . . 61 142 11.4. The OAuth Extensions Error Registry . . . . . . . . . . . 61 143 11.4.1. Registration Template . . . . . . . . . . . . . . . . 62 145 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 62 146 Appendix A. Editor's Notes . . . . . . . . . . . . . . . . . . . 63 147 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 64 148 13.1. Normative References . . . . . . . . . . . . . . . . . . 64 149 13.2. Informative References . . . . . . . . . . . . . . . . . 65 150 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 66 152 1. Introduction 154 In the traditional client-server authentication model, the client 155 requests an access restricted resource (protected resource) on the 156 server by authenticating with the server using the resource owner's 157 credentials. In order to provide third-party applications access to 158 restricted resources, the resource owner shares its credentials with 159 the third-party. This creates several problems and limitations: 161 o Third-party applications are required to store the resource 162 owner's credentials for future use, typically a password in clear- 163 text. 164 o Servers are required to support password authentication, despite 165 the security weaknesses inherent in passwords. 166 o Third-party applications gain overly broad access to the resource 167 owner's protected resources, leaving resource owners without any 168 ability to restrict duration or access to a limited subset of 169 resources. 170 o Resource owners cannot revoke access to an individual third-party 171 without revoking access to all third-parties, and must do so by 172 changing their password. 173 o Compromise of any third-party application results in compromise of 174 the end-user's password and all of the data protected by that 175 password. 177 OAuth addresses these issues by introducing an authorization layer 178 and separating the role of the client from that of the resource 179 owner. In OAuth, the client requests access to resources controlled 180 by the resource owner and hosted by the resource server, and is 181 issued a different set of credentials than those of the resource 182 owner. 184 Instead of using the resource owner's credentials to access protected 185 resources, the client obtains an access token - a string denoting a 186 specific scope, lifetime, and other access attributes. Access tokens 187 are issued to third-party clients by an authorization server with the 188 approval of the resource owner. The client uses the access token to 189 access the protected resources hosted by the resource server. 191 For example, an end-user (resource owner) can grant a printing 192 service (client) access to her protected photos stored at a photo 193 sharing service (resource server), without sharing her username and 194 password with the printing service. Instead, she authenticates 195 directly with a server trusted by the photo sharing service 196 (authorization server) which issues the printing service delegation- 197 specific credentials (access token). 199 This specification is designed for use with HTTP ([RFC2616]). The 200 use of OAuth over any other protocol than HTTP is out of scope. 202 The OAuth 1.0 protocol ([RFC5849]), published as an informational 203 document, was the result of a small ad-hoc community effort. This 204 standards-track specification builds on the OAuth 1.0 deployment 205 experience, as well as additional use cases and extensibility 206 requirements gathered from the wider IETF community. The OAuth 2.0 207 protocol is not backward compatible with OAuth 1.0. The two versions 208 may co-exist on the network and implementations may choose to support 209 both. However, it is the intention of this specification that new 210 implementation support OAuth 2.0 as specified in this document, and 211 that OAuth 1.0 is used only to support existing deployments. The 212 OAuth 2.0 protocol shares very few implementation details with the 213 OAuth 1.0 protocol. Implementers familiar with OAuth 1.0 should 214 approach this document without any assumptions as to its structure 215 and details. 217 1.1. Roles 219 OAuth defines four roles: 221 resource owner 222 An entity capable of granting access to a protected resource. 223 When the resource owner is a person, it is referred to as an end- 224 user. 225 resource server 226 The server hosting the protected resources, capable of accepting 227 and responding to protected resource requests using access tokens. 228 client 229 An application making protected resource requests on behalf of the 230 resource owner and with its authorization. The term client does 231 not imply any particular implementation characteristics (e.g. 232 whether the application executes on a server, a desktop, or other 233 devices). 234 authorization server 235 The server issuing access tokens to the client after successfully 236 authenticating the resource owner and obtaining authorization. 238 The interaction between the authorization server and resource server 239 is beyond the scope of this specification. The authorization server 240 may be the same server as the resource server or a separate entity. 241 A single authorization server may issue access tokens accepted by 242 multiple resource servers. 244 1.2. Protocol Flow 246 +--------+ +---------------+ 247 | |--(A)- Authorization Request ->| Resource | 248 | | | Owner | 249 | |<-(B)-- Authorization Grant ---| | 250 | | +---------------+ 251 | | 252 | | +---------------+ 253 | |--(C)-- Authorization Grant -->| Authorization | 254 | Client | | Server | 255 | |<-(D)----- Access Token -------| | 256 | | +---------------+ 257 | | 258 | | +---------------+ 259 | |--(E)----- Access Token ------>| Resource | 260 | | | Server | 261 | |<-(F)--- Protected Resource ---| | 262 +--------+ +---------------+ 264 Figure 1: Abstract Protocol Flow 266 The abstract flow illustrated in Figure 1 describes the interaction 267 between the four roles and includes the following steps: 269 (A) The client requests authorization from the resource owner. The 270 authorization request can be made directly to the resource owner 271 (as shown), or preferably indirectly via the authorization 272 server as an intermediary. 273 (B) The client receives an authorization grant which is a credential 274 representing the resource owner's authorization, expressed using 275 one of four grant types defined in this specification or using 276 an extension grant type. The authorization grant type depends 277 on the method used by the client to request authorization and 278 the types supported by the authorization server. 279 (C) The client requests an access token by authenticating with the 280 authorization server and presenting the authorization grant. 281 (D) The authorization server authenticates the client and validates 282 the authorization grant, and if valid issues an access token. 283 (E) The client requests the protected resource from the resource 284 server and authenticates by presenting the access token. 285 (F) The resource server validates the access token, and if valid, 286 serves the request. 288 The preferred method for the client to obtain an authorization grant 289 from the resource owner (depicted in steps (A) and (B)) is to use the 290 authorization server as an intermediary which is illustrated in 291 Figure 3. 293 1.3. Authorization Grant 295 An authorization grant is a credential representing the resource 296 owner's authorization (to access its protected resources) used by the 297 client to obtain an access token. This specification defines four 298 grant types: authorization code, implicit, resource owner password 299 credentials, and client credentials, as well as an extensibility 300 mechanism for defining additional types. 302 1.3.1. Authorization Code 304 The authorization code is obtained by using an authorization server 305 as an intermediary between the client and resource owner. Instead of 306 requesting authorization directly from the resource owner, the client 307 directs the resource owner to an authorization server (via its user- 308 agent as defined in [RFC2616]), which in turn directs the resource 309 owner back to the client with the authorization code. 311 Before directing the resource owner back to the client with the 312 authorization code, the authorization server authenticates the 313 resource owner and obtains authorization. Because the resource owner 314 only authenticates with the authorization server, the resource 315 owner's credentials are never shared with the client. 317 The authorization code provides a few important security benefits 318 such as the ability to authenticate the client, and the transmission 319 of the access token directly to the client without passing it through 320 the resource owner's user-agent, potentially exposing it to others, 321 including the resource owner. 323 1.3.2. Implicit 325 The implicit grant is a simplified authorization code flow optimized 326 for clients implemented in a browser using a scripting language such 327 as JavaScript. In the implicit flow, instead of issuing the client 328 an authorization code, the client is issued an access token directly 329 (as the result of the resource owner authorization). The grant type 330 is implicit as no intermediate credentials (such as an authorization 331 code) are issued (and later used to obtain an access token). 333 When issuing an access token during the implicit grant flow, the 334 authorization server does not authenticate the client. In some 335 cases, the client identity can be verified via the redirection URI 336 used to deliver the access token to the client. The access token may 337 be exposed to the resource owner or other applications with access to 338 the resource owner's user-agent. 340 Implicit grants improve the responsiveness and efficiency of some 341 clients (such as a client implemented as an in-browser application) 342 since it reduces the number of round trips required to obtain an 343 access token. However, this convenience should be weighed against 344 the security implications of using implicit grants, especially when 345 the authorization code grant type is available. 347 1.3.3. Resource Owner Password Credentials 349 The resource owner password credentials (i.e. username and password) 350 can be used directly as an authorization grant to obtain an access 351 token. The credentials should only be used when there is a high 352 degree of trust between the resource owner and the client (e.g. the 353 client is part of the device operating system or a highly privileged 354 application), and when other authorization grant types are not 355 available (such as an authorization code). 357 Even though this grant type requires direct client access to the 358 resource owner credentials, the resource owner credentials are used 359 for a single request and are exchanged for an access token. This 360 grant type can eliminate the need for the client to store the 361 resource owner credentials for future use, by exchanging the 362 credentials with a long-lived access token or refresh token. 364 1.3.4. Client Credentials 366 The client credentials (or other forms of client authentication) can 367 be used as an authorization grant when the authorization scope is 368 limited to the protected resources under the control of the client, 369 or to protected resources previously arranged with the authorization 370 server. Client credentials are used as an authorization grant 371 typically when the client is acting on its own behalf (the client is 372 also the resource owner), or is requesting access to protected 373 resources based on an authorization previously arranged with the 374 authorization server. 376 1.4. Access Token 378 Access tokens are credentials used to access protected resources. An 379 access token is a string representing an authorization issued to the 380 client. The string is usually opaque to the client. Tokens 381 represent specific scopes and durations of access, granted by the 382 resource owner, and enforced by the resource server and authorization 383 server. 385 The token may denote an identifier used to retrieve the authorization 386 information, or self-contain the authorization information in a 387 verifiable manner (i.e. a token string consisting of some data and a 388 signature). Additional authentication credentials, which are beyond 389 the scope of this specification, may be required in order for the 390 client to use a token. 392 The access token provides an abstraction layer, replacing different 393 authorization constructs (e.g. username and password) with a single 394 token understood by the resource server. This abstraction enables 395 issuing access tokens more restrictive than the authorization grant 396 used to obtain them, as well as removing the resource server's need 397 to understand a wide range of authentication methods. 399 Access tokens can have different formats, structures, and methods of 400 utilization (e.g. cryptographic properties) based on the resource 401 server security requirements. Access token attributes and the 402 methods used to access protected resources are beyond the scope of 403 this specification and are defined by companion specifications. 405 1.5. Refresh Token 407 Refresh tokens are credentials used to obtain access tokens. Refresh 408 tokens are issued to the client by the authorization server and are 409 used to obtain a new access token when the current access token 410 becomes invalid or expires, or to obtain additional access tokens 411 with identical or narrower scope (access tokens may have a shorter 412 lifetime and fewer permissions than authorized by the resource 413 owner). Issuing a refresh token is optional at the discretion of the 414 authorization server. If the authorization server issues a refresh 415 token, it is included when issuing an access token (i.e. step (D) in 416 Figure 1). 418 A refresh token is a string representing the authorization granted to 419 the client by the resource owner. The string is usually opaque to 420 the client. The token denotes an identifier used to retrieve the 421 authorization information. Unlike access tokens, refresh tokens are 422 intended for use only with authorization servers and are never sent 423 to resource servers. 425 +--------+ +---------------+ 426 | |--(A)------- Authorization Grant --------->| | 427 | | | | 428 | |<-(B)----------- Access Token -------------| | 429 | | & Refresh Token | | 430 | | | | 431 | | +----------+ | | 432 | |--(C)---- Access Token ---->| | | | 433 | | | | | | 434 | |<-(D)- Protected Resource --| Resource | | Authorization | 435 | Client | | Server | | Server | 436 | |--(E)---- Access Token ---->| | | | 437 | | | | | | 438 | |<-(F)- Invalid Token Error -| | | | 439 | | +----------+ | | 440 | | | | 441 | |--(G)----------- Refresh Token ----------->| | 442 | | | | 443 | |<-(H)----------- Access Token -------------| | 444 +--------+ & Optional Refresh Token +---------------+ 446 Figure 2: Refreshing an Expired Access Token 448 The flow illustrated in Figure 2 includes the following steps: 450 (A) The client requests an access token by authenticating with the 451 authorization server, and presenting an authorization grant. 452 (B) The authorization server authenticates the client and validates 453 the authorization grant, and if valid issues an access token and 454 a refresh token. 455 (C) The client makes a protected resource request to the resource 456 server by presenting the access token. 457 (D) The resource server validates the access token, and if valid, 458 serves the request. 459 (E) Steps (C) and (D) repeat until the access token expires. If the 460 client knows the access token expired, it skips to step (G), 461 otherwise it makes another protected resource request. 462 (F) Since the access token is invalid, the resource server returns 463 an invalid token error. 