diff options
Diffstat (limited to 'doc/rfc/rfc6749.txt')
-rw-r--r-- | doc/rfc/rfc6749.txt | 4259 |
1 files changed, 4259 insertions, 0 deletions
diff --git a/doc/rfc/rfc6749.txt b/doc/rfc/rfc6749.txt new file mode 100644 index 0000000..5a0046c --- /dev/null +++ b/doc/rfc/rfc6749.txt @@ -0,0 +1,4259 @@ + + + + + + +Internet Engineering Task Force (IETF) D. Hardt, Ed. +Request for Comments: 6749 Microsoft +Obsoletes: 5849 October 2012 +Category: Standards Track +ISSN: 2070-1721 + + + The OAuth 2.0 Authorization Framework + +Abstract + + The OAuth 2.0 authorization framework enables a third-party + application to obtain limited access to an HTTP service, either on + behalf of a resource owner by orchestrating an approval interaction + between the resource owner and the HTTP service, or by allowing the + third-party application to obtain access on its own behalf. This + specification replaces and obsoletes the OAuth 1.0 protocol described + in RFC 5849. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc6749. + +Copyright Notice + + Copyright (c) 2012 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + +Hardt Standards Track [Page 1] + +RFC 6749 OAuth 2.0 October 2012 + + +Table of Contents + + 1. Introduction ....................................................4 + 1.1. Roles ......................................................6 + 1.2. Protocol Flow ..............................................7 + 1.3. Authorization Grant ........................................8 + 1.3.1. Authorization Code ..................................8 + 1.3.2. Implicit ............................................8 + 1.3.3. Resource Owner Password Credentials .................9 + 1.3.4. Client Credentials ..................................9 + 1.4. Access Token ..............................................10 + 1.5. Refresh Token .............................................10 + 1.6. TLS Version ...............................................12 + 1.7. HTTP Redirections .........................................12 + 1.8. Interoperability ..........................................12 + 1.9. Notational Conventions ....................................13 + 2. Client Registration ............................................13 + 2.1. Client Types ..............................................14 + 2.2. Client Identifier .........................................15 + 2.3. Client Authentication .....................................16 + 2.3.1. Client Password ....................................16 + 2.3.2. Other Authentication Methods .......................17 + 2.4. Unregistered Clients ......................................17 + 3. Protocol Endpoints .............................................18 + 3.1. Authorization Endpoint ....................................18 + 3.1.1. Response Type ......................................19 + 3.1.2. Redirection Endpoint ...............................19 + 3.2. Token Endpoint ............................................21 + 3.2.1. Client Authentication ..............................22 + 3.3. Access Token Scope ........................................23 + 4. Obtaining Authorization ........................................23 + 4.1. Authorization Code Grant ..................................24 + 4.1.1. Authorization Request ..............................25 + 4.1.2. Authorization Response .............................26 + 4.1.3. Access Token Request ...............................29 + 4.1.4. Access Token Response ..............................30 + 4.2. Implicit Grant ............................................31 + 4.2.1. Authorization Request ..............................33 + 4.2.2. Access Token Response ..............................35 + 4.3. Resource Owner Password Credentials Grant .................37 + 4.3.1. Authorization Request and Response .................39 + 4.3.2. Access Token Request ...............................39 + 4.3.3. Access Token Response ..............................40 + 4.4. Client Credentials Grant ..................................40 + 4.4.1. Authorization Request and Response .................41 + 4.4.2. Access Token Request ...............................41 + 4.4.3. Access Token Response ..............................42 + 4.5. Extension Grants ..........................................42 + + + +Hardt Standards Track [Page 2] + +RFC 6749 OAuth 2.0 October 2012 + + + 5. Issuing an Access Token ........................................43 + 5.1. Successful Response .......................................43 + 5.2. Error Response ............................................45 + 6. Refreshing an Access Token .....................................47 + 7. Accessing Protected Resources ..................................48 + 7.1. Access Token Types ........................................49 + 7.2. Error Response ............................................49 + 8. Extensibility ..................................................50 + 8.1. Defining Access Token Types ...............................50 + 8.2. Defining New Endpoint Parameters ..........................50 + 8.3. Defining New Authorization Grant Types ....................51 + 8.4. Defining New Authorization Endpoint Response Types ........51 + 8.5. Defining Additional Error Codes ...........................51 + 9. Native Applications ............................................52 + 10. Security Considerations .......................................53 + 10.1. Client Authentication ....................................53 + 10.2. Client Impersonation .....................................54 + 10.3. Access Tokens ............................................55 + 10.4. Refresh Tokens ...........................................55 + 10.5. Authorization Codes ......................................56 + 10.6. Authorization Code Redirection URI Manipulation ..........56 + 10.7. Resource Owner Password Credentials ......................57 + 10.8. Request Confidentiality ..................................58 + 10.9. Ensuring Endpoint Authenticity ...........................58 + 10.10. Credentials-Guessing Attacks ............................58 + 10.11. Phishing Attacks ........................................58 + 10.12. Cross-Site Request Forgery ..............................59 + 10.13. Clickjacking ............................................60 + 10.14. Code Injection and Input Validation .....................60 + 10.15. Open Redirectors ........................................60 + 10.16. Misuse of Access Token to Impersonate Resource + Owner in Implicit Flow ..................................61 + 11. IANA Considerations ...........................................62 + 11.1. OAuth Access Token Types Registry ........................62 + 11.1.1. Registration Template .............................62 + 11.2. OAuth Parameters Registry ................................63 + 11.2.1. Registration Template .............................63 + 11.2.2. Initial Registry Contents .........................64 + 11.3. OAuth Authorization Endpoint Response Types Registry .....66 + 11.3.1. Registration Template .............................66 + 11.3.2. Initial Registry Contents .........................67 + 11.4. OAuth Extensions Error Registry ..........................67 + 11.4.1. Registration Template .............................68 + 12. References ....................................................68 + 12.1. Normative References .....................................68 + 12.2. Informative References ...................................70 + + + + + +Hardt Standards Track [Page 3] + +RFC 6749 OAuth 2.0 October 2012 + + + Appendix A. Augmented Backus-Naur Form (ABNF) Syntax ..............71 + A.1. "client_id" Syntax ........................................71 + A.2. "client_secret" Syntax ....................................71 + A.3. "response_type" Syntax ....................................71 + A.4. "scope" Syntax ............................................72 + A.5. "state" Syntax ............................................72 + A.6. "redirect_uri" Syntax .....................................72 + A.7. "error" Syntax ............................................72 + A.8. "error_description" Syntax ................................72 + A.9. "error_uri" Syntax ........................................72 + A.10. "grant_type" Syntax .......................................73 + A.11. "code" Syntax .............................................73 + A.12. "access_token" Syntax .....................................73 + A.13. "token_type" Syntax .......................................73 + A.14. "expires_in" Syntax .......................................73 + A.15. "username" Syntax .........................................73 + A.16. "password" Syntax .........................................73 + A.17. "refresh_token" Syntax ....................................74 + A.18. Endpoint Parameter Syntax .................................74 + Appendix B. Use of application/x-www-form-urlencoded Media Type ...74 + Appendix C. Acknowledgements ......................................75 + +1. Introduction + + In the traditional client-server authentication model, the client + requests an access-restricted resource (protected resource) on the + server by authenticating with the server using the resource owner's + credentials. In order to provide third-party applications access to + restricted resources, the resource owner shares its credentials with + the third party. This creates several problems and limitations: + + o Third-party applications are required to store the resource + owner's credentials for future use, typically a password in + clear-text. + + o Servers are required to support password authentication, despite + the security weaknesses inherent in passwords. + + o Third-party applications gain overly broad access to the resource + owner's protected resources, leaving resource owners without any + ability to restrict duration or access to a limited subset of + resources. + + o Resource owners cannot revoke access to an individual third party + without revoking access to all third parties, and must do so by + changing the third party's password. + + + + + +Hardt Standards Track [Page 4] + +RFC 6749 OAuth 2.0 October 2012 + + + o Compromise of any third-party application results in compromise of + the end-user's password and all of the data protected by that + password. + + OAuth addresses these issues by introducing an authorization layer + and separating the role of the client from that of the resource + owner. In OAuth, the client requests access to resources controlled + by the resource owner and hosted by the resource server, and is + issued a different set of credentials than those of the resource + owner. + + Instead of using the resource owner's credentials to access protected + resources, the client obtains an access token -- a string denoting a + specific scope, lifetime, and other access attributes. Access tokens + are issued to third-party clients by an authorization server with the + approval of the resource owner. The client uses the access token to + access the protected resources hosted by the resource server. + + For example, an end-user (resource owner) can grant a printing + service (client) access to her protected photos stored at a photo- + sharing service (resource server), without sharing her username and + password with the printing service. Instead, she authenticates + directly with a server trusted by the photo-sharing service + (authorization server), which issues the printing service delegation- + specific credentials (access token). + + This specification is designed for use with HTTP ([RFC2616]). The + use of OAuth over any protocol other than HTTP is out of scope. + + The OAuth 1.0 protocol ([RFC5849]), published as an informational + document, was the result of a small ad hoc community effort. This + Standards Track specification builds on the OAuth 1.0 deployment + experience, as well as additional use cases and extensibility + requirements gathered from the wider IETF community. The OAuth 2.0 + protocol is not backward compatible with OAuth 1.0. The two versions + may co-exist on the network, and implementations may choose to + support both. However, it is the intention of this specification + that new implementations support OAuth 2.0 as specified in this + document and that OAuth 1.0 is used only to support existing + deployments. The OAuth 2.0 protocol shares very few implementation + details with the OAuth 1.0 protocol. Implementers familiar with + OAuth 1.0 should approach this document without any assumptions as to + its structure and details. + + + + + + + + +Hardt Standards Track [Page 5] + +RFC 6749 OAuth 2.0 October 2012 + + +1.1. Roles + + OAuth defines four roles: + + resource owner + An entity capable of granting access to a protected resource. + When the resource owner is a person, it is referred to as an + end-user. + + resource server + The server hosting the protected resources, capable of accepting + and responding to protected resource requests using access tokens. + + client + An application making protected resource requests on behalf of the + resource owner and with its authorization. The term "client" does + not imply any particular implementation characteristics (e.g., + whether the application executes on a server, a desktop, or other + devices). + + authorization server + The server issuing access tokens to the client after successfully + authenticating the resource owner and obtaining authorization. + + The interaction between the authorization server and resource server + is beyond the scope of this specification. The authorization server + may be the same server as the resource server or a separate entity. + A single authorization server may issue access tokens accepted by + multiple resource servers. + + + + + + + + + + + + + + + + + + + + + + +Hardt Standards Track [Page 6] + +RFC 6749 OAuth 2.0 October 2012 + + +1.2. Protocol Flow + + +--------+ +---------------+ + | |--(A)- Authorization Request ->| Resource | + | | | Owner | + | |<-(B)-- Authorization Grant ---| | + | | +---------------+ + | | + | | +---------------+ + | |--(C)-- Authorization Grant -->| Authorization | + | Client | | Server | + | |<-(D)----- Access Token -------| | + | | +---------------+ + | | + | | +---------------+ + | |--(E)----- Access Token ------>| Resource | + | | | Server | + | |<-(F)--- Protected Resource ---| | + +--------+ +---------------+ + + Figure 1: Abstract Protocol Flow + + The abstract OAuth 2.0 flow illustrated in Figure 1 describes the + interaction between the four roles and includes the following steps: + + (A) The client requests authorization from the resource owner. The + authorization request can be made directly to the resource owner + (as shown), or preferably indirectly via the authorization + server as an intermediary. + + (B) The client receives an authorization grant, which is a + credential representing the resource owner's authorization, + expressed using one of four grant types defined in this + specification or using an extension grant type. The + authorization grant type depends on the method used by the + client to request authorization and the types supported by the + authorization server. + + (C) The client requests an access token by authenticating with the + authorization server and presenting the authorization grant. + + (D) The authorization server authenticates the client and validates + the authorization grant, and if valid, issues an access token. + + + + + + + + +Hardt Standards Track [Page 7] + +RFC 6749 OAuth 2.0 October 2012 + + + (E) The client requests the protected resource from the resource + server and authenticates by presenting the access token. + + (F) The resource server validates the access token, and if valid, + serves the request. + + The preferred method for the client to obtain an authorization grant + from the resource owner (depicted in steps (A) and (B)) is to use the + authorization server as an intermediary, which is illustrated in + Figure 3 in Section 4.1. + +1.3. Authorization Grant + + An authorization grant is a credential representing the resource + owner's authorization (to access its protected resources) used by the + client to obtain