draft-ietf-oauth-v2-29.txt   draft-ietf-oauth-v2-30.txt 
OAuth Working Group D. Hardt, Ed. OAuth Working Group D. Hardt, Ed.
Internet-Draft Microsoft Internet-Draft Microsoft
Obsoletes: 5849 (if approved) D. Recordon Obsoletes: 5849 (if approved) D. Recordon
Intended status: Standards Track Facebook Intended status: Standards Track Facebook
Expires: January 13, 2013 July 12, 2012 Expires: January 16, 2013 July 15, 2012
The OAuth 2.0 Authorization Framework The OAuth 2.0 Authorization Framework
draft-ietf-oauth-v2-29 draft-ietf-oauth-v2-30
Abstract Abstract
The OAuth 2.0 authorization framework enables a third-party The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing the between the resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf. This third-party application to obtain access on its own behalf. This
specification replaces and obsoletes the OAuth 1.0 protocol described specification replaces and obsoletes the OAuth 1.0 protocol described
in RFC 5849. in RFC 5849.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 13, 2013. This Internet-Draft will expire on January 16, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 27, line 8 skipping to change at page 27, line 8
request. request.
unsupported_response_type unsupported_response_type
The authorization server does not support obtaining an The authorization server does not support obtaining an
authorization code using this method. authorization code using this method.
invalid_scope invalid_scope
The requested scope is invalid, unknown, or malformed. The requested scope is invalid, unknown, or malformed.
server_error server_error
The authorization server encountered an unexpected The authorization server encountered an unexpected
condition that prevented it from fulfilling the request. condition that prevented it from fulfilling the request.
(This error code is needed because a 500 Internal Server
Error HTTP status code cannot be returned to the client
via a HTTP redirect.)
temporarily_unavailable temporarily_unavailable
The authorization server is currently unable to handle The authorization server is currently unable to handle
the request due to a temporary overloading or maintenance the request due to a temporary overloading or maintenance
of the server. of the server. (This error code is needed because a 503
Service Unavailable HTTP status code cannot be returned
to the client via a HTTP redirect.)
Values for the "error" parameter MUST NOT include characters Values for the "error" parameter MUST NOT include characters
outside the set %x20-21 / %x23-5B / %x5D-7E. outside the set %x20-21 / %x23-5B / %x5D-7E.
error_description error_description
OPTIONAL. A human-readable ASCII [USASCII] text providing OPTIONAL. A human-readable ASCII [USASCII] text providing
additional information, used to assist the client developer in additional information, used to assist the client developer in
understanding the error that occurred. understanding the error that occurred.
Values for the "error_description" parameter MUST NOT include Values for the "error_description" parameter MUST NOT include
characters outside the set %x20-21 / %x23-5B / %x5D-7E. characters outside the set %x20-21 / %x23-5B / %x5D-7E.
error_uri error_uri
OPTIONAL. A URI identifying a human-readable web page with OPTIONAL. A URI identifying a human-readable web page with
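Review bot: "via a HTTP redirect" should read "via an HTTP redirect" in both added parentheticals (server_error and temporarily_unavailable); the identical wording is added again in the implicit grant block on page 34, so fix it in both places. The rationale itself is sound: the authorization endpoint's HTTP status code is seen only by the user-agent it redirects, so a 500 or 503 can never reach the client and the "error" parameter in the redirection URI is the client's only signal. Consider stating that directly, e.g. "because the authorization server's HTTP status code is returned to the user-agent, not to the client", rather than leaving the reader to infer why a redirect cannot carry a status code.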
skipping to change at page 34, line 26 skipping to change at page 34, line 26
The resource owner or authorization server denied the The resource owner or authorization server denied the
request. request.
unsupported_response_type unsupported_response_type
The authorization server does not support obtaining an The authorization server does not support obtaining an
access token using this method. access token using this method.
invalid_scope invalid_scope
The requested scope is invalid, unknown, or malformed. The requested scope is invalid, unknown, or malformed.
server_error server_error
The authorization server encountered an unexpected The authorization server encountered an unexpected
condition that prevented it from fulfilling the request. condition that prevented it from fulfilling the request.
(This error code is needed because a 500 Internal Server
Error HTTP status code cannot be returned to the client
via a HTTP redirect.)
temporarily_unavailable temporarily_unavailable
The authorization server is currently unable to handle The authorization server is currently unable to handle
the request due to a temporary overloading or maintenance the request due to a temporary overloading or maintenance
of the server. of the server. (This error code is needed because a 503
Service Unavailable HTTP status code cannot be returned
to the client via a HTTP redirect.)
Values for the "error" parameter MUST NOT include characters Values for the "error" parameter MUST NOT include characters
outside the set %x20-21 / %x23-5B / %x5D-7E. outside the set %x20-21 / %x23-5B / %x5D-7E.
error_description error_description
OPTIONAL. A human-readable ASCII [USASCII] text providing OPTIONAL. A human-readable ASCII [USASCII] text providing
additional information, used to assist the client developer in additional information, used to assist the client developer in
understanding the error that occurred. understanding the error that occurred.
Values for the "error_description" parameter MUST NOT include Values for the "error_description" parameter MUST NOT include
characters outside the set %x20-21 / %x23-5B / %x5D-7E. characters outside the set %x20-21 / %x23-5B / %x5D-7E.
error_uri error_uri
OPTIONAL. A URI identifying a human-readable web page with OPTIONAL. A URI identifying a human-readable web page with
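Review bot: same grammar fix as on page 27 ("via an HTTP redirect" in both parentheticals), and keep the two parentheticals textually identical with the authorization code grant section so later edits do not drift apart. In this grant the error parameters travel in the fragment component of the redirection URI rather than the query component, which "via a redirect" still covers, so no wording change is needed beyond the article.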
skipping to change at page 65, line 37 skipping to change at page 65, line 37
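The error response described in the two blocks above (authorization code grant, page 27; implicit grant, page 34) is easy to get subtly wrong on both sides: the server must keep every value inside %x20-21 / %x23-5B / %x5D-7E, and the client must remember that server_error and temporarily_unavailable are the redirect-shaped stand-ins for HTTP 500 and 503 it can never see directly. The following is an added illustration, not text or code from the draft: a minimal server-side builder and client-side parser for that redirect. The error codes, the character set for "error" and "error_description", and the query-versus-fragment placement are from the draft; the stricter "error_uri" set (no SP) and the rule that "state" is echoed when the request carried one come from the full sections that this diff page truncates, and are assumptions here. The redirect URIs, state value and description strings are constructed sample data.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Error codes an authorization endpoint may send back in the redirect.
AUTHZ_ERROR_CODES = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope",
    "server_error", "temporarily_unavailable",
}

# These two stand in for HTTP 500 / 503, which the client never observes:
# the authorization endpoint answers the user-agent, and the client only
# sees what was encoded into the redirect.  A client may retry these with
# backoff; the remaining codes are final for this request.
RETRYABLE = {"server_error", "temporarily_unavailable"}


def allowed_chars(value: str, allow_space: bool = True) -> bool:
    """Check the draft's set %x20-21 / %x23-5B / %x5D-7E.

    That is printable ASCII minus DQUOTE (0x22) and backslash (0x5C), so a
    value can be embedded in a JSON string or quoted header without escaping.
    error_uri additionally excludes SP (0x20); pass allow_space=False for it.
    """
    for ch in value:
        o = ord(ch)
        if o == 0x20:
            if not allow_space:
                return False
        elif not (o == 0x21 or 0x23 <= o <= 0x5B or 0x5D <= o <= 0x7E):
            return False
    return True


def build_error_redirect(redirect_uri, error, error_description=None,
                         error_uri=None, state=None, fragment=False):
    """Server side: append the error parameters to the client's redirection URI.

    fragment=False is the authorization code grant form (query component);
    fragment=True is the implicit grant form (fragment component).  Any query
    already present on redirect_uri is retained.
    """
    if error not in AUTHZ_ERROR_CODES or not allowed_chars(error):
        raise ValueError(f"unknown or malformed error code: {error!r}")
    params = {"error": error}
    if error_description is not None:
        if not allowed_chars(error_description):
            raise ValueError("error_description contains a forbidden character")
        params["error_description"] = error_description
    if error_uri is not None:
        if not allowed_chars(error_uri, allow_space=False):
            raise ValueError("error_uri contains a forbidden character")
        params["error_uri"] = error_uri
    if state is not None:  # assumption: echoed whenever the request carried one
        params["state"] = state
    encoded = urlencode(params)
    p = urlsplit(redirect_uri)
    if fragment:
        return urlunsplit((p.scheme, p.netloc, p.path, p.query, encoded))
    query = f"{p.query}&{encoded}" if p.query else encoded
    return urlunsplit((p.scheme, p.netloc, p.path, query, p.fragment))


def parse_error_redirect(location, expected_state, fragment=False):
    """Client side: interpret the redirect the user-agent delivered.

    Returns None when the response is not an error; otherwise a dict with
    the code, its description and whether a retry is reasonable.  Raises on
    a state mismatch (response not bound to our request) and on values
    outside the permitted character set (do not render or log those verbatim).
    """
    p = urlsplit(location)
    q = parse_qs(p.fragment if fragment else p.query, keep_blank_values=True)
    if "error" not in q:
        return None
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response not bound to our request")
    err = q["error"][0]
    desc = q.get("error_description", [None])[0]
    for v in (err, desc):
        if v is not None and not allowed_chars(v):
            raise ValueError("error parameter outside %x20-21 / %x23-5B / %x5D-7E")
    return {"error": err, "description": desc, "retryable": err in RETRYABLE}


if __name__ == "__main__":
    # Constructed exchange: the server fails internally during a code grant;
    # the client classifies it as retryable rather than as a denial.
    loc = build_error_redirect("https://client.example.com/cb?app=1", "server_error",
                               error_description="token store unavailable",
                               state="af0ifjsldkj")
    print(loc)
    print(parse_error_redirect(loc, expected_state="af0ifjsldkj"))
```

The character-set check is deliberately applied on the client as well as the server: a misbehaving or hostile authorization server can put anything into the redirect, and the client is the party that ends up rendering error_description to a user or writing it to a log.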
Web Resource Authorization Profiles", January 2010. Web Resource Authorization Profiles", January 2010.
[I-D.ietf-oauth-saml2-bearer] [I-D.ietf-oauth-saml2-bearer]
Campbell, B. and C. Mortimore, "SAML 2.0 Bearer Assertion Campbell, B. and C. Mortimore, "SAML 2.0 Bearer Assertion
Profiles for OAuth 2.0", draft-ietf-oauth-saml2-bearer-13 Profiles for OAuth 2.0", draft-ietf-oauth-saml2-bearer-13
(work in progress), July 2012. (work in progress), July 2012.
[I-D.ietf-oauth-v2-bearer] [I-D.ietf-oauth-v2-bearer]
Jones, M., Hardt, D., and D. Recordon, "The OAuth 2.0 Jones, M., Hardt, D., and D. Recordon, "The OAuth 2.0
Authorization Framework: Bearer Token Usage", Authorization Framework: Bearer Token Usage",
draft-ietf-oauth-v2-bearer-21 (work in progress), draft-ietf-oauth-v2-bearer-22 (work in progress),
June 2012. July 2012.
[I-D.ietf-oauth-v2-http-mac] [I-D.ietf-oauth-v2-http-mac]
Hammer-Lahav, E., "HTTP Authentication: MAC Access Hammer-Lahav, E., "HTTP Authentication: MAC Access
Authentication", draft-ietf-oauth-v2-http-mac-01 (work in Authentication", draft-ietf-oauth-v2-http-mac-01 (work in
progress), February 2012. progress), February 2012.
[I-D.ietf-oauth-v2-threatmodel] [I-D.ietf-oauth-v2-threatmodel]
Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0 Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0
Threat Model and Security Considerations", Threat Model and Security Considerations",
draft-ietf-oauth-v2-threatmodel-06 (work in progress), draft-ietf-oauth-v2-threatmodel-06 (work in progress),
skipping to change at page 71, line 15 skipping to change at page 71, line 15
This document was produced under the chairmanship of Blaine Cook, This document was produced under the chairmanship of Blaine Cook,
Peter Saint-Andre, Hannes Tschofenig, Barry Leiba, and Derek Atkins. Peter Saint-Andre, Hannes Tschofenig, Barry Leiba, and Derek Atkins.
The area directors included Lisa Dusseault, Peter Saint-Andre, and The area directors included Lisa Dusseault, Peter Saint-Andre, and
Stephen Farrell. Stephen Farrell.
Appendix D. Document History Appendix D. Document History
[[ to be removed by the RFC editor before publication as an RFC ]] [[ to be removed by the RFC editor before publication as an RFC ]]
-30
o Added text explaining why the "server_error" and
"temporarily_unavailable" error codes are needed.
-29 -29
o Added "MUST" to "A public client that was not issued a client o Added "MUST" to "A public client that was not issued a client
password MUST use the "client_id" request parameter to identify password MUST use the "client_id" request parameter to identify
itself when sending requests to the token endpoint" and added text itself when sending requests to the token endpoint" and added text
explaining why this must be so. explaining why this must be so.
o Added that the authorization server MUST "ensure the authorization o Added that the authorization server MUST "ensure the authorization
code was issued to the authenticated confidential client or to the code was issued to the authenticated confidential client or to the
public client identified by the "client_id" in the request". public client identified by the "client_id" in the request".
o Added Security Considerations section "Misuse of Access Token to o Added Security Considerations section "Misuse of Access Token to
Impersonate Resource Owner in Implicit Flow". Impersonate Resource Owner in Implicit Flow".
 End of changes. 9 change blocks. 
7 lines changed or deleted 21 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/