464 (G) The client requests a new access token by authenticating with 465 the authorization server and presenting the refresh token. The 466 client authentication requirements are based on the client type 467 and on the authorization server policies. 469 (H) The authorization server authenticates the client and validates 470 the refresh token, and if valid issues a new access token (and 471 optionally, a new refresh token). 473 Steps C, D, E, and F are outside the scope of this specification as 474 described in Section 7. 476 1.6. TLS Version 478 Whenever TLS is used by this specification, the appropriate version 479 (or versions) of TLS will vary over time, based on the widespread 480 deployment and known security vulnerabilities. At the time of this 481 writing, TLS version 1.2 [RFC5246] is the most recent version, but 482 has a very limited deployment base and might not be readily available 483 for implementation. TLS version 1.0 [RFC2246] is the most widely 484 deployed version, and will provide the broadest interoperability. 486 Implementations MAY also support additional transport-layer security 487 mechanisms that meet their security requirements. 489 1.7. HTTP Redirections 491 This specification makes extensive use of HTTP redirections, in which 492 the client or the authorization server direct the resource owner's 493 user-agent to another destination. While the examples in this 494 specification show the use of the HTTP 302 status code, any other 495 method available via the user-agent to accomplish this redirection is 496 allowed and is considered to be an implementation detail. 498 1.8. Interoperability 500 OAuth 2.0 provides a rich authorization framework with well-defined 501 security properties. However, as a rich and highly extensible 502 framework with many optional components, on its own, this 503 specification is likely to produce a wide range of non-interoperable 504 implementations. 506 In addition, this specification leaves a few required components 507 partially or fully undefined (e.g. client registration, authorization 508 server capabilities, endpoint discovery). Without these components, 509 clients must be manually and specifically configured against a 510 specific authorization server and resource server in order to 511 interoperate. 513 This framework was designed with the clear expectation that future 514 work will define prescriptive profiles and extensions necessary to 515 achieve full web-scale interoperability. 517 1.9. Notational Conventions 519 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 520 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 521 specification are to be interpreted as described in [RFC2119]. 523 This specification uses the Augmented Backus-Naur Form (ABNF) 524 notation of [RFC5234]. 526 Certain security-related terms are to be understood in the sense 527 defined in [RFC4949]. These terms include, but are not limited to, 528 "attack", "authentication", "authorization", "certificate", 529 "confidentiality", "credential", "encryption", "identity", "sign", 530 "signature", "trust", "validate", and "verify". 532 Unless otherwise noted, all the protocol parameter names and values 533 are case sensitive. 535 2. Client Registration 537 Before initiating the protocol, the client registers with the 538 authorization server. The means through which the client registers 539 with the authorization server are beyond the scope of this 540 specification, but typically involve end-user interaction with an 541 HTML registration form. 543 Client registration does not require a direct interaction between the 544 client and the authorization server. When supported by the 545 authorization server, registration can rely on other means for 546 establishing trust and obtaining the required client properties (e.g. 547 redirection URI, client type). For example, registration can be 548 accomplished using a self-issued or third-party-issued assertion, or 549 by the authorization server performing client discovery using a 550 trusted channel. 552 When registering a client, the client developer SHALL: 554 o specifies the client type as described in Section 2.1, 555 o provides its client redirection URIs as described in 556 Section 3.1.2, and 557 o includes any other information required by the authorization 558 server (e.g. application name, website, description, logo image, 559 the acceptance of legal terms). 561 2.1. Client Types 563 OAuth defines two client types, based on their ability to 564 authenticate securely with the authorization server (i.e. ability to 565 maintain the confidentiality of their client credentials): 567 confidential 568 Clients capable of maintaining the confidentiality of their 569 credentials (e.g. client implemented on a secure server with 570 restricted access to the client credentials), or capable of secure 571 client authentication using other means. 572 public 573 Clients incapable of maintaining the confidentiality of their 574 credentials (e.g. clients executing on the device used by the 575 resource owner such as an installed native application or a web 576 browser-based application), and incapable of secure client 577 authentication via any other means. 579 The client type designation is based on the authorization server's 580 definition of secure authentication and its acceptable exposure 581 levels of client credentials. The authorization server SHOULD NOT 582 make assumptions about the client type. 584 A client may be implemented as a distributed set of components, each 585 with a different client type and security context (e.g. a distributed 586 client with both a confidential server-based component and a public 587 browser-based component). If the authorization server does not 588 provide support for such clients, or does not provide guidance with 589 regard to their registration, the client SHOULD register each 590 component as a separate client. 592 This specification has been designed around the following client 593 profiles: 595 web application 596 A web application is a confidential client running on a web 597 server. Resource owners access the client via an HTML user 598 interface rendered in a user-agent on the device used by the 599 resource owner. The client credentials as well as any access 600 token issued to the client are stored on the web server and are 601 not exposed to or accessible by the resource owner. 602 user-agent-based application 603 A user-agent-based application is a public client in which the 604 client code is downloaded from a web server and executes within a 605 user-agent (e.g. web browser) on the device used by the resource 606 owner. Protocol data and credentials are easily accessible (and 607 often visible) to the resource owner. Since such applications 608 reside within the user-agent, they can make seamless use of the 609 user-agent capabilities when requesting authorization. 610 native application 611 A native application is a public client installed and executed on 612 the device used by the resource owner. Protocol data and 613 credentials are accessible to the resource owner. It is assumed 614 that any client authentication credentials included in the 615 application can be extracted. On the other hand, dynamically 616 issued credentials such as access tokens or refresh tokens can 617 receive an acceptable level of protection. At a minimum, these 618 credentials are protected from hostile servers with which the 619 application may interact with. On some platforms these 620 credentials might be protected from other applications residing on 621 the same device. 623 2.2. Client Identifier 625 The authorization server issues the registered client a client 626 identifier - a unique string representing the registration 627 information provided by the client. The client identifier is not a 628 secret, it is exposed to the resource owner, and MUST NOT be used 629 alone for client authentication. The client identifier is unique to 630 the authorization server. 632 The client identifier string size is left undefined by this 633 specification. The client should avoid making assumptions about the 634 identifier size. The authorization server SHOULD document the size 635 of any identifier it issues. 637 2.3. Client Authentication 639 If the client type is confidential, the client and authorization 640 server establish a client authentication method suitable for the 641 security requirements of the authorization server. The authorization 642 server MAY accept any form of client authentication meeting its 643 security requirements. 645 Confidential clients are typically issued (or establish) a set of 646 client credentials used for authenticating with the authorization 647 server (e.g. password, public/private key pair). 649 The authorization server MAY establish a client authentication method 650 with public clients. However, the authorization server MUST NOT rely 651 on public client authentication for the purpose of identifying the 652 client. 654 The client MUST NOT use more than one authentication method in each 655 request. 657 2.3.1. Client Password 659 Clients in possession of a client password MAY use the HTTP Basic 660 authentication scheme as defined in [RFC2617] to authenticate with 661 the authorization server. The client identifier is used as the 662 username, and the client password is used as the password. The 663 authorization server MUST support the HTTP Basic authentication 664 scheme for authenticating clients which were issued a client 665 password. 667 For example (extra line breaks are for display purposes only): 669 Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 671 Alternatively, the authorization server MAY support including the 672 client credentials in the request body using the following 673 parameters: 675 client_id 676 REQUIRED. The client identifier issued to the client during 677 the registration process described by Section 2.2. 678 client_secret 679 REQUIRED. The client secret. The client MAY omit the 680 parameter if the client secret is an empty string. 682 Including the client credentials in the request body using the two 683 parameters is NOT RECOMMENDED, and SHOULD be limited to clients 684 unable to directly utilize the HTTP Basic authentication scheme (or 685 other password-based HTTP authentication schemes). The parameters 686 can only be transmitted in the request body and MUST NOT be included 687 in the request URI. 689 For example, requesting to refresh an access token (Section 6) using 690 the body parameters (extra line breaks are for display purposes 691 only): 693 POST /token HTTP/1.1 694 Host: server.example.com 695 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 697 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA 698 &client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw 700 The authorization server MUST require the use of TLS as described in 701 Section 1.6 when sending requests using password authentication. 703 Since this client authentication method involves a password, the 704 authorization server MUST protect any endpoint utilizing it against 705 brute force attacks. 707 2.3.2. Other Authentication Methods 709 The authorization server MAY support any suitable HTTP authentication 710 scheme matching its security requirements. When using other 711 authentication methods, the authorization server MUST define a 712 mapping between the client identifier (registration record) and 713 authentication scheme. 715 2.4. Unregistered Clients 717 This specification does not exclude the use of unregistered clients. 718 However, the use with such clients is beyond the scope of this 719 specification, and requires additional security analysis and review 720 of its interoperability impact. 722 3. Protocol Endpoints 724 The authorization process utilizes two authorization server endpoints 725 (HTTP resources): 727 o Authorization endpoint - used by the client to obtain 728 authorization from the resource owner via user-agent redirection. 729 o Token endpoint - used by the client to exchange an authorization 730 grant for an access token, typically with client authentication. 732 As well as one client endpoint: 734 o Redirection endpoint - used by the authorization server to return 735 authorization credentials responses to the client via the resource 736 owner user-agent. 738 Not every authorization grant type utilizes both endpoints. 739 Extension grant types MAY define additional endpoints as needed. 741 3.1. Authorization Endpoint 743 The authorization endpoint is used to interact with the resource 744 owner and obtain an authorization grant. The authorization server 745 MUST first verify the identity of the resource owner. The way in 746 which the authorization server authenticates the resource owner (e.g. 747 username and password login, session cookies) is beyond the scope of 748 this specification. 750 The means through which the client obtains the location of the 751 authorization endpoint are beyond the scope of this specification, 752 but the location is typically provided in the service documentation. 754 The endpoint URI MAY include an "application/x-www-form-urlencoded" 755 formatted ([W3C.REC-html401-19991224]) query component ([RFC3986] 756 section 3.4), which MUST be retained when adding additional query 757 parameters. The endpoint URI MUST NOT include a fragment component. 759 Since requests to the authorization endpoint result in user 760 authentication and the transmission of clear-text credentials (in the 761 HTTP response), the authorization server MUST require the use of TLS 762 as described in Section 1.6 when sending requests to the 763 authorization endpoint. 765 The authorization server MUST support the use of the HTTP "GET" 766 method [RFC2616] for the authorization endpoint, and MAY support the 767 use of the "POST" method as well. 769 Parameters sent without a value MUST be treated as if they were 770 omitted from the request. The authorization server MUST ignore 771 unrecognized request parameters. Request and response parameters 772 MUST NOT be included more than once. 774 3.1.1. Response Type 776 The authorization endpoint is used by the authorization code grant 777 type and implicit grant type flows. The client informs the 778 authorization server of the desired grant type using the following 779 parameter: 781 response_type 782 REQUIRED. The value MUST be one of "code" for requesting an 783 authorization code as described by Section 4.1.1, "token" for 784 requesting an access token (implicit grant) as described by 785 Section 4.2.1, or a registered extension value as described by 786 Section 8.4. 788 Extension response types MAY contain a space-delimited (%x20) list of 789 values, where the order of values does not matter (e.g. response type 790 "a b" is the same as "b a"). The meaning of such composite response 791 types is defined by their respective specifications. 793 If an authorization request is missing the "response_type" parameter, 794 or if the response type is not understood, the authorization server 795 MUST return an error response as described in Section 4.1.2.1. 797 3.1.2. Redirection Endpoint 799 After completing its interaction with the resource owner, the 800 authorization server directs the resource owner's user-agent back to 801 the client. The authorization server redirects the user-agent to the 802 client's redirection endpoint previously established with the 803 authorization server during the client registration process or when 804 making the authorization request. 806 The redirection endpoint URI MUST be an absolute URI as defined by 807 [RFC3986] section 4.3. The endpoint URI MAY include an 808 "application/x-www-form-urlencoded" formatted 809 ([W3C.REC-html401-19991224]) query component ([RFC3986] section 3.4), 810 which MUST be retained when adding additional query parameters. The 811 endpoint URI MUST NOT include a fragment component. 