an access token. This specification defines four + grant types -- authorization code, implicit, resource owner password + credentials, and client credentials -- as well as an extensibility + mechanism for defining additional types. + +1.3.1. Authorization Code + + The authorization code is obtained by using an authorization server + as an intermediary between the client and resource owner. Instead of + requesting authorization directly from the resource owner, the client + directs the resource owner to an authorization server (via its + user-agent as defined in [RFC2616]), which in turn directs the + resource owner back to the client with the authorization code. + + Before directing the resource owner back to the client with the + authorization code, the authorization server authenticates the + resource owner and obtains authorization. Because the resource owner + only authenticates with the authorization server, the resource + owner's credentials are never shared with the client. + + The authorization code provides a few important security benefits, + such as the ability to authenticate the client, as well as the + transmission of the access token directly to the client without + passing it through the resource owner's user-agent and potentially + exposing it to others, including the resource owner. + +1.3.2. Implicit + + The implicit grant is a simplified authorization code flow optimized + for clients implemented in a browser using a scripting language such + as JavaScript. In the implicit flow, instead of issuing the client + an authorization code, the client is issued an access token directly + + + + +Hardt Standards Track [Page 8] + +RFC 6749 OAuth 2.0 October 2012 + + + (as the result of the resource owner authorization). The grant type + is implicit, as no intermediate credentials (such as an authorization + code) are issued (and later used to obtain an access token). + + When issuing an access token during the implicit grant flow, the + authorization server does not authenticate the client. In some + cases, the client identity can be verified via the redirection URI + used to deliver the access token to the client. The access token may + be exposed to the resource owner or other applications with access to + the resource owner's user-agent. + + Implicit grants improve the responsiveness and efficiency of some + clients (such as a client implemented as an in-browser application), + since it reduces the number of round trips required to obtain an + access token. However, this convenience should be weighed against + the security implications of using implicit grants, such as those + described in Sections 10.3 and 10.16, especially when the + authorization code grant type is available. + +1.3.3. Resource Owner Password Credentials + + The resource owner password credentials (i.e., username and password) + can be used directly as an authorization grant to obtain an access + token. The credentials should only be used when there is a high + degree of trust between the resource owner and the client (e.g., the + client is part of the device operating system or a highly privileged + application), and when other authorization grant types are not + available (such as an authorization code). + + Even though this grant type requires direct client access to the + resource owner credentials, the resource owner credentials are used + for a single request and are exchanged for an access token. This + grant type can eliminate the need for the client to store the + resource owner credentials for future use, by exchanging the + credentials with a long-lived access token or refresh token. + +1.3.4. Client Credentials + + The client credentials (or other forms of client authentication) can + be used as an authorization grant when the authorization scope is + limited to the protected resources under the control of the client, + or to protected resources previously arranged with the authorization + server. Client credentials are used as an authorization grant + typically when the client is acting on its own behalf (the client is + also the resource owner) or is requesting access to protected + resources based on an authorization previously arranged with the + authorization server. + + + + +Hardt Standards Track [Page 9] + +RFC 6749 OAuth 2.0 October 2012 + + +1.4. Access Token + + Access tokens are credentials used to access protected resources. An + access token is a string representing an authorization issued to the + client. The string is usually opaque to the client. Tokens + represent specific scopes and durations of access, granted by the + resource owner, and enforced by the resource server and authorization + server. + + The token may denote an identifier used to retrieve the authorization + information or may self-contain the authorization information in a + verifiable manner (i.e., a token string consisting of some data and a + signature). Additional authentication credentials, which are beyond + the scope of this specification, may be required in order for the + client to use a token. + + The access token provides an abstraction layer, replacing different + authorization constructs (e.g., username and password) with a single + token understood by the resource server. This abstraction enables + issuing access tokens more restrictive than the authorization grant + used to obtain them, as well as removing the resource server's need + to understand a wide range of authentication methods. + + Access tokens can have different formats, structures, and methods of + utilization (e.g., cryptographic properties) based on the resource + server security requirements. Access token attributes and the + methods used to access protected resources are beyond the scope of + this specification and are defined by companion specifications such + as [RFC6750]. + +1.5. Refresh Token + + Refresh tokens are credentials used to obtain access tokens. Refresh + tokens are issued to the client by the authorization server and are + used to obtain a new access token when the current access token + becomes invalid or expires, or to obtain additional access tokens + with identical or narrower scope (access tokens may have a shorter + lifetime and fewer permissions than authorized by the resource + owner). Issuing a refresh token is optional at the discretion of the + authorization server. If the authorization server issues a refresh + token, it is included when issuing an access token (i.e., step (D) in + Figure 1). + + A refresh token is a string representing the authorization granted to + the client by the resource owner. The string is usually opaque to + the client. The token denotes an identifier used to retrieve the + + + + + +Hardt Standards Track [Page 10] + +RFC 6749 OAuth 2.0 October 2012 + + + authorization information. Unlike access tokens, refresh tokens are + intended for use only with authorization servers and are never sent + to resource servers. + + +--------+ +---------------+ + | |--(A)------- Authorization Grant --------->| | + | | | | + | |<-(B)----------- Access Token -------------| | + | | & Refresh Token | | + | | | | + | | +----------+ | | + | |--(C)---- Access Token ---->| | | | + | | | | | | + | |<-(D)- Protected Resource --| Resource | | Authorization | + | Client | | Server | | Server | + | |--(E)---- Access Token ---->| | | | + | | | | | | + | |<-(F)- Invalid Token Error -| | | | + | | +----------+ | | + | | | | + | |--(G)----------- Refresh Token ----------->| | + | | | | + | |<-(H)----------- Access Token -------------| | + +--------+ & Optional Refresh Token +---------------+ + + Figure 2: Refreshing an Expired Access Token + + The flow illustrated in Figure 2 includes the following steps: + + (A) The client requests an access token by authenticating with the + authorization server and presenting an authorization grant. + + (B) The authorization server authenticates the client and validates + the authorization grant, and if valid, issues an access token + and a refresh token. + + (C) The client makes a protected resource request to the resource + server by presenting the access token. + + (D) The resource server validates the access token, and if valid, + serves the request. + + (E) Steps (C) and (D) repeat until the access token expires. If the + client knows the access token expired, it skips to step (G); + otherwise, it makes another protected resource request. + + (F) Since the access token is invalid, the resource server returns + an invalid token error. + + + +Hardt Standards Track [Page 11] + +RFC 6749 OAuth 2.0 October 2012 + + + (G) The client requests a new access token by authenticating with + the authorization server and presenting the refresh token. The + client authentication requirements are based on the client type + and on the authorization server policies. + + (H) The authorization server authenticates the client and validates + the refresh token, and if valid, issues a new access token (and, + optionally, a new refresh token). + + Steps (C), (D), (E), and (F) are outside the scope of this + specification, as described in Section 7. + +1.6. TLS Version + + Whenever Transport Layer Security (TLS) is used by this + specification, the appropriate version (or versions) of TLS will vary + over time, based on the widespread deployment and known security + vulnerabilities. At the time of this writing, TLS version 1.2 + [RFC5246] is the most recent version, but has a very limited + deployment base and might not be readily available for + implementation. TLS version 1.0 [RFC2246] is the most widely + deployed version and will provide the broadest interoperability. + + Implementations MAY also support additional transport-layer security + mechanisms that meet their security requirements. + +1.7. HTTP Redirections + + This specification makes extensive use of HTTP redirections, in which + the client or the authorization server directs the resource owner's + user-agent to another destination. While the examples in this + specification show the use of the HTTP 302 status code, any other + method available via the user-agent to accomplish this redirection is + allowed and is considered to be an implementation detail. + +1.8. Interoperability + + OAuth 2.0 provides a rich authorization framework with well-defined + security properties. However, as a rich and highly extensible + framework with many optional components, on its own, this + specification is likely to produce a wide range of non-interoperable + implementations. + + In addition, this specification leaves a few required components + partially or fully undefined (e.g., client registration, + authorization server capabilities, endpoint discovery). Without + + + + + +Hardt Standards Track [Page 12] + +RFC 6749 OAuth 2.0 October 2012 + + + these components, clients must be manually and specifically + configured against a specific authorization server and resource + server in order to interoperate. + + This framework was designed with the clear expectation that future + work will define prescriptive profiles and extensions necessary to + achieve full web-scale interoperability. + +1.9. Notational Conventions + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + specification are to be interpreted as described in [RFC2119]. + + This specification uses the Augmented Backus-Naur Form (ABNF) + notation of [RFC5234]. Additionally, the rule URI-reference is + included from "Uniform Resource Identifier (URI): Generic Syntax" + [RFC3986]. + + Certain security-related terms are to be understood in the sense + defined in [RFC4949]. These terms include, but are not limited to, + "attack", "authentication", "authorization", "certificate", + "confidentiality", "credential", "encryption", "identity", "sign", + "signature", "trust", "validate", and "verify". + + Unless otherwise noted, all the protocol parameter names and values + are case sensitive. + +2. Client Registration + + Before initiating the protocol, the client registers with the + authorization server. The means through which the client registers + with the authorization server are beyond the scope of this + specification but typically involve end-user interaction with an HTML + registration form. + + Client registration does not require a direct interaction between the + client and the authorization server. When supported by the + authorization server, registration can rely on other means for + establishing trust and obtaining the required client properties + (e.g., redirection URI, client type). For example, registration can + be accomplished using a self-issued or third-party-issued assertion, + or by the authorization server performing client discovery using a + trusted channel. + + + + + + + +Hardt Standards Track [Page 13] + +RFC 6749 OAuth 2.0 October 2012 + + + When registering a client, the client developer SHALL: + + o specify the client type as described in Section 2.1, + + o provide its client redirection URIs as described in Section 3.1.2, + and + + o include any other information required by the authorization server + (e.g., application name, website, description, logo image, the + acceptance of legal terms). + +2.1. Client Types + + OAuth defines two client types, based on their ability to + authenticate securely with the authorization server (i.e., ability to + maintain the confidentiality of their client credentials): + + confidential + Clients capable of maintaining the confidentiality of their + credentials (e.g., client implemented on a secure server with + restricted access to the client credentials), or capable of secure + client authentication using other means. + + public + Clients incapable of maintaining the confidentiality of their + credentials (e.g., clients executing on the device used by the + resource owner, such as an installed native application or a web + browser-based application), and incapable of secure client + authentication via any other means. + + The client type designation is based on the authorization server's + definition of secure authentication and its acceptable exposure + levels of client credentials. The authorization server SHOULD NOT + make assumptions about the client type. + + A client may be implemented as a distributed set of components, each + with a different client type and security context (e.g., a + distributed client with both a confidential server-based component + and a public browser-based component). If the authorization server + does not provide support for such clients or does not provide + guidance with regard to their registration, the client SHOULD + register each component as a separate client. + + + + + + + + + +Hardt Standards Track [Page 14] + +RFC 6749 OAuth 2.0 October 2012 + + + This specification has been designed around the following client + profiles: + + web application + A web application is a confidential client running on a web + server. Resource owners access the client via an HTML user + interface rendered in a user-agent on the device used by the + resource owner. The client credentials as well as any access + token issued to the client are stored on the web server and are + not exposed to or accessible by the resource owner. + + user-agent-based application + A user-agent-based application is a public client in which the + client code is downloaded from a web server and executes within a + user-agent (e.g., web browser) on the device used by the resource + owner. Protocol data and credentials are easily accessible (and + often visible) to the resource owner. Since such applications + reside within the user-agent, they can make seamless use of the + user-agent capabilities when requesting authorization. + + native application + A native application is a public client installed and executed on + the device used by the resource owner. Protocol data and + credentials are accessible to the resource owner. It is assumed + that any client authentication credentials included in the + application can be extracted. On the other hand, dynamically + issued credentials such as access tokens or refresh tokens can + receive an acceptable level of protection. At a minimum, these + credentials are protected from hostile servers with which the + application may interact. On some platforms, these