draft-ietf-oauth-v2-24.txt  |  draft-ietf-oauth-v2-25.txt

Network Working Group                                     E. Hammer, Ed.
Internet-Draft
Obsoletes: 5849 (if approved)                               D. Recordon
Intended status: Standards Track                               Facebook
Expires: September 9, 2012                                      D. Hardt
                                                              Microsoft
                                                          March 8, 2012

                  The OAuth 2.0 Authorization Protocol
-                       draft-ietf-oauth-v2-24
+                       draft-ietf-oauth-v2-25
Abstract

   The OAuth 2.0 authorization protocol enables a third-party
   application to obtain limited access to an HTTP service, either on
   behalf of a resource owner by orchestrating an approval interaction
   between the resource owner and the HTTP service, or by allowing the
   third-party application to obtain access on its own behalf.  This
   specification replaces and obsoletes the OAuth 1.0 protocol described
   in RFC 5849.
skipping to change at page 20, line 33
   an HTML document response, processed by the user-agent.  If the HTML
   response is served directly as the result of the redirection request,
   any script included in the HTML document will execute with full
   access to the redirection URI and the credentials it contains.

   The client SHOULD NOT include any third-party scripts (e.g. third-
   party analytics, social plug-ins, ad networks) in the redirection
   endpoint response.  Instead, it SHOULD extract the credentials from
   the URI and redirect the user-agent again to another endpoint without
   exposing the credentials (in the URI or elsewhere).  If third-party
-  scripts are included, the client MUST NOT ensure that its own scripts
+  scripts are included, the client MUST ensure that its own scripts
   (used to extract and remove the credentials from the URI) will
   execute first.
3.2.  Token Endpoint

   The token endpoint is used by the client to obtain an access token by
   presenting its authorization grant or refresh token.  The token
   endpoint is used with every authorization grant except for the
   implicit grant type (since an access token is issued directly).
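Review bot: the second change block corrects an inverted requirement, and it is the only substantive change between -24 and -25. The -24 sentence "the client MUST NOT ensure that its own scripts (used to extract and remove the credentials from the URI) will execute first" says the opposite of what the paragraph needs: the preceding sentences explain that any script in the redirection endpoint response executes with full access to the redirection URI and the credentials it contains, so the client's credential-stripping script has to run before any third-party script, which is exactly what the -25 wording "MUST ensure" states. Implementers who followed the -24 text literally should re-check the script order on their redirection endpoint; and since the sentence before it already says the client SHOULD NOT include third-party scripts on that endpoint at all, the clean-redirect approach it recommends (extract the credentials, then redirect again without them) remains the safer option than relying on execution order.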
End of changes.  2 change blocks.  2 lines changed or deleted, 2 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/