| draft-ietf-oauth-saml2-bearer-15.txt | draft-ietf-oauth-saml2-bearer-16.txt | |||
|---|---|---|---|---|
| OAuth Working Group B. Campbell | OAuth Working Group B. Campbell | |||
| Internet-Draft Ping Identity | Internet-Draft Ping Identity | |||
| Intended status: Standards Track C. Mortimore | Intended status: Standards Track C. Mortimore | |||
| Expires: May 11, 2013 Salesforce | Expires: September 30, 2013 Salesforce | |||
| November 7, 2012 | M.B. Jones | |||
| Microsoft | ||||
| March 29, 2013 | ||||
| SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 | SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization | |||
| draft-ietf-oauth-saml2-bearer-15 | Grants | |||
| draft-ietf-oauth-saml2-bearer-16 | ||||
| Abstract | Abstract | |||
| This specification defines the use of a SAML 2.0 Bearer Assertion as | This specification defines the use of a SAML 2.0 Bearer Assertion as | |||
| a means for requesting an OAuth 2.0 access token as well as for use | a means for requesting an OAuth 2.0 access token as well as for use | |||
| as a means of client authentication. | as a means of client authentication. | |||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 11, 2013. | This Internet-Draft will expire on September 30, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4 | 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 4 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. HTTP Parameter Bindings for Transporting Assertions . . . . . 4 | 2. HTTP Parameter Bindings for Transporting Assertions . . . . . 4 | |||
| 2.1. Using SAML Assertions as Authorization Grants . . . . . . 4 | 2.1. Using SAML Assertions as Authorization Grants . . . . . . 4 | |||
| 2.2. Using SAML Assertions for Client Authentication . . . . . 5 | 2.2. Using SAML Assertions for Client Authentication . . . . . 5 | |||
| 3. Assertion Format and Processing Requirements . . . . . . . . . 6 | 3. Assertion Format and Processing Requirements . . . . . . . . 6 | |||
| 3.1. Authorization Grant Processing . . . . . . . . . . . . . . 8 | 3.1. Authorization Grant Processing . . . . . . . . . . . . . 8 | |||
| 3.2. Client Authentication Processing . . . . . . . . . . . . . 8 | 3.2. Client Authentication Processing . . . . . . . . . . . . 9 | |||
| 4. Authorization Grant Example . . . . . . . . . . . . . . . . . 9 | 4. Authorization Grant Example . . . . . . . . . . . . . . . . . 9 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 5. Interoperability Considerations . . . . . . . . . . . . . . . 11 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 6.1. Sub-Namespace Registration of | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
| urn:ietf:params:oauth:grant-type:saml2-bearer . . . . . . 10 | 7.1. Sub-Namespace Registration of urn:ietf:params:oauth | |||
| 6.2. Sub-Namespace Registration of | :grant-type:saml2-bearer . . . . . . . . . . . . . . . . 11 | |||
| urn:ietf:params:oauth:client-assertion-type:saml2-bearer . 10 | 7.2. Sub-Namespace Registration of urn:ietf:params:oauth | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | :client-assertion-type:saml2-bearer . . . . . . . . . . . 11 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 11 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12 | 8.2. Informative References . . . . . . . . . . . . . . . . . 12 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 12 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 | Appendix B. Document History . . . . . . . . . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | ||||
| 1. Introduction | 1. Introduction | |||
| The Security Assertion Markup Language (SAML) 2.0 | The Security Assertion Markup Language (SAML) 2.0 | |||
| [OASIS.saml-core-2.0-os] is an XML-based framework that allows | [OASIS.saml-core-2.0-os] is an XML-based framework that allows | |||
| identity and security information to be shared across security | identity and security information to be shared across security | |||
| domains. The SAML specification, while primarily targeted at | domains. The SAML specification, while primarily targeted at | |||
| providing cross domain Web browser single sign-on, was also designed | providing cross domain Web browser single sign-on, was also designed | |||
| to be modular and extensible to facilitate use in other contexts. | to be modular and extensible to facilitate use in other contexts. | |||
| The Assertion, an XML security token, is a fundamental construct of | The Assertion, an XML security token, is a fundamental construct of | |||
| SAML that is often adopted for use in other protocols and | SAML that is often adopted for use in other protocols and | |||
| specifications. An Assertion is generally issued by an identity | specifications. An Assertion is generally issued by an identity | |||
| provider and consumed by a service provider who relies on its content | provider and consumed by a service provider who relies on its content | |||
| to identify the Assertion's subject for security related purposes. | to identify the Assertion's subject for security related purposes. | |||
| The OAuth 2.0 Authorization Protocol [RFC6749] provides a method for | The OAuth 2.0 Authorization Framework [RFC6749] provides a method for | |||
| making authenticated HTTP requests to a resource using an access | making authenticated HTTP requests to a resource using an access | |||
| token. Access tokens are issued to third-party clients by an | token. Access tokens are issued to third-party clients by an | |||
| authorization server (AS) with the (sometimes implicit) approval of | authorization server (AS) with the (sometimes implicit) approval of | |||
| the resource owner. In OAuth, an authorization grant is an abstract | the resource owner. In OAuth, an authorization grant is an abstract | |||
| term used to describe intermediate credentials that represent the | term used to describe intermediate credentials that represent the | |||
| resource owner authorization. An authorization grant is used by the | resource owner authorization. An authorization grant is used by the | |||
| client to obtain an access token. Several authorization grant types | client to obtain an access token. Several authorization grant types | |||
| are defined to support a wide range of client types and user | are defined to support a wide range of client types and user | |||
| experiences. OAuth also allows for the definition of new extension | experiences. OAuth also allows for the definition of new extension | |||
| grant types to support additional clients or to provide a bridge | grant types to support additional clients or to provide a bridge | |||
| between OAuth and other trust frameworks. Finally, OAuth allows the | between OAuth and other trust frameworks. Finally, OAuth allows the | |||
| definition of additional authentication mechanisms to be used by | definition of additional authentication mechanisms to be used by | |||
| clients when interacting with the authorization server. | clients when interacting with the authorization server. | |||
| The OAuth 2.0 Assertion Profile [I-D.ietf-oauth-assertions] is an | The Assertion Framework for OAuth 2.0 Client Authentication and | |||
| Authorization Grants [I-D.ietf-oauth-assertions] specification is an | ||||
| abstract extension to OAuth 2.0 that provides a general framework for | abstract extension to OAuth 2.0 that provides a general framework for | |||
