draft-ietf-oauth-device-flow-10.txt   draft-ietf-oauth-device-flow-11.txt

OAuth                                                            W. Denniss
Internet-Draft                                                       Google
Intended status: Standards Track                                 J. Bradley
Expires: December 3, 2018 (-10) / January 18, 2019 (-11)      Ping Identity
                                                                   M. Jones
                                                                  Microsoft
                                                              H. Tschofenig
                                                                ARM Limited
                                      June 01, 2018 (-10) / July 17, 2018 (-11)

      OAuth 2.0 Device Flow for Browserless and Input Constrained Devices
         draft-ietf-oauth-device-flow-10 / draft-ietf-oauth-device-flow-11
Abstract

   This OAuth 2.0 authorization flow for browserless and input
   constrained devices, often referred to as the device flow, enables
   OAuth clients to request user authorization from devices that have an
   Internet connection, but don't have an easy input method (such as a
   smart TV, media console, picture frame, or printer), or lack a
   suitable browser for a more traditional OAuth flow.  This
   authorization flow instructs the user to perform the authorization

   skipping to change at page 1, line 44

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   -10: This Internet-Draft will expire on December 3, 2018.
   -11: This Internet-Draft will expire on January 18, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   skipping to change at page 11, line 13

   this flow useful in many scenarios.  For example, an HTML application
   on a TV that can only make outbound requests.  If a return channel
   were to exist for the chosen user interaction interface, then the
   device MAY wait until notified on that channel that the user has
   completed the action before initiating the token request.  Such
   behavior is, however, outside the scope of this specification.

4.  Discovery Metadata

   -10: Support for the device flow MAY be declared in the OAuth 2.0
        Authorization Server Metadata [I-D.ietf-oauth-discovery] with the
        following metadata:
   -11: Support for the device flow MAY be declared in the OAuth 2.0
        Authorization Server Metadata [RFC8414] with the following
        metadata:

   device_authorization_endpoint
      OPTIONAL.  URL of the authorization server's device authorization
      endpoint defined in Section 3.1.
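As an added example (not code from the draft or from any of its authors' projects), the following Python client reads the device_authorization_endpoint from an authorization server metadata document as Section 4 describes, then polls the token endpoint the way the Section 3 text above describes, treating the expired_token and access_denied errors registered later in this document as terminal. The authorization server is replaced by a constructed in-process stand-in so the example runs offline; the metadata values, client_id, codes and token are constructed. The grant type URN, the 5-second default polling interval and the authorization_pending and slow_down error codes come from the full draft rather than from this excerpt, and the "endpoint must be an absolute https URL" check is a client-side policy assumed here, not a requirement quoted from the draft.

```python
import json
from urllib.parse import urlparse

# Grant type URN defined by the device-flow draft (value from the full draft).
DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"

# Constructed authorization server metadata document (RFC 8414 shape) that
# declares the OPTIONAL device_authorization_endpoint from Section 4.
METADATA_JSON = json.dumps({
    "issuer": "https://as.example",
    "token_endpoint": "https://as.example/token",
    "device_authorization_endpoint": "https://as.example/device_authorization",
})


def discover_device_endpoint(metadata_json):
    """Return the device authorization endpoint declared in the metadata,
    or None when the server does not advertise device-flow support.
    Client-side policy assumed by this example: the endpoint must be an
    absolute https URL, otherwise the metadata is rejected."""
    metadata = json.loads(metadata_json)
    url = metadata.get("device_authorization_endpoint")
    if url is None:
        return None
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("device_authorization_endpoint must be an absolute https URL")
    return url


class FakeAuthorizationServer:
    """Constructed in-process stand-in for the authorization server.
    `token_script` lists the token endpoint responses handed to successive
    polls, mimicking a user who takes a few polls to approve (or denies)."""

    def __init__(self, token_script):
        self._script = list(token_script)
        self.polls = 0

    def device_authorization(self, client_id, scope):
        # Device authorization response with constructed values.
        return {"device_code": "device-code-constructed",
                "user_code": "WDJB-MJHT",
                "verification_uri": "https://as.example/device",
                "expires_in": 1800,
                "interval": 5}

    def token(self, params):
        if params.get("grant_type") != DEVICE_GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        self.polls += 1
        return self._script.pop(0)


def poll_for_token(server, device_code, interval, client_id, sleep):
    """Poll the token endpoint until a token or a terminal error arrives.
    Waits `interval` seconds between polls and backs off by 5 seconds on
    slow_down; expired_token, access_denied and any other error end the
    flow, after which a device must start a new authorization request."""
    while True:
        sleep(interval)
        response = server.token({"grant_type": DEVICE_GRANT_TYPE,
                                 "device_code": device_code,
                                 "client_id": client_id})
        if "access_token" in response:
            return "ok", response
        error = response.get("error")
        if error == "authorization_pending":
            continue
        if error == "slow_down":
            interval += 5
            continue
        return "failed", error


def run_device_flow(server, metadata_json, client_id, scope, sleep=lambda s: None):
    """Client side of the whole flow: discover, request codes, show them, poll.
    Returns ("unsupported", None), ("ok", token_response) or ("failed", error)."""
    if discover_device_endpoint(metadata_json) is None:
        return "unsupported", None
    auth = server.device_authorization(client_id, scope)
    # A real device would display auth["user_code"] and auth["verification_uri"] here.
    interval = auth.get("interval", 5)  # the draft's default when the field is absent
    return poll_for_token(server, auth["device_code"], interval, client_id, sleep)


if __name__ == "__main__":
    waits = []
    server = FakeAuthorizationServer([
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        {"error": "authorization_pending"},
        {"access_token": "token-constructed", "token_type": "Bearer", "expires_in": 3600},
    ])
    print(run_device_flow(server, METADATA_JSON, "client-constructed", "profile", waits.append))
    print("waited between polls:", waits)  # [5, 5, 10, 10]
```

The sleep function is injected so the back-off behaviour can be checked without real delays; in a device it would be time.sleep, and the polling loop would additionally stop once expires_in seconds have passed since the device authorization response, since the server will answer expired_token from then on anyway.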
5.  Security Considerations

5.1.  User Code Brute Forcing

   Since the user code is typed by the user, shorter codes are more

   skipping to change at page 15, line 41

   o  Error name: expired_token

   o  Error usage location: Token endpoint response

   o  Related protocol extension: [[ this specification ]]

   o  Change controller: IETF

   o  Specification Document: Section 3.5 of [[ this specification ]]

7.3.  OAuth 2.0 Authorization Server Metadata

   This specification registers the following values in the IANA "OAuth
   2.0 Authorization Server Metadata" registry [IANA.OAuth.Parameters]
   -10: established by [I-D.ietf-oauth-discovery].
   -11: established by [RFC8414].

7.3.1.  Registry Contents

   o  Metadata name: device_authorization_endpoint

   o  Metadata Description: The Device Authorization Endpoint.

   o  Change controller: IESG

   o  Specification Document: Section 4 of [[ this specification ]]
8.  Normative References

   (-10 only)
   [I-D.ietf-oauth-discovery]
              Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0
              Authorization Server Metadata",
              draft-ietf-oauth-discovery-10 (work in progress),
              March 2018.

   [IANA.OAuth.Parameters]
              IANA, "OAuth Parameters",
              <http://www.iana.org/assignments/oauth-parameters>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",

   skipping to change at page 16, line 38 (-10) / page 16, line 33 (-11)

   [RFC6819]  Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
              Threat Model and Security Considerations", RFC 6819,
              DOI 10.17487/RFC6819, January 2013,
              <https://www.rfc-editor.org/info/rfc6819>.

   [RFC8252]  Denniss, W. and J. Bradley, "OAuth 2.0 for Native Apps",
              BCP 212, RFC 8252, DOI 10.17487/RFC8252, October 2017,
              <https://www.rfc-editor.org/info/rfc8252>.

   (-11 only)
   [RFC8414]  Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0
              Authorization Server Metadata", RFC 8414,
              DOI 10.17487/RFC8414, June 2018,
              <https://www.rfc-editor.org/info/rfc8414>.
Appendix A.  Acknowledgements

   The starting point for this document was the Internet-Draft
   draft-recordon-oauth-v2-device, authored by David Recordon and Brent
   Goldman, which itself was based on content in draft versions of the
   OAuth 2.0 protocol specification removed prior to publication due to
   a then lack of sufficient deployment expertise.  Thank you to the
   OAuth working group members who contributed to those earlier drafts.

   This document was produced in the OAuth working group under the

   skipping to change at page 17, line 17

   Brian Campbell, Roshni Chandrashekhar, Eric Fazendin, Torsten
   Lodderstedt, James Manger, Breno de Medeiros, Simon Moffatt, Stein
   Myrseth, Justin Richer, Nat Sakimura, Andrew Sciberras, Marius
   Scurtescu, Ken Wang, and Steven E. Wright.

Appendix B.  Document History

   [[ to be removed by the RFC Editor before publication as an RFC ]]

   -11 (entry present only in draft -11)

   o  Updated reference to OAuth 2.0 Authorization Server Metadata.

   -10

   o  Added a missing definition of access_denied for use on the token
      endpoint.

   o  Corrected text documenting which error code should be returned for
      expired tokens (it's "expired_token", not "invalid_grant").

   o  Corrected section reference to RFC 8252 (the section numbers had
      changed after the initial reference was made).

   o  Fixed line length of one diagram (was causing xml2rfc warnings).

   o  Added line breaks so the URN grant_type is presented on an
   End of changes.  9 change blocks.
   12 lines changed or deleted, 15 lines changed or added.

   This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/