813 3.1.2.1. Endpoint Request Confidentiality 815 The redirection endpoint SHOULD require the use of TLS as described 816 in Section 1.6 when the requested response type is "code" or "token", 817 or when the redirection request will result in the transmission of 818 sensitive credentials over an open network. This specification does 819 not mandate the use of TLS because at the time of this writing, 820 requiring clients to deploy TLS is a significant hurdle for many 821 client developers. If TLS is not available, the authorization server 822 SHOULD warn the resource owner about the insecure endpoint prior to 823 redirection (e.g. display a message during the authorization 824 request). 826 Lack of transport-layer security can have a severe impact on the 827 security of the client and the protected resources it is authorized 828 to access. The use of transport-layer security is particularly 829 critical when the authorization process is used as a form of 830 delegated end-user authentication by the client (e.g. third-party 831 sign-in service). 833 3.1.2.2. Registration Requirements 835 The authorization server MUST require the following clients to 836 register their redirection endpoint: 838 o Public clients. 839 o Confidential clients utilizing the implicit grant type. 841 The authorization server SHOULD require all clients to register their 842 redirection endpoint prior to utilizing the authorization endpoint. 844 The authorization server SHOULD require the client to provide the 845 complete redirection URI (the client MAY use the "state" request 846 parameter to achieve per-request customization). If requiring the 847 registration of the complete redirection URI is not possible, the 848 authorization server SHOULD require the registration of the URI 849 scheme, authority, and path (allowing the client to dynamically vary 850 only the query component of the redirection URI when requesting 851 authorization). 853 The authorization server MAY allow the client to register multiple 854 redirection endpoints. 856 Lack of a redirection URI registration requirement can enable an 857 attacker to use the authorization endpoint as open redirector as 858 described in Section 10.15. 860 3.1.2.3. Dynamic Configuration 862 If multiple redirection URIs have been registered, if only part of 863 the redirection URI has been registered, or if no redirection URI has 864 been registered, the client MUST include a redirection URI with the 865 authorization request using the "redirect_uri" request parameter. 867 When a redirection URI is included in an authorization request, the 868 authorization server MUST compare and match the value received 869 against at least one of the registered redirection URIs (or URI 870 components) as defined in [RFC3986] section 6, if any redirection 871 URIs were registered. If the client registration included the full 872 redirection URI, the authorization server MUST compare the two URIs 873 using simple string comparison as defined in [RFC3986] section 6.2.1. 875 3.1.2.4. Invalid Endpoint 877 If an authorization request fails validation due to a missing, 878 invalid, or mismatching redirection URI, the authorization server 879 SHOULD inform the resource owner of the error, and MUST NOT 880 automatically redirect the user-agent to the invalid redirection URI. 882 3.1.2.5. Endpoint Content 884 The redirection request to the client's endpoint typically results in 885 an HTML document response, processed by the user-agent. If the HTML 886 response is served directly as the result of the redirection request, 887 any script included in the HTML document will execute with full 888 access to the redirection URI and the credentials it contains. 890 The client SHOULD NOT include any third-party scripts (e.g. third- 891 party analytics, social plug-ins, ad networks) in the redirection 892 endpoint response. Instead, it SHOULD extract the credentials from 893 the URI and redirect the user-agent again to another endpoint without 894 exposing the credentials (in the URI or elsewhere). If third-party 895 scripts are included, the client MUST ensure that its own scripts 896 (used to extract and remove the credentials from the URI) will 897 execute first. 899 3.2. Token Endpoint 901 The token endpoint is used by the client to obtain an access token by 902 presenting its authorization grant or refresh token. The token 903 endpoint is used with every authorization grant except for the 904 implicit grant type (since an access token is issued directly). 906 The means through which the client obtains the location of the token 907 endpoint are beyond the scope of this specification but is typically 908 provided in the service documentation. 910 The endpoint URI MAY include an "application/x-www-form-urlencoded" 911 formatted ([W3C.REC-html401-19991224]) query component ([RFC3986] 912 section 3.4), which MUST be retained when adding additional query 913 parameters. The endpoint URI MUST NOT include a fragment component. 915 Since requests to the token endpoint result in the transmission of 916 clear-text credentials (in the HTTP request and response), the 917 authorization server MUST require the use of TLS as described in 918 Section 1.6 when sending requests to the token endpoint. 920 The client MUST use the HTTP "POST" method when making access token 921 requests. 923 Parameters sent without a value MUST be treated as if they were 924 omitted from the request. The authorization server MUST ignore 925 unrecognized request parameters. Request and response parameters 926 MUST NOT be included more than once. 928 3.2.1. Client Authentication 930 Confidential clients or other clients issued client credentials MUST 931 authenticate with the authorization server as described in 932 Section 2.3 when making requests to the token endpoint. Client 933 authentication is used for: 935 o Enforcing the binding of refresh tokens and authorization codes to 936 the client they were issued to. Client authentication is critical 937 when an authorization code is transmitted to the redirection 938 endpoint over an insecure channel, or when the redirection URI has 939 not been registered in full. 941 o Recovering from a compromised client by disabling the client or 942 changing its credentials, thus preventing an attacker from abusing 943 stolen refresh tokens. Changing a single set of client 944 credentials is significantly faster than revoking an entire set of 945 refresh tokens. 946 o Implementing authentication management best practices which 947 require periodic credential rotation. Rotation of an entire set 948 of refresh tokens can be challenging, while rotation of a single 949 set of client credentials is significantly easier. 951 A public client that was not issued a client password MAY use the 952 "client_id" request parameter to identify itself when sending 953 requests to the token endpoint (e.g. for the purpose of providing 954 end-user context, client usage statistics). 956 3.3. Access Token Scope 958 The authorization and token endpoints allow the client to specify the 959 scope of the access request using the "scope" request parameter. In 960 turn, the authorization server uses the "scope" response parameter to 961 inform the client of the scope of the access token issued. 963 The value of the scope parameter is expressed as a list of space- 964 delimited, case sensitive strings. The strings are defined by the 965 authorization server. If the value contains multiple space-delimited 966 strings, their order does not matter, and each string adds an 967 additional access range to the requested scope. 969 scope = scope-token *( SP scope-token ) 970 scope-token = 1*( %x21 / %x23-5B / %x5D-7E ) 972 The authorization server MAY fully or partially ignore the scope 973 requested by the client based on the authorization server policy or 974 the resource owner's instructions. If the issued access token scope 975 is different from the one requested by the client, the authorization 976 server MUST include the "scope" response parameter to inform the 977 client of the actual scope granted. 979 If the client omits the scope parameter when requesting 980 authorization, the authorization server MUST either process the 981 request using a pre-defined default value, or fail the request 982 indicating an invalid scope. The authorization server SHOULD 983 document its scope requirements and default value (if defined). 985 4. Obtaining Authorization 987 To request an access token, the client obtains authorization from the 988 resource owner. The authorization is expressed in the form of an 989 authorization grant which the client uses to request the access 990 token. OAuth defines four grant types: authorization code, implicit, 991 resource owner password credentials, and client credentials. It also 992 provides an extension mechanism for defining additional grant types. 994 4.1. Authorization Code Grant 996 The authorization code grant type is used to obtain both access 997 tokens and refresh tokens and is optimized for confidential clients. 998 As a redirection-based flow, the client must be capable of 999 interacting with the resource owner's user-agent (typically a web 1000 browser) and capable of receiving incoming requests (via redirection) 1001 from the authorization server. 1003 +----------+ 1004 | resource | 1005 | owner | 1006 | | 1007 +----------+ 1008 ^ 1009 | 1010 (B) 1011 +----|-----+ Client Identifier +---------------+ 1012 | -+----(A)-- & Redirection URI ---->| | 1013 | User- | | Authorization | 1014 | Agent -+----(B)-- User authenticates --->| Server | 1015 | | | | 1016 | -+----(C)-- Authorization Code ---<| | 1017 +-|----|---+ +---------------+ 1018 | | ^ v 1019 (A) (C) | | 1020 | | | | 1021 ^ v | | 1022 +---------+ | | 1023 | |>---(D)-- Authorization Code ---------' | 1024 | Client | & Redirection URI | 1025 | | | 1026 | |<---(E)----- Access Token -------------------' 1027 +---------+ (w/ Optional Refresh Token) 1029 Note: The lines illustrating steps A, B, and C are broken into two 1030 parts as they pass through the user-agent. 1032 Figure 3: Authorization Code Flow 1034 The flow illustrated in Figure 3 includes the following steps: 1036 (A) The client initiates the flow by directing the resource owner's 1037 user-agent to the authorization endpoint. The client includes 1038 its client identifier, requested scope, local state, and a 1039 redirection URI to which the authorization server will send the 1040 user-agent back once access is granted (or denied). 1041 (B) The authorization server authenticates the resource owner (via 1042 the user-agent) and establishes whether the resource owner 1043 grants or denies the client's access request. 1044 (C) Assuming the resource owner grants access, the authorization 1045 server redirects the user-agent back to the client using the 1046 redirection URI provided earlier (in the request or during 1047 client registration). The redirection URI includes an 1048 authorization code and any local state provided by the client 1049 earlier. 1050 (D) The client requests an access token from the authorization 1051 server's token endpoint by including the authorization code 1052 received in the previous step. When making the request, the 1053 client authenticates with the authorization server. The client 1054 includes the redirection URI used to obtain the authorization 1055 code for verification. 1056 (E) The authorization server authenticates the client, validates the 1057 authorization code, and ensures the redirection URI received 1058 matches the URI used to redirect the client in step (C). If 1059 valid, the authorization server responds back with an access 1060 token and optionally, a refresh token. 1062 4.1.1. Authorization Request 1064 The client constructs the request URI by adding the following 1065 parameters to the query component of the authorization endpoint URI 1066 using the "application/x-www-form-urlencoded" format as defined by 1067 [W3C.REC-html401-19991224]: 1069 response_type 1070 REQUIRED. Value MUST be set to "code". 1071 client_id 1072 REQUIRED. The client identifier as described in Section 2.2. 1073 redirect_uri 1074 OPTIONAL. As described in Section 3.1.2. 1075 scope 1076 OPTIONAL. The scope of the access request as described by 1077 Section 3.3. 1079 state 1080 RECOMMENDED. An opaque value used by the client to maintain 1081 state between the request and callback. The authorization 1082 server includes this value when redirecting the user-agent back 1083 to the client. The parameter SHOULD be used for preventing 1084 cross-site request forgery as described in Section 10.12. 1086 The client directs the resource owner to the constructed URI using an 1087 HTTP redirection response, or by other means available to it via the 1088 user-agent. 1090 For example, the client directs the user-agent to make the following 1091 HTTP request using TLS (extra line breaks are for display purposes 1092 only): 1094 GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz 1095 &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 1096 Host: server.example.com 1098 The authorization server validates the request to ensure all required 1099 parameters are present and valid. If the request is valid, the 1100 authorization server authenticates the resource owner and obtains an 1101 authorization decision (by asking the resource owner or by 1102 establishing approval via other means). 1104 When a decision is established, the authorization server directs the 1105 user-agent to the provided client redirection URI using an HTTP 1106 redirection response, or by other means available to it via the user- 1107 agent. 1109 4.1.2. Authorization Response 1111 If the resource owner grants the access request, the authorization 1112 server issues an authorization code and delivers it to the client by 1113 adding the following parameters to the query component of the 1114 redirection URI using the "application/x-www-form-urlencoded" format: 1116 code 1117 REQUIRED. The authorization code generated by the 1118 authorization server. The authorization code MUST expire 1119 shortly after it is issued to mitigate the risk of leaks. A 1120 maximum authorization code lifetime of 10 minutes is 1121 RECOMMENDED. The client MUST NOT use the authorization code 1122 more than once. If an authorization code is used more than 1123 once, the authorization server MUST deny the request and SHOULD 1124 revoke (when possible) all tokens previously issued based on 1125 that authorization code. The authorization code is bound to 1126 the client identifier and redirection URI. 1127 state 1128 REQUIRED if the "state" parameter was present in the client 1129 authorization request. The exact value received from the 1130 client. 1132 For example, the authorization server redirects the user-agent by 1133 sending the following HTTP response: 1135 HTTP/1.1 302 Found 1136 Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA 1137 &state=xyz 1139 The client MUST ignore unrecognized response parameters. The 1140 authorization code string size is left undefined by this 1141 specification. The client should avoid making assumptions about code 1142 value sizes. The authorization server SHOULD document the size of 1143 any value it issues. 1145 4.1.2.1. Error Response 1147 If the request fails due to a missing, invalid, or mismatching 1148 redirection URI, or if the client identifier is missing or invalid, 1149 the authorization server SHOULD inform the resource owner of the 1150 error, and MUST NOT automatically redirect the user-agent to the 1151 invalid redirection URI. 1153 If the resource owner denies the access request or if the request 1154 fails for reasons other than a missing or invalid redirection URI, 1155 the authorization server informs the client by adding the following 1156 parameters to the query component of the redirection URI using the 1157 "application/x-www-form-urlencoded" format: 1159 error 1160 REQUIRED. A single error code from the following: 1161 invalid_request 1162 The request is missing a required parameter, includes an 1163 invalid parameter value, includes a parameter more than 1164 once, or is otherwise malformed. 