| the use of Assertions as client credentials and/or authorization | the use of Assertions as client credentials and/or authorization | |||
| grants with OAuth 2.0. This specification profiles the OAuth 2.0 | grants with OAuth 2.0. This specification profiles the Assertion | |||
| Assertion Profile [I-D.ietf-oauth-assertions] to define an extension | Framework for OAuth 2.0 Client Authentication and Authorization | |||
| grant type that uses a SAML 2.0 Bearer Assertion to request an OAuth | Grants [I-D.ietf-oauth-assertions] specification to define an | |||
| 2.0 access token as well as for use as client credentials. The | extension grant type that uses a SAML 2.0 Bearer Assertion to request | |||
| format and processing rules for the SAML Assertion defined in this | an OAuth 2.0 access token as well as for use as client credentials. | |||
| specification are intentionally similar, though not identical, to | The format and processing rules for the SAML Assertion defined in | |||
| those in the Web Browser SSO Profile defined in SAML Profiles | this specification are intentionally similar, though not identical, | |||
| [OASIS.saml-profiles-2.0-os]. This specification is reusing, to the | to those in the Web Browser SSO Profile defined in the SAML Profiles | |||
| extent reasonable, concepts and patterns from that well-established | [OASIS.saml-profiles-2.0-os] specification. This specification is | |||
| Profile. | reusing, to the extent reasonable, concepts and patterns from that | |||
| well-established Profile. | ||||
| This document defines how a SAML Assertion can be used to request an | This document defines how a SAML Assertion can be used to request an | |||
| access token when a client wishes to utilize an existing trust | access token when a client wishes to utilize an existing trust | |||
| relationship, expressed through the semantics of (and digital | relationship, expressed through the semantics of (and digital | |||
| signature calculated over) the SAML Assertion, without a direct user | signature or keyed message digest calculated over) the SAML | |||
| approval step at the authorization server. It also defines how a | Assertion, without a direct user approval step at the authorization | |||
| SAML Assertion can be used as a client authentication mechanism. The | server. It also defines how a SAML Assertion can be used as a client | |||
| use of an Assertion for client authentication is orthogonal to and | authentication mechanism. The use of an Assertion for client | |||
| separable from using an Assertion as an authorization grant. They | authentication is orthogonal to and separable from using an Assertion | |||
| can be used either in combination or separately. Client assertion | as an authorization grant. They can be used either in combination or | |||
| authentication is nothing more than an alternative way for a client | separately. Client assertion authentication is nothing more than an | |||
| to authenticate to the token endpoint and must be used in conjunction | alternative way for a client to authenticate to the token endpoint | |||
| with some grant type to form a complete and meaningful protocol | and must be used in conjunction with some grant type to form a | |||
| request. Assertion authorization grants may be used with or without | complete and meaningful protocol request. Assertion authorization | |||
| client authentication or identification. Whether or not client | grants may be used with or without client authentication or | |||
| authentication is needed in conjunction with an assertion | identification. Whether or not client authentication is needed in | |||
| authorization grant, as well as the supported types of client | conjunction with an assertion authorization grant, as well as the | |||
| authentication, are policy decisions at the discretion of the | supported types of client authentication, are policy decisions at the | |||
| authorization server. | discretion of the authorization server. | |||
| The process by which the client obtains the SAML Assertion, prior to | The process by which the client obtains the SAML Assertion, prior to | |||
| exchanging it with the authorization server or using it for client | exchanging it with the authorization server or using it for client | |||
| authentication, is out of scope. | authentication, is out of scope. | |||
| 1.1. Notational Conventions | 1.1. Notational Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| Unless otherwise noted, all the protocol parameter names and values | Unless otherwise noted, all the protocol parameter names and values | |||
| are case sensitive. | are case sensitive. | |||
| 1.2. Terminology | 1.2. Terminology | |||
| All terms are as defined in The OAuth 2.0 Authorization Protocol | All terms are as defined in The OAuth 2.0 Authorization Framework | |||
| [RFC6749], OAuth 2.0 Assertion Profile [I-D.ietf-oauth-assertions], | [RFC6749], the Assertion Framework for OAuth 2.0 Client | |||
| and Security Assertion Markup Language (SAML) 2.0 | Authentication and Authorization Grants [I-D.ietf-oauth-assertions], | |||
| [OASIS.saml-core-2.0-os]. | and the Security Assertion Markup Language (SAML) 2.0 | |||
| [OASIS.saml-core-2.0-os] specifications. | ||||
| 2. HTTP Parameter Bindings for Transporting Assertions | 2. HTTP Parameter Bindings for Transporting Assertions | |||
| The OAuth 2.0 Assertion Profile [I-D.ietf-oauth-assertions] defines | The Assertion Framework for OAuth 2.0 Client Authentication and | |||
| generic HTTP parameters for transporting Assertions during | Authorization Grants [I-D.ietf-oauth-assertions] specification | |||
| interactions with a token endpoint. This section defines the values | defines generic HTTP parameters for transporting Assertions during | |||
| of those parameters for use with SAML 2.0 Bearer Assertions. | interactions with a token endpoint. This section defines specific | |||
| parameters and treatments of those parameters for use with SAML 2.0 | ||||
| Bearer Assertions. | ||||
| 2.1. Using SAML Assertions as Authorization Grants | 2.1. Using SAML Assertions as Authorization Grants | |||
| To use a SAML Bearer Assertion as an authorization grant, use the | To use a SAML Bearer Assertion as an authorization grant, use an | |||
| following parameter values and encodings. | access token request as defined in Section 4 of the Assertion | |||
| Framework for OAuth 2.0 Client Authentication and Authorization | ||||
| Grants [I-D.ietf-oauth-assertions] specification with the following | ||||
| specific parameter values and encodings. | ||||
| The value of the "grant_type" parameter MUST be | The value of the "grant_type" parameter MUST be | |||
| "urn:ietf:params:oauth:grant-type:saml2-bearer". | "urn:ietf:params:oauth:grant-type:saml2-bearer". | |||
| The value of the "assertion" parameter MUST contain a single SAML 2.0 | The value of the "assertion" parameter MUST contain a single SAML 2.0 | |||
| Assertion. The SAML Assertion XML data MUST be encoded using | Assertion. The SAML Assertion XML data MUST be encoded using | |||
| base64url, where the encoding adheres to the definition in Section 5 | base64url, where the encoding adheres to the definition in Section 5 | |||
| of RFC4648 [RFC4648] and where the padding bits are set to zero. To | of RFC 4648 [RFC4648] and where the padding bits are set to zero. To | |||
