draft-ietf-oauth-v2-bearer-10.txt (-10) vs. draft-ietf-oauth-v2-bearer-11.txt (-11)

Network Working Group                                           M. Jones
Internet-Draft                                                 Microsoft
Intended status: Standards Track                                D. Hardt
[-10] Expires: April 21, 2012                                independent
[-11] Expires: April 27, 2012
                                                             D. Recordon
                                                                Facebook
[-10]                                                   October 19, 2011
[-11]                                                   October 25, 2011

          The OAuth 2.0 Authorization Protocol: Bearer Tokens
[-10]               draft-ietf-oauth-v2-bearer-10
[-11]               draft-ietf-oauth-v2-bearer-11
Abstract

This specification describes how to use bearer tokens in HTTP
requests to access OAuth 2.0 protected resources. Any party in
possession of a bearer token (a "bearer") can use it to get access to
granted resources (without demonstrating possession of a
cryptographic key). To prevent misuse, the bearer token MUST be
protected from disclosure in storage and in transport.
skipping to change at page 1, line 38

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

[-10] This Internet-Draft will expire on April 21, 2012.
[-11] This Internet-Draft will expire on April 27, 2012.
Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
skipping to change at page 5, line 14

F) The resource server validates the access token, and if valid,
serves the request.
2. Authenticated Requests

Clients MAY use bearer tokens to make authenticated requests to
access protected resources. This section defines three methods of
sending bearer access tokens in resource requests to resource
servers. Clients MUST NOT use more than one method to transmit the
[-10] token in each request
[-11] token in each request.
2.1. The Authorization Request Header Field

When sending the access token in the "Authorization" request header
field defined by [I-D.ietf-httpbis-p7-auth], the client uses the
"Bearer" authentication scheme to transmit the access token.

For example:

     GET /resource HTTP/1.1
skipping to change at page 7, line 15

3. The WWW-Authenticate Response Header Field

If the protected resource request does not include authentication
credentials or does not contain an access token that enables access
to the protected resource, the resource server MUST include the HTTP
"WWW-Authenticate" response header field; it MAY include it in
response to other conditions as well. The "WWW-Authenticate" header
field uses the framework defined by [I-D.ietf-httpbis-p7-auth] as
follows:
      challenge       = "Bearer" [ 1*SP 1#param ]
      param           = realm / scope /
                        error / error-desc / error-uri /
                        auth-param
[-10] scope           = "scope" "=" <"> scope-val *( SP scope-val ) <">
[-11] scope           = "scope" "=" DQUOTE scope-val *( SP scope-val ) DQUOTE
      scope-val       = 1*scope-val-char
      scope-val-char  = %x21 / %x23-5B / %x5D-7E
        ; HTTPbis P1 qdtext except whitespace, restricted to US-ASCII
      error           = "error" "=" quoted-string
[-10] error-desc      = "error_description" "=" <"> *error-desc-char <">
[-11] error-desc      = "error_description" "=" DQUOTE *error-desc-char DQUOTE
      error-desc-char = SP / VCHAR
[-10] error-uri       = "error_uri" "=" <"> URI-reference <">
[-11] error-uri       = "error_uri" "=" DQUOTE URI-reference DQUOTE
The "scope" attribute is a space-delimited list of scope values
indicating the required scope of the access token for accessing the
requested resource. The "scope" attribute MUST NOT appear more than
once. The "scope" value is intended for programmatic use and is not
meant to be displayed to end users.
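The ABNF above, together with the rule that "scope" MUST NOT appear more than once, is precise enough to check mechanically. The following is an added example, not part of the draft: a resource-server-side builder and a client-side parser for the Bearer challenge that enforce the scope-val-char and error-desc-char sets. The function names are the example's own, and "realm" is treated as an opaque quoted string.

```python
import re

# Character classes from the section 3 ABNF: scope-val-char excludes SP,
# DQUOTE (%x22) and backslash (%x5C); error-desc-char is SP / VCHAR.
SCOPE_VAL_CHAR = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+\Z")
ERROR_DESC_CHAR = re.compile(r"^[\x20-\x7E]*\Z")
# One auth-param: name "=" quoted-string, optionally followed by a comma.
_PARAM = re.compile(r'\s*([A-Za-z_]+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(?:,|\Z)')


def build_bearer_challenge(realm=None, scope=None, error=None,
                           error_description=None, error_uri=None):
    """Resource-server side: build the WWW-Authenticate field value.
    scope values failing scope-val-char are rejected, not emitted."""
    params = []
    if realm is not None:
        params.append('realm="%s"' % realm)
    if scope:
        if not all(SCOPE_VAL_CHAR.match(v) for v in scope):
            raise ValueError("invalid scope-val in %r" % scope)
        params.append('scope="%s"' % " ".join(scope))
    if error is not None:
        params.append('error="%s"' % error)
    if error_description is not None:
        if not ERROR_DESC_CHAR.match(error_description):
            raise ValueError("error_description must be SP / VCHAR only")
        params.append('error_description="%s"' % error_description)
    if error_uri is not None:
        params.append('error_uri="%s"' % error_uri)
    return "Bearer" + (" " + ", ".join(params) if params else "")


def parse_bearer_challenge(header_value):
    """Client side: parse a Bearer challenge into a dict ("scope" -> list).
    Raises ValueError on bad scheme, malformed or repeated-scope params."""
    if not header_value.lower().startswith("bearer"):
        raise ValueError("not a Bearer challenge")
    rest, params, pos = header_value[len("Bearer"):], {}, 0
    while pos < len(rest.rstrip()):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed param at %r" % rest[pos:])
        # Undo quoted-pair escapes, then apply the per-attribute rules.
        name, value = m.group(1).lower(), re.sub(r"\\(.)", r"\1", m.group(2))
        if name == "scope":
            if "scope" in params:
                raise ValueError("scope MUST NOT appear more than once")
            value = value.split(" ")
            if not all(SCOPE_VAL_CHAR.match(v) for v in value):
                raise ValueError("invalid scope-val in %r" % value)
        params[name] = value
        pos = m.end()
    return params
```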
If the protected resource request included an access token and failed
authentication, the resource server SHOULD include the "error"
attribute to provide the client with the reason why the access

skipping to change at page 14, line 29
Hammer-Lahav, Chasen Le Hara, Michael B. Jones, Torsten Lodderstedt,
Eve Maler, James Manger, Laurence Miao, Chuck Mortimore, Anthony
Nadalin, Justin Richer, Peter Saint-Andre, Nat Sakimura, Rob Sayre,
Marius Scurtescu, Naitik Shah, Justin Smith, Jeremy Suriel, Christian
Stuebner, Paul Tarjan, and Franklin Tse.

Appendix B. Document History

[[ to be removed by the RFC editor before publication as an RFC ]]
[-11] -11
[-11] o Replaced uses of <"> with DQUOTE to pass ABNF syntax check.

-10

o Removed the #auth-param option from Authorization header syntax
(leaving only the b64token syntax).

o Restricted the "scope" value character set to %x21 / %x23-5B /
%x5D-7E (printable ASCII characters excluding double-quote and
backslash). Indicated that scope is intended for programmatic use
and is not meant to be displayed to end users.
End of changes. 10 change blocks. 17 lines changed or deleted, 21 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/