1165 unauthorized_client 1166 The client is not authorized to request an authorization 1167 code using this method. 1169 access_denied 1170 The resource owner or authorization server denied the 1171 request. 1172 unsupported_response_type 1173 The authorization server does not support obtaining an 1174 authorization code using this method. 1175 invalid_scope 1176 The requested scope is invalid, unknown, or malformed. 1177 server_error 1178 The authorization server encountered an unexpected 1179 condition which prevented it from fulfilling the request. 1180 temporarily_unavailable 1181 The authorization server is currently unable to handle 1182 the request due to a temporary overloading or maintenance 1183 of the server. 1184 error_description 1185 OPTIONAL. A human-readable UTF-8 encoded text providing 1186 additional information, used to assist the client developer in 1187 understanding the error that occurred. 1188 error_uri 1189 OPTIONAL. A URI identifying a human-readable web page with 1190 information about the error, used to provide the client 1191 developer with additional information about the error. 1192 state 1193 REQUIRED if a "state" parameter was present in the client 1194 authorization request. The exact value received from the 1195 client. 1197 For example, the authorization server redirects the user-agent by 1198 sending the following HTTP response: 1200 HTTP/1.1 302 Found 1201 Location: https://client.example.com/cb?error=access_denied&state=xyz 1203 4.1.3. Access Token Request 1205 The client makes a request to the token endpoint by adding the 1206 following parameters using the "application/x-www-form-urlencoded" 1207 format in the HTTP request entity-body: 1209 grant_type 1210 REQUIRED. Value MUST be set to "authorization_code". 1212 code 1213 REQUIRED. The authorization code received from the 1214 authorization server. 1215 redirect_uri 1216 REQUIRED, if the "redirect_uri" parameter was included in the 1217 authorization request as described in Section 4.1.1, and their 1218 values MUST be identical. 1220 If the client type is confidential or the client was issued client 1221 credentials (or assigned other authentication requirements), the 1222 client MUST authenticate with the authorization server as described 1223 in Section 3.2.1. 1225 For example, the client makes the following HTTP request using TLS 1226 (extra line breaks are for display purposes only): 1228 POST /token HTTP/1.1 1229 Host: server.example.com 1230 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 1231 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 1233 grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA 1234 &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb 1236 The authorization server MUST: 1238 o require client authentication for confidential clients or for any 1239 client that was issued client credentials (or with other 1240 authentication requirements), 1241 o authenticate the client if client authentication is included and 1242 ensure the authorization code was issued to the authenticated 1243 client, 1244 o verify that the authorization code is valid, and 1245 o ensure that the "redirect_uri" parameter is present if the 1246 "redirect_uri" parameter was included in the initial authorization 1247 request as described in Section 4.1.1, and if included ensure 1248 their values are identical. 1250 4.1.4. Access Token Response 1252 If the access token request is valid and authorized, the 1253 authorization server issues an access token and optional refresh 1254 token as described in Section 5.1. If the request client 1255 authentication failed or is invalid, the authorization server returns 1256 an error response as described in Section 5.2. 1258 An example successful response: 1260 HTTP/1.1 200 OK 1261 Content-Type: application/json;charset=UTF-8 1262 Cache-Control: no-store 1263 Pragma: no-cache 1265 { 1266 "access_token":"2YotnFZFEjr1zCsicMWpAA", 1267 "token_type":"example", 1268 "expires_in":3600, 1269 "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", 1270 "example_parameter":"example_value" 1271 } 1273 4.2. Implicit Grant 1275 The implicit grant type is used to obtain access tokens (it does not 1276 support the issuance of refresh tokens) and is optimized for public 1277 clients known to operate a particular redirection URI. These clients 1278 are typically implemented in a browser using a scripting language 1279 such as JavaScript. 1281 As a redirection-based flow, the client must be capable of 1282 interacting with the resource owner's user-agent (typically a web 1283 browser) and capable of receiving incoming requests (via redirection) 1284 from the authorization server. 1286 Unlike the authorization code grant type in which the client makes 1287 separate requests for authorization and access token, the client 1288 receives the access token as the result of the authorization request. 1290 The implicit grant type does not include client authentication, and 1291 relies on the presence of the resource owner and the registration of 1292 the redirection URI. Because the access token is encoded into the 1293 redirection URI, it may be exposed to the resource owner and other 1294 applications residing on the same device. 1296 +----------+ 1297 | Resource | 1298 | Owner | 1299 | | 1300 +----------+ 1301 ^ 1302 | 1303 (B) 1304 +----|-----+ Client Identifier +---------------+ 1305 | -+----(A)-- & Redirection URI --->| | 1306 | User- | | Authorization | 1307 | Agent -|----(B)-- User authenticates -->| Server | 1308 | | | | 1309 | |<---(C)--- Redirection URI ----<| | 1310 | | with Access Token +---------------+ 1311 | | in Fragment 1312 | | +---------------+ 1313 | |----(D)--- Redirection URI ---->| Web-Hosted | 1314 | | without Fragment | Client | 1315 | | | Resource | 1316 | (F) |<---(E)------- Script ---------<| | 1317 | | +---------------+ 1318 +-|--------+ 1319 | | 1320 (A) (G) Access Token 1321 | | 1322 ^ v 1323 +---------+ 1324 | | 1325 | Client | 1326 | | 1327 +---------+ 1329 Note: The lines illustrating steps A and B are broken into two parts 1330 as they pass through the user-agent. 1332 Figure 4: Implicit Grant Flow 1334 The flow illustrated in Figure 4 includes the following steps: 1336 (A) The client initiates the flow by directing the resource owner's 1337 user-agent to the authorization endpoint. The client includes 1338 its client identifier, requested scope, local state, and a 1339 redirection URI to which the authorization server will send the 1340 user-agent back once access is granted (or denied). 1342 (B) The authorization server authenticates the resource owner (via 1343 the user-agent) and establishes whether the resource owner 1344 grants or denies the client's access request. 1345 (C) Assuming the resource owner grants access, the authorization 1346 server redirects the user-agent back to the client using the 1347 redirection URI provided earlier. The redirection URI includes 1348 the access token in the URI fragment. 1349 (D) The user-agent follows the redirection instructions by making a 1350 request to the web-hosted client resource (which does not 1351 include the fragment per [RFC2616]). The user-agent retains the 1352 fragment information locally. 1353 (E) The web-hosted client resource returns a web page (typically an 1354 HTML document with an embedded script) capable of accessing the 1355 full redirection URI including the fragment retained by the 1356 user-agent, and extracting the access token (and other 1357 parameters) contained in the fragment. 1358 (F) The user-agent executes the script provided by the web-hosted 1359 client resource locally, which extracts the access token and 1360 passes it to the client. 1362 4.2.1. Authorization Request 1364 The client constructs the request URI by adding the following 1365 parameters to the query component of the authorization endpoint URI 1366 using the "application/x-www-form-urlencoded" format: 1368 response_type 1369 REQUIRED. Value MUST be set to "token". 1370 client_id 1371 REQUIRED. The client identifier as described in Section 2.2. 1372 redirect_uri 1373 OPTIONAL. As described in Section 3.1.2. 1374 scope 1375 OPTIONAL. The scope of the access request as described by 1376 Section 3.3. 1377 state 1378 RECOMMENDED. An opaque value used by the client to maintain 1379 state between the request and callback. The authorization 1380 server includes this value when redirecting the user-agent back 1381 to the client. The parameter SHOULD be used for preventing 1382 cross-site request forgery as described in Section 10.12. 1384 The client directs the resource owner to the constructed URI using an 1385 HTTP redirection response, or by other means available to it via the 1386 user-agent. 1388 For example, the client directs the user-agent to make the following 1389 HTTP request using TLS (extra line breaks are for display purposes 1390 only): 1392 GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz 1393 &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 1394 Host: server.example.com 1396 The authorization server validates the request to ensure all required 1397 parameters are present and valid. The authorization server MUST 1398 verify that the redirection URI to which it will redirect the access 1399 token matches a redirection URI registered by the client as described 1400 in Section 3.1.2. 1402 If the request is valid, the authorization server authenticates the 1403 resource owner and obtains an authorization decision (by asking the 1404 resource owner or by establishing approval via other means). 1406 When a decision is established, the authorization server directs the 1407 user-agent to the provided client redirection URI using an HTTP 1408 redirection response, or by other means available to it via the user- 1409 agent. 1411 4.2.2. Access Token Response 1413 If the resource owner grants the access request, the authorization 1414 server issues an access token and delivers it to the client by adding 1415 the following parameters to the fragment component of the redirection 1416 URI using the "application/x-www-form-urlencoded" format: 1418 access_token 1419 REQUIRED. The access token issued by the authorization server. 1420 token_type 1421 REQUIRED. The type of the token issued as described in 1422 Section 7.1. Value is case insensitive. 1423 expires_in 1424 RECOMMENDED. The lifetime in seconds of the access token. For 1425 example, the value "3600" denotes that the access token will 1426 expire in one hour from the time the response was generated. 1427 If omitted, the authorization server SHOULD provide the 1428 expiration time via other means or document the default value. 1429 scope 1430 OPTIONAL, if identical to the scope requested by the client, 1431 otherwise REQUIRED. The scope of the access token as described 1432 by Section 3.3. 1434 state 1435 REQUIRED if the "state" parameter was present in the client 1436 authorization request. The exact value received from the 1437 client. 1439 The authorization server MUST NOT issue a refresh token. 1441 For example, the authorization server redirects the user-agent by 1442 sending the following HTTP response (URI extra line breaks are for 1443 display purposes only): 1445 HTTP/1.1 302 Found 1446 Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA 1447 &state=xyz&token_type=example&expires_in=3600 1449 Developers should note that some user-agents do not support the 1450 inclusion of a fragment component in the HTTP "Location" response 1451 header field. Such clients will require using other methods for 1452 redirecting the client than a 3xx redirection response. For example, 1453 returning an HTML page which includes a 'continue' button with an 1454 action linked to the redirection URI. 1456 The client MUST ignore unrecognized response parameters. The access 1457 token string size is left undefined by this specification. The 1458 client should avoid making assumptions about value sizes. The 1459 authorization server SHOULD document the size of any value it issues. 1461 4.2.2.1. Error Response 1463 If the request fails due to a missing, invalid, or mismatching 1464 redirection URI, or if the client identifier is missing or invalid, 1465 the authorization server SHOULD inform the resource owner of the 1466 error, and MUST NOT automatically redirect the user-agent to the 1467 invalid redirection URI. 1469 If the resource owner denies the access request or if the request 1470 fails for reasons other than a missing or invalid redirection URI, 1471 the authorization server informs the client by adding the following 1472 parameters to the fragment component of the redirection URI using the 1473 "application/x-www-form-urlencoded" format: 1475 error 1476 REQUIRED. A single error code from the following: 1478 invalid_request 1479 The request is missing a required parameter, includes an 1480 invalid parameter value, includes a parameter more than 1481 once, or is otherwise malformed. 1482 unauthorized_client 1483 The client is not authorized to request an access token 1484 using this method. 1485 access_denied 1486 The resource owner or authorization server denied the 1487 request. 1488 unsupported_response_type 1489 The authorization server does not support obtaining an 1490 access token using this method. 1491 invalid_scope 1492 The requested scope is invalid, unknown, or malformed. 1493 server_error 1494 The authorization server encountered an unexpected 1495 condition which prevented it from fulfilling the request. 1496 temporarily_unavailable 1497 The authorization server is currently unable to handle 1498 the request due to a temporary overloading or maintenance 1499 of the server. 1500 error_description 1501 OPTIONAL. A human-readable UTF-8 encoded text providing 1502 additional information, used to assist the client developer in 1503 understanding the error that occurred. 1504 error_uri 1505 OPTIONAL. A URI identifying a human-readable web page with 1506 information about the error, used to provide the client 1507 developer with additional information about the error. 1508 state 1509 REQUIRED if a "state" parameter was present in the client 1510 authorization request. The exact value received from the 1511 client. 1513 For example, the authorization server redirects the user-agent by 1514 sending the following HTTP response: 1516 HTTP/1.1 302 Found 1517 Location: https://client.example.com/cb#error=access_denied&state=xyz 1519 4.3. Resource Owner Password Credentials Grant 1521 The resource owner password credentials grant type is suitable in 1522 cases where the resource owner has a trust relationship with the 1523 client, such as the device operating system or a highly privileged 1524 application. The authorization server should take special care when 1525 enabling this grant type, and only allow it when other flows are not 1526 viable. 1528 The grant type is suitable for clients capable of obtaining the 1529 resource owner's credentials (username and password, typically using 1530 an interactive form). It is also used to migrate existing clients 1531 using direct authentication schemes such as HTTP Basic or Digest 1532 authentication to OAuth by converting the stored credentials to an 1533 access token. 1535 +----------+ 1536 | Resource | 1537 | Owner | 1538 | | 1539 +----------+ 1540 v 1541 | Resource Owner 1542 (A) Password Credentials 1543 | 1544 v 1545 +---------+ +---------------+ 1546 | |>--(B)---- Resource Owner ------->| | 1547 | | Password Credentials | Authorization | 1548 | Client | | Server | 1549 | |<--(C)---- Access Token ---------<| | 1550 | | (w/ Optional Refresh Token) | | 1551 +---------+ +---------------+ 1553 Figure 5: Resource Owner Password Credentials Flow 1555 The flow illustrated in Figure 5 includes the following steps: 1557 (A) The resource owner provides the client with its username and 1558 password. 