| avoid the need for subsequent encoding steps (by "application/ | avoid the need for subsequent encoding steps (by "application/x-www- | |||
| x-www-form-urlencoded" [W3C.REC-html401-19991224], for example), the | form-urlencoded" [W3C.REC-html401-19991224], for example), the | |||
| base64url encoded data SHOULD NOT be line wrapped and pad characters | base64url encoded data SHOULD NOT be line wrapped and pad characters | |||
| ("=") SHOULD NOT be included. | ("=") SHOULD NOT be included. | |||
| The "scope" parameter may be used, as defined in the Assertion | ||||
| Framework for OAuth 2.0 Client Authentication and Authorization | ||||
| Grants [I-D.ietf-oauth-assertions] specification, to indicate the | ||||
| requested scope. | ||||
| Authentication of the client is optional, as described in | ||||
| Section 3.2.1 of OAuth 2.0 [RFC6749] and consequently, the | ||||
| "client_id" is only needed when a form of client authentication that | ||||
| relies on the parameter is used. | ||||
| The following non-normative example demonstrates an Access Token | The following non-normative example demonstrates an Access Token | |||
| Request with an assertion as an authorization grant (with extra line | Request with an assertion as an authorization grant (with extra line | |||
| breaks for display purposes only): | breaks for display purposes only): | |||
| POST /token.oauth2 HTTP/1.1 | POST /token.oauth2 HTTP/1.1 | |||
| Host: as.example.com | Host: as.example.com | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer& | grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer& | |||
| assertion=PHNhbWxwOl...[omitted for brevity]...ZT4 | assertion=PHNhbWxwOl...[omitted for brevity]...ZT4 | |||
| skipping to change at page 5, line 39 | skipping to change at page 5, line 46 | |||
| To use a SAML Bearer Assertion for client authentication, use the | To use a SAML Bearer Assertion for client authentication, use the | |||
| following parameter values and encodings. | following parameter values and encodings. | |||
| The value of the "client_assertion_type" parameter MUST be | The value of the "client_assertion_type" parameter MUST be | |||
| "urn:ietf:params:oauth:client-assertion-type:saml2-bearer". | "urn:ietf:params:oauth:client-assertion-type:saml2-bearer". | |||
| The value of the "client_assertion" parameter MUST contain a single | The value of the "client_assertion" parameter MUST contain a single | |||
| SAML 2.0 Assertion. The SAML Assertion XML data MUST be encoded | SAML 2.0 Assertion. The SAML Assertion XML data MUST be encoded | |||
| using base64url, where the encoding adheres to the definition in | using base64url, where the encoding adheres to the definition in | |||
| Section 5 of RFC4648 [RFC4648] and where the padding bits are set to | Section 5 of RFC 4648 [RFC4648] and where the padding bits are set to | |||
| zero. To avoid the need for subsequent encoding steps (by | zero. To avoid the need for subsequent encoding steps (by | |||
| "application/x-www-form-urlencoded" [W3C.REC-html401-19991224], for | "application/x-www-form-urlencoded" [W3C.REC-html401-19991224], for | |||
| example), the base64url encoded data SHOULD NOT be line wrapped and | example), the base64url encoded data SHOULD NOT be line wrapped and | |||
| pad characters ("=") SHOULD NOT be included. | pad characters ("=") SHOULD NOT be included. | |||
| The following non-normative example demonstrates a client | The following non-normative example demonstrates a client | |||
| authenticating using an assertion during the presentation of an | authenticating using an assertion during the presentation of an | |||
| authorization code grant in an Access Token Request (with extra line | authorization code grant in an Access Token Request (with extra line | |||
| breaks for display purposes only): | breaks for display purposes only): | |||
| skipping to change at page 6, line 17 | skipping to change at page 6, line 22 | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| grant_type=authorization_code& | grant_type=authorization_code& | |||
| code=vAZEIHjQTHuGgaSvyW9hO0RpusLzkvTOww3trZBxZpo& | code=vAZEIHjQTHuGgaSvyW9hO0RpusLzkvTOww3trZBxZpo& | |||
| client_assertion_type=urn%3Aietf%3Aparams%3Aoauth | client_assertion_type=urn%3Aietf%3Aparams%3Aoauth | |||
| %3Aclient-assertion-type%3Asaml2-bearer& | %3Aclient-assertion-type%3Asaml2-bearer& | |||
| client_assertion=PHNhbW...[omitted for brevity]...ZT | client_assertion=PHNhbW...[omitted for brevity]...ZT | |||
| 3. Assertion Format and Processing Requirements | 3. Assertion Format and Processing Requirements | |||
| In order to issue an access token response as described in The OAuth | In order to issue an access token response as described in OAuth 2.0 | |||
| 2.0 Authorization Protocol [RFC6749] or to rely on an Assertion for | [RFC6749] or to rely on an Assertion for client authentication, the | |||
| client authentication, the authorization server MUST validate the | authorization server MUST validate the Assertion according to the | |||
| Assertion according to the criteria below. Application of additional | criteria below. Application of additional restrictions and policy | |||
| restrictions and policy are at the discretion of the authorization | are at the discretion of the authorization server. | |||
| server. | ||||
| o The Assertion's <Issuer> element MUST contain a unique identifier | 1. The Assertion's <Issuer> element MUST contain a unique | |||
| for the entity that issued the Assertion. | identifier for the entity that issued the Assertion. | |||
| o The Assertion MUST contain <Conditions> element with an | 2. The Assertion MUST contain a <Conditions> element with an | |||
| <AudienceRestriction> element with an <Audience> element | <AudienceRestriction> element with an <Audience> element that | |||
| containing a URI reference that identifies the authorization | identifies the authorization server as an intended audience. | |||
| server, or the service provider SAML entity of its controlling | Section 2.5.1.4 of Assertions and Protocols for the OASIS | |||
| domain, as an intended audience. The token endpoint URL of the | Security Assertion Markup Language [OASIS.saml-core-2.0-os] | |||
| authorization server MAY be used as an acceptable value for an | defines the <AudienceRestriction> and <Audience> elements and, | |||
| <Audience> element. The authorization server MUST verify that it | in addition to the URI references discussed there, the token | |||
| is an intended audience for the Assertion. | endpoint URL of the authorization server MAY be used as a URI | |||
| that identifies the authorization server as an intended | ||||
| audience. Assertions that do not identify the Authorization | ||||
| Server as an intended audience MUST be rejected. | ||||
| o The Assertion MUST contain a <Subject> element. The subject MAY | 3. The Assertion MUST contain a <Subject> element. The subject MAY | |||
| identify the resource owner for whom the access token is being | identify the resource owner for Additional information | |||
| requested. For client authentication, the Subject MUST be the | identifying the subject/principal of the transaction MAY be | |||
| "client_id" of the OAuth client. When using an Assertion as an | included in an <AttributeStatement>. | |||
| authorization grant, the Subject SHOULD identify an authorized | ||||
| accessor for whom the access token is being requested (typically | ||||
