draft-ietf-oauth-v2-bearer-22.txt  vs.  draft-ietf-oauth-v2-bearer-23.txt

-22:
OAuth Working Group                                             M. Jones
Internet-Draft                                                 Microsoft
Intended status: Standards Track                                D. Hardt
Expires: January 13, 2013                                    independent
                                                             D. Recordon
                                                                Facebook
                                                           July 12, 2012

-23:
OAuth Working Group                                             M. Jones
Internet-Draft                                                 Microsoft
Intended status: Standards Track                                D. Hardt
Expires: February 2, 2013                                    independent
                                                          August 1, 2012

          The OAuth 2.0 Authorization Framework: Bearer Token Usage
        draft-ietf-oauth-v2-bearer-22 (-22) / draft-ietf-oauth-v2-bearer-23 (-23)
Abstract

This specification describes how to use bearer tokens in HTTP
requests to access OAuth 2.0 protected resources. Any party in
possession of a bearer token (a "bearer") can use it to get access to
the associated resources (without demonstrating possession of a
cryptographic key). To prevent misuse, bearer tokens need to be
protected from disclosure in storage and in transport.
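The resource-server side of what the abstract describes, as an added example that is not part of this draft or of any implementation it references: it parses the Bearer credential from the Authorization header using the b64token syntax the specification defines (not reproduced on this page), looks the token up in a store that holds only token hashes (the "protected in storage" point), and builds the WWW-Authenticate challenge with the three error values listed under section 6.2 of the table of contents. The realm name, the sample tokens with their expiry times and scopes, and the refusal to honour a token that arrived over plaintext are constructed assumptions for the example.

```python
"""Resource-server side of the Bearer scheme: parse the Authorization header,
check the token against a store of token hashes, and build the
WWW-Authenticate challenge carrying the spec's error values."""
import hashlib
import re
from typing import Optional, Tuple

# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64TOKEN_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
REALM = "example"  # assumed realm name for the challenge


def token_digest(token: str) -> bytes:
    """Tokens are stored only as SHA-256 digests: a leaked store then
    contains no usable bearer credentials."""
    return hashlib.sha256(token.encode("ascii")).digest()


# Constructed sample token store (not from the spec): digest -> (expiry, scopes)
NOW = 1_700_000_000
_ISSUED = {
    "read.only.token": (NOW + 3600, {"read"}),
    "expired.token": (NOW - 1, {"read", "write"}),
    "read.write.token": (NOW + 3600, {"read", "write"}),
}
TOKEN_STORE = {token_digest(t): v for t, v in _ISSUED.items()}


def challenge(error: Optional[str] = None, description: Optional[str] = None,
              scope: Optional[str] = None) -> str:
    """Build the WWW-Authenticate value: Bearer realm="..." plus the optional
    error, error_description and scope parameters."""
    parts = [f'realm="{REALM}"']
    if error:
        parts.append(f'error="{error}"')
    if description:
        parts.append(f'error_description="{description}"')
    if scope:
        parts.append(f'scope="{scope}"')
    return "Bearer " + ", ".join(parts)


def authorize(authorization: Optional[str], required_scope: str, *,
              tls: bool = True, now: int = NOW) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, WWW-Authenticate value or None) for a request
    that carried the given Authorization header."""
    if not tls:
        # Assumption beyond the spec text: a token that crossed a plaintext
        # connection is already disclosed, so it is never honoured.
        return 400, challenge("invalid_request", "bearer tokens require TLS")
    if authorization is None:
        # No credentials at all: challenge without an error code.
        return 401, challenge()
    scheme, _, rest = authorization.partition(" ")
    if scheme.lower() != "bearer":
        # Some other scheme was offered; answer with the Bearer challenge.
        return 401, challenge()
    token = rest.lstrip(" ")
    if not B64TOKEN_RE.fullmatch(token):
        # Credential present but malformed: invalid_request -> 400.
        return 400, challenge("invalid_request", "malformed Bearer credential")
    entry = TOKEN_STORE.get(token_digest(token))
    if entry is None or entry[0] <= now:
        # Unknown, revoked or expired token: invalid_token -> 401.
        return 401, challenge("invalid_token", "token unknown, revoked or expired")
    if required_scope not in entry[1]:
        # Valid token that lacks the needed scope: insufficient_scope -> 403.
        return 403, challenge("insufficient_scope", scope=required_scope)
    return 200, None


if __name__ == "__main__":
    for hdr, scope in [(None, "read"), ("Bearer read.only.token", "read"),
                       ("Bearer read.only.token", "write"),
                       ("Bearer expired.token", "read"),
                       ("Bearer not-a-token", "read"), ("Bearer bad token", "read")]:
        print(repr(hdr), scope, "->", authorize(hdr, scope))
```

The specification also lets a client send the token as a form-encoded body parameter or a URI query parameter; this example accepts only the header form. Because lookup is by digest, the raw token is never compared byte by byte against stored values, and a copy of TOKEN_STORE is not itself a set of bearer credentials.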
skipping to change at page 1, line 38 (-22) / page 1, line 36 (-23)

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

-22: This Internet-Draft will expire on January 13, 2013.
-23: This Internet-Draft will expire on February 2, 2013.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
skipping to change at page 2, line 38 (-22) / page 2, line 36 (-23)

     6.1.1. The "Bearer" OAuth Access Token Type . . . . . . . . . 14
   6.2. OAuth Extensions Error Registration . . . . . . . . . . . 14
     6.2.1. The "invalid_request" Error Value . . . . . . . . . . 15
     6.2.2. The "invalid_token" Error Value . . . . . . . . . . . 15
     6.2.3. The "insufficient_scope" Error Value . . . . . . . . . 15
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
   7.1. Normative References . . . . . . . . . . . . . . . . . . . 16
   7.2. Informative References . . . . . . . . . . . . . . . . . . 17
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 17
Appendix B. Document History . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25 (-22) / 26 (-23)

1. Introduction

OAuth enables clients to access protected resources by obtaining an
access token, which is defined in OAuth 2.0 Authorization
[I-D.ietf-oauth-v2] as "a string representing an access authorization
issued to the client", rather than using the resource owner's
credentials directly.

Tokens are issued to clients by an authorization server with the
skipping to change at page 16, line 16

   IETF
   Specification document(s):
   [[ this document ]]

7. References

7.1. Normative References

[I-D.ietf-oauth-v2]
   -22: Hardt, D. and D. Recordon, "The OAuth 2.0 Authorization
        Framework", draft-ietf-oauth-v2-29 (work in progress),
        July 2012.
   -23: Hardt, D., "The OAuth 2.0 Authorization Framework",
        draft-ietf-oauth-v2-31 (work in progress), July 2012.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
          RFC 2246, January 1999.

[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
          Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
          Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
skipping to change at page 17, line 49 (-22) / page 17, line 47 (-23)

          Mortimore, C., and E. Jay, "OpenID Connect Messages 1.0",
          June 2012.

Appendix A. Acknowledgements

The following people contributed to preliminary versions of this
document: Blaine Cook (BT), Brian Eaton (Google), Yaron Y. Goland
(Microsoft), Brent Goldman (Facebook), Raffi Krikorian (Twitter),
Luke Shepard (Facebook), and Allen Tom (Yahoo!). The content and
concepts within are a product of the OAuth community, the WRAP
community, and the OAuth Working Group.
-23 only: David Recordon created a preliminary draft of this
specification based upon a preliminary version of OAuth 2.0 draft 11.
Michael B. Jones created draft 00 of this specification using portions
of David's preliminary draft, and edited all subsequent versions.

The OAuth Working Group has dozens of very active contributors who
proposed ideas and wording for this document, including: Michael
Adams, Amanda Anganes, Andrew Arnott, Derek Atkins, Dirk Balfanz,
John Bradley, Brian Campbell, Francisco Corella, Leah Culver, Bill de
hOra, Breno de Medeiros, Brian Ellin, Stephen Farrell, Igor Faynberg,
George Fletcher, Tim Freeman, Evan Gilbert, Yaron Y. Goland, Thomas
Hardjono, Justin Hart, Phil Hunt, John Kemp, Eran Hammer, Chasen Le
Hara, Dick Hardt, Barry Leiba, Amos Jeffries, Michael B. Jones,
Torsten Lodderstedt, Paul Madsen, Eve Maler, James Manger, Laurence

skipping to change at page 18, line 24 (-22) / page 18, line 27 (-23)

Richards, Justin Richer, Peter Saint-Andre, Nat Sakimura, Rob Sayre,
Marius Scurtescu, Naitik Shah, Justin Smith, Jeremy Suriel, Christian
Stuebner, Doug Tangren, Paul Tarjan, Hannes Tschofenig, Franklin Tse,
Sean Turner, Paul Walker, Shane Weeden, Skylar Woodward, and Zachary
Zeltsan.
Appendix B. Document History

[[ to be removed by the RFC editor before publication as an RFC ]]

-23 (entry present only in -23)

   o Removed David Recordon's name from the author list, at his
     request.

-22

   o Removed uses of HTTPbis in favor of RFC 2616 and RFC 2617, since
     HTTPbis is not an approved standard.

   o Match formatting of artwork elements with OAuth core
     specification.

-21
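Review bot: the -23 Document History entry records only the removal of David Recordon from the author list, but this revision also changes the normative reference [I-D.ietf-oauth-v2] from draft-ietf-oauth-v2-29 (Hardt and Recordon) to draft-ietf-oauth-v2-31 (Hardt), adds two sentences of attribution to Appendix A, and drops the Facebook entry from Authors' Addresses; list the reference bump and the Appendix A wording under -23 so the history matches the diff (the address removal follows from the author-list change and can be folded into that bullet).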
skipping to change at page 26, line 18 (-22) / line 1160 (-23)

   Microsoft

   Email: mbj@microsoft.com
   URI:   http://self-issued.info/

Dick Hardt
   independent

   Email: dick.hardt@gmail.com
   URI:   http://dickhardt.org/

-22 only:
David Recordon
   Facebook

   Email: dr@fb.com
   URI:   http://www.davidrecordon.com/
End of changes. 8 change blocks. 11 lines changed or deleted, 17 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/