credentials + might be protected from other applications residing on the same + device. + +2.2. Client Identifier + + The authorization server issues the registered client a client + identifier -- a unique string representing the registration + information provided by the client. The client identifier is not a + secret; it is exposed to the resource owner and MUST NOT be used + alone for client authentication. The client identifier is unique to + the authorization server. + + The client identifier string size is left undefined by this + specification. The client should avoid making assumptions about the + identifier size. The authorization server SHOULD document the size + of any identifier it issues. + + + + + +Hardt Standards Track [Page 15] + +RFC 6749 OAuth 2.0 October 2012 + + +2.3. Client Authentication + + If the client type is confidential, the client and authorization + server establish a client authentication method suitable for the + security requirements of the authorization server. The authorization + server MAY accept any form of client authentication meeting its + security requirements. + + Confidential clients are typically issued (or establish) a set of + client credentials used for authenticating with the authorization + server (e.g., password, public/private key pair). + + The authorization server MAY establish a client authentication method + with public clients. However, the authorization server MUST NOT rely + on public client authentication for the purpose of identifying the + client. + + The client MUST NOT use more than one authentication method in each + request. + +2.3.1. Client Password + + Clients in possession of a client password MAY use the HTTP Basic + authentication scheme as defined in [RFC2617] to authenticate with + the authorization server. The client identifier is encoded using the + "application/x-www-form-urlencoded" encoding algorithm per + Appendix B, and the encoded value is used as the username; the client + password is encoded using the same algorithm and used as the + password. The authorization server MUST support the HTTP Basic + authentication scheme for authenticating clients that were issued a + client password. + + For example (with extra line breaks for display purposes only): + + Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 + + Alternatively, the authorization server MAY support including the + client credentials in the request-body using the following + parameters: + + client_id + REQUIRED. The client identifier issued to the client during + the registration process described by Section 2.2. + + client_secret + REQUIRED. The client secret. The client MAY omit the + parameter if the client secret is an empty string. + + + + +Hardt Standards Track [Page 16] + +RFC 6749 OAuth 2.0 October 2012 + + + Including the client credentials in the request-body using the two + parameters is NOT RECOMMENDED and SHOULD be limited to clients unable + to directly utilize the HTTP Basic authentication scheme (or other + password-based HTTP authentication schemes). The parameters can only + be transmitted in the request-body and MUST NOT be included in the + request URI. + + For example, a request to refresh an access token (Section 6) using + the body parameters (with extra line breaks for display purposes + only): + + POST /token HTTP/1.1 + Host: server.example.com + Content-Type: application/x-www-form-urlencoded + + grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA + &client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw + + The authorization server MUST require the use of TLS as described in + Section 1.6 when sending requests using password authentication. + + Since this client authentication method involves a password, the + authorization server MUST protect any endpoint utilizing it against + brute force attacks. + +2.3.2. Other Authentication Methods + + The authorization server MAY support any suitable HTTP authentication + scheme matching its security requirements. When using other + authentication methods, the authorization server MUST define a + mapping between the client identifier (registration record) and + authentication scheme. + +2.4. Unregistered Clients + + This specification does not exclude the use of unregistered clients. + However, the use of such clients is beyond the scope of this + specification and requires additional security analysis and review of + its interoperability impact. + + + + + + + + + + + + +Hardt Standards Track [Page 17] + +RFC 6749 OAuth 2.0 October 2012 + + +3. Protocol Endpoints + + The authorization process utilizes two authorization server endpoints + (HTTP resources): + + o Authorization endpoint - used by the client to obtain + authorization from the resource owner via user-agent redirection. + + o Token endpoint - used by the client to exchange an authorization + grant for an access token, typically with client authentication. + + As well as one client endpoint: + + o Redirection endpoint - used by the authorization server to return + responses containing authorization credentials to the client via + the resource owner user-agent. + + Not every authorization grant type utilizes both endpoints. + Extension grant types MAY define additional endpoints as needed. + +3.1. Authorization Endpoint + + The authorization endpoint is used to interact with the resource + owner and obtain an authorization grant. The authorization server + MUST first verify the identity of the resource owner. The way in + which the authorization server authenticates the resource owner + (e.g., username and password login, session cookies) is beyond the + scope of this specification. + + The means through which the client obtains the location of the + authorization endpoint are beyond the scope of this specification, + but the location is typically provided in the service documentation. + + The endpoint URI MAY include an "application/x-www-form-urlencoded" + formatted (per Appendix B) query component ([RFC3986] Section 3.4), + which MUST be retained when adding additional query parameters. The + endpoint URI MUST NOT include a fragment component. + + Since requests to the authorization endpoint result in user + authentication and the transmission of clear-text credentials (in the + HTTP response), the authorization server MUST require the use of TLS + as described in Section 1.6 when sending requests to the + authorization endpoint. + + The authorization server MUST support the use of the HTTP "GET" + method [RFC2616] for the authorization endpoint and MAY support the + use of the "POST" method as well. + + + + +Hardt Standards Track [Page 18] + +RFC 6749 OAuth 2.0 October 2012 + + + Parameters sent without a value MUST be treated as if they were + omitted from the request. The authorization server MUST ignore + unrecognized request parameters. Request and response parameters + MUST NOT be included more than once. + +3.1.1. Response Type + + The authorization endpoint is used by the authorization code grant + type and implicit grant type flows. The client informs the + authorization server of the desired grant type using the following + parameter: + + response_type + REQUIRED. The value MUST be one of "code" for requesting an + authorization code as described by Section 4.1.1, "token" for + requesting an access token (implicit grant) as described by + Section 4.2.1, or a registered extension value as described by + Section 8.4. + + Extension response types MAY contain a space-delimited (%x20) list of + values, where the order of values does not matter (e.g., response + type "a b" is the same as "b a"). The meaning of such composite + response types is defined by their respective specifications. + + If an authorization request is missing the "response_type" parameter, + or if the response type is not understood, the authorization server + MUST return an error response as described in Section 4.1.2.1. + +3.1.2. Redirection Endpoint + + After completing its interaction with the resource owner, the + authorization server directs the resource owner's user-agent back to + the client. The authorization server redirects the user-agent to the + client's redirection endpoint previously established with the + authorization server during the client registration process or when + making the authorization request. + + The redirection endpoint URI MUST be an absolute URI as defined by + [RFC3986] Section 4.3. The endpoint URI MAY include an + "application/x-www-form-urlencoded" formatted (per Appendix B) query + component ([RFC3986] Section 3.4), which MUST be retained when adding + additional query parameters. The endpoint URI MUST NOT include a + fragment component. + + + + + + + + +Hardt Standards Track [Page 19] + +RFC 6749 OAuth 2.0 October 2012 + + +3.1.2.1. Endpoint Request Confidentiality + + The redirection endpoint SHOULD require the use of TLS as described + in Section 1.6 when the requested response type is "code" or "token", + or when the redirection request will result in the transmission of + sensitive credentials over an open network. This specification does + not mandate the use of TLS because at the time of this writing, + requiring clients to deploy TLS is a significant hurdle for many + client developers. If TLS is not available, the authorization server + SHOULD warn the resource owner about the insecure endpoint prior to + redirection (e.g., display a message during the authorization + request). + + Lack of transport-layer security can have a severe impact on the + security of the client and the protected resources it is authorized + to access. The use of transport-layer security is particularly + critical when the authorization process is used as a form of + delegated end-user authentication by the client (e.g., third-party + sign-in service). + +3.1.2.2. Registration Requirements + + The authorization server MUST require the following clients to + register their redirection endpoint: + + o Public clients. + + o Confidential clients utilizing the implicit grant type. + + The authorization server SHOULD require all clients to register their + redirection endpoint prior to utilizing the authorization endpoint. + + The authorization server SHOULD require the client to provide the + complete redirection URI (the client MAY use the "state" request + parameter to achieve per-request customization). If requiring the + registration of the complete redirection URI is not possible, the + authorization server SHOULD require the registration of the URI + scheme, authority, and path (allowing the client to dynamically vary + only the query component of the redirection URI when requesting + authorization). + + The authorization server MAY allow the client to register multiple + redirection endpoints. + + Lack of a redirection URI registration requirement can enable an + attacker to use the authorization endpoint as an open redirector as + described in Section 10.15. + + + + +Hardt Standards Track [Page 20] + +RFC 6749 OAuth 2.0 October 2012 + + +3.1.2.3. Dynamic Configuration + + If multiple redirection URIs have been registered, if only part of + the redirection URI has been registered, or if no redirection URI has + been registered, the client MUST include a redirection URI with the + authorization request using the "redirect_uri" request parameter. + + When a redirection URI is included in an authorization request, the + authorization server MUST compare and match the value received + against at least one of the registered redirection URIs (or URI + components) as defined in [RFC3986] Section 6, if any redirection + URIs were registered. If the client registration included the full + redirection URI, the authorization server MUST compare the two URIs + using simple string comparison as defined in [RFC3986] Section 6.2.1. + +3.1.2.4. Invalid Endpoint + + If an authorization request fails validation due to a missing, + invalid, or mismatching redirection URI, the authorization server + SHOULD inform the resource owner of the error and MUST NOT + automatically redirect the user-agent to the invalid redirection URI. + +3.1.2.5. Endpoint Content + + The redirection request to the client's endpoint typically results in + an HTML document response, processed by the user-agent. If the HTML + response is served directly as the result of the redirection request, + any script included in the HTML document will execute with full + access to the redirection URI and the credentials it contains. + + The client SHOULD NOT include any third-party scripts (e.g., third- + party analytics, social plug-ins, ad networks) in the redirection + endpoint response. Instead, it SHOULD extract the credentials from + the URI and redirect the user-agent again to another endpoint without + exposing the credentials (in the URI or elsewhere). If third-party + scripts are included, the client MUST ensure that its own scripts + (used to extract and remove the credentials from the URI) will + execute first. + +3.2. Token Endpoint + + The token endpoint is used by the client to obtain an access token by + presenting its authorization grant or refresh token. The token + endpoint is used with every authorization grant except for the + implicit grant type (since an access token is issued directly). + + + + + + +Hardt Standards Track [Page 21] + +RFC 6749 OAuth 2.0 October 2012 + + + The means through which the client obtains the location of the token + endpoint are beyond the scope of this specification, but the location + is typically provided in the service documentation. + + The endpoint URI MAY include an "application/x-www-form-urlencoded" + formatted (per Appendix B) query component ([RFC3986] Section 3.4), + which MUST be retained when adding additional query parameters. The + endpoint URI MUST NOT include a fragment component. + + Since requests to the token endpoint result in the transmission of + clear-text credentials (in the HTTP request and response), the + authorization server MUST require the use of TLS as described in + Section 1.6 when sending requests to the token endpoint. + + The client MUST use the HTTP "POST" method when making access token + requests. + + Parameters sent without a value MUST be treated as if they were + omitted from the request. The authorization server MUST ignore + unrecognized request parameters. Request and response parameters + MUST NOT be included more than once. + +3.2.1. Client Authentication + + Confidential clients or other clients issued client credentials MUST + authenticate with the authorization server as described in + Section 2.3 when making requests to the token endpoint. Client + authentication is used for: + + o Enforcing the binding of refresh tokens and authorization codes to + the client they were issued to. Client authentication is critical + when an authorization code is transmitted to the redirection + endpoint over an insecure channel or when the redirection URI has + not been registered in full. + + o Recovering from a compromised client by disabling the client or + changing its credentials, thus preventing an attacker from abusing + stolen refresh tokens. Changing a single set of client + credentials is significantly faster than revoking an entire set of + refresh tokens. + + o Implementing authentication management best practices, which + require periodic credential rotation. Rotation of an entire set + of refresh tokens can be challenging, while rotation of a single + set of client credentials is significantly easier. + + + + + + +Hardt Standards Track [Page 22] + +RFC 6749 OAuth 2.0 October 2012 + + + A client MAY use the "client_id" request parameter to identify itself + when sending requests to the token endpoint. In the + "authorization_code" "grant_type" request to the token endpoint, an + unauthenticated client MUST send its "client_id" to prevent itself + from inadvertently accepting a code intended for a client with a + different "client_id". This protects the client from substitution of + the authentication code. (It provides no additional security for the + protected resource.) + +3.3. Access Token Scope + + The authorization and token endpoints allow the client to specify the + scope of the access request using the "scope" request parameter. In + turn, the authorization server uses the "scope" response parameter to + inform the client of the scope of the access token issued. + + The value of the scope parameter is expressed as a list of space- + delimited, case-sensitive strings. The strings are defined by the + authorization server. If the value contains multiple space-delimited + strings, their order does not matter, and each string adds an + additional access range to the requested scope. + + scope = scope-token *( SP scope-token ) + scope-token = 1*( %x21 / %x23-5B / %x5D-7E ) + + The authorization server MAY fully or partially ignore the scope + requested by the client, based on the authorization server policy or + the resource owner's instructions. If the issued access token scope + is different from the one requested by the client, the authorization + server MUST include the "scope" response parameter to inform the + client of the actual scope granted. + + If the client omits the scope parameter when requesting + authorization, the authorization server MUST either process the + request using a pre-defined default value or fail the request + indicating an invalid scope. The authorization server SHOULD + document its scope requirements and default value (if defined). + +4. Obtaining Authorization + + To request an access token, the client obtains authorization from the + resource owner. The authorization is expressed in the form of an + authorization grant, which the client uses to request the access + token. OAuth defines four grant types: authorization code, implicit, + resource owner password credentials, and client credentials. It also + provides an extension mechanism for defining additional grant types. + + + + + +Hardt Standards Track [Page 23] + +RFC 6749 OAuth 2.0 October 2012 + + +4.1. Authorization Code Grant + + The authorization code grant type is used to obtain both access + tokens and refresh tokens and is optimized for confidential clients. + Since this is a redirection-based flow, the client must be capable of + interacting with the resource owner's user-agent (typically a web + browser) and capable of receiving incoming requests (via redirection) + from the authorization server. + + +----------+ + | Resource | + | Owner | + | | + +----------+ + ^ + | + (B) + +----|-----+ Client Identifier +---------------+ + | -+----(A)-- & Redirection URI ---->| | + | User- | | Authorization | + | Agent -+----(B)-- User authenticates --->| Server | + | | | | + | -+----(C)-- Authorization Code ---<| | + +-|----|---+ +---------------+ + | | ^ v + (A) (C) | | + | | | | + ^ v | | + +---------+ | | + | |>---(D)-- Authorization Code ---------' | + | Client | & Redirection URI | + | | | + | |<---(E)----- Access Token -------------------' + +---------+ (w/ Optional Refresh Token) + + Note: The lines illustrating steps (A), (B), and (C) are broken into + two parts as they pass through the user-agent. + + Figure 3: Authorization Code Flow + + + + + + + + + + + + +Hardt Standards Track [Page 24] + +RFC 6749 OAuth 2.0 October 2012 + + + The flow illustrated in Figure 3 includes the following steps: + + (A) The client initiates the flow by directing the resource owner's + user-agent to the authorization endpoint. The client includes + its client identifier, requested scope, local state, and a + redirection URI to which the authorization server will send the + user-agent back once access is granted (or denied). + + (B) The authorization server authenticates the resource owner (via + the user-agent) and establishes whether the resource owner + grants or denies the client's access request. + + (C) Assuming the resource owner grants access, the authorization + server redirects the user-agent back to the client using the + redirection URI provided earlier (in the request or during + client registration). The redirection URI includes an + authorization code and any local state provided by the client + earlier. + + (D) The client requests an access token from the authorization + server's token endpoint by including the authorization code + received in the previous step. When making the request, the + client authenticates with the authorization server. The client + includes the redirection URI used to obtain the authorization + code for verification. + + (E) The authorization server authenticates the client, validates the + authorization code, and ensures that the redirection URI + received matches the URI used to redirect the client in + step (C). If valid, the authorization server responds back with + an access token and, optionally, a refresh token. + +4.1.1. Authorization Request + + The client constructs the request URI by adding the following + parameters to the query component of the authorization endpoint URI + using the "application/x-www-form-urlencoded" format, per Appendix B: + + response_type + REQUIRED. Value MUST be set to "code". + + client_id + REQUIRED. The client identifier as described in Section 2.2. + + redirect_uri + OPTIONAL. As described in Section 3.1.2. + + + + + +Hardt Standards Track [Page 25] + +RFC 6749 OAuth 2.0 October 2012 + + + scope + OPTIONAL. The scope of the access request as described by + Section 3.3. + + state + RECOMMENDED. An opaque value used by the client to maintain + state between the request and callback. The authorization + server includes this value when redirecting the user-agent back + to the client. The parameter SHOULD be used for preventing + cross-site request forgery as described in Section 10.12. + + The client directs the resource owner to the constructed URI using an + HTTP redirection response, or by other means available to it via the + user-agent. + + For example, the client directs the user-agent to make the following + HTTP request using TLS (with extra line breaks for display purposes + only): + + GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz + &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 + Host: server.example.com + + The authorization server validates the request to ensure that all + required parameters are present and valid. If the request is valid, + the authorization server authenticates the resource owner and obtains + an authorization decision (by asking the resource owner or by + establishing approval via other means). + + When a decision is established, the authorization server directs the + user-agent to the provided client redirection URI using an HTTP + redirection response, or by other means available to it via the + user-agent. + +4.1.2. Authorization Response + + If the resource owner grants the access request, the authorization + server issues an authorization code and delivers it to the client by + adding the following parameters to the query component of the + redirection URI using the "application/x-www-form-urlencoded" format, + per Appendix B: + + code + REQUIRED. The authorization code generated by the + authorization server. The authorization code MUST expire + shortly after it is issued to mitigate the risk of leaks. A + maximum authorization code lifetime of 10 minutes is + RECOMMENDED. The client MUST NOT use the authorization code + + + +Hardt Standards Track [Page 26] + +RFC 6749 OAuth 2.0 October 2012 + + + more than once. If an authorization code is used more than + once, the authorization server MUST deny the request and SHOULD + revoke (when possible) all tokens previously issued based on + that authorization code. The authorization code is bound to + the client identifier and redirection URI. + + state + REQUIRED if the "state" parameter was present in the client + authorization request. The exact value received from the + client. + + For example, the authorization server redirects the user-agent by + sending the following HTTP response: + + HTTP/1.1 302 Found + Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA + &state=xyz + + The client MUST ignore unrecognized response parameters. The + authorization code string size is left undefined by this + specification. The client should avoid making assumptions about code + value sizes. The authorization server SHOULD document the size of + any value it issues. + +4.1.2.1. Error Response + + If the request fails due to a missing, invalid, or mismatching + redirection URI, or if the client identifier is missing or invalid, + the authorization server SHOULD inform the resource owner of the + error and MUST NOT automatically redirect the user-agent to the + invalid redirection URI. + + If the resource owner denies the access request or if the request + fails for reasons other than a missing or invalid redirection URI, + the authorization server informs the client by adding the following + parameters to the query component of the redirection URI using the + "application/x-www-form-urlencoded" format, per Appendix B: + + error + REQUIRED. A single ASCII [USASCII] error code from the + following: + + invalid_request + The request is missing a required parameter, includes an + invalid parameter value, includes a parameter more than + once, or is otherwise malformed. + + + + + +Hardt Standards Track [Page 27] + +RFC 6749 OAuth 2.0 October 2012 + + + unauthorized_client + The client is not authorized to request an authorization + code using this method. + + access_denied + The resource owner or authorization server denied the + request. + + unsupported_response_type + The authorization server does not support obtaining an + authorization code using this method. + + invalid_scope + The requested scope is invalid, unknown, or malformed. + + server_error + The authorization server encountered an unexpected + condition that prevented it from fulfilling the request. + (This error code is needed because a 500 Internal Server + Error HTTP status code cannot be returned to the client + via an HTTP redirect.) + + temporarily_unavailable + The authorization server is currently unable to handle + the request due to a temporary overloading or maintenance + of the server. (This error code is needed because a 503 + Service Unavailable HTTP status code cannot be returned + to the client via an HTTP redirect.) + + Values for the "error" parameter MUST NOT include characters + outside the set %x20-21 / %x23-5B / %x5D-7E. + + error_description + OPTIONAL. Human-readable ASCII [USASCII] text providing + additional information, used to assist the client developer in + understanding the error that occurred. + Values for the "error_description" parameter MUST NOT include + characters outside the set %x20-21 / %x23-5B / %x5D-7E. + + error_uri + OPTIONAL. A URI identifying a human-readable web page with + information about the error, used to provide the client + developer with additional information about the error. + Values for the "error_uri" parameter MUST conform to the + URI-reference syntax and thus MUST NOT include characters + outside the set %x21 / %x23-5B / %x5D-7E. + + + + + +Hardt Standards Track [Page 28] + +RFC 6749 OAuth 2.0 October 2012 + + + state + REQUIRED if a "state" parameter was present in the client + authorization request. The exact value received from the + client. + + For example, the authorization server redirects the user-agent by + sending the following HTTP response: + + HTTP/1.1 302 Found + Location: https://client.example.com/cb?error=access_denied&state=xyz + +4.1.3. Access Token Request + + The client makes a request to the token endpoint by sending the + following parameters using the "application/x-www-form-urlencoded" + format per Appendix B with a character encoding of UTF-8 in the HTTP + request entity-body: + + grant_type + REQUIRED. Value MUST be set to "authorization_code". + + code + REQUIRED. The authorization code received from the + authorization server. + + redirect_uri + REQUIRED, if the "redirect_uri" parameter was included in the + authorization request as described in Section 4.1.1, and their + values MUST be identical. + + client_id + REQUIRED, if the client is not authenticating with the + authorization server as described in Section 3.2.1. + + If the client type is confidential or the client was issued client + credentials (or assigned other authentication requirements), the + client MUST authenticate with the authorization server as described + in Section 3.2.1. + + + + + + + + + + + + + +Hardt Standards Track [Page 29] + +RFC 6749 OAuth 2.0 October 2012 + + + For example, the client makes the following HTTP request using TLS + (with extra line breaks for display purposes only): + + POST /token HTTP/1.1 + Host: server.example.com + Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW + Content-Type: application/x-www-form-urlencoded + + grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA + &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb + + The authorization server MUST: + + o require client authentication for confidential clients or for any + client that was issued client credentials (or with other + authentication requirements), + + o authenticate the client if client authentication is included, + + o ensure that the authorization code was issued to the authenticated + confidential client, or if the client is public, ensure that the + code was issued to "client_id" in the request, + + o verify that the authorization code is valid, and + + o ensure that the "redirect_uri" parameter is present if the + "redirect_uri" parameter was included in the initial authorization + request as described in Section 4.1.1, and if included ensure that + their values are identical. + +4.1.4. Access Token Response + + If the access token request is valid and authorized, the + authorization server issues an access token and optional refresh + token as described in Section 5.1. If the request client + authentication failed or is invalid, the authorization server returns + an error response as described in Section 5.2. + + + + + + + + + + + + + + +Hardt Standards Track [Page 30] + +RFC 6749 OAuth 2.0 October 2012 + + + An example successful response: + + HTTP/1.1 200 OK + Content-Type: application/json;charset=UTF-8 + Cache-Control: no-store + Pragma: no-cache + + { + "access_token":"2YotnFZFEjr1zCsicMWpAA", + "token_type":"example", + "expires_in":3600, + "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", + "example_parameter":"example_value" + } + +4.2. Implicit Grant + + The implicit grant type is used to obtain access tokens (it does not + support the issuance of refresh tokens) and is optimized for public + clients known to operate a particular redirection URI. These clients + are typically implemented in a browser using a scripting language + such as JavaScript. + + Since this is a redirection-based flow, the client must be capable of + interacting with the resource owner's user-agent (typically a web + browser) and capable of receiving incoming requests (via redirection) + from the authorization server. + + Unlike the authorization code grant type, in which the client makes + separate requests for authorization and for an access token, the + client receives the access token as the result of the authorization + request. + + The implicit grant type does not include client authentication, and + relies on the presence of the resource owner and the registration of + the redirection URI. Because the access token is encoded into the + redirection URI, it may be exposed to the resource owner and other + applications residing on the same device. + + + + + + + + + + + + + +Hardt Standards Track [Page 31] + +RFC 6749 OAuth 2.0 October 2012 + + + +----------+ + | Resource | + | Owner | + | | + +----------+ + ^ + | + (B) + +----|-----+ Client Identifier +---------------+ + | -+----(A)-- & Redirection URI --->| | + | User- | | Authorization | + | Agent -|----(B)-- User authenticates -->| Server | + | | | | + | |<---(C)--- Redirection URI ----<| | + | | with Access Token +---------------+ + | | in Fragment + | | +---------------+ + | |----(D)--- Redirection URI ---->| Web-Hosted | + | | without Fragment | Client | + | | | Resource | + | (F) |<---(E)------- Script ---------<| | + | | +---------------+ + +-|--------+ + | | + (A) (G) Access Token + | | + ^ v + +---------+ + | | + | Client | + | | + +---------+ + + Note: The lines illustrating steps (A) and (B) are broken into two + parts as they pass through the user-agent. + + Figure 