1559 (B) The client requests an access token from the authorization 1560 server's token endpoint by including the credentials received 1561 from the resource owner. When making the request, the client 1562 authenticates with the authorization server. 1563 (C) The authorization server authenticates the client and validates 1564 the resource owner credentials, and if valid issues an access 1565 token. 1567 4.3.1. Authorization Request and Response 1569 The method through which the client obtains the resource owner 1570 credentials is beyond the scope of this specification. The client 1571 MUST discard the credentials once an access token has been obtained. 1573 4.3.2. Access Token Request 1575 The client makes a request to the token endpoint by adding the 1576 following parameters using the "application/x-www-form-urlencoded" 1577 format in the HTTP request entity-body: 1579 grant_type 1580 REQUIRED. Value MUST be set to "password". 1581 username 1582 REQUIRED. The resource owner username, encoded as UTF-8. 1583 password 1584 REQUIRED. The resource owner password, encoded as UTF-8. 1585 scope 1586 OPTIONAL. The scope of the access request as described by 1587 Section 3.3. 1589 If the client type is confidential or the client was issued client 1590 credentials (or assigned other authentication requirements), the 1591 client MUST authenticate with the authorization server as described 1592 in Section 3.2.1. 1594 For example, the client makes the following HTTP request using 1595 transport-layer security (extra line breaks are for display purposes 1596 only): 1598 POST /token HTTP/1.1 1599 Host: server.example.com 1600 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 1601 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 1603 grant_type=password&username=johndoe&password=A3ddj3w 1605 The authorization server MUST: 1607 o require client authentication for confidential clients or for any 1608 client that was issued client credentials (or with other 1609 authentication requirements), 1610 o authenticate the client if client authentication is included, and 1611 o validate the resource owner password credentials using its 1612 existing password validation algorithm. 1614 Since this access token request utilizes the resource owner's 1615 password, the authorization server MUST protect the endpoint against 1616 brute force attacks (e.g. using rate-limitation or generating 1617 alerts). 1619 4.3.3. Access Token Response 1621 If the access token request is valid and authorized, the 1622 authorization server issues an access token and optional refresh 1623 token as described in Section 5.1. If the request failed client 1624 authentication or is invalid, the authorization server returns an 1625 error response as described in Section 5.2. 1627 An example successful response: 1629 HTTP/1.1 200 OK 1630 Content-Type: application/json;charset=UTF-8 1631 Cache-Control: no-store 1632 Pragma: no-cache 1634 { 1635 "access_token":"2YotnFZFEjr1zCsicMWpAA", 1636 "token_type":"example", 1637 "expires_in":3600, 1638 "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", 1639 "example_parameter":"example_value" 1640 } 1642 4.4. Client Credentials Grant 1644 The client can request an access token using only its client 1645 credentials (or other supported means of authentication) when the 1646 client is requesting access to the protected resources under its 1647 control, or those of another resource owner which has been previously 1648 arranged with the authorization server (the method of which is beyond 1649 the scope of this specification). 1651 The client credentials grant type MUST only be used by confidential 1652 clients. 1654 +---------+ +---------------+ 1655 | | | | 1656 | |>--(A)- Client Authentication --->| Authorization | 1657 | Client | | Server | 1658 | |<--(B)---- Access Token ---------<| | 1659 | | | | 1660 +---------+ +---------------+ 1662 Figure 6: Client Credentials Flow 1664 The flow illustrated in Figure 6 includes the following steps: 1666 (A) The client authenticates with the authorization server and 1667 requests an access token from the token endpoint. 1668 (B) The authorization server authenticates the client, and if valid 1669 issues an access token. 1671 4.4.1. Authorization Request and Response 1673 Since the client authentication is used as the authorization grant, 1674 no additional authorization request is needed. 1676 4.4.2. Access Token Request 1678 The client makes a request to the token endpoint by adding the 1679 following parameters using the "application/x-www-form-urlencoded" 1680 format in the HTTP request entity-body: 1682 grant_type 1683 REQUIRED. Value MUST be set to "client_credentials". 1684 scope 1685 OPTIONAL. The scope of the access request as described by 1686 Section 3.3. 1688 The client MUST authenticate with the authorization server as 1689 described in Section 3.2.1. 1691 For example, the client makes the following HTTP request using 1692 transport-layer security (extra line breaks are for display purposes 1693 only): 1695 POST /token HTTP/1.1 1696 Host: server.example.com 1697 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 1698 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 1699 grant_type=client_credentials 1701 The authorization server MUST authenticate the client. 1703 4.4.3. Access Token Response 1705 If the access token request is valid and authorized, the 1706 authorization server issues an access token as described in 1707 Section 5.1. A refresh token SHOULD NOT be included. If the request 1708 failed client authentication or is invalid, the authorization server 1709 returns an error response as described in Section 5.2. 1711 An example successful response: 1713 HTTP/1.1 200 OK 1714 Content-Type: application/json;charset=UTF-8 1715 Cache-Control: no-store 1716 Pragma: no-cache 1718 { 1719 "access_token":"2YotnFZFEjr1zCsicMWpAA", 1720 "token_type":"example", 1721 "expires_in":3600, 1722 "example_parameter":"example_value" 1723 } 1725 4.5. Extension Grants 1727 The client uses an extension grant type by specifying the grant type 1728 using an absolute URI (defined by the authorization server) as the 1729 value of the "grant_type" parameter of the token endpoint, and by 1730 adding any additional parameters necessary. 1732 For example, to request an access token using a SAML 2.0 assertion 1733 grant type as defined by [I-D.ietf-oauth-saml2-bearer], the client 1734 makes the following HTTP request using TLS (line breaks are for 1735 display purposes only): 1737 POST /token HTTP/1.1 1738 Host: server.example.com 1739 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 1741 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2- 1742 bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU 1744 [...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24- 1746 If the access token request is valid and authorized, the 1747 authorization server issues an access token and optional refresh 1748 token as described in Section 5.1. If the request failed client 1749 authentication or is invalid, the authorization server returns an 1750 error response as described in Section 5.2. 1752 5. Issuing an Access Token 1754 If the access token request is valid and authorized, the 1755 authorization server issues an access token and optional refresh 1756 token as described in Section 5.1. If the request failed client 1757 authentication or is invalid, the authorization server returns an 1758 error response as described in Section 5.2. 1760 5.1. Successful Response 1762 The authorization server issues an access token and optional refresh 1763 token, and constructs the response by adding the following parameters 1764 to the entity body of the HTTP response with a 200 (OK) status code: 1766 access_token 1767 REQUIRED. The access token issued by the authorization server. 1768 token_type 1769 REQUIRED. The type of the token issued as described in 1770 Section 7.1. Value is case insensitive. 1771 expires_in 1772 RECOMMENDED. The lifetime in seconds of the access token. For 1773 example, the value "3600" denotes that the access token will 1774 expire in one hour from the time the response was generated. 1775 If omitted, the authorization server SHOULD provide the 1776 expiration time via other means or document the default value. 1777 refresh_token 1778 OPTIONAL. The refresh token which can be used to obtain new 1779 access tokens using the same authorization grant as described 1780 in Section 6. 1781 scope 1782 OPTIONAL, if identical to the scope requested by the client, 1783 otherwise REQUIRED. The scope of the access token as described 1784 by Section 3.3. 1786 The parameters are included in the entity body of the HTTP response 1787 using the "application/json" media type as defined by [RFC4627]. The 1788 parameters are serialized into a JSON structure by adding each 1789 parameter at the highest structure level. Parameter names and string 1790 values are included as JSON strings. Numerical values are included 1791 as JSON numbers. The order of parameters does not matter and can 1792 vary. 1794 The authorization server MUST include the HTTP "Cache-Control" 1795 response header field [RFC2616] with a value of "no-store" in any 1796 response containing tokens, credentials, or other sensitive 1797 information, as well as the "Pragma" response header field [RFC2616] 1798 with a value of "no-cache". 1800 For example: 1802 HTTP/1.1 200 OK 1803 Content-Type: application/json;charset=UTF-8 1804 Cache-Control: no-store 1805 Pragma: no-cache 1807 { 1808 "access_token":"2YotnFZFEjr1zCsicMWpAA", 1809 "token_type":"example", 1810 "expires_in":3600, 1811 "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", 1812 "example_parameter":"example_value" 1813 } 1815 The client MUST ignore unrecognized value names in the response. The 1816 sizes of tokens and other values received from the authorization 1817 server are left undefined. The client should avoid making 1818 assumptions about value sizes. The authorization server SHOULD 1819 document the size of any value it issues. 1821 5.2. Error Response 1823 The authorization server responds with an HTTP 400 (Bad Request) 1824 status code (unless specified otherwise) and includes the following 1825 parameters with the response: 1827 error 1828 REQUIRED. A single error code from the following: 1829 invalid_request 1830 The request is missing a required parameter, includes an 1831 unsupported parameter value (other than grant type), 1832 repeats a parameter, includes multiple credentials, 1833 utilizes more than one mechanism for authenticating the 1834 client, or is otherwise malformed. 1836 invalid_client 1837 Client authentication failed (e.g. unknown client, no 1838 client authentication included, or unsupported 1839 authentication method). The authorization server MAY 1840 return an HTTP 401 (Unauthorized) status code to indicate 1841 which HTTP authentication schemes are supported. If the 1842 client attempted to authenticate via the "Authorization" 1843 request header field, the authorization server MUST 1844 respond with an HTTP 401 (Unauthorized) status code, and 1845 include the "WWW-Authenticate" response header field 1846 matching the authentication scheme used by the client. 1847 invalid_grant 1848 The provided authorization grant (e.g. authorization 1849 code, resource owner credentials) or refresh token is 1850 invalid, expired, revoked, does not match the redirection 1851 URI used in the authorization request, or was issued to 1852 another client. 1853 unauthorized_client 1854 The authenticated client is not authorized to use this 1855 authorization grant type. 1856 unsupported_grant_type 1857 The authorization grant type is not supported by the 1858 authorization server. 1859 invalid_scope 1860 The requested scope is invalid, unknown, malformed, or 1861 exceeds the scope granted by the resource owner. 1862 error_description 1863 OPTIONAL. A human-readable UTF-8 encoded text providing 1864 additional information, used to assist the client developer in 1865 understanding the error that occurred. 1866 error_uri 1867 OPTIONAL. A URI identifying a human-readable web page with 1868 information about the error, used to provide the client 1869 developer with additional information about the error. 1871 The parameters are included in the entity body of the HTTP response 1872 using the "application/json" media type as defined by [RFC4627]. The 1873 parameters are serialized into a JSON structure by adding each 1874 parameter at the highest structure level. Parameter names and string 1875 values are included as JSON strings. Numerical values are included 1876 as JSON numbers. The order of parameters does not matter and can 1877 vary. 1879 For example: 1881 HTTP/1.1 400 Bad Request 1882 Content-Type: application/json;charset=UTF-8 1883 Cache-Control: no-store 1884 Pragma: no-cache 1886 { 1887 "error":"invalid_request" 1888 } 1890 6. Refreshing an Access Token 1892 If the authorization server issued a refresh token to the client, the 1893 client makes a refresh request to the token endpoint by adding the 1894 following parameters using the "application/x-www-form-urlencoded" 1895 format in the HTTP request entity-body: 1897 grant_type 1898 REQUIRED. Value MUST be set to "refresh_token". 1899 refresh_token 1900 REQUIRED. The refresh token issued to the client. 1901 scope 1902 OPTIONAL. The scope of the access request as described by 1903 Section 3.3. The requested scope MUST NOT include any scope 1904 not originally granted by the resource owner, and if omitted is 1905 treated as equal to the scope originally granted by the 1906 resource owner. 1908 Because refresh tokens are typically long-lasting credentials used to 1909 request additional access tokens, the refresh token is bound to the 1910 client which it was issued. If the client type is confidential or 1911 the client was issued client credentials (or assigned other 1912 authentication requirements), the client MUST authenticate with the 1913 authorization server as described in Section 3.2.1. 1915 For example, the client makes the following HTTP request using 1916 transport-layer security (extra line breaks are for display purposes 1917 only): 1919 POST /token HTTP/1.1 1920 Host: server.example.com 1921 Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW 1922 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 1923 grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA 1925 The authorization server MUST: 1927 o require client authentication for confidential clients or for any 1928 client that was issued client credentials (or with other 1929 authentication requirements), 1930 o authenticate the client if client authentication is included and 1931 ensure the refresh token was issued to the authenticated client, 1932 and 1933 o validate the refresh token. 1935 If valid and authorized, the authorization server issues an access 1936 token as described in Section 5.1. If the request failed 1937 verification or is invalid, the authorization server returns an error 1938 response as described in Section 5.2. 1940 The authorization server MAY issue a new refresh token, in which case 1941 the client MUST discard the old refresh token and replace it with the 1942 new refresh token. The authorization server MAY revoke the old 1943 refresh token after issuing a new refresh token to the client. If a 1944 new refresh token is issued, the refresh token scope MUST be 1945 identical to that of the refresh token included by the client in the 1946 request. 