| the resource owner, or an authorized delegate). Additional | ||||
| information identifying the subject/principal of the transaction | ||||
| MAY be included in an <AttributeStatement>. | ||||
| o The Assertion MUST have an expiry that limits the time window | a. When using an Assertion as an authorization grant, the | |||
| during which it can be used. The expiry can be expressed either | Subject SHOULD identify an authorized accessor for whom the | |||
| as the NotOnOrAfter attribute of the <Conditions> element or as | access token is being requested (typically the resource | |||
| the NotOnOrAfter attribute of a suitable <SubjectConfirmationData> | owner, or an authorized delegate). | |||
| element. | ||||
| o The <Subject> element MUST contain at least one | b. For client authentication, the Subject MUST be the | |||
| <SubjectConfirmation> element that allows the authorization server | "client_id" of the OAuth client. | |||
| to confirm it as a Bearer Assertion. Such a <SubjectConfirmation> | ||||
| element MUST have a Method attribute with a value of | ||||
| "urn:oasis:names:tc:SAML:2.0:cm:bearer". The | ||||
| <SubjectConfirmation> element MUST contain a | ||||
| <SubjectConfirmationData> element, unless the Assertion has a | ||||
| suitable NotOnOrAfter attribute on the <Conditions> element, in | ||||
| which case the <SubjectConfirmationData> element MAY be omitted. | ||||
| When present, the <SubjectConfirmationData> element MUST have a | ||||
| Recipient attribute with a value indicating the token endpoint URL | ||||
| of the authorization server (or an acceptable alias). The | ||||
| authorization server MUST verify that the value of the Recipient | ||||
| attribute matches the token endpoint URL (or an acceptable alias) | ||||
| to which the Assertion was delivered. The | ||||
| <SubjectConfirmationData> element MUST have a NotOnOrAfter | ||||
| attribute that limits the window during which the Assertion can be | ||||
| confirmed. The <SubjectConfirmationData> element MAY also contain | ||||
| an Address attribute limiting the client address from which the | ||||
| Assertion can be delivered. Verification of the Address is at the | ||||
| discretion of the authorization server. | ||||
| o The authorization server MUST verify that the NotOnOrAfter instant | 4. The Assertion MUST have an expiry that limits the time window | |||
| has not passed, subject to allowable clock skew between systems. | during which it can be used. The expiry can be expressed either | |||
| An invalid NotOnOrAfter instant on the <Conditions> element | as the NotOnOrAfter attribute of the <Conditions> element or as | |||
| invalidates the entire Assertion. An invalid NotOnOrAfter instant | the NotOnOrAfter attribute of a suitable | |||
| on a <SubjectConfirmationData> element only invalidates the | <SubjectConfirmationData> element. | |||
| individual <SubjectConfirmation>. The authorization server MAY | ||||
| reject Assertions with a NotOnOrAfter instant that is unreasonably | ||||
| far in the future. The authorization server MAY ensure that | ||||
| Bearer Assertions are not replayed, by maintaining the set of used | ||||
| ID values for the length of time for which the Assertion would be | ||||
| considered valid based on the applicable NotOnOrAfter instant. | ||||
| o If the Assertion issuer authenticated the subject, the Assertion | 5. The <Subject> element MUST contain at least one | |||
| SHOULD contain a single <AuthnStatement> representing that | <SubjectConfirmation> element that allows the authorization | |||
| authentication event. | server to confirm it as a Bearer Assertion. Such a | |||
| <SubjectConfirmation> element MUST have a Method attribute with | ||||
| a value of "urn:oasis:names:tc:SAML:2.0:cm:bearer". The | ||||
| <SubjectConfirmation> element MUST contain a | ||||
| <SubjectConfirmationData> element, unless the Assertion has a | ||||
| suitable NotOnOrAfter attribute on the <Conditions> element, in | ||||
| which case the <SubjectConfirmationData> element MAY be omitted. | ||||
| When present, the <SubjectConfirmationData> element MUST have a | ||||
| Recipient attribute with a value indicating the token endpoint | ||||
| URL of the authorization server (or an acceptable alias). The | ||||
| authorization server MUST verify that the value of the Recipient | ||||
| attribute matches the token endpoint URL (or an acceptable | ||||
| alias) to which the Assertion was delivered. The | ||||
| <SubjectConfirmationData> element MUST have a NotOnOrAfter | ||||
| attribute that limits the window during which the Assertion can | ||||
| be confirmed. The <SubjectConfirmationData> element MAY also | ||||
| contain an Address attribute limiting the client address from | ||||
| which the Assertion can be delivered. Verification of the | ||||
| Address is at the discretion of the authorization server. | ||||
| o If the Assertion was issued with the intention that the presenter | 6. The authorization server MUST verify that the NotOnOrAfter | |||
| act autonomously on behalf of the subject, an <AuthnStatement> | instant has not passed, subject to allowable clock skew between | |||
| SHOULD NOT be included. The presenter SHOULD be identified in the | systems. An invalid NotOnOrAfter instant on the <Conditions> | |||
| <NameID> or similar element, the <SubjectConfirmation> element, or | element invalidates the entire Assertion. An invalid | |||
| by other available means like [OASIS.saml-deleg-cs]. | NotOnOrAfter instant on a <SubjectConfirmationData> element only | |||
| invalidates the individual <SubjectConfirmation>. The | ||||
| authorization server MAY reject Assertions with a NotOnOrAfter | ||||
| instant that is unreasonably far in the future. The | ||||
| authorization server MAY ensure that Bearer Assertions are not | ||||
| replayed, by maintaining the set of used ID values for the | ||||
| length of time for which the Assertion would be considered valid | ||||
| based on the applicable NotOnOrAfter instant. | ||||
| o Other statements, in particular <AttributeStatement> elements, MAY | 7. If the Assertion issuer authenticated the subject, the Assertion | |||
| be included in the Assertion. | SHOULD contain a single <AuthnStatement> representing that | |||
| authentication event. | ||||
| o The Assertion MUST be digitally signed by the issuer and the | 8. If the Assertion was issued with the intention that the | |||
| authorization server MUST verify the signature. | presenter act autonomously on behalf of the subject, an | |||
| <AuthnStatement> SHOULD NOT be included. The presenter SHOULD | ||||
| be identified in the <NameID> or similar element in the | ||||
| <SubjectConfirmation> element, or by other available means like | ||||
| SAML V2.0 Condition for Delegation Restriction | ||||
| [OASIS.saml-deleg-cs]. | ||||
| o Encrypted elements MAY appear in place of their plain text | 9. Other statements, in particular <AttributeStatement> elements, | |||
| counterparts as defined in [OASIS.saml-core-2.0-os]. | MAY be included in the Assertion. | |||
| o The authorization server MUST verify that the Assertion is valid | 10. The Assertion MUST be digitally signed or have a keyed message | |||
| in all other respects per [OASIS.saml-core-2.0-os], such as (but | digest applied by the issuer. The authorization server MUST | |||
| not limited to) evaluating all content within the Conditions | reject assertions with an invalid signature or keyed message | |||