4: Implicit Grant Flow + + + + + + + + + + + + + + +Hardt Standards Track [Page 32] + +RFC 6749 OAuth 2.0 October 2012 + + + The flow illustrated in Figure 4 includes the following steps: + + (A) The client initiates the flow by directing the resource owner's + user-agent to the authorization endpoint. The client includes + its client identifier, requested scope, local state, and a + redirection URI to which the authorization server will send the + user-agent back once access is granted (or denied). + + (B) The authorization server authenticates the resource owner (via + the user-agent) and establishes whether the resource owner + grants or denies the client's access request. + + (C) Assuming the resource owner grants access, the authorization + server redirects the user-agent back to the client using the + redirection URI provided earlier. The redirection URI includes + the access token in the URI fragment. + + (D) The user-agent follows the redirection instructions by making a + request to the web-hosted client resource (which does not + include the fragment per [RFC2616]). The user-agent retains the + fragment information locally. + + (E) The web-hosted client resource returns a web page (typically an + HTML document with an embedded script) capable of accessing the + full redirection URI including the fragment retained by the + user-agent, and extracting the access token (and other + parameters) contained in the fragment. + + (F) The user-agent executes the script provided by the web-hosted + client resource locally, which extracts the access token. + + (G) The user-agent passes the access token to the client. + + See Sections 1.3.2 and 9 for background on using the implicit grant. + See Sections 10.3 and 10.16 for important security considerations + when using the implicit grant. + +4.2.1. Authorization Request + + The client constructs the request URI by adding the following + parameters to the query component of the authorization endpoint URI + using the "application/x-www-form-urlencoded" format, per Appendix B: + + response_type + REQUIRED. Value MUST be set to "token". + + client_id + REQUIRED. The client identifier as described in Section 2.2. + + + +Hardt Standards Track [Page 33] + +RFC 6749 OAuth 2.0 October 2012 + + + redirect_uri + OPTIONAL. As described in Section 3.1.2. + + scope + OPTIONAL. The scope of the access request as described by + Section 3.3. + + state + RECOMMENDED. An opaque value used by the client to maintain + state between the request and callback. The authorization + server includes this value when redirecting the user-agent back + to the client. The parameter SHOULD be used for preventing + cross-site request forgery as described in Section 10.12. + + The client directs the resource owner to the constructed URI using an + HTTP redirection response, or by other means available to it via the + user-agent. + + For example, the client directs the user-agent to make the following + HTTP request using TLS (with extra line breaks for display purposes + only): + + GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz + &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 + Host: server.example.com + + The authorization server validates the request to ensure that all + required parameters are present and valid. The authorization server + MUST verify that the redirection URI to which it will redirect the + access token matches a redirection URI registered by the client as + described in Section 3.1.2. + + If the request is valid, the authorization server authenticates the + resource owner and obtains an authorization decision (by asking the + resource owner or by establishing approval via other means). + + When a decision is established, the authorization server directs the + user-agent to the provided client redirection URI using an HTTP + redirection response, or by other means available to it via the + user-agent. + + + + + + + + + + + +Hardt Standards Track [Page 34] + +RFC 6749 OAuth 2.0 October 2012 + + +4.2.2. Access Token Response + + If the resource owner grants the access request, the authorization + server issues an access token and delivers it to the client by adding + the following parameters to the fragment component of the redirection + URI using the "application/x-www-form-urlencoded" format, per + Appendix B: + + access_token + REQUIRED. The access token issued by the authorization server. + + token_type + REQUIRED. The type of the token issued as described in + Section 7.1. Value is case insensitive. + + expires_in + RECOMMENDED. The lifetime in seconds of the access token. For + example, the value "3600" denotes that the access token will + expire in one hour from the time the response was generated. + If omitted, the authorization server SHOULD provide the + expiration time via other means or document the default value. + + scope + OPTIONAL, if identical to the scope requested by the client; + otherwise, REQUIRED. The scope of the access token as + described by Section 3.3. + + state + REQUIRED if the "state" parameter was present in the client + authorization request. The exact value received from the + client. + + The authorization server MUST NOT issue a refresh token. + + For example, the authorization server redirects the user-agent by + sending the following HTTP response (with extra line breaks for + display purposes only): + + HTTP/1.1 302 Found + Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA + &state=xyz&token_type=example&expires_in=3600 + + Developers should note that some user-agents do not support the + inclusion of a fragment component in the HTTP "Location" response + header field. Such clients will require using other methods for + redirecting the client than a 3xx redirection response -- for + example, returning an HTML page that includes a 'continue' button + with an action linked to the redirection URI. + + + +Hardt Standards Track [Page 35] + +RFC 6749 OAuth 2.0 October 2012 + + + The client MUST ignore unrecognized response parameters. The access + token string size is left undefined by this specification. The + client should avoid making assumptions about value sizes. The + authorization server SHOULD document the size of any value it issues. + +4.2.2.1. Error Response + + If the request fails due to a missing, invalid, or mismatching + redirection URI, or if the client identifier is missing or invalid, + the authorization server SHOULD inform the resource owner of the + error and MUST NOT automatically redirect the user-agent to the + invalid redirection URI. + + If the resource owner denies the access request or if the request + fails for reasons other than a missing or invalid redirection URI, + the authorization server informs the client by adding the following + parameters to the fragment component of the redirection URI using the + "application/x-www-form-urlencoded" format, per Appendix B: + + error + REQUIRED. A single ASCII [USASCII] error code from the + following: + + invalid_request + The request is missing a required parameter, includes an + invalid parameter value, includes a parameter more than + once, or is otherwise malformed. + + unauthorized_client + The client is not authorized to request an access token + using this method. + + access_denied + The resource owner or authorization server denied the + request. + + unsupported_response_type + The authorization server does not support obtaining an + access token using this method. + + invalid_scope + The requested scope is invalid, unknown, or malformed. + + + + + + + + + +Hardt Standards Track [Page 36] + +RFC 6749 OAuth 2.0 October 2012 + + + server_error + The authorization server encountered an unexpected + condition that prevented it from fulfilling the request. + (This error code is needed because a 500 Internal Server + Error HTTP status code cannot be returned to the client + via an HTTP redirect.) + + temporarily_unavailable + The authorization server is currently unable to handle + the request due to a temporary overloading or maintenance + of the server. (This error code is needed because a 503 + Service Unavailable HTTP status code cannot be returned + to the client via an HTTP redirect.) + + Values for the "error" parameter MUST NOT include characters + outside the set %x20-21 / %x23-5B / %x5D-7E. + + error_description + OPTIONAL. Human-readable ASCII [USASCII] text providing + additional information, used to assist the client developer in + understanding the error that occurred. + Values for the "error_description" parameter MUST NOT include + characters outside the set %x20-21 / %x23-5B / %x5D-7E. + + error_uri + OPTIONAL. A URI identifying a human-readable web page with + information about the error, used to provide the client + developer with additional information about the error. + Values for the "error_uri" parameter MUST conform to the + URI-reference syntax and thus MUST NOT include characters + outside the set %x21 / %x23-5B / %x5D-7E. + + state + REQUIRED if a "state" parameter was present in the client + authorization request. The exact value received from the + client. + + For example, the authorization server redirects the user-agent by + sending the following HTTP response: + + HTTP/1.1 302 Found + Location: https://client.example.com/cb#error=access_denied&state=xyz + +4.3. Resource Owner Password Credentials Grant + + The resource owner password credentials grant type is suitable in + cases where the resource owner has a trust relationship with the + client, such as the device operating system or a highly privileged + + + +Hardt Standards Track [Page 37] + +RFC 6749 OAuth 2.0 October 2012 + + + application. The authorization server should take special care when + enabling this grant type and only allow it when other flows are not + viable. + + This grant type is suitable for clients capable of obtaining the + resource owner's credentials (username and password, typically using + an interactive form). It is also used to migrate existing clients + using direct authentication schemes such as HTTP Basic or Digest + authentication to OAuth by converting the stored credentials to an + access token. + + +----------+ + | Resource | + | Owner | + | | + +----------+ + v + | Resource Owner + (A) Password Credentials + | + v + +---------+ +---------------+ + | |>--(B)---- Resource Owner ------->| | + | | Password Credentials | Authorization | + | Client | | Server | + | |<--(C)---- Access Token ---------<| | + | | (w/ Optional Refresh Token) | | + +---------+ +---------------+ + + Figure 5: Resource Owner Password Credentials Flow + + The flow illustrated in Figure 5 includes the following steps: + + (A) The resource owner provides the client with its username and + password. + + (B) The client requests an access token from the authorization + server's token endpoint by including the credentials received + from the resource owner. When making the request, the client + authenticates with the authorization server. + + (C) The authorization server authenticates the client and validates + the resource owner credentials, and if valid, issues an access + token. + + + + + + + +Hardt Standards Track [Page 38] + +RFC 6749 OAuth 2.0 October 2012 + + +4.3.1. Authorization Request and Response + + The method through which the client obtains the resource owner + credentials is beyond the scope of this specification. The client + MUST discard the credentials once an access token has been obtained. + +4.3.2. Access Token Request + + The client makes a request to the token endpoint by adding the + following parameters using the "application/x-www-form-urlencoded" + format per Appendix B with a character encoding of UTF-8 in the HTTP + request entity-body: + + grant_type + REQUIRED. Value MUST be set to "password". + + username + REQUIRED. The resource owner username. + + password + REQUIRED. The resource owner password. + + scope + OPTIONAL. The scope of the access request as described by + Section 3.3. + + If the client type is confidential or the client was issued client + credentials (or assigned other authentication requirements), the + client MUST authenticate with the authorization server as described + in Section 3.2.1. + + For example, the client makes the following HTTP request using + transport-layer security (with extra line breaks for display purposes + only): + + POST /token HTTP/1.1 + Host: server.example.com + Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW + Content-Type: application/x-www-form-urlencoded + + grant_type=password&username=johndoe&password=A3ddj3w + + + + + + + + + + +Hardt Standards Track [Page 39] + +RFC 6749 OAuth 2.0 October 2012 + + + The authorization server MUST: + + o require client authentication for confidential clients or for any + client that was issued client credentials (or with other + authentication requirements), + + o authenticate the client if client authentication is included, and + + o validate the resource owner password credentials using its + existing password validation algorithm. + + Since this access token request utilizes the resource owner's + password, the authorization server MUST protect the endpoint against + brute force attacks (e.g., using rate-limitation or generating + alerts). + +4.3.3. Access Token Response + + If the access token request is valid and authorized, the + authorization server issues an access token and optional refresh + token as described in Section 5.1. If the request failed client + authentication or is invalid, the authorization server returns an + error response as described in Section 5.2. + + An example successful response: + + HTTP/1.1 200 OK + Content-Type: application/json;charset=UTF-8 + Cache-Control: no-store + Pragma: no-cache + + { + "access_token":"2YotnFZFEjr1zCsicMWpAA", + "token_type":"example", + "expires_in":3600, + "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", + "example_parameter":"example_value" + } + +4.4. Client Credentials Grant + + The client can request an access token using only its client + credentials (or other supported means of authentication) when the + client is requesting access to the protected resources under its + control, or those of another resource owner that have been previously + arranged with the authorization server (the method of which is beyond + the scope of this specification). + + + + +Hardt Standards Track [Page 40] + +RFC 6749 OAuth 2.0 October 2012 + + + The client credentials grant type MUST only be used by confidential + clients. + + +---------+ +---------------+ + | | | | + | |>--(A)- Client Authentication --->| Authorization | + | Client | | Server | + | |<--(B)---- Access Token ---------<| | + | | | | + +---------+ +---------------+ + + Figure 6: Client Credentials Flow + + The flow illustrated in Figure 6 includes the following steps: + + (A) The client authenticates with the authorization server and + requests an access token from the token endpoint. + + (B) The authorization server authenticates the client, and if valid, + issues an access token. + +4.4.1. Authorization Request and Response + + Since the client authentication is used as the authorization grant, + no additional authorization request is needed. + +4.4.2. Access Token Request + + The client makes a request to the token endpoint by adding the + following parameters using the "application/x-www-form-urlencoded" + format per Appendix B with a character encoding of UTF-8 in the HTTP + request entity-body: + + grant_type + REQUIRED. Value MUST be set to "client_credentials". + + scope + OPTIONAL. The scope of the access request as described by + Section 3.3. + + The client MUST authenticate with the authorization server as + described in Section 3.2.1. + + + + + + + + + +Hardt Standards Track [Page 41] + +RFC 6749 OAuth 2.0 October 2012 + + + For example, the client makes the following HTTP request using + transport-layer security (with extra line breaks for display purposes + only): + + POST /token HTTP/1.1 + Host: server.example.com + Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW + Content-Type: application/x-www-form-urlencoded + + grant_type=client_credentials + + The authorization server MUST authenticate the client. + +4.4.3. Access Token Response + + If the access token request is valid and authorized, the + authorization server issues an access token as described in + Section 5.1. A refresh token SHOULD NOT be included. If the request + failed client authentication or is invalid, the authorization server + returns an error response as described in Section 5.2. + + An example successful response: + + HTTP/1.1 200 OK + Content-Type: application/json;charset=UTF-8 + Cache-Control: no-store + Pragma: no-cache + + { + "access_token":"2YotnFZFEjr1zCsicMWpAA", + "token_type":"example", + "expires_in":3600, + "example_parameter":"example_value" + } + +4.5. Extension Grants + + The client uses an extension grant type by specifying the grant type + using an absolute URI (defined by the authorization server) as the + value of the "grant_type" parameter of the token endpoint, and by + adding any additional parameters necessary. + + + + + + + + + + +Hardt Standards Track [Page 42] + +RFC 6749 OAuth 2.0 October 2012 + + + For example, to request an access token using a Security Assertion + Markup Language (SAML) 2.0 assertion grant type as defined by + [OAuth-SAML2], the client could make the following HTTP request using + TLS (with extra line breaks for display purposes only): + + POST /token HTTP/1.1 + Host: server.example.com + Content-Type: application/x-www-form-urlencoded + + grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2- + bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU + [...omitted for brevity...