1948 7. Accessing Protected Resources 1950 The client accesses protected resources by presenting the access 1951 token to the resource server. The resource server MUST validate the 1952 access token and ensure it has not expired and that its scope covers 1953 the requested resource. The methods used by the resource server to 1954 validate the access token (as well as any error responses) are beyond 1955 the scope of this specification, but generally involve an interaction 1956 or coordination between the resource server and the authorization 1957 server. 1959 The method in which the client utilized the access token to 1960 authenticate with the resource server depends on the type of access 1961 token issued by the authorization server. Typically, it involves 1962 using the HTTP "Authorization" request header field [RFC2617] with an 1963 authentication scheme defined by the access token type specification. 1965 7.1. Access Token Types 1967 The access token type provides the client with the information 1968 required to successfully utilize the access token to make a protected 1969 resource request (along with type-specific attributes). The client 1970 MUST NOT use an access token if it does not understand the token 1971 type. 1973 For example, the "bearer" token type defined in 1974 [I-D.ietf-oauth-v2-bearer] is utilized by simply including the access 1975 token string in the request: 1977 GET /resource/1 HTTP/1.1 1978 Host: example.com 1979 Authorization: Bearer 7Fjfp0ZBr1KtDRbnfVdmIw 1981 while the "mac" token type defined in [I-D.ietf-oauth-v2-http-mac] is 1982 utilized by issuing a MAC key together with the access token which is 1983 used to sign certain components of the HTTP requests: 1985 GET /resource/1 HTTP/1.1 1986 Host: example.com 1987 Authorization: MAC id="h480djs93hd8", 1988 nonce="274312:dj83hs9s", 1989 mac="kDZvddkndxvhGRXZhvuDjEWhGeE=" 1991 The above examples are provided for illustration purposes only. 1992 Developers are advised to consult the [I-D.ietf-oauth-v2-bearer] and 1993 [I-D.ietf-oauth-v2-http-mac] specifications before use. 1995 Each access token type definition specifies the additional attributes 1996 (if any) sent to the client together with the "access_token" response 1997 parameter. It also defines the HTTP authentication method used to 1998 include the access token when making a protected resource request. 2000 8. Extensibility 2002 8.1. Defining Access Token Types 2004 Access token types can be defined in one of two ways: registered in 2005 the access token type registry (following the procedures in 2006 Section 11.1), or by using a unique absolute URI as its name. 2008 Types utilizing a URI name SHOULD be limited to vendor-specific 2009 implementations that are not commonly applicable, and are specific to 2010 the implementation details of the resource server where they are 2011 used. 2013 All other types MUST be registered. Type names MUST conform to the 2014 type-name ABNF. If the type definition includes a new HTTP 2015 authentication scheme, the type name SHOULD be identical to the HTTP 2016 authentication scheme name (as defined by [RFC2617]). The token type 2017 "example" is reserved for use in examples. 2019 type-name = 1*name-char 2020 name-char = "-" / "." / "_" / DIGIT / ALPHA 2022 8.2. Defining New Endpoint Parameters 2024 New request or response parameters for use with the authorization 2025 endpoint or the token endpoint are defined and registered in the 2026 parameters registry following the procedure in Section 11.2. 2028 Parameter names MUST conform to the param-name ABNF and parameter 2029 values syntax MUST be well-defined (e.g., using ABNF, or a reference 2030 to the syntax of an existing parameter). 2032 param-name = 1*name-char 2033 name-char = "-" / "." / "_" / DIGIT / ALPHA 2035 Unregistered vendor-specific parameter extensions that are not 2036 commonly applicable, and are specific to the implementation details 2037 of the authorization server where they are used SHOULD utilize a 2038 vendor-specific prefix that is not likely to conflict with other 2039 registered values (e.g. begin with 'companyname_'). 2041 8.3. Defining New Authorization Grant Types 2043 New authorization grant types can be defined by assigning them a 2044 unique absolute URI for use with the "grant_type" parameter. If the 2045 extension grant type requires additional token endpoint parameters, 2046 they MUST be registered in the OAuth parameters registry as described 2047 by Section 11.2. 2049 8.4. Defining New Authorization Endpoint Response Types 2051 New response types for use with the authorization endpoint are 2052 defined and registered in the authorization endpoint response type 2053 registry following the procedure in Section 11.3. Response type 2054 names MUST conform to the response-type ABNF. 2056 response-type = response-name *( SP response-name ) 2057 response-name = 1*response-char 2058 response-char = "_" / DIGIT / ALPHA 2060 If a response type contains one or more space characters (%x20), it 2061 is compared as a space-delimited list of values in which the order of 2062 values does not matter. Only one order of values can be registered, 2063 which covers all other arrangements of the same set of values. 2065 For example, the response type "token code" is left undefined by this 2066 specification. However, an extension can define and register the 2067 "token code" response type. Once registered, the same combination 2068 cannot be registered as "code token", but both values can be used to 2069 denote the same response type. 2071 8.5. Defining Additional Error Codes 2073 In cases where protocol extensions (i.e. access token types, 2074 extension parameters, or extension grant types) require additional 2075 error codes to be used with the authorization code grant error 2076 response (Section 4.1.2.1), the implicit grant error response 2077 (Section 4.2.2.1), or the token error response (Section 5.2), such 2078 error codes MAY be defined. 2080 Extension error codes MUST be registered (following the procedures in 2081 Section 11.4) if the extension they are used in conjunction with is a 2082 registered access token type, a registered endpoint parameter, or an 2083 extension grant type. Error codes used with unregistered extensions 2084 MAY be registered. 2086 Error codes MUST conform to the error-code ABNF, and SHOULD be 2087 prefixed by an identifying name when possible. For example, an error 2088 identifying an invalid value set to the extension parameter "example" 2089 SHOULD be named "example_invalid". 2091 error-code = ALPHA *error-char 2092 error-char = "-" / "." / "_" / DIGIT / ALPHA 2094 9. Native Applications 2096 Native applications are clients installed and executed on the device 2097 used by the resource owner (i.e. desktop application, native mobile 2098 application). Native applications require special consideration 2099 related to security, platform capabilities, and overall end-user 2100 experience. 2102 The authorization endpoint requires interaction between the client 2103 and the resource owner's user-agent. Native applications can invoke 2104 an external user-agent or embed a user-agent within the application. 2105 For example: 2107 o External user-agent - the native application can capture the 2108 response from the authorization server using a redirection URI 2109 with a scheme registered with the operating system to invoke the 2110 client as the handler, manual copy-and-paste of the credentials, 2111 running a local web server, installing a user-agent extension, or 2112 by providing a redirection URI identifying a server-hosted 2113 resource under the client's control, which in turn makes the 2114 response available to the native application. 2115 o Embedded user-agent - the native application obtains the response 2116 by directly communicating with the embedded user-agent by 2117 monitoring state changes emitted during the resource load, or 2118 accessing the user-agent's cookies storage. 2120 When choosing between an external or embedded user-agent, developers 2121 should consider: 2123 o An External user-agent may improve completion rate as the resource 2124 owner may already have an active session with the authorization 2125 server removing the need to re-authenticate. It provides a 2126 familiar end-user experience and functionality. The resource 2127 owner may also rely on user-agent features or extensions to assist 2128 with authentication (e.g. password manager, 2-factor device 2129 reader). 2130 o An embedded user-agent may offer improved usability, as it removes 2131 the need to switch context and open new windows. 2132 o An embedded user-agent poses a security challenge because resource 2133 owners are authenticating in an unidentified window without access 2134 to the visual protections found in most external user-agents. An 2135 embedded user-agent educates end-users to trust unidentified 2136 requests for authentication (making phishing attacks easier to 2137 execute). 2139 When choosing between the implicit grant type and the authorization 2140 code grant type, the following should be considered: 2142 o Native applications that use the authorization code grant type 2143 SHOULD do so without using client credentials, due to the native 2144 application's inability to keep client credentials confidential. 2145 o When using the implicit grant type flow a refresh token is not 2146 returned which requires repeating the authorization process once 2147 the access token expires. 2149 10. Security Considerations 2151 As a flexible and extensible framework, OAuth's security 2152 considerations depend on many factors. The following sections 2153 provide implementers with security guidelines focused on the three 2154 client profiles described in Section 2.1: web application, user- 2155 agent-based application, and native application. 2157 A comprehensive OAuth security model and analysis, as well as 2158 background for the protocol design is provided by 2159 [I-D.ietf-oauth-v2-threatmodel]. 2161 10.1. Client Authentication 2163 The authorization server establishes client credentials with web 2164 application clients for the purpose of client authentication. The 2165 authorization server is encouraged to consider stronger client 2166 authentication means than a client password. Web application clients 2167 MUST ensure confidentiality of client passwords and other client 2168 credentials. 2170 The authorization server MUST NOT issue client passwords or other 2171 client credentials to native application or user-agent-based 2172 application clients for the purpose of client authentication. The 2173 authorization server MAY issue a client password or other credentials 2174 for a specific installation of a native application client on a 2175 specific device. 2177 When client authentication is not possible, the authorization server 2178 SHOULD employ other means to validate the client's identity. For 2179 example, by requiring the registration of the client redirection URI 2180 or enlisting the resource owner to confirm identity. A valid 2181 redirection URI is not sufficient to verify the client's identity 2182 when asking for resource owner authorization, but can be used to 2183 prevent delivering credentials to a counterfeit client after 2184 obtaining resource owner authorization. 2186 The authorization server must consider the security implications of 2187 interacting with unauthenticated clients and take measures to limit 2188 the potential exposure of other credentials (e.g. refresh tokens) 2189 issued to such clients. 2191 10.2. Client Impersonation 2193 A malicious client can impersonate another client and obtain access 2194 to protected resources, if the impersonated client fails to, or is 2195 unable to, keep its client credentials confidential. 2197 The authorization server MUST authenticate the client whenever 2198 possible. If the authorization server cannot authenticate the client 2199 due to the client's nature, the authorization server MUST require the 2200 registration of any redirection URI used for receiving authorization 2201 responses, and SHOULD utilize other means to protect resource owners 2202 from such potentially malicious clients. For example, the 2203 authorization server can engage the resource owner to assist in 2204 identifying the client and its origin. 2206 The authorization server SHOULD enforce explicit resource owner 2207 authentication and provide the resource owner with information about 2208 the client and the requested authorization scope and lifetime. It is 2209 up to the resource owner to review the information in the context of 2210 the current client, and authorize or deny the request. 2212 The authorization server SHOULD NOT process repeated authorization 2213 requests automatically (without active resource owner interaction) 2214 without authenticating the client or relying on other measures to 2215 ensure the repeated request comes from the original client and not an 2216 impersonator. 2218 10.3. Access Tokens 2220 Access token credentials (as well as any confidential access token 2221 attributes) MUST be kept confidential in transit and storage, and 2222 only shared among the authorization server, the resource servers the 2223 access token is valid for, and the client to whom the access token is 2224 issued. Access token credentials MUST only be transmitted using TLS 2225 as described in Section 1.6 with server authentication as defined by 2226 [RFC2818]. 2228 When using the implicit grant type, the access token is transmitted 2229 in the URI fragment, which can expose it to unauthorized parties. 2231 The authorization server MUST ensure that access tokens cannot be 2232 generated, modified, or guessed to produce valid access tokens by 2233 unauthorized parties. 2235 The client SHOULD request access tokens with the minimal scope 2236 necessary. The authorization server SHOULD take the client identity 2237 into account when choosing how to honor the requested scope, and MAY 2238 issue an access token with a less rights than requested. 2240 This specification does not provide any methods for the resource 2241 server to ensure that an access token presented to it by a given 2242 client, was issued to the that client by the authorization server. 2244 10.4. Refresh Tokens 2246 Authorization servers MAY issue refresh tokens to web application 2247 clients and native application clients. 2249 Refresh tokens MUST be kept confidential in transit and storage, and 2250 shared only among the authorization server and the client to whom the 2251 refresh tokens were issued. The authorization server MUST maintain 2252 the binding between a refresh token and the client to whom it was 2253 issued. Refresh tokens MUST only be transmitted using TLS as 2254 described in Section 1.6 with server authentication as defined by 2255 [RFC2818]. 2257 The authorization server MUST verify the binding between the refresh 2258 token and client identity whenever the client identity can be 2259 authenticated. When client authentication is not possible, the 2260 authorization server SHOULD deploy other means to detect refresh 2261 token abuse. 2263 For example, the authorization server could employ refresh token 2264 rotation in which a new refresh token is issued with every access 2265 token refresh response. The previous refresh token is invalidated 2266 but retained by the authorization server. If a refresh token is 2267 compromised and subsequently used by both the attacker and the 2268 legitimate client, one of them will present an invalidated refresh 2269 token which will inform the authorization server of the breach. 2271 The authorization server MUST ensure that refresh tokens cannot be 2272 generated, modified, or guessed to produce valid refresh tokens by 2273 unauthorized parties. 