| element including the NotOnOrAfter and NotBefore attributes, | digest. | |||
| rejecting unknown condition types, etc. | ||||
| 11. Encrypted elements MAY appear in place of their plain text | ||||
| counterparts as defined in [OASIS.saml-core-2.0-os]. | ||||
| 12. The authorization server MUST verify that the Assertion is valid | ||||
| in all other respects per [OASIS.saml-core-2.0-os], such as (but | ||||
| not limited to) evaluating all content within the Conditions | ||||
| element including the NotOnOrAfter and NotBefore attributes, | ||||
| rejecting unknown condition types, etc. | ||||
| 3.1. Authorization Grant Processing | 3.1. Authorization Grant Processing | |||
| If present, the authorization server MUST also validate the client | Assertion authorization grants may be used with or without client | |||
| credentials. | authentication or identification. Whether or not client | |||
| authentication is needed in conjunction with an assertion | ||||
| authorization grant, as well as the supported types of client | ||||
| authentication, are policy decisions at the discretion of the | ||||
| authorization server. However, if client credentials are present in | ||||
| the request, the authorization server MUST validate them. | ||||
| If the Assertion is not valid, or its subject confirmation | If the Assertion is not valid, or its subject confirmation | |||
| requirements cannot be met, the authorization server MUST construct | requirements cannot be met, the authorization server MUST construct | |||
| an error response as defined in OAuth 2.0 [RFC6749]. The value of | an error response as defined in OAuth 2.0 [RFC6749]. The value of | |||
| the "error" parameter MUST be the "invalid_grant" error code. The | the "error" parameter MUST be the "invalid_grant" error code. The | |||
| authorization server MAY include additional information regarding the | authorization server MAY include additional information regarding the | |||
| reasons the Assertion was considered invalid using the | reasons the Assertion was considered invalid using the | |||
| "error_description" or "error_uri" parameters. | "error_description" or "error_uri" parameters. | |||
| For example: | For example: | |||
| skipping to change at page 9, line 10 | skipping to change at page 9, line 29 | |||
| the "error" parameter MUST be the "invalid_client" error code. The | the "error" parameter MUST be the "invalid_client" error code. The | |||
| authorization server MAY include additional information regarding the | authorization server MAY include additional information regarding the | |||
| reasons the Assertion was considered invalid using the | reasons the Assertion was considered invalid using the | |||
| "error_description" or "error_uri" parameters. | "error_description" or "error_uri" parameters. | |||
| 4. Authorization Grant Example | 4. Authorization Grant Example | |||
| Though non-normative, the following examples illustrate what a | Though non-normative, the following examples illustrate what a | |||
| conforming Assertion and access token request would look like. | conforming Assertion and access token request would look like. | |||
| The example shows an assertion issued and signed by the SAML Identity | ||||
| Provider identified as "https://saml-idp.example.com". The subject | ||||
| of the assertion is identified by email address as | ||||
| "brian@example.com", who authenticated to the Identity Provider by | ||||
| means of a digital signature where the key was validated as part of | ||||
| an X.509 Public Key Infrastructure. The intended audience of the | ||||
| assertion is "https://saml-sp.example.net", which is an identifier | ||||
| for a SAML Service Provider with which the authorization server | ||||
| identifies itself. The assertion is sent as part of an access token | ||||
| request to the authorization server's token endpoint at "https:// | ||||
| authz.example.net/token.oauth2". | ||||
| Below is an example SAML 2.0 Assertion (whitespace formatting is for | Below is an example SAML 2.0 Assertion (whitespace formatting is for | |||
| display purposes only): | display purposes only): | |||
| <Assertion IssueInstant="2010-10-01T20:07:34.619Z" | <Assertion IssueInstant="2010-10-01T20:07:34.619Z" | |||
| ID="ef1xsbZxPV2oqjd7HTLRLIBlBb7" | ID="ef1xsbZxPV2oqjd7HTLRLIBlBb7" | |||
| Version="2.0" | Version="2.0" | |||
| xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> | xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> | |||
| <Issuer>https://saml-idp.example.com</Issuer> | <Issuer>https://saml-idp.example.com</Issuer> | |||
| <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | |||
| [...omitted for brevity...] | [...omitted for brevity...] | |||
| </ds:Signature> | </ds:Signature> | |||
| <Subject> | <Subject> | |||
| <NameID | <NameID | |||
| Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> | Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> | |||
| brian@example.com | brian@example.com | |||
| </NameID> | </NameID> | |||
| <SubjectConfirmation | <SubjectConfirmation | |||
| Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> | Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> | |||
| <SubjectConfirmationData | <SubjectConfirmationData | |||
| NotOnOrAfter="2010-10-01T20:12:34.619Z" | NotOnOrAfter="2010-10-01T20:12:34.619Z" | |||
| Recipient="https://authz.example.net/token.oauth2"/> | Recipient="https://authz.example.net/token.oauth2"/> | |||
| </SubjectConfirmation> | </SubjectConfirmation> | |||
| </Subject> | </Subject> | |||
| <Conditions> | <Conditions> | |||
| <AudienceRestriction> | <AudienceRestriction> | |||
| <Audience>https://saml-sp.example.net</Audience> | <Audience>https://saml-sp.example.net</Audience> | |||
| </AudienceRestriction> | </AudienceRestriction> | |||
| </Conditions> | </Conditions> | |||
| <AuthnStatement AuthnInstant="2010-10-01T20:07:34.371Z"> | <AuthnStatement AuthnInstant="2010-10-01T20:07:34.371Z"> | |||
| <AuthnContext> | <AuthnContext> | |||
| <AuthnContextClassRef> | <AuthnContextClassRef> | |||
| urn:oasis:names:tc:SAML:2.0:ac:classes:X509 | urn:oasis:names:tc:SAML:2.0:ac:classes:X509 | |||
| </AuthnContextClassRef> | </AuthnContextClassRef> | |||
| </AuthnContext> | </AuthnContext> | |||
| </AuthnStatement> | </AuthnStatement> | |||
| </Assertion> | </Assertion> | |||
| Figure 1: Example SAML 2.0 Assertion | Figure 1: Example SAML 2.0 Assertion | |||
| To present the Assertion shown in the previous example as part of an | To present the Assertion shown in the previous example as part of an | |||
| access token request, for example, the client might make the | access token request, for example, the client might make the | |||
| following HTTPS request (with extra line breaks for display purposes | following HTTPS request (with extra line breaks for display purposes | |||
| only): | only): | |||
| POST /token.oauth2 HTTP/1.1 | POST /token.oauth2 HTTP/1.1 | |||
| Host: authz.example.net | Host: authz.example.net | |||
| skipping to change at page 10, line 17 | skipping to change at page 11, line 4 | |||
| following HTTPS request (with extra line breaks for display purposes | following HTTPS request (with extra line breaks for display purposes | |||
| only): | only): | |||
| POST /token.oauth2 HTTP/1.1 | POST /token.oauth2 HTTP/1.1 | |||
| Host: authz.example.net | Host: authz.example.net | |||