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24- + + If the access token request is valid and authorized, the + authorization server issues an access token and optional refresh + token as described in Section 5.1. If the request failed client + authentication or is invalid, the authorization server returns an + error response as described in Section 5.2. + +5. Issuing an Access Token + + If the access token request is valid and authorized, the + authorization server issues an access token and optional refresh + token as described in Section 5.1. If the request failed client + authentication or is invalid, the authorization server returns an + error response as described in Section 5.2. + +5.1. Successful Response + + The authorization server issues an access token and optional refresh + token, and constructs the response by adding the following parameters + to the entity-body of the HTTP response with a 200 (OK) status code: + + access_token + REQUIRED. The access token issued by the authorization server. + + token_type + REQUIRED. The type of the token issued as described in + Section 7.1. Value is case insensitive. + + expires_in + RECOMMENDED. The lifetime in seconds of the access token. For + example, the value "3600" denotes that the access token will + expire in one hour from the time the response was generated. + If omitted, the authorization server SHOULD provide the + expiration time via other means or document the default value. + + + + + +Hardt Standards Track [Page 43] + +RFC 6749 OAuth 2.0 October 2012 + + + refresh_token + OPTIONAL. The refresh token, which can be used to obtain new + access tokens using the same authorization grant as described + in Section 6. + + scope + OPTIONAL, if identical to the scope requested by the client; + otherwise, REQUIRED. The scope of the access token as + described by Section 3.3. + + The parameters are included in the entity-body of the HTTP response + using the "application/json" media type as defined by [RFC4627]. The + parameters are serialized into a JavaScript Object Notation (JSON) + structure by adding each parameter at the highest structure level. + Parameter names and string values are included as JSON strings. + Numerical values are included as JSON numbers. The order of + parameters does not matter and can vary. + + The authorization server MUST include the HTTP "Cache-Control" + response header field [RFC2616] with a value of "no-store" in any + response containing tokens, credentials, or other sensitive + information, as well as the "Pragma" response header field [RFC2616] + with a value of "no-cache". + + For example: + + HTTP/1.1 200 OK + Content-Type: application/json;charset=UTF-8 + Cache-Control: no-store + Pragma: no-cache + + { + "access_token":"2YotnFZFEjr1zCsicMWpAA", + "token_type":"example", + "expires_in":3600, + "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", + "example_parameter":"example_value" + } + + The client MUST ignore unrecognized value names in the response. The + sizes of tokens and other values received from the authorization + server are left undefined. The client should avoid making + assumptions about value sizes. The authorization server SHOULD + document the size of any value it issues. + + + + + + + +Hardt Standards Track [Page 44] + +RFC 6749 OAuth 2.0 October 2012 + + +5.2. Error Response + + The authorization server responds with an HTTP 400 (Bad Request) + status code (unless specified otherwise) and includes the following + parameters with the response: + + error + REQUIRED. A single ASCII [USASCII] error code from the + following: + + invalid_request + The request is missing a required parameter, includes an + unsupported parameter value (other than grant type), + repeats a parameter, includes multiple credentials, + utilizes more than one mechanism for authenticating the + client, or is otherwise malformed. + + invalid_client + Client authentication failed (e.g., unknown client, no + client authentication included, or unsupported + authentication method). The authorization server MAY + return an HTTP 401 (Unauthorized) status code to indicate + which HTTP authentication schemes are supported. If the + client attempted to authenticate via the "Authorization" + request header field, the authorization server MUST + respond with an HTTP 401 (Unauthorized) status code and + include the "WWW-Authenticate" response header field + matching the authentication scheme used by the client. + + invalid_grant + The provided authorization grant (e.g., authorization + code, resource owner credentials) or refresh token is + invalid, expired, revoked, does not match the redirection + URI used in the authorization request, or was issued to + another client. + + unauthorized_client + The authenticated client is not authorized to use this + authorization grant type. + + unsupported_grant_type + The authorization grant type is not supported by the + authorization server. + + + + + + + + +Hardt Standards Track [Page 45] + +RFC 6749 OAuth 2.0 October 2012 + + + invalid_scope + The requested scope is invalid, unknown, malformed, or + exceeds the scope granted by the resource owner. + + Values for the "error" parameter MUST NOT include characters + outside the set %x20-21 / %x23-5B / %x5D-7E. + + error_description + OPTIONAL. Human-readable ASCII [USASCII] text providing + additional information, used to assist the client developer in + understanding the error that occurred. + Values for the "error_description" parameter MUST NOT include + characters outside the set %x20-21 / %x23-5B / %x5D-7E. + + error_uri + OPTIONAL. A URI identifying a human-readable web page with + information about the error, used to provide the client + developer with additional information about the error. + Values for the "error_uri" parameter MUST conform to the + URI-reference syntax and thus MUST NOT include characters + outside the set %x21 / %x23-5B / %x5D-7E. + + The parameters are included in the entity-body of the HTTP response + using the "application/json" media type as defined by [RFC4627]. The + parameters are serialized into a JSON structure by adding each + parameter at the highest structure level. Parameter names and string + values are included as JSON strings. Numerical values are included + as JSON numbers. The order of parameters does not matter and can + vary. + + For example: + + HTTP/1.1 400 Bad Request + Content-Type: application/json;charset=UTF-8 + Cache-Control: no-store + Pragma: no-cache + + { + "error":"invalid_request" + } + + + + + + + + + + + +Hardt Standards Track [Page 46] + +RFC 6749 OAuth 2.0 October 2012 + + +6. Refreshing an Access Token + + If the authorization server issued a refresh token to the client, the + client makes a refresh request to the token endpoint by adding the + following parameters using the "application/x-www-form-urlencoded" + format per Appendix B with a character encoding of UTF-8 in the HTTP + request entity-body: + + grant_type + REQUIRED. Value MUST be set to "refresh_token". + + refresh_token + REQUIRED. The refresh token issued to the client. + + scope + OPTIONAL. The scope of the access request as described by + Section 3.3. The requested scope MUST NOT include any scope + not originally granted by the resource owner, and if omitted is + treated as equal to the scope originally granted by the + resource owner. + + Because refresh tokens are typically long-lasting credentials used to + request additional access tokens, the refresh token is bound to the + client to which it was issued. If the client type is confidential or + the client was issued client credentials (or assigned other + authentication requirements), the client MUST authenticate with the + authorization server as described in Section 3.2.1. + + For example, the client makes the following HTTP request using + transport-layer security (with extra line breaks for display purposes + only): + + POST /token HTTP/1.1 + Host: server.example.com + Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW + Content-Type: application/x-www-form-urlencoded + + grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA + + + + + + + + + + + + + +Hardt Standards Track [Page 47] + +RFC 6749 OAuth 2.0 October 2012 + + + The authorization server MUST: + + o require client authentication for confidential clients or for any + client that was issued client credentials (or with other + authentication requirements), + + o authenticate the client if client authentication is included and + ensure that the refresh token was issued to the authenticated + client, and + + o validate the refresh token. + + If valid and authorized, the authorization server issues an access + token as described in Section 5.1. If the request failed + verification or is invalid, the authorization server returns an error + response as described in Section 5.2. + + The authorization server MAY issue a new refresh token, in which case + the client MUST discard the old refresh token and replace it with the + new refresh token. The authorization server MAY revoke the old + refresh token after issuing a new refresh token to the client. If a + new refresh token is issued, the refresh token scope MUST be + identical to that of the refresh token included by the client in the + request. + +7. Accessing Protected Resources + + The client accesses protected resources by presenting the access + token to the resource server. The resource server MUST validate the + access token and ensure that it has not expired and that its scope + covers the requested resource. The methods used by the resource + server to validate the access token (as well as any error responses) + are beyond the scope of this specification but generally involve an + interaction or coordination between the resource server and the + authorization server. + + The method in which the client utilizes the access token to + authenticate with the resource server depends on the type of access + token issued by the authorization server. Typically, it involves + using the HTTP "Authorization" request header field [RFC2617] with an + authentication scheme defined by the specification of the access + token type used, such as [RFC6750]. + + + + + + + + + +Hardt Standards Track [Page 48] + +RFC 6749 OAuth 2.0 October 2012 + + +7.1. Access Token Types + + The access token type provides the client with the information + required to successfully utilize the access token to make a protected + resource request (along with type-specific attributes). The client + MUST NOT use an access token if it does not understand the token + type. + + For example, the "bearer" token type defined in [RFC6750] is utilized + by simply including the access token string in the request: + + GET /resource/1 HTTP/1.1 + Host: example.com + Authorization: Bearer mF_9.B5f-4.1JqM + + while the "mac" token type defined in [OAuth-HTTP-MAC] is utilized by + issuing a Message Authentication Code (MAC) key together with the + access token that is used to sign certain components of the HTTP + requests: + + GET /resource/1 HTTP/1.1 + Host: example.com + Authorization: MAC id="h480djs93hd8", + nonce="274312:dj83hs9s", + mac="kDZvddkndxvhGRXZhvuDjEWhGeE=" + + The above examples are provided for illustration purposes only. + Developers are advised to consult the [RFC6750] and [OAuth-HTTP-MAC] + specifications before use. + + Each access token type definition specifies the additional attributes + (if any) sent to the client together with the "access_token" response + parameter. It also defines the HTTP authentication method used to + include the access token when making a protected resource request. + +7.2. Error Response + + If a resource access request fails, the resource server SHOULD inform + the client of the error. While the specifics of such error responses + are beyond the scope of this specification, this document establishes + a common registry in Section 11.4 for error values to be shared among + OAuth token authentication schemes. + + New authentication schemes designed primarily for OAuth token + authentication SHOULD define a mechanism for providing an error + status code to the client, in which the error values allowed are + registered in the error registry established by this specification. + + + + +Hardt Standards Track [Page 49] + +RFC 6749 OAuth 2.0 October 2012 + + + Such schemes MAY limit the set of valid error codes to a subset of + the registered values. If the error code is returned using a named + parameter, the parameter name SHOULD be "error". + + Other schemes capable of being used for OAuth token authentication, + but not primarily designed for that purpose, MAY bind their error + values to the registry in the same manner. + + New authentication schemes MAY choose to also specify the use of the + "error_description" and "error_uri" parameters to return error + information in a manner parallel to their usage in this + specification. + +8. Extensibility + +8.1. Defining Access Token Types + + Access token types can be defined in one of two ways: registered in + the Access Token Types registry (following the procedures in + Section 11.1), or by using a unique absolute URI as its name. + + Types utilizing a URI name SHOULD be limited to vendor-specific + implementations that are not commonly applicable, and are specific to + the implementation details of the resource server where they are + used. + + All other types MUST be registered. Type names MUST conform to the + type-name ABNF. If the type definition includes a new HTTP + authentication scheme, the type name SHOULD be identical to the HTTP + authentication scheme name (as defined by [RFC2617]). The token type + "example" is reserved for use in examples. + + type-name = 1*name-char + name-char = "-" / "." / "_" / DIGIT / ALPHA + +8.2. Defining New Endpoint Parameters + + New request or response parameters for use with the authorization + endpoint or the token endpoint are defined and registered in the + OAuth Parameters registry following the procedure in Section 11.2. + + Parameter names MUST conform to the param-name ABNF, and parameter + values syntax MUST be well-defined (e.g., using ABNF, or a reference + to the syntax of an existing parameter). + + param-name = 1*name-char + name-char = "-" / "." / "_" / DIGIT / ALPHA + + + + +Hardt Standards Track [Page 50] + +RFC 6749 OAuth 2.0 October 2012 + + + Unregistered vendor-specific parameter extensions that are not + commonly applicable and that are specific to the implementation + details of the authorization server where they are used SHOULD + utilize a vendor-specific prefix that is not likely to conflict with + other registered values (e.g., begin with 'companyname_'). + +8.3. Defining New Authorization Grant Types + + New authorization grant types can be