2275 10.5. Authorization Codes 2277 The transmission of authorization codes SHOULD be made over a secure 2278 channel, and the client SHOULD require the use of TLS with its 2279 redirection URI if the URI identifies a network resource. Since 2280 authorization codes are transmitted via user-agent redirections, they 2281 could potentially be disclosed through user-agent history and HTTP 2282 referrer headers. 2284 Authorization codes operate as plaintext bearer credentials, used to 2285 verify that the resource owner who granted authorization at the 2286 authorization server is the same resource owner returning to the 2287 client to complete the process. Therefore, if the client relies on 2288 the authorization code for its own resource owner authentication, the 2289 client redirection endpoint MUST require the use of TLS. 2291 Authorization codes MUST be short lived and single use. If the 2292 authorization server observes multiple attempts to exchange an 2293 authorization code for an access token, the authorization server 2294 SHOULD attempt to revoke all access tokens already granted based on 2295 the compromised authorization code. 2297 If the client can be authenticated, the authorization servers MUST 2298 authenticate the client and ensure that the authorization code was 2299 issued to the same client. 2301 10.6. Authorization Code Redirection URI Manipulation 2303 When requesting authorization using the authorization code grant 2304 type, the client can specify a redirection URI via the "redirect_uri" 2305 parameter. If an attacker can manipulate the value of the 2306 redirection URI, it can cause the authorization server to redirect 2307 the resource owner user-agent to a URI under the control of the 2308 attacker with the authorization code. 2310 An attacker can create an account at a legitimate client and initiate 2311 the authorization flow. When the attacker's user-agent is sent to 2312 the authorization server to grant access, the attacker grabs the 2313 authorization URI provided by the legitimate client, and replaces the 2314 client's redirection URI with a URI under the control of the 2315 attacker. The attacker then tricks the victim into following the 2316 manipulated link to authorize access to the legitimate client. 2318 Once at the authorization server, the victim is prompted with a 2319 normal, valid request on behalf of a legitimate and trusted client, 2320 and authorizes the request. The victim is then redirected to an 2321 endpoint under the control of the attacker with the authorization 2322 code. The attacker completes the authorization flow by sending the 2323 authorization code to the client using the original redirection URI 2324 provided by the client. The client exchanges the authorization code 2325 with an access token and links it to the attacker's client account 2326 which can now gain access to the protected resources authorized by 2327 the victim (via the client). 2329 In order to prevent such an attack, the authorization server MUST 2330 ensure that the redirection URI used to obtain the authorization code 2331 is identical to the redirection URI provided when exchanging the 2332 authorization code for an access token. The authorization server 2333 MUST require public clients and SHOULD require confidential clients 2334 to register their redirection URIs. If a redirection URI is provided 2335 in the request, the authorization server MUST validate it against the 2336 registered value. 2338 10.7. Resource Owner Password Credentials 2340 The resource owner password credentials grant type is often used for 2341 legacy or migration reasons. It reduces the overall risk of storing 2342 username and password by the client, but does not eliminate the need 2343 to expose highly privileged credentials to the client. 2345 This grant type carries a higher risk than other grant types because 2346 it maintains the password anti-pattern this protocol seeks to avoid. 2347 The client could abuse the password or the password could 2348 unintentionally be disclosed to an attacker (e.g. via log files or 2349 other records kept by the client). 2351 Additionally, because the resource owner does not have control over 2352 the authorization process (the resource owner involvement ends when 2353 it hands over its credentials to the client), the client can obtain 2354 access tokens with a broader scope than desired by the resource 2355 owner. The authorization server should consider the scope and 2356 lifetime of access tokens issued via this grant type. 2358 The authorization server and client SHOULD minimize use of this grant 2359 type and utilize other grant types whenever possible. 2361 10.8. Request Confidentiality 2363 Access tokens, refresh tokens, resource owner passwords, and client 2364 credentials MUST NOT be transmitted in the clear. Authorization 2365 codes SHOULD NOT be transmitted in the clear. 2367 The "state" and "scope" parameters SHOULD NOT include sensitive 2368 client or resource owner information in plain text as they can be 2369 transmitted over insecure channels or stored insecurely. 2371 10.9. Endpoints Authenticity 2373 In order to prevent man-in-the-middle attacks, the authorization 2374 server MUST require the use of TLS with server authentication as 2375 defined by [RFC2818] for any request sent to the authorization and 2376 token endpoints. The client MUST validate the authorization server's 2377 TLS certificate as defined by [RFC6125], and in accordance with its 2378 requirements for server identity authentication. 2380 10.10. Credentials Guessing Attacks 2382 The authorization server MUST prevent attackers from guessing access 2383 tokens, authorization codes, refresh tokens, resource owner 2384 passwords, and client credentials. 2386 The probability of an attacker guessing generated tokens (and other 2387 credentials not intended for handling by end-users) MUST be less than 2388 or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160). 2390 The authorization server MUST utilize other means to protect 2391 credentials intended for end-user usage. 2393 10.11. Phishing Attacks 2395 Wide deployment of this and similar protocols may cause end-users to 2396 become inured to the practice of being redirected to websites where 2397 they are asked to enter their passwords. If end-users are not 2398 careful to verify the authenticity of these websites before entering 2399 their credentials, it will be possible for attackers to exploit this 2400 practice to steal resource owners' passwords. 2402 Service providers should attempt to educate end-users about the risks 2403 phishing attacks pose, and should provide mechanisms that make it 2404 easy for end-users to confirm the authenticity of their sites. 2405 Client developers should consider the security implications of how 2406 they interact with the user-agent (e.g., external, embedded), and the 2407 ability of the end-user to verify the authenticity of the 2408 authorization server. 2410 To reduce the risk of phishing attacks, the authorization servers 2411 MUST require the use of TLS on every endpoint used for end-user 2412 interaction. 2414 10.12. Cross-Site Request Forgery 2416 Cross-site request forgery (CSRF) is an exploit in which an attacker 2417 causes the user-agent of a victim end-user to follow a malicious URI 2418 (e.g. provided to the user-agent as a misleading link, image, or 2419 redirection) to a trusting server (usually established via the 2420 presence of a valid session cookie). 2422 A CSRF attack against the client's redirection URI allows an attacker 2423 to inject their own authorization code or access token, which can 2424 result in the client using an access token associated with the 2425 attacker's protected resources rather than the victim's (e.g. save 2426 the victim's bank account information to a protected resource 2427 controlled by the attacker). 2429 The client MUST implement CSRF protection for its redirection URI. 2430 This is typically accomplished by requiring any request sent to the 2431 redirection URI endpoint to include a value that binds the request to 2432 the user-agent's authenticated state (e.g. a hash of the session 2433 cookie used to authenticate the user-agent). The client SHOULD 2434 utilize the "state" request parameter to deliver this value to the 2435 authorization server when making an authorization request. 2437 Once authorization has been obtained from the end-user, the 2438 authorization server redirects the end-user's user-agent back to the 2439 client with the required binding value contained in the "state" 2440 parameter. The binding value enables the client to verify the 2441 validity of the request by matching the binding value to the user- 2442 agent's authenticated state. The binding value used for CSRF 2443 protection MUST contain a non-guessable value (as described in 2444 Section 10.10), and the user-agent's authenticated state (e.g. 2445 session cookie, HTML5 local storage) MUST be kept in a location 2446 accessible only to the client and the user-agent (i.e., protected by 2447 same-origin policy). 2449 A CSRF attack against the authorization server's authorization 2450 endpoint can result in an attacker obtaining end-user authorization 2451 for a malicious client without involving or alerting the end-user. 2453 The authorization server MUST implement CSRF protection for its 2454 authorization endpoint, and ensure that a malicious client cannot 2455 obtain authorization without the awareness and explicit consent of 2456 the resource owner. 2458 10.13. Clickjacking 2460 In a clickjacking attack, an attacker registers a legitimate client 2461 and then constructs a malicious site in which it loads the 2462 authorization server's authorization endpoint web page in a 2463 transparent iframe overlaid on top of a set of dummy buttons which 2464 are carefully constructed to be placed directly under important 2465 buttons on the authorization page. When an end-user clicks a 2466 misleading visible button, the end-user is actually clicking an 2467 invisible button on the authorization page (such as an "Authorize" 2468 button). This allows an attacker to trick a resource owner into 2469 granting its client access without their knowledge. 2471 To prevent this form of attack, native applications SHOULD use 2472 external browsers instead of embedding browsers within the 2473 application when requesting end-user authorization. For most newer 2474 browsers, avoidance of iframes can be enforced by the authorization 2475 server using the (non-standard) "x-frame-options" header. This 2476 header can have two values, "deny" and "sameorigin", which will block 2477 any framing, or framing by sites with a different origin, 2478 respectively. For older browsers, javascript framebusting techniques 2479 can be used but may not be effective in all browsers. 2481 10.14. Code Injection and Input Validation 2483 A code injection attack occurs when an input or otherwise external 2484 variable is used by an application unsanitized and causes 2485 modification to the application logic. This may allow an attacker to 2486 gain access to the application device or its data, cause denial of 2487 service, or a wide range of malicious side-effects. 2489 The Authorization server and client MUST sanitize (and validate when 2490 possible) any value received, in particular, the value of the "state" 2491 and "redirect_uri" parameters. 2493 10.15. Open Redirectors 2495 The authorization server authorization endpoint and the client 2496 redirection endpoint can be improperly configured and operate as open 2497 redirectors. An open redirector is an endpoint using a parameter to 2498 automatically redirect a user-agent to the location specified by the 2499 parameter value without any validation. 2501 Open redirectors can be used in phishing attacks, or by an attacker 2502 to get end-users to visit malicious sites by making the URI's 2503 authority look like a familiar and trusted destination. In addition, 2504 if the authorization server allows the client to register only part 2505 of the redirection URI, an attacker can use an open redirector 2506 operated by the client to construct a redirection URI that will pass 2507 the authorization server validation but will send the authorization 2508 code or access token to an endpoint under the control of the 2509 attacker. 2511 11. IANA Considerations 2513 11.1. The OAuth Access Token Type Registry 2515 This specification establishes the OAuth access token type registry. 2517 Access token types are registered with a Specification Required 2518 ([RFC5226]) after a two weeks review period on the [TBD]@ietf.org 2519 mailing list, on the advice of one or more Designated Experts. 2520 However, to allow for the allocation of values prior to publication, 2521 the Designated Expert(s) may approve registration once they are 2522 satisfied that such a specification will be published. 2524 Registration requests must be sent to the [TBD]@ietf.org mailing list 2525 for review and comment, with an appropriate subject (e.g., "Request 2526 for access token type: example"). [[ Note to RFC-EDITOR: The name of 2527 the mailing list should be determined in consultation with the IESG 2528 and IANA. Suggested name: oauth-ext-review. ]] 2530 Within the review period, the Designated Expert(s) will either 2531 approve or deny the registration request, communicating this decision 2532 to the review list and IANA. Denials should include an explanation 2533 and, if applicable, suggestions as to how to make the request 2534 successful. 2536 IANA must only accept registry updates from the Designated Expert(s), 2537 and should direct all requests for registration to the review mailing 2538 list. 2540 11.1.1. Registration Template 2542 Type name: 2543 The name requested (e.g., "example"). 2544 Additional Token Endpoint Response Parameters: 2545 Additional response parameters returned together with the 2546 "access_token" parameter. New parameters MUST be separately 2547 registered in the OAuth parameters registry as described by 2548 Section 11.2. 2549 HTTP Authentication Scheme(s): 2550 The HTTP authentication scheme name(s), if any, used to 2551 authenticate protected resources requests using access tokens of 2552 this type. 2553 Change controller: 2554 For standards-track RFCs, state "IETF". For others, give the name 2555 of the responsible party. Other details (e.g., postal address, 2556 e-mail address, home page URI) may also be included. 2557 Specification document(s): 2558 Reference to the document that specifies the parameter, preferably 2559 including a URI that can be used to retrieve a copy of the 2560 document. An indication of the relevant sections may also be 2561 included, but is not required. 2563 11.2. The OAuth Parameters Registry 2565 This specification establishes the OAuth parameters registry. 2567 Additional parameters for inclusion in the authorization endpoint 2568 request, the authorization endpoint response, the token endpoint 2569 request, or the token endpoint response are registered with a 2570 Specification Required ([RFC5226]) after a two weeks review period on 2571 the [TBD]@ietf.org mailing list, on the advice of one or more 2572 Designated Experts. However, to allow for the allocation of values 2573 prior to publication, the Designated Expert(s) may approve 2574 registration once they are satisfied that such a specification will 2575 be published. 2577 Registration requests must be sent to the [TBD]@ietf.org mailing list 2578 for review and comment, with an appropriate subject (e.g., "Request 2579 for parameter: example"). [[ Note to RFC-EDITOR: The name of the 2580 mailing list should be determined in consultation with the IESG and 2581 IANA. Suggested name: oauth-ext-review. ]] 2583 Within the review period, the Designated Expert(s) will either 2584 approve or deny the registration request, communicating this decision 2585 to the review list and IANA. Denials should include an explanation 2586 and, if applicable, suggestions as to how to make the request 2587 successful. 