[OAUTH-WG] RFC 8628 on OAuth 2.0 Device Authorization Grant
A new Request for Comments is now available in online RFC libraries.

        RFC 8628

        Title:      OAuth 2.0 Device Authorization Grant
        Author:     W. Denniss, J. Bradley, M. Jones, H. Tschofenig
        Status:     Standards Track
        Stream:     IETF
        Date:       August 2019
        Mailbox:    wdenn...@google.com, ve7...@ve7jtb.com, m...@microsoft.com, hannes.tschofe...@gmx.net
        Pages:      21
        Characters: 46718
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-device-flow-15.txt

        URL:        https://www.rfc-editor.org/info/rfc8628

        DOI:        10.17487/RFC8628

The OAuth 2.0 device authorization grant is designed for Internet-connected devices that either lack a browser to perform a user-agent-based authorization or are input constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical. It enables OAuth clients on such devices (like smart TVs, media consoles, digital picture frames, and printers) to obtain user authorization to access protected resources by using a user agent on a separate device.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  https://www.ietf.org/mailman/listinfo/ietf-announce
  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk

Requests for special distribution should be addressed to either the author of the RFC in question, or to rfc-edi...@rfc-editor.org. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution.

The RFC Editor Team
Association Management Solutions, LLC

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] RFC 8693 on OAuth 2.0 Token Exchange
A new Request for Comments is now available in online RFC libraries.

        RFC 8693

        Title:      OAuth 2.0 Token Exchange
        Author:     M. Jones, A. Nadalin, B. Campbell, Ed., J. Bradley, C. Mortimore
        Status:     Standards Track
        Stream:     IETF
        Date:       January 2020
        Mailbox:    m...@microsoft.com, tony...@microsoft.com, brian.d.campb...@gmail.com, ve7...@ve7jtb.com, chuck.mortim...@visa.com
        Pages:      27
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-token-exchange-19.txt

        URL:        https://www.rfc-editor.org/info/rfc8693

        DOI:        10.17487/RFC8693

This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
[OAUTH-WG] BCP 225, RFC 8725 on JSON Web Token Best Current Practices
A new Request for Comments is now available in online RFC libraries.

        BCP 225
        RFC 8725

        Title:      JSON Web Token Best Current Practices
        Author:     Y. Sheffer, D. Hardt, M. Jones
        Status:     Best Current Practice
        Stream:     IETF
        Date:       February 2020
        Mailbox:    yaronf.i...@gmail.com, dick.ha...@gmail.com, m...@microsoft.com
        Pages:      13
        Updates:    RFC 7519
        See Also:   BCP 225

        I-D Tag:    draft-ietf-oauth-jwt-bcp-07.txt

        URL:        https://www.rfc-editor.org/info/rfc8725

        DOI:        10.17487/RFC8725

JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

BCP: This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.
[OAUTH-WG] RFC 8705 on OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
A new Request for Comments is now available in online RFC libraries.

        RFC 8705

        Title:      OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
        Author:     B. Campbell, J. Bradley, N. Sakimura, T. Lodderstedt
        Status:     Standards Track
        Stream:     IETF
        Date:       February 2020
        Mailbox:    brian.d.campb...@gmail.com, ve7...@ve7jtb.com, n-sakim...@nri.co.jp, tors...@lodderstedt.net
        Pages:      24
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-mtls-17.txt

        URL:        https://www.rfc-editor.org/info/rfc8705

        DOI:        10.17487/RFC8705

This document describes OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
[OAUTH-WG] RFC 8707 on Resource Indicators for OAuth 2.0
A new Request for Comments is now available in online RFC libraries.

        RFC 8707

        Title:      Resource Indicators for OAuth 2.0
        Author:     B. Campbell, J. Bradley, H. Tschofenig
        Status:     Standards Track
        Stream:     IETF
        Date:       February 2020
        Mailbox:    brian.d.campb...@gmail.com, ve7...@ve7jtb.com, hannes.tschofe...@gmx.net
        Pages:      11
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-resource-indicators-08.txt

        URL:        https://www.rfc-editor.org/info/rfc8707

        DOI:        10.17487/RFC8707

This document specifies an extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client to explicitly signal to an authorization server about the identity of the protected resource(s) to which it is requesting access.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
[OAUTH-WG] RFC 7009 on OAuth 2.0 Token Revocation
A new Request for Comments is now available in online RFC libraries.

        RFC 7009

        Title:      OAuth 2.0 Token Revocation
        Author:     T. Lodderstedt, Ed., S. Dronia, M. Scurtescu
        Status:     Standards Track
        Stream:     IETF
        Date:       August 2013
        Mailbox:    tors...@lodderstedt.net, sdro...@gmx.de, mscurte...@google.com
        Pages:      11
        Characters: 23517
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-revocation-11.txt

        URL:        http://www.rfc-editor.org/rfc/rfc7009.txt

This document proposes an additional endpoint for OAuth authorization servers, which allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed. This allows the authorization server to clean up security credentials. A revocation request will invalidate the actual token and, if applicable, other tokens based on the same authorization grant.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Internet Official Protocol Standards (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Re: [OAUTH-WG] [Editorial Errata Reported] RFC7009 (3808)
Greetings,

The RFC errata system is used for the RFCs as available from rfc-editor.org (in this case, http://www.rfc-editor.org/rfc/rfc7009.txt), as noted on http://www.rfc-editor.org/errata.php.

Your report regarding http://tools.ietf.org/html/rfc7009 has been sent to the webmaster for tools.ietf.org, the maintainer of that site's HTML versions, which are created by the script rfcmarkup.

The erratum has been removed.

Thank you.

RFC Editor/ar

On Nov 21, 2013, at 12:10 PM, RFC Errata System wrote:

> The following errata report has been submitted for RFC7009,
> "OAuth 2.0 Token Revocation".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=7009&eid=3808
>
> --------------------------------------
> Type: Editorial
> Reported by: Charles MARAIS
>
> Section: 2.1
>
> Original Text
> -------------
> The link concerning the description of the client authentication
> (Section 2.3) is:
> http://tools.ietf.org/html/rfc7009#section-2.3
>
> Corrected Text
> --------------
> The link concerning the description of the client authentication
> (Section 2.3) should be:
> http://tools.ietf.org/html/rfc6749#section-2.3
>
> Notes
> -----
> In fact the pointed document is not the right one.
>
> Instructions:
> -------------
> This errata is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC7009 (draft-ietf-oauth-revocation-11)
> --------------------------------------
> Title               : OAuth 2.0 Token Revocation
> Publication Date    : August 2013
> Author(s)           : T. Lodderstedt, Ed., S. Dronia, M. Scurtescu
> Category            : PROPOSED STANDARD
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
Re: [OAUTH-WG] [Editorial Errata Reported] RFC6749 (4024)
FYI, this report has been removed because it was junk.

RFC Editor/ar

On Jun 24, 2014, at 2:56 PM, RFC Errata System wrote:

> The following errata report has been submitted for RFC6749,
> "The OAuth 2.0 Authorization Framework".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=4024
>
> --------------------------------------
> Type: Editorial
> Reported by: Ebrahim Jodeiri dallalan
>
> Section: s
>
> Original Text
> -------------
> s
>
> Corrected Text
> --------------
> s
>
> Notes
> -----
> s
>
> Instructions:
> -------------
> This errata is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6749 (draft-ietf-oauth-v2-31)
> --------------------------------------
> Title               : The OAuth 2.0 Authorization Framework
> Publication Date    : October 2012
> Author(s)           : D. Hardt, Ed.
> Category            : PROPOSED STANDARD
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
[OAUTH-WG] RFC 7519 on JSON Web Token (JWT)
A new Request for Comments is now available in online RFC libraries.

        RFC 7519

        Title:      JSON Web Token (JWT)
        Author:     M. Jones, J. Bradley, N. Sakimura
        Status:     Standards Track
        Stream:     IETF
        Date:       May 2015
        Mailbox:    m...@microsoft.com, ve7...@ve7jtb.com, n-sakim...@nri.co.jp
        Pages:      30
        Characters: 63039
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-json-web-token-32.txt

        URL:        https://www.rfc-editor.org/info/rfc7519

        DOI:        http://dx.doi.org/10.17487/RFC7519

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
[OAUTH-WG] RFC 7521 on Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
A new Request for Comments is now available in online RFC libraries.

        RFC 7521

        Title:      Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
        Author:     B. Campbell, C. Mortimore, M. Jones, Y. Goland
        Status:     Standards Track
        Stream:     IETF
        Date:       May 2015
        Mailbox:    brian.d.campb...@gmail.com, cmortim...@salesforce.com, m...@microsoft.com, yar...@microsoft.com
        Pages:      20
        Characters: 44458
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-assertions-18.txt

        URL:        https://www.rfc-editor.org/info/rfc7521

        DOI:        http://dx.doi.org/10.17487/RFC7521

This specification provides a framework for the use of assertions with OAuth 2.0 in the form of a new client authentication mechanism and a new authorization grant type. Mechanisms are specified for transporting assertions during interactions with a token endpoint; general processing rules are also specified.

The intent of this specification is to provide a common framework for OAuth 2.0 to interwork with other identity systems using assertions and to provide alternative client authentication mechanisms.

Note that this specification only defines abstract message flows and processing rules. In order to be implementable, companion specifications are necessary to provide the corresponding concrete instantiations.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
[OAUTH-WG] RFC 7522 on Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
A new Request for Comments is now available in online RFC libraries.

        RFC 7522

        Title:      Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
        Author:     B. Campbell, C. Mortimore, M. Jones
        Status:     Standards Track
        Stream:     IETF
        Date:       May 2015
        Mailbox:    brian.d.campb...@gmail.com, cmortim...@salesforce.com, m...@microsoft.com
        Pages:      15
        Characters: 33890
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-saml2-bearer-23.txt

        URL:        https://www.rfc-editor.org/info/rfc7522

        DOI:        http://dx.doi.org/10.17487/RFC7522

This specification defines the use of a Security Assertion Markup Language (SAML) 2.0 Bearer Assertion as a means for requesting an OAuth 2.0 access token as well as for client authentication.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
[OAUTH-WG] RFC 7523 on JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
A new Request for Comments is now available in online RFC libraries.

        RFC 7523

        Title:      JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
        Author:     M. Jones, B. Campbell, C. Mortimore
        Status:     Standards Track
        Stream:     IETF
        Date:       May 2015
        Mailbox:    m...@microsoft.com, brian.d.campb...@gmail.com, cmortim...@salesforce.com
        Pages:      12
        Characters: 26459
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-jwt-bearer-12.txt

        URL:        https://www.rfc-editor.org/info/rfc7523

        DOI:        http://dx.doi.org/10.17487/RFC7523

This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
[OAUTH-WG] RFC 7591 on OAuth 2.0 Dynamic Client Registration Protocol
A new Request for Comments is now available in online RFC libraries.

        RFC 7591

        Title:      OAuth 2.0 Dynamic Client Registration Protocol
        Author:     J. Richer, Ed., M. Jones, J. Bradley, M. Machulak, P. Hunt
        Status:     Standards Track
        Stream:     IETF
        Date:       July 2015
        Mailbox:    i...@justin.richer.org, m...@microsoft.com, ve7...@ve7jtb.com, maciej.machu...@gmail.com, phil.h...@yahoo.com
        Pages:      39
        Characters: 87811
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-dyn-reg-30.txt

        URL:        https://www.rfc-editor.org/info/rfc7591

        DOI:        http://dx.doi.org/10.17487/RFC7591

This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
[OAUTH-WG] RFC 7592 on OAuth 2.0 Dynamic Client Registration Management Protocol
A new Request for Comments is now available in online RFC libraries.

        RFC 7592

        Title:      OAuth 2.0 Dynamic Client Registration Management Protocol
        Author:     J. Richer, Ed., M. Jones, J. Bradley, M. Machulak
        Status:     Experimental
        Stream:     IETF
        Date:       July 2015
        Mailbox:    i...@justin.richer.org, m...@microsoft.com, ve7...@ve7jtb.com, maciej.machu...@gmail.com
        Pages:      18
        Characters: 38044
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-dyn-reg-management-15.txt

        URL:        https://www.rfc-editor.org/info/rfc7592

        DOI:        http://dx.doi.org/10.17487/RFC7592

This specification defines methods for management of OAuth 2.0 dynamic client registrations for use cases in which the properties of a registered client may need to be changed during the lifetime of the client. Not all authorization servers supporting dynamic client registration will support these management methods.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

EXPERIMENTAL: This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.
[OAUTH-WG] RFC 7636 on Proof Key for Code Exchange by OAuth Public Clients
A new Request for Comments is now available in online RFC libraries.

        RFC 7636

        Title:      Proof Key for Code Exchange by OAuth Public Clients
        Author:     N. Sakimura, Ed., J. Bradley, N. Agarwal
        Status:     Standards Track
        Stream:     IETF
        Date:       September 2015
        Mailbox:    n-sakim...@nri.co.jp, ve7...@ve7jtb.com, n...@google.com
        Pages:      20
        Characters: 39482
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-spop-15.txt

        URL:        https://www.rfc-editor.org/info/rfc7636

        DOI:        http://dx.doi.org/10.17487/RFC7636

OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy").

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
[OAUTH-WG] RFC 7662 on OAuth 2.0 Token Introspection
A new Request for Comments is now available in online RFC libraries.

        RFC 7662

        Title:      OAuth 2.0 Token Introspection
        Author:     J. Richer, Ed.
        Status:     Standards Track
        Stream:     IETF
        Date:       October 2015
        Mailbox:    i...@justin.richer.org
        Pages:      17
        Characters: 36591
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-introspection-11.txt

        URL:        https://www.rfc-editor.org/info/rfc7662

        DOI:        http://dx.doi.org/10.17487/RFC7662

This specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
[OAUTH-WG] RFC 7800 on Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
RFC 7800
Title: Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
Author: M. Jones, J. Bradley, H. Tschofenig
Status: Standards Track
Stream: IETF
Date: April 2016
Mailbox: m...@microsoft.com, ve7...@ve7jtb.com, hannes.tschofe...@gmx.net
Pages: 15
Characters: 33625
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-proof-of-possession-11.txt
URL: https://www.rfc-editor.org/info/rfc7800
DOI: http://dx.doi.org/10.17487/RFC7800

This specification describes how to declare in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular proof-of-possession key and how the recipient can cryptographically confirm proof of possession of the key by the presenter. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard.
[OAUTH-WG] RFC 8176 on Authentication Method Reference Values
RFC 8176
Title: Authentication Method Reference Values
Author: M. Jones, P. Hunt, A. Nadalin
Status: Standards Track
Stream: IETF
Date: June 2017
Mailbox: m...@microsoft.com, phil.h...@yahoo.com, tony...@microsoft.com
Pages: 15
Characters: 30765
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-amr-values-08.txt
URL: https://www.rfc-editor.org/info/rfc8176
DOI: 10.17487/RFC8176

The "amr" (Authentication Methods References) claim is defined and registered in the IANA "JSON Web Token Claims" registry, but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard.
[OAUTH-WG] BCP 212, RFC 8252 on OAuth 2.0 for Native Apps
BCP 212, RFC 8252
Title: OAuth 2.0 for Native Apps
Author: W. Denniss, J. Bradley
Status: Best Current Practice
Stream: IETF
Date: October 2017
Mailbox: rfc8...@wdenniss.com, rfc8...@ve7jtb.com
Pages: 21
Characters: 49680
Updates: RFC 6749
See Also: BCP 212
I-D Tag: draft-ietf-oauth-native-apps-12.txt
URL: https://www.rfc-editor.org/info/rfc8252
DOI: 10.17487/RFC8252

OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser. This specification details the security and usability reasons why this is the case and how native apps and authorization servers can implement this best practice.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

BCP: This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.
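Two mechanics RFC 8252 relies on, as an added example (not code from the RFC or the list): the PKCE code challenge the native app must send (S256, from RFC 7636, which RFC 8252 makes mandatory for native apps), and the authorization server's redirect URI comparison, which must be an exact string match except that a registered loopback URI (`http://127.0.0.1` or `http://[::1]`) may arrive with any port, because the app binds an ephemeral port for each run. The client identifier and URIs are constructed. The known PKCE test vector in the usage note is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode, urlsplit


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.
    The 'plain' method is not acceptable for native apps (RFC 8252 Section 8.1)."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 unguessable characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, code_challenge: str) -> str:
    """Authorization request the app hands to the system browser (never an
    embedded web view, per RFC 8252 Section 8.12)."""
    params = {
        "response_type": "code",   # the code flow; no implicit grant (Section 8.2)
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authz_endpoint}?{urlencode(params)}"


# RFC 8252 Section 7.3 names these two loopback hosts; "localhost" is not
# included on purpose, since it can resolve to something other than loopback.
_LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Authorization-server side: exact comparison of the registered and
    presented redirect_uri, with the single loopback-port exception."""
    if registered == requested:
        return True
    reg, req = urlsplit(registered), urlsplit(requested)
    if reg.scheme != "http" or req.scheme != "http":
        return False
    # urlsplit().hostname strips the brackets from an IPv6 literal.
    if reg.hostname not in _LOOPBACK_HOSTS or req.hostname != reg.hostname:
        return False
    # Only the port may differ; path, query and fragment must still be identical.
    return (reg.path, reg.query, reg.fragment) == (req.path, req.query, req.fragment)


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print(build_authorization_url("https://as.example.test/authorize", "native-app-1",
                                  "http://127.0.0.1:49152/cb", "read", "st-1", challenge))
    print(redirect_uri_matches("http://127.0.0.1/cb", "http://127.0.0.1:49152/cb"))
```

Usage: with the verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, `pkce_pair` must return the challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`. Substring or prefix matching of redirect URIs is what turns an open redirect on the client's domain into code theft; the loopback port is the only part that is allowed to vary.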
[OAUTH-WG] RFC 8414 on OAuth 2.0 Authorization Server Metadata
RFC 8414
Title: OAuth 2.0 Authorization Server Metadata
Author: M. Jones, N. Sakimura, J. Bradley
Status: Standards Track
Stream: IETF
Date: June 2018
Mailbox: m...@microsoft.com, n-sakim...@nri.co.jp, rfc8...@ve7jtb.com
Pages: 23
Characters: 53831
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-discovery-10.txt
URL: https://www.rfc-editor.org/info/rfc8414
DOI: 10.17487/RFC8414

This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard.
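How a client builds the well-known metadata URL from an issuer identifier and what it must check before using any endpoint from the document, as an added example that is not code from RFC 8414. The fetch is simulated by a dictionary of constructed metadata documents so the code runs offline; the hostnames and endpoints are made up. The check that matters is the one from Section 3.3: the `issuer` in the document must be identical to the issuer identifier the URL was built from, otherwise the document must not be used (a host that serves metadata claiming someone else's issuer could otherwise steer clients to its own token endpoint).

```python
import json
from typing import Any, Dict
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"


def metadata_url(issuer: str) -> str:
    """RFC 8414 Section 3: the well-known suffix is inserted between the host
    and the issuer's path component (if any), not appended after the path."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    path = parts.path.rstrip("/")  # a bare trailing slash is treated as no path (our choice)
    return f"{parts.scheme}://{parts.netloc}{WELL_KNOWN}{path}"


# Constructed responses, keyed by the URL a client would fetch.
_FAKE_HTTP: Dict[str, str] = {
    "https://as.example.test/.well-known/oauth-authorization-server": json.dumps({
        "issuer": "https://as.example.test",
        "authorization_endpoint": "https://as.example.test/authorize",
        "token_endpoint": "https://as.example.test/token",
        "jwks_uri": "https://as.example.test/jwks",
        "response_types_supported": ["code"],
        "code_challenge_methods_supported": ["S256"],
    }),
    # A document whose "issuer" does not match the URL it was fetched from.
    "https://evil.example.test/.well-known/oauth-authorization-server/tenant": json.dumps({
        "issuer": "https://as.example.test",
        "authorization_endpoint": "https://evil.example.test/authorize",
        "token_endpoint": "https://evil.example.test/token",
        "response_types_supported": ["code"],
    }),
}


def fetch(url: str) -> str:
    """Stand-in for an HTTPS GET with certificate validation."""
    if url not in _FAKE_HTTP:
        raise LookupError(f"404 {url}")
    return _FAKE_HTTP[url]


def load_metadata(issuer: str) -> Dict[str, Any]:
    doc = json.loads(fetch(metadata_url(issuer)))
    # Section 3.3: "issuer" MUST be identical to the issuer identifier used to
    # build the URL; if not, the data in the response MUST NOT be used.
    if doc.get("issuer") != issuer:
        raise ValueError("issuer mismatch: metadata must not be used")
    # Endpoints the client will send credentials or codes to must be TLS.
    for name in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(name)
        if url is not None and urlsplit(url).scheme != "https":
            raise ValueError(f"{name} is not https")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("authorization server does not support the code flow")
    return doc


if __name__ == "__main__":
    print(metadata_url("https://example.com/issuer1"))
    print(load_metadata("https://as.example.test")["token_endpoint"])
```

Metadata is a trust root for everything that follows (which endpoints receive the client secret, which keys verify tokens), so it should be fetched over TLS from the issuer's own host, pinned to the issuer identifier as above, and cached rather than re-resolved from user-supplied input on every request.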
[OAUTH-WG] RFC 9101 on The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
RFC 9101
Title: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
Author: N. Sakimura, J. Bradley, M. Jones
Status: Standards Track
Stream: IETF
Date: August 2021
Mailbox: nat@nat.consulting, rfc9...@ve7jtb.com, m...@microsoft.com
Pages: 25
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-jwsreq-34.txt
URL: https://www.rfc-editor.org/info/rfc9101
DOI: 10.17487/RFC9101

The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that authorization request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that a) the communication through the user agents is not integrity protected and thus, the parameters can be tainted, b) the source of the communication is not authenticated, and c) the communication through the user agents can be monitored. Because of these weaknesses, several attacks on the protocol have now been put forward. This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained. The request can be sent by value or by reference.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard.
[OAUTH-WG] RFC 9126 on OAuth 2.0 Pushed Authorization Requests
RFC 9126
Title: OAuth 2.0 Pushed Authorization Requests
Author: T. Lodderstedt, B. Campbell, N. Sakimura, D. Tonge, F. Skokan
Status: Standards Track
Stream: IETF
Date: September 2021
Mailbox: tors...@lodderstedt.net, bcampb...@pingidentity.com, n...@sakimura.org, d...@tonge.org, panva...@gmail.com
Pages: 18
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-par-10.txt
URL: https://www.rfc-editor.org/info/rfc9126
DOI: 10.17487/RFC9126

This document defines the pushed authorization request (PAR) endpoint, which allows clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent call to the authorization endpoint.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard.
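The authorization-server side of the PAR exchange described in the RFC 9126 announcement above, as an added example that is not the RFC's own code. It shows the properties that make the pushed request a security feature rather than a convenience: the payload is stored server-side under an unguessable `request_uri` in the `urn:ietf:params:oauth:request_uri:` form, the reference is bound to the client that authenticated when pushing it, it expires quickly, and it is consumed on first use. Client identifiers, secrets and timestamps are constructed; the `invalid_request_uri` error code used at the authorization endpoint is the one registered by RFC 9101 (JAR).

```python
import secrets
import time
from typing import Any, Dict, Optional

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # RFC 9126 Section 2.2
DEFAULT_LIFETIME = 60  # seconds; the reference only needs to outlive one redirect


class PushedAuthorizationRequests:
    def __init__(self, client_secrets: Dict[str, str], lifetime: int = DEFAULT_LIFETIME):
        self._clients = client_secrets          # constructed client credentials
        self._lifetime = lifetime
        self._store: Dict[str, Dict[str, Any]] = {}

    def par_endpoint(self, client_id: str, client_secret: str,
                     params: Dict[str, str], now: Optional[float] = None) -> Dict[str, Any]:
        """POST /par with client authentication. Returns the JSON body the AS
        would send with HTTP 201, or an error body."""
        now = time.time() if now is None else now
        if self._clients.get(client_id) != client_secret:
            return {"error": "invalid_client"}
        # Section 2.1: a client_id in the pushed body must be the authenticated client.
        if params.get("client_id", client_id) != client_id:
            return {"error": "invalid_request"}
        # Section 2.1: the pushed request itself must not carry a request_uri.
        if "request_uri" in params:
            return {"error": "invalid_request"}
        ref = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)  # 256 bits of entropy
        self._store[ref] = {"client_id": client_id, "params": dict(params),
                            "expires_at": now + self._lifetime}
        return {"request_uri": ref, "expires_in": self._lifetime}

    def authorization_endpoint(self, client_id: str, request_uri: str,
                               now: Optional[float] = None) -> Dict[str, Any]:
        """GET /authorize?client_id=...&request_uri=... . Resolves the reference
        to the stored parameters. The entry is removed whatever the outcome, so
        a reference can be tried exactly once (Section 2.2: one-time use)."""
        now = time.time() if now is None else now
        entry = self._store.pop(request_uri, None)
        if entry is None:
            return {"error": "invalid_request_uri"}
        if entry["client_id"] != client_id:     # Section 2.2: bound to the pushing client
            return {"error": "invalid_request_uri"}
        if entry["expires_at"] <= now:
            return {"error": "invalid_request_uri"}
        return {"params": entry["params"]}


if __name__ == "__main__":
    par = PushedAuthorizationRequests({"app": "app-secret"})
    pushed = par.par_endpoint("app", "app-secret", {
        "response_type": "code", "redirect_uri": "https://app.example.test/cb",
        "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        "code_challenge_method": "S256", "scope": "read"})
    print(pushed)
    print(par.authorization_endpoint("app", pushed["request_uri"]))
    print(par.authorization_endpoint("app", pushed["request_uri"]))  # second use fails
```

Because the authorization endpoint now only sees `client_id` and `request_uri`, parameters such as `redirect_uri` and `code_challenge` were already validated under client authentication and can no longer be altered in the browser on the way to the server.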
[OAUTH-WG] RFC 9068 on JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
RFC 9068
Title: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
Author: V. Bertocci
Status: Standards Track
Stream: IETF
Date: October 2021
Mailbox: vitto...@auth0.com
Pages: 15
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-access-token-jwt-13.txt
URL: https://www.rfc-editor.org/info/rfc9068
DOI: 10.17487/RFC9068

This specification defines a profile for issuing OAuth 2.0 access tokens in JSON Web Token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in an interoperable manner.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard.
[OAUTH-WG] RFC 9207 on OAuth 2.0 Authorization Server Issuer Identification
RFC 9207
Title: OAuth 2.0 Authorization Server Issuer Identification
Author: K. Meyer zu Selhausen, D. Fett
Status: Standards Track
Stream: IETF
Date: March 2022
Mailbox: karsten.meyerzuselhau...@hackmanit.de, m...@danielfett.de
Pages: 9
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-iss-auth-resp-05.txt
URL: https://www.rfc-editor.org/info/rfc9207
DOI: 10.17487/RFC9207

This document specifies a new parameter called iss. This parameter is used to explicitly include the issuer identifier of the authorization server in the authorization response of an OAuth authorization flow. The iss parameter serves as an effective countermeasure to "mix-up attacks".

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard.
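The client-side check RFC 9207 describes, as an added example that is not the RFC's own code. A client that talks to more than one authorization server remembers, per pending `state`, which server it sent the user to; when the redirect comes back it requires the `iss` parameter to equal that server's issuer identifier. In a mix-up attack the response (and then the code and the client's credentials) would otherwise be routed to a different server the client also trusts. The issuers, metadata and redirect URLs are constructed; the metadata flag `authorization_response_iss_parameter_supported` is the one RFC 9207 registers.

```python
import secrets
from typing import Any, Dict
from urllib.parse import parse_qs, urlsplit


class Client:
    def __init__(self, issuers: Dict[str, Dict[str, Any]]):
        # issuer identifier -> AS metadata (a real client loads this via RFC 8414)
        self._issuers = issuers
        self._pending: Dict[str, str] = {}  # state -> issuer the request went to

    def start(self, issuer: str) -> str:
        """Begin an authorization request at the given AS; returns the state."""
        if issuer not in self._issuers:
            raise ValueError("unknown issuer")
        state = secrets.token_urlsafe(16)
        self._pending[state] = issuer
        return state

    def handle_redirect(self, redirect_url: str) -> Dict[str, str]:
        """Validate the authorization response; return issuer and code, or raise."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
        expected_iss = self._pending.pop(q.get("state"), None)  # state is single-use
        if expected_iss is None:
            raise ValueError("unknown or replayed state")
        supports_iss = self._issuers[expected_iss].get(
            "authorization_response_iss_parameter_supported") is True
        # RFC 9207 Section 2.4: if iss is present it MUST match the AS the
        # request was sent to; if the AS advertises support, a response
        # without iss MUST be rejected too (it may have been stripped).
        if "iss" in q or supports_iss:
            if q.get("iss") != expected_iss:
                raise ValueError("iss mismatch or missing: possible mix-up attack")
        if "error" in q:
            raise ValueError(q["error"])
        # The code is now known to belong to expected_iss, so it (and the
        # client secret) go to that issuer's token endpoint and no other.
        return {"issuer": expected_iss, "code": q["code"]}


if __name__ == "__main__":
    c = Client({"https://as-a.example.test": {"authorization_response_iss_parameter_supported": True}})
    st = c.start("https://as-a.example.test")
    print(c.handle_redirect(f"https://app.example.test/cb?code=c1&state={st}"
                            "&iss=https%3A%2F%2Fas-a.example.test"))
```

Without `iss`, the only thing linking a response to a server is the client's own memory of where it sent the user, which an attacker can desynchronise by starting a flow at one server and redirecting the browser to another. The `iss` check plus single-use `state` closes that.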
[OAUTH-WG] RFC 9278 on JWK Thumbprint URI
RFC 9278
Title: JWK Thumbprint URI
Author: M. Jones, K. Yasuda
Status: Standards Track
Stream: IETF
Date: August 2022
Mailbox: m...@microsoft.com, kryas...@microsoft.com
Pages: 6
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-jwk-thumbprint-uri-03.txt
URL: https://www.rfc-editor.org/info/rfc9278
DOI: 10.17487/RFC9278

This specification registers a kind of URI that represents a JSON Web Key (JWK) Thumbprint value. JWK Thumbprints are defined in RFC 7638. This enables JWK Thumbprints to be used, for instance, as key identifiers in contexts requiring URIs.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard.
[OAUTH-WG] RFC 9449 on OAuth 2.0 Demonstrating Proof of Possession (DPoP)
RFC 9449
Title: OAuth 2.0 Demonstrating Proof of Possession (DPoP)
Author: D. Fett, B. Campbell, J. Bradley, T. Lodderstedt, M. Jones, D. Waite
Status: Standards Track
Stream: IETF
Date: September 2023
Mailbox: m...@danielfett.de, bcampb...@pingidentity.com, ve7...@ve7jtb.com, tors...@lodderstedt.net, michael_b_jo...@hotmail.com, da...@alkaline-solutions.com
Pages: 39
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-dpop-16.txt
URL: https://www.rfc-editor.org/info/rfc9449
DOI: 10.17487/RFC9449

This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard.
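One block serving the RFC 7800, RFC 9278 and RFC 9449 announcements above, as an added example that is not code from any of them: the RFC 7638 thumbprint that RFC 9278 wraps in a `urn:ietf:params:oauth:jwk-thumbprint:sha-256:` URI, the RFC 7800-style confirmation that the key a presenter proves possession of is the one named in the token's `cnf` member, and the resource-server checks on a DPoP proof. It assumes a JOSE library has already verified the proof's signature against the JWK in the proof's own header (the standard library has no ECDSA, so that step is not repeated here); shown are the checks such a library does not do for you: `typ`, a non-MAC `alg`, `htm`/`htu` binding, the `iat` window, `jti` replay, the `ath` hash of the presented access token, and `cnf.jkt`. The sample key's coordinates are arbitrary fixture bytes, not a valid curve point; only the thumbprint arithmetic depends on them.

```python
import base64
import hashlib
import json
import time
from typing import Any, Dict, Optional, Set, Tuple

THUMBPRINT_URI_PREFIX = "urn:ietf:params:oauth:jwk-thumbprint:sha-256:"  # RFC 9278

# RFC 7638 Section 3.2: only the REQUIRED public members of each key type are
# hashed, as a JSON object with members in lexicographic order and no whitespace.
_REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x")}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, Any]) -> str:
    canonical = json.dumps({m: jwk[m] for m in _REQUIRED[jwk["kty"]]},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def jwk_thumbprint_uri(jwk: Dict[str, Any]) -> str:
    return THUMBPRINT_URI_PREFIX + jwk_thumbprint(jwk)


def access_token_hash(access_token: str) -> str:
    """RFC 9449 'ath': base64url(SHA-256(ASCII of the access token))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


# Constructed public key fixture (P-256 shape, arbitrary coordinate bytes).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(bytes(range(32))),
              "y": b64url(bytes(range(32, 64))), "kid": "constructed-1"}


def sample_proof(access_token: str, iat: int, jti: str) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Constructed DPoP proof header and claims, as they would appear after
    signature verification (RFC 9449 Section 4.2)."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
    claims = {"jti": jti, "htm": "GET", "htu": "https://api.example.test/resource",
              "iat": iat, "ath": access_token_hash(access_token)}
    return header, claims


class DPoPValidator:
    def __init__(self, max_skew: int = 60):
        self._max_skew = max_skew
        self._seen_jti: Set[str] = set()  # replay cache; bound it by time in production

    def validate(self, proof_header: Dict[str, Any], proof_claims: Dict[str, Any],
                 method: str, url: str, access_token: str,
                 token_claims: Dict[str, Any], now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        alg = str(proof_header.get("alg", ""))
        if proof_header.get("typ") != "dpop+jwt" or alg == "none" or alg.startswith("HS"):
            return False                       # must be an asymmetric signature
        jwk = proof_header.get("jwk")
        if not isinstance(jwk, dict) or "d" in jwk:
            return False                       # public key only, no private member
        if proof_claims.get("htm") != method:
            return False
        if proof_claims.get("htu") != url.split("?", 1)[0].split("#", 1)[0]:
            return False                       # htu excludes query and fragment
        iat = proof_claims.get("iat")
        if not isinstance(iat, int) or abs(now - iat) > self._max_skew:
            return False
        jti = proof_claims.get("jti")
        if not isinstance(jti, str) or jti in self._seen_jti:
            return False                       # replayed proof
        if proof_claims.get("ath") != access_token_hash(access_token):
            return False                       # proof was made for another token
        # The RFC 7800-style confirmation: the access token names the key it is
        # bound to by thumbprint (cnf.jkt), which must be the proof's key.
        if (token_claims.get("cnf") or {}).get("jkt") != jwk_thumbprint(jwk):
            return False
        self._seen_jti.add(jti)
        return True
```

Usage: the access token itself is validated separately (signature, `iss`, `aud`, `exp`); `token_claims` here is its already-verified payload, and a token whose `cnf.jkt` does not match the proof key is not a bearer token that happens to lack a proof, it is a token presented by the wrong party. The `ath` check stops a proof captured alongside one token from being reused with another.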
[OAUTH-WG] RFC 9470 on OAuth 2.0 Step Up Authentication Challenge Protocol
RFC 9470
Title: OAuth 2.0 Step Up Authentication Challenge Protocol
Author: V. Bertocci, B. Campbell
Status: Standards Track
Stream: IETF
Date: September 2023
Mailbox: vitto...@auth0.com, bcampb...@pingidentity.com
Pages: 14
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-step-up-authn-challenge-17.txt
URL: https://www.rfc-editor.org/info/rfc9470
DOI: 10.17487/RFC9470

It is not uncommon for resource servers to require different authentication strengths or recentness according to the characteristics of a request. This document introduces a mechanism that resource servers can use to signal to a client that the authentication event associated with the access token of the current request does not meet its authentication requirements and, further, how to meet them. This document also codifies a mechanism for a client to request that an authorization server achieve a specific authentication strength or recentness when processing an authorization request.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard.
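Both halves of the step-up exchange from the RFC 9470 announcement above, plus the `amr` check from the RFC 8176 announcement, as an added example that is not code from either RFC. The resource server compares the token's `acr` and `auth_time` claims with its policy and, when they fall short, answers 401 with a `WWW-Authenticate: Bearer` challenge carrying `error="insufficient_user_authentication"`, `acr_values` and `max_age`; the client parses that challenge and carries `acr_values` and `max_age` into its next authorization request. The `amr` values come from the RFC 8176 registry (`mfa`, `otp`, `pwd`, `hwk`, ...); the challenge itself can only express `acr` and `max_age`, so an RS that wants a particular method must express it through an `acr` the AS defines. The ACR names, timestamps and claims are constructed.

```python
import re
import time
from typing import Any, Dict, Optional, Set

AMR_MFA = "mfa"  # RFC 8176 value: multiple-factor authentication was performed


def amr_satisfies(token_claims: Dict[str, Any], required: Set[str]) -> bool:
    """RFC 8176: 'amr' is an array of method identifiers. A resource server
    may require certain ones as local policy."""
    amr = token_claims.get("amr")
    return isinstance(amr, list) and required.issubset(set(amr))


def evaluate_step_up(token_claims: Dict[str, Any], required_acr: Optional[str],
                     max_age: Optional[int], now: Optional[int] = None) -> Optional[str]:
    """Resource-server side. Return None if the authentication event behind
    the token satisfies the policy, otherwise the WWW-Authenticate value for a
    401 response (RFC 9470 Section 3)."""
    now = int(time.time()) if now is None else now
    ok = True
    if required_acr is not None and token_claims.get("acr") != required_acr:
        ok = False
    if max_age is not None:
        auth_time = token_claims.get("auth_time")
        if not isinstance(auth_time, int) or now - auth_time > max_age:
            ok = False
    if ok:
        return None
    params = ['error="insufficient_user_authentication"',
              'error_description="A different authentication level is required"']
    if required_acr is not None:
        params.append(f'acr_values="{required_acr}"')   # space-separated, by preference
    if max_age is not None:
        params.append(f"max_age={max_age}")
    return "Bearer " + ", ".join(params)


# auth-param = token "=" ( token / quoted-string )
_PARAM = re.compile(r'([A-Za-z_]+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(www_authenticate: str) -> Optional[Dict[str, str]]:
    """Client side: the parameters of a Bearer challenge, or None for other schemes."""
    scheme, _, rest = www_authenticate.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(rest)}


def step_up_authorization_params(challenge: Dict[str, str]) -> Dict[str, str]:
    """Parameters the client adds to its next authorization request
    (RFC 9470 Section 4) so the AS performs the requested authentication."""
    if challenge.get("error") != "insufficient_user_authentication":
        return {}
    return {k: challenge[k] for k in ("acr_values", "max_age") if k in challenge}


if __name__ == "__main__":
    claims = {"sub": "alice", "acr": "urn:example:pwd", "auth_time": 1700000000, "amr": ["pwd"]}
    hdr = evaluate_step_up(claims, "urn:example:mfa", 300, now=1700001000)
    print(hdr)
    print(step_up_authorization_params(parse_challenge(hdr)))
    print(amr_satisfies(claims, {AMR_MFA}))
```

The resource server makes the decision from claims in a token it has already validated (a JWT access token or an introspection response), never from anything the client asserts; the challenge only tells the client what to ask the authorization server for.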
[OAUTH-WG] RFC 6755 on An IETF URN Sub-Namespace for OAuth
RFC 6755
Title: An IETF URN Sub-Namespace for OAuth
Author: B. Campbell, H. Tschofenig
Status: Informational
Stream: IETF
Date: October 2012
Mailbox: brian.d.campb...@gmail.com, hannes.tschofe...@gmx.net
Pages: 5
Characters: 8336
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-urn-sub-ns-06.txt
URL: http://www.rfc-editor.org/rfc/rfc6755.txt

This document establishes an IETF URN Sub-namespace for use with OAuth-related specifications. This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

INFORMATIONAL: This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
[OAUTH-WG] RFC 6749 on The OAuth 2.0 Authorization Framework
RFC 6749
Title: The OAuth 2.0 Authorization Framework
Author: D. Hardt, Ed.
Status: Standards Track
Stream: IETF
Date: October 2012
Mailbox: dick.ha...@gmail.com
Pages: 76
Characters: 163498
Obsoletes: RFC 5849
I-D Tag: draft-ietf-oauth-v2-31.txt
URL: http://www.rfc-editor.org/rfc/rfc6749.txt

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard Protocol.
[OAUTH-WG] RFC 6750 on The OAuth 2.0 Authorization Framework: Bearer Token Usage
RFC 6750
Title: The OAuth 2.0 Authorization Framework: Bearer Token Usage
Author: M. Jones, D. Hardt
Status: Standards Track
Stream: IETF
Date: October 2012
Mailbox: m...@microsoft.com, dick.ha...@gmail.com
Pages: 18
Characters: 38949
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-v2-bearer-23.txt
URL: http://www.rfc-editor.org/rfc/rfc6750.txt

This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard Protocol.
[OAUTH-WG] RFC 6819 on OAuth 2.0 Threat Model and Security Considerations
RFC 6819
Title: OAuth 2.0 Threat Model and Security Considerations
Author: T. Lodderstedt, Ed., M. McGloin, P. Hunt
Status: Informational
Stream: IETF
Date: January 2013
Mailbox: tors...@lodderstedt.net, mark.mcgl...@ie.ibm.com, phil.h...@yahoo.com
Pages: 71
Characters: 158332
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-v2-threatmodel-08.txt
URL: http://www.rfc-editor.org/rfc/rfc6819.txt

This document gives additional security considerations for OAuth, beyond those in the OAuth 2.0 specification, based on a comprehensive threat model for the OAuth 2.0 protocol. This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Web Authorization Protocol Working Group of the IETF.
[OAUTH-WG] RFC 9701 on JSON Web Token (JWT) Response for OAuth Token Introspection
RFC 9701
Title: JSON Web Token (JWT) Response for OAuth Token Introspection
Author: T. Lodderstedt, Ed., V. Dzhuvinov
Status: Standards Track
Stream: IETF
Date: January 2025
Mailbox: tors...@lodderstedt.net, vladi...@connect2id.com
Pages: 13
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-jwt-introspection-response-12.txt
URL: https://www.rfc-editor.org/info/rfc9701
DOI: 10.17487/RFC9701

This specification proposes an additional response secured by JSON Web Token (JWT) for OAuth 2.0 Token Introspection.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard.

The RFC Editor Team

OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
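One block serving the RFC 9068 and RFC 9701 announcements above, as an added example that is not code from either RFC. Both define a typed JWT issued by the authorization server and consumed by a resource server: an access token with `typ` `at+jwt` and an introspection response with `typ` `token-introspection+jwt` whose RFC 7662 members sit under a `token_introspection` claim. To stay within the standard library the signature is HMAC-SHA256 (HS256, a valid JWS algorithm) under a constructed shared key; the validation logic is the same for the asymmetric algorithms a real server uses. The point shown is explicit typing: each consumer accepts only the `typ` it expects, so a JWT minted for one purpose cannot be substituted for the other, and the expected algorithm is fixed by the verifier rather than read from the token. Issuer, audience, subject and key are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

_KEY = b"constructed-shared-key-do-not-use"  # fixture; a real AS signs asymmetrically


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_sign(header: Dict[str, Any], claims: Dict[str, Any], key: bytes = _KEY) -> str:
    """RFC 7515 compact serialization with HS256."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def jws_verify(token: str, key: bytes = _KEY) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Return (header, claims) or raise ValueError. The algorithm is the
    verifier's choice; an 'alg' of none or anything else in the header is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return header, json.loads(b64url_decode(p))


def _aud_contains(aud: Any, expected: str) -> bool:
    return expected in (aud if isinstance(aud, list) else [aud])


def validate_access_token(token: str, issuer: str, resource: str, now: int) -> Dict[str, Any]:
    """RFC 9068 Section 4 resource-server checks; returns the claims."""
    header, claims = jws_verify(token)
    if header.get("typ") not in ("at+jwt", "application/at+jwt"):
        raise ValueError("not an access token JWT")
    for name in ("iss", "exp", "aud", "sub", "client_id", "iat", "jti"):  # Section 2.2
        if name not in claims:
            raise ValueError(f"missing required claim {name}")
    if claims["iss"] != issuer:
        raise ValueError("wrong issuer")
    if not _aud_contains(claims["aud"], resource):
        raise ValueError("token not intended for this resource")
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def validate_introspection_response(token: str, issuer: str, rs_id: str, now: int) -> Dict[str, Any]:
    """RFC 9701: the response is itself a signed JWT addressed to the caller;
    the RFC 7662 members live under 'token_introspection'. Returns that object."""
    header, claims = jws_verify(token)
    if header.get("typ") != "token-introspection+jwt":
        raise ValueError("not an introspection response JWT")
    if claims.get("iss") != issuer or not _aud_contains(claims.get("aud"), rs_id) or "iat" not in claims:
        raise ValueError("wrong issuer or audience, or iat missing")
    info = claims.get("token_introspection")
    if not isinstance(info, dict) or info.get("active") is not True:
        raise ValueError("token inactive")
    if isinstance(info.get("exp"), int) and info["exp"] <= now:
        raise ValueError("expired")
    return info


def mint_fixtures(now: int) -> Tuple[str, str]:
    """Constructed AS output: an access token and an introspection response about it."""
    at_claims = {"iss": "https://as.example.test", "sub": "alice", "aud": ["https://api.example.test"],
                 "client_id": "app1", "iat": now, "exp": now + 600, "jti": "at-1", "scope": "read"}
    access_token = jws_sign({"alg": "HS256", "typ": "at+jwt"}, at_claims)
    intro_claims = {"iss": "https://as.example.test", "aud": "https://api.example.test", "iat": now,
                    "token_introspection": {"active": True, "sub": "alice", "scope": "read",
                                            "client_id": "app1", "exp": now + 600,
                                            "aud": "https://api.example.test"}}
    return access_token, jws_sign({"alg": "HS256", "typ": "token-introspection+jwt"}, intro_claims)
```

Usage: `validate_access_token(at, "https://as.example.test", "https://api.example.test", now)` returns the claims for a token from `mint_fixtures(now)`, and handing it the introspection JWT (or vice versa) raises. A resource server that skipped the `typ` check and only looked for `active` or `sub` would accept whichever JWT an attacker could obtain with a valid signature from the same issuer.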
[OAUTH-WG] BCP 240, RFC 9700 on Best Current Practice for OAuth 2.0 Security
A new Request for Comments is now available in online RFC libraries.

BCP 240
RFC 9700
Title: Best Current Practice for OAuth 2.0 Security
Author: T. Lodderstedt, J. Bradley, A. Labunets, D. Fett
Status: Best Current Practice
Stream: IETF
Date: January 2025
Mailbox: tors...@lodderstedt.net, ve7...@ve7jtb.com, isciu...@gmail.com, m...@danielfett.de
Pages: 46
Updates: RFC 6749, RFC 6750, RFC 6819
See Also: BCP 240
I-D Tag: draft-ietf-oauth-security-topics-29.txt
URL: https://www.rfc-editor.org/info/rfc9700
DOI: 10.17487/RFC9700

This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0. Further, it deprecates some modes of operation that are deemed less secure or even insecure.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

BCP: This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.

The RFC Editor Team
[OAUTH-WG] RFC 9728 on OAuth 2.0 Protected Resource Metadata
A new Request for Comments is now available in online RFC libraries.

RFC 9728
Title: OAuth 2.0 Protected Resource Metadata
Author: M.B. Jones, P. Hunt, A. Parecki
Status: Standards Track
Stream: IETF
Date: April 2025
Mailbox: michael_b_jo...@hotmail.com, phil.h...@yahoo.com, aa...@parecki.com
Pages: 25
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-oauth-resource-metadata-13.txt
URL: https://www.rfc-editor.org/info/rfc9728
DOI: 10.17487/RFC9728

This specification defines a metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource.

This document is a product of the Web Authorization Protocol Working Group of the IETF. This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the Official Internet Protocol Standards (https://www.rfc-editor.org/standards) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

The RFC Editor Team