defined by assigning them a + unique absolute URI for use with the "grant_type" parameter. If the + extension grant type requires additional token endpoint parameters, + they MUST be registered in the OAuth Parameters registry as described + by Section 11.2. + +8.4. Defining New Authorization Endpoint Response Types + + New response types for use with the authorization endpoint are + defined and registered in the Authorization Endpoint Response Types + registry following the procedure in Section 11.3. Response type + names MUST conform to the response-type ABNF. + + response-type = response-name *( SP response-name ) + response-name = 1*response-char + response-char = "_" / DIGIT / ALPHA + + If a response type contains one or more space characters (%x20), it + is compared as a space-delimited list of values in which the order of + values does not matter. Only one order of values can be registered, + which covers all other arrangements of the same set of values. + + For example, the response type "token code" is left undefined by this + specification. However, an extension can define and register the + "token code" response type. Once registered, the same combination + cannot be registered as "code token", but both values can be used to + denote the same response type. + +8.5. Defining Additional Error Codes + + In cases where protocol extensions (i.e., access token types, + extension parameters, or extension grant types) require additional + error codes to be used with the authorization code grant error + response (Section 4.1.2.1), the implicit grant error response + (Section 4.2.2.1), the token error response (Section 5.2), or the + resource access error response (Section 7.2), such error codes MAY be + defined. + + + + + + +Hardt Standards Track [Page 51] + +RFC 6749 OAuth 2.0 October 2012 + + + Extension error codes MUST be registered (following the procedures in + Section 11.4) if the extension they are used in conjunction with is a + registered access token type, a registered endpoint parameter, or an + extension grant type. Error codes used with unregistered extensions + MAY be registered. + + Error codes MUST conform to the error ABNF and SHOULD be prefixed by + an identifying name when possible. For example, an error identifying + an invalid value set to the extension parameter "example" SHOULD be + named "example_invalid". + + error = 1*error-char + error-char = %x20-21 / %x23-5B / %x5D-7E + +9. Native Applications + + Native applications are clients installed and executed on the device + used by the resource owner (i.e., desktop application, native mobile + application). Native applications require special consideration + related to security, platform capabilities, and overall end-user + experience. + + The authorization endpoint requires interaction between the client + and the resource owner's user-agent. Native applications can invoke + an external user-agent or embed a user-agent within the application. + For example: + + o External user-agent - the native application can capture the + response from the authorization server using a redirection URI + with a scheme registered with the operating system to invoke the + client as the handler, manual copy-and-paste of the credentials, + running a local web server, installing a user-agent extension, or + by providing a redirection URI identifying a server-hosted + resource under the client's control, which in turn makes the + response available to the native application. + + o Embedded user-agent - the native application obtains the response + by directly communicating with the embedded user-agent by + monitoring state changes emitted during the resource load, or + accessing the user-agent's cookies storage. + + When choosing between an external or embedded user-agent, developers + should consider the following: + + o An external user-agent may improve completion rate, as the + resource owner may already have an active session with the + authorization server, removing the need to re-authenticate. It + provides a familiar end-user experience and functionality. The + + + +Hardt Standards Track [Page 52] + +RFC 6749 OAuth 2.0 October 2012 + + + resource owner may also rely on user-agent features or extensions + to assist with authentication (e.g., password manager, 2-factor + device reader). + + o An embedded user-agent may offer improved usability, as it removes + the need to switch context and open new windows. + + o An embedded user-agent poses a security challenge because resource + owners are authenticating in an unidentified window without access + to the visual protections found in most external user-agents. An + embedded user-agent educates end-users to trust unidentified + requests for authentication (making phishing attacks easier to + execute). + + When choosing between the implicit grant type and the authorization + code grant type, the following should be considered: + + o Native applications that use the authorization code grant type + SHOULD do so without using client credentials, due to the native + application's inability to keep client credentials confidential. + + o When using the implicit grant type flow, a refresh token is not + returned, which requires repeating the authorization process once + the access token expires. + +10. Security Considerations + + As a flexible and extensible framework, OAuth's security + considerations depend on many factors. The following sections + provide implementers with security guidelines focused on the three + client profiles described in Section 2.1: web application, + user-agent-based application, and native application. + + A comprehensive OAuth security model and analysis, as well as + background for the protocol design, is provided by + [OAuth-THREATMODEL]. + +10.1. Client Authentication + + The authorization server establishes client credentials with web + application clients for the purpose of client authentication. The + authorization server is encouraged to consider stronger client + authentication means than a client password. Web application clients + MUST ensure confidentiality of client passwords and other client + credentials. + + + + + + +Hardt Standards Track [Page 53] + +RFC 6749 OAuth 2.0 October 2012 + + + The authorization server MUST NOT issue client passwords or other + client credentials to native application or user-agent-based + application clients for the purpose of client authentication. The + authorization server MAY issue a client password or other credentials + for a specific installation of a native application client on a + specific device. + + When client authentication is not possible, the authorization server + SHOULD employ other means to validate the client's identity -- for + example, by requiring the registration of the client redirection URI + or enlisting the resource owner to confirm identity. A valid + redirection URI is not sufficient to verify the client's identity + when asking for resource owner authorization but can be used to + prevent delivering credentials to a counterfeit client after + obtaining resource owner authorization. + + The authorization server must consider the security implications of + interacting with unauthenticated clients and take measures to limit + the potential exposure of other credentials (e.g., refresh tokens) + issued to such clients. + +10.2. Client Impersonation + + A malicious client can impersonate another client and obtain access + to protected resources if the impersonated client fails to, or is + unable to, keep its client credentials confidential. + + The authorization server MUST authenticate the client whenever + possible. If the authorization server cannot authenticate the client + due to the client's nature, the authorization server MUST require the + registration of any redirection URI used for receiving authorization + responses and SHOULD utilize other means to protect resource owners + from such potentially malicious clients. For example, the + authorization server can engage the resource owner to assist in + identifying the client and its origin. + + The authorization server SHOULD enforce explicit resource owner + authentication and provide the resource owner with information about + the client and the requested authorization scope and lifetime. It is + up to the resource owner to review the information in the context of + the current client and to authorize or deny the request. + + The authorization server SHOULD NOT process repeated authorization + requests automatically (without active resource owner interaction) + without authenticating the client or relying on other measures to + ensure that the repeated request comes from the original client and + not an impersonator. + + + + +Hardt Standards Track [Page 54] + +RFC 6749 OAuth 2.0 October 2012 + + +10.3. Access Tokens + + Access token credentials (as well as any confidential access token + attributes) MUST be kept confidential in transit and storage, and + only shared among the authorization server, the resource servers the + access token is valid for, and the client to whom the access token is + issued. Access token credentials MUST only be transmitted using TLS + as described in Section 1.6 with server authentication as defined by + [RFC2818]. + + When using the implicit grant type, the access token is transmitted + in the URI fragment, which can expose it to unauthorized parties. + + The authorization server MUST ensure that access tokens cannot be + generated, modified, or guessed to produce valid access tokens by + unauthorized parties. + + The client SHOULD request access tokens with the minimal scope + necessary. The authorization server SHOULD take the client identity + into account when choosing how to honor the requested scope and MAY + issue an access token with less rights than requested. + + This specification does not provide any methods for the resource + server to ensure that an access token presented to it by a given + client was issued to that client by the authorization server. + +10.4. Refresh Tokens + + Authorization servers MAY issue refresh tokens to web application + clients and native application clients. + + Refresh tokens MUST be kept confidential in transit and storage, and + shared only among the authorization server and the client to whom the + refresh tokens were issued. The authorization server MUST maintain + the binding between a refresh token and the client to whom it was + issued. Refresh tokens MUST only be transmitted using TLS as + described in Section 1.6 with server authentication as defined by + [RFC2818]. + + The authorization server MUST verify the binding between the refresh + token and client identity whenever the client identity can be + authenticated. When client authentication is not possible, the + authorization server SHOULD deploy other means to detect refresh + token abuse. + + For example, the authorization server could employ refresh token + rotation in which a new refresh token is issued with every access + token refresh response. The previous refresh token is invalidated + + + +Hardt Standards Track [Page 55] + +RFC 6749 OAuth 2.0 October 2012 + + + but retained by the authorization server. If a refresh token is + compromised and subsequently used by both the attacker and the + legitimate client, one of them will present an invalidated refresh + token, which will inform the authorization server of the breach. + + The authorization server MUST ensure that refresh tokens cannot be + generated, modified, or guessed to produce valid refresh tokens by + unauthorized parties. + +10.5. Authorization Codes + + The transmission of authorization codes SHOULD be made over a secure + channel, and the client SHOULD require the use of TLS with its + redirection URI if the URI identifies a network resource. Since + authorization codes are transmitted via user-agent redirections, they + could potentially be disclosed through user-agent history and HTTP + referrer headers. + + Authorization codes operate as plaintext bearer credentials, used to + verify that the resource owner who granted authorization at the + authorization server is the same resource owner returning to the + client to complete the process. Therefore, if the client relies on + the authorization code for its own resource owner authentication, the + client redirection endpoint MUST require the use of TLS. + + Authorization codes MUST be short lived and single-use. If the + authorization server observes multiple attempts to exchange an + authorization code for an access token, the authorization server + SHOULD attempt to revoke all access tokens already granted based on + the compromised authorization code. + + If the client can be authenticated, the authorization servers MUST + authenticate the client and ensure that the authorization code was + issued to the same client. + +10.6. Authorization Code Redirection URI Manipulation + + When requesting authorization using the authorization code grant + type, the client can specify a redirection URI via the "redirect_uri" + parameter. If an attacker can manipulate the value of the + redirection URI, it can cause the authorization server to redirect + the resource owner user-agent to a URI under the control of the + attacker with the authorization code. + + An attacker can create an account at a legitimate client and initiate + the authorization flow. When the attacker's user-agent is sent to + the authorization server to grant access, the attacker grabs the + authorization URI provided by the legitimate client and replaces the + + + +Hardt Standards Track [Page 56] + +RFC 6749 OAuth 2.0 October 2012 + + + client's redirection URI with a URI under the control of the + attacker. The attacker then tricks the victim into following the + manipulated link to authorize access to the legitimate client. + + Once at the authorization server, the victim is prompted with a + normal, valid request on behalf of a legitimate and trusted client, + and authorizes the request. The victim is then redirected to an + endpoint under the control of the attacker with the authorization + code. The attacker completes the authorization flow by sending the + authorization code to the client using the original redirection URI + provided by the client. The client exchanges the authorization code + with an access token and links it to the attacker's client account, + which can now gain access to the protected resources authorized by + the victim (via the client). + + In order to prevent such an attack, the authorization server MUST + ensure that the redirection URI used to obtain the authorization code + is identical to the redirection URI provided when exchanging the + authorization code for an access token. The authorization server + MUST require public clients and SHOULD require confidential clients + to register their redirection URIs. If a redirection URI is provided + in the request, the authorization server MUST validate it against the + registered value. + +10.7. Resource Owner Password Credentials + + The resource owner password credentials grant type is often used for + legacy or migration reasons. It reduces the overall risk of storing + usernames and passwords by the client but does not eliminate the need + to expose highly privileged credentials to the client. + + This grant type carries a higher risk than other grant types because + it maintains the password anti-pattern this protocol seeks to avoid. + The client could abuse the password, or the password could + unintentionally be disclosed to an attacker (e.g., via log files or + other records kept by the client). + + Additionally, because the resource owner does not have control over + the authorization process (the resource owner's involvement ends when + it hands over its credentials to the client), the client can obtain + access tokens with a broader scope than desired by the resource + owner. The authorization server should consider the scope and + lifetime of access tokens issued via this grant type. + + The authorization server and client SHOULD minimize use of this grant + type and utilize other grant types whenever possible. + + + + + +Hardt Standards Track [Page 57] + +RFC 6749 OAuth 2.0 October 2012 + + +10.8. Request