2589 IANA must only accept registry updates from the Designated Expert(s), 2590 and should direct all requests for registration to the review mailing 2591 list. 2593 11.2.1. Registration Template 2595 Parameter name: 2596 The name requested (e.g., "example"). 2597 Parameter usage location: 2598 The location(s) where parameter can be used. The possible 2599 locations are: authorization request, authorization response, 2600 token request, or token response. 2601 Change controller: 2602 For standards-track RFCs, state "IETF". For others, give the name 2603 of the responsible party. Other details (e.g., postal address, 2604 e-mail address, home page URI) may also be included. 2605 Specification document(s): 2606 Reference to the document that specifies the parameter, preferably 2607 including a URI that can be used to retrieve a copy of the 2608 document. An indication of the relevant sections may also be 2609 included, but is not required. 2611 11.2.2. Initial Registry Contents 2613 The OAuth Parameters Registry's initial contents are: 2615 o Parameter name: client_id 2616 o Parameter usage location: authorization request, token request 2617 o Change controller: IETF 2618 o Specification document(s): [[ this document ]] 2620 o Parameter name: client_secret 2621 o Parameter usage location: token request 2622 o Change controller: IETF 2623 o Specification document(s): [[ this document ]] 2625 o Parameter name: response_type 2626 o Parameter usage location: authorization request 2627 o Change controller: IETF 2628 o Specification document(s): [[ this document ]] 2630 o Parameter name: redirect_uri 2631 o Parameter usage location: authorization request, token request 2632 o Change controller: IETF 2633 o Specification document(s): [[ this document ]] 2635 o Parameter name: scope 2636 o Parameter usage location: authorization request, authorization 2637 response, token request, token response 2638 o Change controller: IETF 2639 o Specification document(s): [[ this document ]] 2641 o Parameter name: state 2642 o Parameter usage location: authorization request, authorization 2643 response 2644 o Change controller: IETF 2645 o Specification document(s): [[ this document ]] 2647 o Parameter name: code 2648 o Parameter usage location: authorization response, token request 2649 o Change controller: IETF 2650 o Specification document(s): [[ this document ]] 2652 o Parameter name: error_description 2653 o Parameter usage location: authorization response, token response 2654 o Change controller: IETF 2655 o Specification document(s): [[ this document ]] 2657 o Parameter name: error_uri 2658 o Parameter usage location: authorization response, token response 2659 o Change controller: IETF 2660 o Specification document(s): [[ this document ]] 2662 o Parameter name: grant_type 2663 o Parameter usage location: token request 2664 o Change controller: IETF 2665 o Specification document(s): [[ this document ]] 2667 o Parameter name: access_token 2668 o Parameter usage location: authorization response, token response 2669 o Change controller: IETF 2670 o Specification document(s): [[ this document ]] 2672 o Parameter name: token_type 2673 o Parameter usage location: authorization response, token response 2674 o Change controller: IETF 2675 o Specification document(s): [[ this document ]] 2677 o Parameter name: expires_in 2678 o Parameter usage location: authorization response, token response 2679 o Change controller: IETF 2680 o Specification document(s): [[ this document ]] 2682 o Parameter name: username 2683 o Parameter usage location: token request 2684 o Change controller: IETF 2685 o Specification document(s): [[ this document ]] 2687 o Parameter name: password 2688 o Parameter usage location: token request 2689 o Change controller: IETF 2690 o Specification document(s): [[ this document ]] 2692 o Parameter name: refresh_token 2693 o Parameter usage location: token request, token response 2694 o Change controller: IETF 2695 o Specification document(s): [[ this document ]] 2697 11.3. The OAuth Authorization Endpoint Response Type Registry 2699 This specification establishes the OAuth authorization endpoint 2700 response type registry. 2702 Additional response type for use with the authorization endpoint are 2703 registered with a Specification Required ([RFC5226]) after a two 2704 weeks review period on the [TBD]@ietf.org mailing list, on the advice 2705 of one or more Designated Experts. However, to allow for the 2706 allocation of values prior to publication, the Designated Expert(s) 2707 may approve registration once they are satisfied that such a 2708 specification will be published. 2710 Registration requests must be sent to the [TBD]@ietf.org mailing list 2711 for review and comment, with an appropriate subject (e.g., "Request 2712 for response type: example"). [[ Note to RFC-EDITOR: The name of the 2713 mailing list should be determined in consultation with the IESG and 2714 IANA. Suggested name: oauth-ext-review. ]] 2716 Within the review period, the Designated Expert(s) will either 2717 approve or deny the registration request, communicating this decision 2718 to the review list and IANA. Denials should include an explanation 2719 and, if applicable, suggestions as to how to make the request 2720 successful. 2722 IANA must only accept registry updates from the Designated Expert(s), 2723 and should direct all requests for registration to the review mailing 2724 list. 2726 11.3.1. Registration Template 2728 Response type name: 2729 The name requested (e.g., "example"). 2730 Change controller: 2731 For standards-track RFCs, state "IETF". For others, give the name 2732 of the responsible party. Other details (e.g., postal address, 2733 e-mail address, home page URI) may also be included. 2734 Specification document(s): 2735 Reference to the document that specifies the type, preferably 2736 including a URI that can be used to retrieve a copy of the 2737 document. An indication of the relevant sections may also be 2738 included, but is not required. 2740 11.3.2. Initial Registry Contents 2742 The OAuth Authorization Endpoint Response Type Registry's initial 2743 contents are: 2745 o Response type name: code 2746 o Change controller: IETF 2747 o Specification document(s): [[ this document ]] 2749 o Response type name: token 2750 o Change controller: IETF 2751 o Specification document(s): [[ this document ]] 2753 11.4. The OAuth Extensions Error Registry 2755 This specification establishes the OAuth extensions error registry. 2757 Additional error codes used together with other protocol extensions 2758 (i.e. extension grant types, access token types, or extension 2759 parameters) are registered with a Specification Required ([RFC5226]) 2760 after a two weeks review period on the [TBD]@ietf.org mailing list, 2761 on the advice of one or more Designated Experts. However, to allow 2762 for the allocation of values prior to publication, the Designated 2763 Expert(s) may approve registration once they are satisfied that such 2764 a specification will be published. 2766 Registration requests must be sent to the [TBD]@ietf.org mailing list 2767 for review and comment, with an appropriate subject (e.g., "Request 2768 for error code: example"). [[ Note to RFC-EDITOR: The name of the 2769 mailing list should be determined in consultation with the IESG and 2770 IANA. Suggested name: oauth-ext-review. ]] 2772 Within the review period, the Designated Expert(s) will either 2773 approve or deny the registration request, communicating this decision 2774 to the review list and IANA. Denials should include an explanation 2775 and, if applicable, suggestions as to how to make the request 2776 successful. 2778 IANA must only accept registry updates from the Designated Expert(s), 2779 and should direct all requests for registration to the review mailing 2780 list. 2782 11.4.1. Registration Template 2784 Error name: 2785 The name requested (e.g., "example"). 2786 Error usage location: 2787 The location(s) where the error can be used. The possible 2788 locations are: authorization code grant error response 2789 (Section 4.1.2.1), implicit grant error response 2790 (Section 4.2.2.1), or token error response (Section 5.2). 2791 Related protocol extension: 2792 The name of the extension grant type, access token type, or 2793 extension parameter, the error code is used in conjunction with. 2794 Change controller: 2795 For standards-track RFCs, state "IETF". For others, give the name 2796 of the responsible party. Other details (e.g., postal address, 2797 e-mail address, home page URI) may also be included. 2798 Specification document(s): 2799 Reference to the document that specifies the error code, 2800 preferably including a URI that can be used to retrieve a copy of 2801 the document. An indication of the relevant sections may also be 2802 included, but is not required. 2804 12. Acknowledgements 2806 The initial OAuth 2.0 protocol specification was edited by David 2807 Recordon, based on two previous publications: the OAuth 1.0 community 2808 specification [RFC5849], and OAuth WRAP (OAuth Web Resource 2809 Authorization Profiles) [I-D.draft-hardt-oauth-01]. The Security 2810 Considerations section was drafted by Torsten Lodderstedt, Mark 2811 McGloin, Phil Hunt, and Anthony Nadalin. 2813 The OAuth 1.0 community specification was edited by Eran Hammer and 2814 authored by Mark Atwood, Dirk Balfanz, Darren Bounds, Richard M. 2815 Conlan, Blaine Cook, Leah Culver, Breno de Medeiros, Brian Eaton, 2816 Kellan Elliott-McCrea, Larry Halff, Eran Hammer, Ben Laurie, Chris 2817 Messina, John Panzer, Sam Quigley, David Recordon, Eran Sandler, 2818 Jonathan Sergent, Todd Sieling, Brian Slesinsky, and Andy Smith. 2820 The OAuth WRAP specification was edited by Dick Hardt and authored by 2821 Brian Eaton, Yaron Goland, Dick Hardt, and Allen Tom. 2823 This specification is the work of the OAuth Working Group which 2824 includes dozens of active and dedicated participants. In particular, 2825 the following individuals contributed ideas, feedback, and wording 2826 which shaped and formed the final specification: 2828 Michael Adams, Amanda Anganes, Andrew Arnott, Dirk Balfanz, Aiden 2829 Bell, Brian Campbell, Scott Cantor, Marcos Caceres, Blaine Cook, 2830 Roger Crew, Brian Eaton, Wesley Eddy, Leah Culver, Bill de hOra, 2831 Andre DeMarre, Brian Eaton, Wolter Eldering, Brian Ellin, Igor 2832 Faynberg, George Fletcher, Tim Freeman, Luca Frosini, Evan Gilbert, 2833 Yaron Goland, Brent Goldman, Kristoffer Gronowski, Justin Hart, Dick 2834 Hardt, Craig Heath, Phil Hunt, Michael B. Jones, Terry Jones, John 2835 Kemp, Mark Kent, Raffi Krikorian, Chasen Le Hara, Rasmus Lerdorf, 2836 Torsten Lodderstedt, Hui-Lan Lu, Casey Lucas, Paul Madsen, Alastair 2837 Mair, Eve Maler, James Manger, Mark McGloin, Laurence Miao, William 2838 Mills, Chuck Mortimore, Anthony Nadalin, Julian Reschke, Justin 2839 Richer, Peter Saint-Andre, Nat Sakimura, Rob Sayre, Marius Scurtescu, 2840 Naitik Shah, Luke Shepard, Vlad Skvortsov, Justin Smith, Haibin Song, 2841 Niv Steingarten, Christian Stubner, Jeremy Suriel, Paul Tarjan, 2842 Christopher Thomas, Henry S. Thompson, Allen Tom, Franklin Tse, Nick 2843 Walker, Shane Weeden, and Skylar Woodward. 2845 This document was produced under the chairmanship of Blaine Cook, 2846 Peter Saint-Andre, Hannes Tschofenig, and Barry Leiba. The area 2847 directors included Lisa Dusseault, Peter Saint-Andre, and Stephen 2848 Farrell. 2850 Appendix A. Editor's Notes 2852 While many people contributed to this specification throughout its 2853 long journey, the editor would like to acknowledge and thank a few 2854 individuals for their outstanding and invaluable efforts leading up 2855 to the publication of this specification. 2857 David Recordon for continuously being one of OAuth's most valuable 2858 assets, bringing pragmatism and urgency to the work, and helping 2859 shape it from its very beginning, as well as being one of the best 2860 collaborators I had the pleasure of working with. 2862 James Manger for his creative ideas and always insightful feedback. 2863 Brian Campbell, Torsten Lodderstedt, Chuck Mortimore, Justin Richer, 2864 Marius Scurtescu, and Luke Shepard for their continued participation 2865 and valuable feedback. 2867 Special thanks goes to Mike Curtis and Yahoo! for their unconditional 2868 support of this work for over three years. 2870 13. References 2872 13.1. Normative References 2874 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2875 Requirement Levels", BCP 14, RFC 2119, March 1997. 2877 [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", 2878 RFC 2246, January 1999. 2880 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 2881 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 2882 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. 2884 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., 2885 Leach, P., Luotonen, A., and L. Stewart, "HTTP 2886 Authentication: Basic and Digest Access Authentication", 2887 RFC 2617, June 1999. 2889 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. 2891 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 2892 Resource Identifier (URI): Generic Syntax", STD 66, 2893 RFC 3986, January 2005. 2895 [RFC4627] Crockford, D., "The application/json Media Type for 2896 JavaScript Object Notation (JSON)", RFC 4627, July 2006. 2898 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", 2899 RFC 4949, August 2007. 2901 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 2902 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 2903 May 2008. 2905 [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax 2906 Specifications: ABNF", STD 68, RFC 5234, January 2008. 2908 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 2909 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 2911 [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and 2912 Verification of Domain-Based Application Service Identity 2913 within Internet Public Key Infrastructure Using X.509 2914 (PKIX) Certificates in the Context of Transport Layer 2915 Security (TLS)", RFC 6125, March 2011. 2917 [W3C.REC-html401-19991224] 2918 Hors, A., Raggett, D., and I. Jacobs, "HTML 4.01 2919 Specification", World Wide Web Consortium 2920 Recommendation REC-html401-19991224, December 1999, 2921 . 2923 13.2. Informative References 2925 [I-D.draft-hardt-oauth-01] 2926 Hardt, D., Ed., Tom, A., Eaton, B., and Y. Goland, "OAuth 2927 Web Resource Authorization Profiles", January 2010. 2929 [I-D.ietf-oauth-saml2-bearer] 2930 Mortimore, C., "SAML 2.0 Bearer Assertion Profiles for 2931 OAuth 2.0", draft-ietf-oauth-saml2-bearer-08 (work in 2932 progress), August 2011. 2934 [I-D.ietf-oauth-v2-bearer] 2935 Jones, M., Hardt, D., and D. Recordon, "The OAuth 2.0 2936 Protocol: Bearer Tokens", draft-ietf-oauth-v2-bearer-08 2937 (work in progress), July 2011. 2939 [I-D.ietf-oauth-v2-http-mac] 2940 Hammer-Lahav, E., Barth, A., and B. Adida, "HTTP 2941 Authentication: MAC Access Authentication", 2942 draft-ietf-oauth-v2-http-mac-00 (work in progress), 2943 May 2011. 2945 [I-D.ietf-oauth-v2-threatmodel] 2946 Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0 2947 Threat Model and Security Considerations", 2948 draft-ietf-oauth-v2-threatmodel-00 (work in progress), 2949 July 2011. 2951 [OASIS.saml-core-2.0-os] 2952 Cantor, S., Kemp, J., Philpott, R., and E. Maler, 2953 "Assertions and Protocol for the OASIS Security Assertion 2954 Markup Language (SAML) V2.0", OASIS Standard saml-core- 2955 2.0-os, March 2005. 2957 [RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, 2958 April 2010. 2960 Authors' Addresses 2962 Eran Hammer (editor) 2964 Email: eran@hueniverse.com 2965 URI: http://hueniverse.com 2967 David Recordon 2968 Facebook 2970 Email: dr@fb.com 2971 URI: http://www.davidrecordon.com/ 2973 Dick Hardt 2974 Microsoft 2976 Email: dick.hardt@gmail.com 2977 URI: http://dickhardt.org/