| Content-Type: application/x-www-form-urlencoded | Content-Type: application/x-www-form-urlencoded | |||
| grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2- | grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2- | |||
| bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU | bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU | |||
| [...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24- | [...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24- | |||
| Figure 2: Example Request | Figure 2: Example Request | |||
| 5. Security Considerations | 5. Interoperability Considerations | |||
| Agreement between system entities regarding identifiers, keys, and | ||||
| endpoints is required in order to achieve interoperable deployments | ||||
| of this profile. Specific items that require agreement are as | ||||
| follows: values for the issuer and audience identifiers, the location | ||||
| of the token endpoint, and the key used to apply and verify the | ||||
| digital signature over the assertion. The exchange of such | ||||
| information is explicitly out of scope for this specification and | ||||
| typical deployment of it will be done alongside existing SAML Web SSO | ||||
| deployments that have already established a means of exchanging such | ||||
| information. Metadata for the OASIS Security Assertion Markup | ||||
| Language (SAML) V2.0 [OASIS.saml-metadata-2.0-os] is one common | ||||
| method of exchanging SAML related information about system entities. | ||||
| 6. Security Considerations | ||||
| No additional security considerations apply beyond those described | No additional security considerations apply beyond those described | |||
| within The OAuth 2.0 Authorization Protocol [RFC6749], the OAuth 2.0 | within The OAuth 2.0 Authorization Framework [RFC6749], the Assertion | |||
| Assertion Profile [I-D.ietf-oauth-assertions], and in the Security | Framework for OAuth 2.0 Client Authentication and Authorization | |||
| and Privacy Considerations for the OASIS Security Assertion Markup | Grants [I-D.ietf-oauth-assertions], and the Security and Privacy | |||
| Language (SAML) V2.0 [OASIS.saml-sec-consider-2.0-os]. | Considerations for the OASIS Security Assertion Markup Language | |||
| (SAML) V2.0 [OASIS.saml-sec-consider-2.0-os] specifications. | ||||
| 6. IANA Considerations | 7. IANA Considerations | |||
| 6.1. Sub-Namespace Registration of | 7.1. Sub-Namespace Registration of urn:ietf:params:oauth:grant- | |||
| urn:ietf:params:oauth:grant-type:saml2-bearer | type:saml2-bearer | |||
| This is a request to IANA to please register the value | This is a request to IANA to please register the value "grant- | |||
| "grant-type:saml2-bearer" in the registry urn:ietf:params:oauth | type:saml2-bearer" in the registry urn:ietf:params:oauth established | |||
| established in An IETF URN Sub-Namespace for OAuth [RFC6755]. | in An IETF URN Sub-Namespace for OAuth [RFC6755]. | |||
| o URN: urn:ietf:params:oauth:grant-type:saml2-bearer | o URN: urn:ietf:params:oauth:grant-type:saml2-bearer | |||
| o Common Name: SAML 2.0 Bearer Assertion Grant Type Profile for | o Common Name: SAML 2.0 Bearer Assertion Grant Type Profile for | |||
| OAuth 2.0 | OAuth 2.0 | |||
| o Change controller: IETF | o Change controller: IETF | |||
| o Specification Document: [[this document]] | o Specification Document: [[this document]] | |||
| 6.2. Sub-Namespace Registration of | 7.2. Sub-Namespace Registration of urn:ietf:params:oauth:client- | |||
| urn:ietf:params:oauth:client-assertion-type:saml2-bearer | assertion-type:saml2-bearer | |||
| This is a request to IANA to please register the value | This is a request to IANA to please register the value "client- | |||
| "client-assertion-type:saml2-bearer" in the registry | assertion-type:saml2-bearer" in the registry urn:ietf:params:oauth | |||
| urn:ietf:params:oauth established in An IETF URN Sub-Namespace for | established in An IETF URN Sub-Namespace for OAuth [RFC6755]. | |||
| OAuth [RFC6755]. | ||||
| o URN: urn:ietf:params:oauth:client-assertion-type:saml2-bearer | o URN: urn:ietf:params:oauth:client-assertion-type:saml2-bearer | |||
| o Common Name: SAML 2.0 Bearer Assertion Profile for OAuth 2.0 | o Common Name: SAML 2.0 Bearer Assertion Profile for OAuth 2.0 | |||
| Client Authentication | Client Authentication | |||
| o Change controller: IETF | o Change controller: IETF | |||
| o Specification Document: [[this document]] | o Specification Document: [[this document]] | |||
| 7. References | 8. References | |||
| 7.1. Normative References | 8.1. Normative References | |||
| [I-D.ietf-oauth-assertions] | [I-D.ietf-oauth-assertions] | |||
| Campbell, B., Mortimore, C., Jones, M., and Y. Goland, | Campbell, B., Mortimore, C., Jones, M., and Y. Goland, | |||
| "Assertion Framework for OAuth 2.0", | "Assertion Framework for OAuth 2.0", draft-ietf-oauth- | |||
| draft-ietf-oauth-assertions-06 (work in progress), | assertions-10 (work in progress), January 2013. | |||
| September 2012. | ||||
| [OASIS.saml-core-2.0-os] | [OASIS.saml-core-2.0-os] | |||
| Cantor, S., Kemp, J., Philpott, R., and E. Maler, | Cantor, S., Kemp, J., Philpott, R., and E. Maler, | |||
| "Assertions and Protocol for the OASIS Security Assertion | "Assertions and Protocol for the OASIS Security Assertion | |||
| Markup Language (SAML) V2.0", OASIS Standard saml-core- | Markup Language (SAML) V2.0", OASIS Standard saml- | |||
| 2.0-os, March 2005. | core-2.0-os, March 2005. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | |||
| Encodings", RFC 4648, October 2006. | Encodings", RFC 4648, October 2006. | |||
| [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", | [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC | |||
| RFC 6749, October 2012. | 6749, October 2012. | |||
| [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | |||
| for OAuth", RFC 6755, October 2012. | for OAuth", RFC 6755, October 2012. | |||
| 7.2. Informative References | 8.2. Informative References | |||
| [OASIS.saml-deleg-cs] | [OASIS.saml-deleg-cs] | |||
| Cantor, S., Ed., "SAML V2.0 Condition for Delegation | Cantor, S., Ed., "SAML V2.0 Condition for Delegation | |||
| Restriction", Nov 2009. | Restriction", Nov 2009. | |||
| [OASIS.saml-metadata-2.0-os] | ||||
| Cantor, S., Moreh, J., Philpott, R., and E. Maler, | ||||
| "Metadata for the Security Assertion Markup Language | ||||
| (SAML) V2.0", OASIS Standard saml-metadata-2.0-os, March | ||||
| 2005. | ||||
| [OASIS.saml-profiles-2.0-os] | [OASIS.saml-profiles-2.0-os] | |||
| Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, | Hughes, J., Cantor, S., Hodges, J., Hirsch, F., Mishra, | |||
| P., Philpott, R., and E. Maler, "Profiles for the OASIS | P., Philpott, R., and E. Maler, "Profiles for the OASIS | |||
| Security Assertion Markup Language (SAML) V2.0", OASIS | Security Assertion Markup Language (SAML) V2.0", OASIS | |||
| Standard OASIS.saml-profiles-2.0-os, March 2005. | Standard OASIS.saml-profiles-2.0-os, March 2005. | |||
| [OASIS.saml-sec-consider-2.0-os] | [OASIS.saml-sec-consider-2.0-os] | |||
| Hirsch, F., Philpott, R., and E. Maler, "Security and | Hirsch, F., Philpott, R., and E. Maler, "Security and | |||
| Privacy Considerations for the OASIS Security Markup | Privacy Considerations for the OASIS Security Markup | |||
| Language (SAML) V2.0", OASIS Standard saml-sec-consider- | Language (SAML) V2.0", OASIS Standard saml-sec- | |||
