rfcdiff: draft-ietf-oauth-v2-14.txt (left) vs. draft-ietf-oauth-v2-15.txt (right); header lines identical in both drafts are shown once.

Network Working Group                                      E. Hammer-Lahav, Ed.
Internet-Draft                                                           Yahoo!
Obsoletes: 5849 (if approved)                                       D. Recordon
Intended status: Standards Track                                       Facebook
Expires: October 8, 2011                                                D. Hardt
                                                                      Microsoft
                                                                  April 6, 2011

                    The OAuth 2.0 Authorization Protocol
            draft-ietf-oauth-v2-14  |  draft-ietf-oauth-v2-15

Abstract

   The OAuth 2.0 authorization protocol enables granting third-party
   applications limited access to HTTP service on behalf of an end-user
   by orchestrating an approval interaction between the end-user and the
   HTTP service.

Status of this Memo

[skipping to change at page 11, line 29]
resource owner. The way in which the authorization server resource owner. The way in which the authorization server
authenticates the resource owner (e.g. username and password login, authenticates the resource owner (e.g. username and password login,
session cookies) is beyond the scope of this specification. session cookies) is beyond the scope of this specification.
The means through which the client obtains the location of the The means through which the client obtains the location of the
authorization endpoint are beyond the scope of this specification but authorization endpoint are beyond the scope of this specification but
is typically provided in the service documentation. The endpoint URI is typically provided in the service documentation. The endpoint URI
MAY include a query component as defined by [RFC3986] section 3, MAY include a query component as defined by [RFC3986] section 3,
which MUST be retained when adding additional query parameters. which MUST be retained when adding additional query parameters.
Requests to the authorization endpoint result in resource owner Since requests to the authorization endpoint result in user
authentication and the transmission of sensitive information. If the authentication and the transmission of clear-text credentials (in the
response includes an access token, the authorization server MUST HTTP response), the authorization server MUST require the use of a
require TLS 1.2 as defined in [RFC5246] and MAY support additional transport-layer security mechanism when sending requests to the token
transport-layer mechanisms meeting its security requirements. If the endpoints. The authorization server MUST support TLS 1.2 as defined
response does not include an access token, the authorization server in [RFC5246], and MAY support additional transport-layer mechanisms
SHOULD require TLS 1.2 and any additional transport-layer mechanism
meeting its security requirements. meeting its security requirements.
The authorization server MUST support the use of the HTTP "GET" The authorization server MUST support the use of the HTTP "GET"
method [RFC2616] for the authorization endpoint, and MAY support the method [RFC2616] for the authorization endpoint, and MAY support the
use of the "POST" method as well. use of the "POST" method as well.
The REQUIRED "response_type" request parameter is used to identify The REQUIRED "response_type" request parameter is used to identify
which grant type the client is requesting: authorization code or which grant type the client is requesting: authorization code or
implicit, described in Section 4.1.1 and Section 4.2.1 respectively. implicit, described in Section 4.1.1 and Section 4.2.1 respectively.
If the request is missing the "response_type" parameter, the If the request is missing the "response_type" parameter, the
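Review bot: The new (v15) paragraph says the authorization server "MUST require the use of a transport-layer security mechanism when sending requests to the token endpoints", but this paragraph sits in the authorization endpoint section (the surrounding text on both sides speaks only of "the authorization endpoint", its location, its query component and its GET/POST support), so "token endpoints" looks like a copy error and should read "the authorization endpoint". Two further points in the same block: the v14 distinction between a response that carries an access token (MUST require TLS 1.2) and one that does not (SHOULD) is collapsed into an unconditional MUST, which is a stricter requirement and should be noted as such in the change summary; and the parenthetical "clear-text credentials (in the HTTP response)" reads oddly, since the resource owner's credentials (e.g. the username and password login mentioned just above) travel in the request while it is the access token that may appear in the response, so consider "in the HTTP request and response" or dropping the parenthetical.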
End of changes. 2 change blocks.
8 lines changed or deleted; 7 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/