| 2.0-os, March 2005. | consider-2.0-os, March 2005. | |||
| [W3C.REC-html401-19991224] | [W3C.REC-html401-19991224] | |||
| Hors, A., Raggett, D., and I. Jacobs, "HTML 4.01 | Hors, A., Raggett, D., and I. Jacobs, "HTML 4.01 | |||
| Specification", World Wide Web Consortium | Specification", World Wide Web Consortium Recommendation | |||
| Recommendation REC-html401-19991224, December 1999, | REC-html401-19991224, December 1999, | |||
| <http://www.w3.org/TR/1999/REC-html401-19991224>. | <http://www.w3.org/TR/1999/REC-html401-19991224>. | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| The following people contributed wording and concepts to this | The following people contributed wording and concepts to this | |||
| document: Paul Madsen, Patrick Harding, Peter Motykowski, Eran | document: Paul Madsen, Patrick Harding, Peter Motykowski, Eran | |||
| Hammer, Peter Saint-Andre, Ian Barnett, Eric Fazendin, Torsten | Hammer, Peter Saint-Andre, Ian Barnett, Eric Fazendin, Torsten | |||
| Lodderstedt, Susan Harper, Scott Tomilson, Scott Cantor, Michael B. | Lodderstedt, Susan Harper, Scott Tomilson, Scott Cantor, Hannes | |||
| Jones, Hannes Tschofenig, David Waite, Phil Hunt, and Mukesh | Tschofenig, David Waite, Phil Hunt, and Mukesh Bhatnagar. | |||
| Bhatnagar. | ||||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by RFC editor before publication as an RFC ]] | [[ to be removed by RFC editor before publication as an RFC ]] | |||
| draft-ietf-oauth-saml2-bearer-16 | ||||
| o Changed title from "SAML 2.0 Bearer Assertion Profiles for OAuth | ||||
| 2.0" to "SAML 2.0 Profile for OAuth 2.0 Client Authentication and | ||||
| Authorization Grants" to be more explicit about the scope of the | ||||
| document per http://www.ietf.org/mail-archive/web/oauth/current/ | ||||
| msg11063.html. | ||||
| o Fixed typo in text identifying the presenter from "or similar | ||||
| element, the" to "or similar element in the". | ||||
| o Numbered the list of processing rules. | ||||
| o Smallish editorial cleanups to try and improve readability and | ||||
| comprehensibility. | ||||
| o Cleaner split out of the processing rules in cases where they | ||||
| differ for client authentication and authorization grants. | ||||
| o Clarified the parameters that are used/available for authorization | ||||
| grants. | ||||
| o Added Interoperability Considerations section and info reference | ||||
| to SAML Metadata. | ||||
| o Added more explanatory context to the example in Section 4. | ||||
| draft-ietf-oauth-saml2-bearer-15 | draft-ietf-oauth-saml2-bearer-15 | |||
| o Reference RFC 6749 and RFC 6755. | o Reference RFC 6749 and RFC 6755. | |||
| o Update draft-ietf-oauth-assertions reference to -06. | o Update draft-ietf-oauth-assertions reference to -06. | |||
| o Remove extraneous word per | o Remove extraneous word per http://www.ietf.org/mail-archive/web/ | |||
| http://www.ietf.org/mail-archive/web/oauth/current/msg10055.html | oauth/current/msg10055.html | |||
| draft-ietf-oauth-saml2-bearer-14 | draft-ietf-oauth-saml2-bearer-14 | |||
| o Add more text to intro explaining that an assertion grant type can | o Add more text to intro explaining that an assertion grant type can | |||
| be used with or without client authentication/identification and | be used with or without client authentication/identification and | |||
| that client assertion authentication is nothing more than an | that client assertion authentication is nothing more than an | |||
| alternative way for a client to authenticate to the token endpoint | alternative way for a client to authenticate to the token endpoint | |||
| o Add examples to Sections 2.1 and 2.2 | o Add examples to Sections 2.1 and 2.2 | |||
| skipping to change at page 13, line 24 | skipping to change at page 15, line 5 | |||
| o Changed "Description" to "Specification Document" in both | o Changed "Description" to "Specification Document" in both | |||
| registration requests in IANA Considerations per changes to the | registration requests in IANA Considerations per changes to the | |||
| template in ietf-oauth-urn-sub-ns(-03) | template in ietf-oauth-urn-sub-ns(-03) | |||
| o Added "(or an acceptable alias)" so that it's in both sentences | o Added "(or an acceptable alias)" so that it's in both sentences | |||
| about Recipient and the token endpoint URL so there's no ambiguity | about Recipient and the token endpoint URL so there's no ambiguity | |||
| o Update area and workgroup (now Security and OAuth was Internet and | o Update area and workgroup (now Security and OAuth was Internet and | |||
| nothing) | nothing) | |||
| draft-ietf-oauth-saml2-bearer-12 | ||||
| o updated reference to draft-ietf-oauth-v2 from -25 to -26 and | o updated reference to draft-ietf-oauth-v2 from -25 to -26 and | |||
| draft-ietf-oauth-assertions from -02 to -03 | draft-ietf-oauth-assertions from -02 to -03 | |||
| draft-ietf-oauth-saml2-bearer-11 | draft-ietf-oauth-saml2-bearer-11 | |||
| o Removed text about limited lifetime access tokens and the SHOULD | o Removed text about limited lifetime access tokens and the SHOULD | |||
| NOT on issuing refresh tokens. The text was moved to | NOT on issuing refresh tokens. The text was moved to draft-ietf- | |||
| draft-ietf-oauth-assertions-02 and somewhat modified per | oauth-assertions-02 and somewhat modified per http://www.ietf.org/ | |||
| http://www.ietf.org/mail-archive/web/oauth/current/msg08298.html. | mail-archive/web/oauth/current/msg08298.html. | |||
| o Fixed typo/missing word per | o Fixed typo/missing word per http://www.ietf.org/mail-archive/web/ | |||
| http://www.ietf.org/mail-archive/web/oauth/current/msg08733.html. | oauth/current/msg08733.html. | |||
| o Added Terminology section. | o Added Terminology section. | |||
| draft-ietf-oauth-saml2-bearer-10 | draft-ietf-oauth-saml2-bearer-10 | |||
| o fix a spelling mistake | o fix a spelling mistake | |||
| draft-ietf-oauth-saml2-bearer-09 | draft-ietf-oauth-saml2-bearer-09 | |||
| o Attempt to address an ambiguity around validation requirements | o Attempt to address an ambiguity around validation requirements | |||
| skipping to change at page 14, line 19 | skipping to change at page 15, line 47 | |||
| though it's implied by schema) | though it's implied by schema) | |||
| o fix a typo | o fix a typo | |||
| draft-ietf-oauth-saml2-bearer-08 | draft-ietf-oauth-saml2-bearer-08 | |||
| o fix some typos | o fix some typos | |||
| draft-ietf-oauth-saml2-bearer-07 | draft-ietf-oauth-saml2-bearer-07 | |||
| o update reference from draft-campbell-oauth-urn-sub-ns to | o update reference from draft-campbell-oauth-urn-sub-ns to draft- | |||
| draft-ietf-oauth-urn-sub-ns | ietf-oauth-urn-sub-ns | |||
| o Updated to reference draft-ietf-oauth-v2-20 | o Updated to reference draft-ietf-oauth-v2-20 | |||
| draft-ietf-oauth-saml2-bearer-06 | ||||
| o Fix three typos NamseID->NameID and (2x) Namspace->Namespace | o Fix three typos NamseID->NameID and (2x) Namspace->Namespace | |||
| draft-ietf-oauth-saml2-bearer-05 | draft-ietf-oauth-saml2-bearer-05 | |||
| o Allow for subject confirmation data to be optional when Conditions | o Allow for subject confirmation data to be optional when Conditions | |||
| contain audience and NotOnOrAfter | contain audience and NotOnOrAfter | |||
| o Rework most of the spec to profile draft-ietf-oauth-assertions for | o Rework most of the spec to profile draft-ietf-oauth-assertions for | |||
| both authn and authz including (but not limited to): | both authn and authz including (but not limited to): | |||
| * remove requirement for issuer to be | * remove requirement for issuer to be urn:oasis:names:tc:SAML:2.0 | |||
| urn:oasis:names:tc:SAML:2.0:nameid-format:entity | :nameid-format:entity | |||
| * change wording on Subject requirements | * change wording on Subject requirements | |||
| o using a MAY, explicitly say that the Audience can be token | o using a MAY, explicitly say that the Audience can be token | |||
| endpoint URL of the authorization server | endpoint URL of the authorization server | |||
| o Change title to be more generic (allowing for client authn too) | o Change title to be more generic (allowing for client authn too) | |||
| o added client authentication to the abstract | o added client authentication to the abstract | |||
| o register and use urn:ietf:params:oauth:grant-type:saml2-bearer for | o register and use urn:ietf:params:oauth:grant-type:saml2-bearer for | |||
| grant type rather than http://oauth.net/grant_type/saml/2.0/bearer | grant type rather than http://oauth.net/grant_type/saml/2.0/bearer | |||
| o register urn:ietf:params:oauth:client-assertion-type:saml2-bearer | o register urn:ietf:params:oauth:client-assertion-type:saml2-bearer | |||
| o remove scope parameter as it is defined in | o remove scope parameter as it is defined in http://tools.ietf.org/ | |||
| http://tools.ietf.org/html/draft-ietf-oauth-assertions | html/draft-ietf-oauth-assertions | |||
| o remove assertion param registration because it [should] be in | o remove assertion param registration because it [should] be in | |||
| http://tools.ietf.org/html/draft-ietf-oauth-assertions | http://tools.ietf.org/html/draft-ietf-oauth-assertions | |||
| o fix typo(s) and update/add references | o fix typo(s) and update/add references | |||
| draft-ietf-oauth-saml2-bearer-04 | draft-ietf-oauth-saml2-bearer-04 | |||
| o Changed the grant_type URI from | o Changed the grant_type URI from "http://oauth.net/grant_type/ | |||
| "http://oauth.net/grant_type/assertion/saml/2.0/bearer" to | assertion/saml/2.0/bearer" to "http://oauth.net/grant_type/saml/ | |||
| "http://oauth.net/grant_type/saml/2.0/bearer" - dropping the word | 2.0/bearer" - dropping the word assertion from the path. Recent | |||
| assertion from the path. Recent versions of draft-ietf-oauth-v2 | versions of draft-ietf-oauth-v2 no longer refer to extension | |||
| no longer refer to extension grants using the word assertion so | grants using the word assertion so this URI is more reflective of | |||
| this URI is more reflective of that. It also more closely aligns | that. It also more closely aligns with the grant type URI in | |||
| with the grant type URI in draft-jones-oauth-jwt-bearer-00 which | draft-jones-oauth-jwt-bearer-00 which is "http://oauth.net/ | |||
| is "http://oauth.net/grant_type/jwt/1.0/bearer". | grant_type/jwt/1.0/bearer". | |||
| o Added "case sensitive" to scope definition to align with | o Added "case sensitive" to scope definition to align with draft- | |||
| draft-ietf-oauth-v2-15/16. | ietf-oauth-v2-15/16. | |||
| o Updated to reference draft-ietf-oauth-v2-16 | o Updated to reference draft-ietf-oauth-v2-16 | |||
| draft-ietf-oauth-saml2-bearer-03 | draft-ietf-oauth-saml2-bearer-03 | |||
| o Cleanup of some editorial issues. | o Cleanup of some editorial issues. | |||
| draft-ietf-oauth-saml2-bearer-02 | draft-ietf-oauth-saml2-bearer-02 | |||
| o Added scope parameter with text copied from draft-ietf-oauth-v2-12 | o Added scope parameter with text copied from draft-ietf-oauth-v2-12 | |||
| (the reorg of draft-ietf-oauth-v2-12 made it so scope wasn't | (the reorg of draft-ietf-oauth-v2-12 made it so scope wasn't | |||
| really inherited by this spec anymore) | really inherited by this spec anymore) | |||
| o Change definition of the assertion parameter to be more generally | o Change definition of the assertion parameter to be more generally | |||
| applicable per the suggestion near the end of | applicable per the suggestion near the end of http://www.ietf.org/ | |||
| http://www.ietf.org/mail-archive/web/oauth/current/msg05253.html | mail-archive/web/oauth/current/msg05253.html | |||
| o Editorial changes based on feedback | o Editorial changes based on feedback | |||
| draft-ietf-oauth-saml2-bearer-01 | draft-ietf-oauth-saml2-bearer-01 | |||
| o Update spec name when referencing draft-ietf-oauth-v2 (The OAuth | o Update spec name when referencing draft-ietf-oauth-v2 (The OAuth | |||
| 2.0 Protocol Framework -> The OAuth 2.0 Authorization Protocol) | 2.0 Protocol Framework -> The OAuth 2.0 Authorization Protocol) | |||
| o Update wording in Introduction to talk about extension grant types | o Update wording in Introduction to talk about extension grant types | |||
| rather than the assertion grant type which is a term no longer | rather than the assertion grant type which is a term no longer | |||
| skipping to change at page 17, line 8 | skipping to change at page 18, line 35 | |||
| o Added some wording about identifying the client when the subject | o Added some wording about identifying the client when the subject | |||
| hasn't directly authenticated including an informative reference | hasn't directly authenticated including an informative reference | |||
| to SAML V2.0 Condition for Delegation Restriction. | to SAML V2.0 Condition for Delegation Restriction. | |||
| o Added a few examples to the language about verifying that the | o Added a few examples to the language about verifying that the | |||
| Assertion is valid in all other respects. | Assertion is valid in all other respects. | |||
| o Added some wording to the introduction about the similarities to | o Added some wording to the introduction about the similarities to | |||
| Web SSO in the format and processing rules | Web SSO in the format and processing rules | |||
| o Changed the grant_type (was assertion_type) URI from | o Changed the grant_type (was assertion_type) URI from http:// | |||
| http://oauth.net/assertion_type/saml/2.0/bearer to | oauth.net/assertion_type/saml/2.0/bearer to http://oauth.net/ | |||
| http://oauth.net/grant_type/assertion/saml/2.0/bearer | grant_type/assertion/saml/2.0/bearer | |||
| o Changed title to include "Grant Type" in it. | o Changed title to include "Grant Type" in it. | |||
| o Editorial updates based on feedback from the WG and others | o Editorial updates based on feedback from the WG and others | |||
| (including capitalization of Assertion when referring to SAML). | (including capitalization of Assertion when referring to SAML). | |||
| draft-campbell-oauth-saml-00 | draft-campbell-oauth-saml-00 | |||
| o Initial I-D | o Initial I-D | |||
| skipping to change at line 754 | skipping to change at page 19, line 16 | |||
| Brian Campbell | Brian Campbell | |||
| Ping Identity Corp. | Ping Identity Corp. | |||
| Email: brian.d.campbell@gmail.com | Email: brian.d.campbell@gmail.com | |||
| Chuck Mortimore | Chuck Mortimore | |||
| Salesforce.com | Salesforce.com | |||
| Email: cmortimore@salesforce.com | Email: cmortimore@salesforce.com | |||
| Michael B. Jones | ||||
| Microsoft | ||||
| Email: mbj@microsoft.com | ||||
| URI: http://self-issued.info/ | ||||
| End of changes. 64 change blocks. | ||||
| 254 lines changed or deleted | 343 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||