Confidentiality + + Access tokens, refresh tokens, resource owner passwords, and client + credentials MUST NOT be transmitted in the clear. Authorization + codes SHOULD NOT be transmitted in the clear. + + The "state" and "scope" parameters SHOULD NOT include sensitive + client or resource owner information in plain text, as they can be + transmitted over insecure channels or stored insecurely. + +10.9. Ensuring Endpoint Authenticity + + In order to prevent man-in-the-middle attacks, the authorization + server MUST require the use of TLS with server authentication as + defined by [RFC2818] for any request sent to the authorization and + token endpoints. The client MUST validate the authorization server's + TLS certificate as defined by [RFC6125] and in accordance with its + requirements for server identity authentication. + +10.10. Credentials-Guessing Attacks + + The authorization server MUST prevent attackers from guessing access + tokens, authorization codes, refresh tokens, resource owner + passwords, and client credentials. + + The probability of an attacker guessing generated tokens (and other + credentials not intended for handling by end-users) MUST be less than + or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160). + + The authorization server MUST utilize other means to protect + credentials intended for end-user usage. + +10.11. Phishing Attacks + + Wide deployment of this and similar protocols may cause end-users to + become inured to the practice of being redirected to websites where + they are asked to enter their passwords. If end-users are not + careful to verify the authenticity of these websites before entering + their credentials, it will be possible for attackers to exploit this + practice to steal resource owners' passwords. + + Service providers should attempt to educate end-users about the risks + phishing attacks pose and should provide mechanisms that make it easy + for end-users to confirm the authenticity of their sites. Client + developers should consider the security implications of how they + interact with the user-agent (e.g., external, embedded), and the + ability of the end-user to verify the authenticity of the + authorization server. + + + +Hardt Standards Track [Page 58] + +RFC 6749 OAuth 2.0 October 2012 + + + To reduce the risk of phishing attacks, the authorization servers + MUST require the use of TLS on every endpoint used for end-user + interaction. + +10.12. Cross-Site Request Forgery + + Cross-site request forgery (CSRF) is an exploit in which an attacker + causes the user-agent of a victim end-user to follow a malicious URI + (e.g., provided to the user-agent as a misleading link, image, or + redirection) to a trusting server (usually established via the + presence of a valid session cookie). + + A CSRF attack against the client's redirection URI allows an attacker + to inject its own authorization code or access token, which can + result in the client using an access token associated with the + attacker's protected resources rather than the victim's (e.g., save + the victim's bank account information to a protected resource + controlled by the attacker). + + The client MUST implement CSRF protection for its redirection URI. + This is typically accomplished by requiring any request sent to the + redirection URI endpoint to include a value that binds the request to + the user-agent's authenticated state (e.g., a hash of the session + cookie used to authenticate the user-agent). The client SHOULD + utilize the "state" request parameter to deliver this value to the + authorization server when making an authorization request. + + Once authorization has been obtained from the end-user, the + authorization server redirects the end-user's user-agent back to the + client with the required binding value contained in the "state" + parameter. The binding value enables the client to verify the + validity of the request by matching the binding value to the + user-agent's authenticated state. The binding value used for CSRF + protection MUST contain a non-guessable value (as described in + Section 10.10), and the user-agent's authenticated state (e.g., + session cookie, HTML5 local storage) MUST be kept in a location + accessible only to the client and the user-agent (i.e., protected by + same-origin policy). + + A CSRF attack against the authorization server's authorization + endpoint can result in an attacker obtaining end-user authorization + for a malicious client without involving or alerting the end-user. + + The authorization server MUST implement CSRF protection for its + authorization endpoint and ensure that a malicious client cannot + obtain authorization without the awareness and explicit consent of + the resource owner. + + + + +Hardt Standards Track [Page 59] + +RFC 6749 OAuth 2.0 October 2012 + + +10.13. Clickjacking + + In a clickjacking attack, an attacker registers a legitimate client + and then constructs a malicious site in which it loads the + authorization server's authorization endpoint web page in a + transparent iframe overlaid on top of a set of dummy buttons, which + are carefully constructed to be placed directly under important + buttons on the authorization page. When an end-user clicks a + misleading visible button, the end-user is actually clicking an + invisible button on the authorization page (such as an "Authorize" + button). This allows an attacker to trick a resource owner into + granting its client access without the end-user's knowledge. + + To prevent this form of attack, native applications SHOULD use + external browsers instead of embedding browsers within the + application when requesting end-user authorization. For most newer + browsers, avoidance of iframes can be enforced by the authorization + server using the (non-standard) "x-frame-options" header. This + header can have two values, "deny" and "sameorigin", which will block + any framing, or framing by sites with a different origin, + respectively. For older browsers, JavaScript frame-busting + techniques can be used but may not be effective in all browsers. + +10.14. Code Injection and Input Validation + + A code injection attack occurs when an input or otherwise external + variable is used by an application unsanitized and causes + modification to the application logic. This may allow an attacker to + gain access to the application device or its data, cause denial of + service, or introduce a wide range of malicious side-effects. + + The authorization server and client MUST sanitize (and validate when + possible) any value received -- in particular, the value of the + "state" and "redirect_uri" parameters. + +10.15. Open Redirectors + + The authorization server, authorization endpoint, and client + redirection endpoint can be improperly configured and operate as open + redirectors. An open redirector is an endpoint using a parameter to + automatically redirect a user-agent to the location specified by the + parameter value without any validation. + + Open redirectors can be used in phishing attacks, or by an attacker + to get end-users to visit malicious sites by using the URI authority + component of a familiar and trusted destination. In addition, if the + authorization server allows the client to register only part of the + redirection URI, an attacker can use an open redirector operated by + + + +Hardt Standards Track [Page 60] + +RFC 6749 OAuth 2.0 October 2012 + + + the client to construct a redirection URI that will pass the + authorization server validation but will send the authorization code + or access token to an endpoint under the control of the attacker. + +10.16. Misuse of Access Token to Impersonate Resource Owner in Implicit + Flow + + For public clients using implicit flows, this specification does not + provide any method for the client to determine what client an access + token was issued to. + + A resource owner may willingly delegate access to a resource by + granting an access token to an attacker's malicious client. This may + be due to phishing or some other pretext. An attacker may also steal + a token via some other mechanism. An attacker may then attempt to + impersonate the resource owner by providing the access token to a + legitimate public client. + + In the implicit flow (response_type=token), the attacker can easily + switch the token in the response from the authorization server, + replacing the real access token with the one previously issued to the + attacker. + + Servers communicating with native applications that rely on being + passed an access token in the back channel to identify the user of + the client may be similarly compromised by an attacker creating a + compromised application that can inject arbitrary stolen access + tokens. + + Any public client that makes the assumption that only the resource + owner can present it with a valid access token for the resource is + vulnerable to this type of attack. + + This type of attack may expose information about the resource owner + at the legitimate client to the attacker (malicious client). This + will also allow the attacker to perform operations at the legitimate + client with the same permissions as the resource owner who originally + granted the access token or authorization code. + + Authenticating resource owners to clients is out of scope for this + specification. Any specification that uses the authorization process + as a form of delegated end-user authentication to the client (e.g., + third-party sign-in service) MUST NOT use the implicit flow without + additional security mechanisms that would enable the client to + determine if the access token was issued for its use (e.g., audience- + restricting the access token). + + + + + +Hardt Standards Track [Page 61] + +RFC 6749 OAuth 2.0 October 2012 + + +11. IANA Considerations + +11.1. OAuth Access Token Types Registry + + This specification establishes the OAuth Access Token Types registry. + + Access token types are registered with a Specification Required + ([RFC5226]) after a two-week review period on the + oauth-ext-review@ietf.org mailing list, on the advice of one or more + Designated Experts. However, to allow for the allocation of values + prior to publication, the Designated Expert(s) may approve + registration once they are satisfied that such a specification will + be published. + + Registration requests must be sent to the oauth-ext-review@ietf.org + mailing list for review and comment, with an appropriate subject + (e.g., "Request for access token type: example"). + + Within the review period, the Designated Expert(s) will either + approve or deny the registration request, communicating this decision + to the review list and IANA. Denials should include an explanation + and, if applicable, suggestions as to how to make the request + successful. + + IANA must only accept registry updates from the Designated Expert(s) + and should direct all requests for registration to the review mailing + list. + +11.1.1. Registration Template + + Type name: + The name requested (e.g., "example"). + + Additional Token Endpoint Response Parameters: + Additional response parameters returned together with the + "access_token" parameter. New parameters MUST be separately + registered in the OAuth Parameters registry as described by + Section 11.2. + + HTTP Authentication Scheme(s): + The HTTP authentication scheme name(s), if any, used to + authenticate protected resource requests using access tokens of + this type. + + Change controller: + For Standards Track RFCs, state "IETF". For others, give the name + of the responsible party. Other details (e.g., postal address, + email address, home page URI) may also be included. + + + +Hardt Standards Track [Page 62] + +RFC 6749 OAuth 2.0 October 2012 + + + Specification document(s): + Reference to the document(s) that specify the parameter, + preferably including a URI that can be used to retrieve a copy of + the document(s). An indication of the relevant sections may also + be included but is not required. + +11.2. OAuth Parameters Registry + + This specification establishes the OAuth Parameters registry. + + Additional parameters for inclusion in the authorization endpoint + request, the authorization endpoint response, the token endpoint + request, or the token endpoint response are registered with a + Specification Required ([RFC5226]) after a two-week review period on + the oauth-ext-review@ietf.org mailing list, on the advice of one or + more Designated Experts. However, to allow for the allocation of + values prior to publication, the Designated Expert(s) may approve + registration once they are satisfied that such a specification will + be published. + + Registration requests must be sent to the oauth-ext-review@ietf.org + mailing list for review and comment, with an appropriate subject + (e.g., "Request for parameter: example"). + + Within the review period, the Designated Expert(s) will either + approve or deny the registration request, communicating this decision + to the review list and IANA. Denials should include an explanation + and, if applicable, suggestions as to how to make the request + successful. + + IANA must only accept registry updates from the Designated Expert(s) + and should direct all requests for registration to the review mailing + list. + +11.2.1. Registration Template + + Parameter name: + The name requested (e.g., "example"). + + Parameter usage location: + The location(s) where parameter can be used. The possible + locations are authorization request, authorization response, token + request, or token response. + + Change controller: + For Standards Track RFCs, state "IETF". For others, give the name + of the responsible party. Other details (e.g., postal address, + email address, home page URI) may also be included. + + + +Hardt Standards Track [Page 63] + +RFC 6749 OAuth 2.0 October 2012 + + + Specification document(s): + Reference to the document(s) that specify the parameter, + preferably including a URI that can be used to retrieve a copy of + the document(s). An indication of the relevant sections may also + be included but is not required. + +11.2.2. Initial Registry Contents + + The OAuth Parameters registry's initial contents are: + + o Parameter name: client_id + o Parameter usage location: authorization request, token request + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: client_secret + o Parameter usage location: token request + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: response_type + o Parameter usage location: authorization request + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: redirect_uri + o Parameter usage location: authorization request, token request + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: scope + o Parameter usage location: authorization request, authorization + response, token request, token response + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: state + o Parameter usage location: authorization request, authorization + response + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: code + o Parameter usage location: authorization response, token request + o Change controller: IETF + o Specification document(s): RFC 6749 + + + + + +Hardt Standards Track [Page 64] + +RFC 6749 OAuth 2.0 October 2012 + + + o Parameter name: error_description + o Parameter usage location: authorization response, token response + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: error_uri + o Parameter usage location: authorization response, token response + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: grant_type + o Parameter usage location: token request + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: access_token + o Parameter usage location: authorization response, token response + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: token_type + o Parameter usage location: authorization response, token response + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: expires_in + o Parameter usage location: authorization response, token response + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: username + o Parameter usage location: token request + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: password + o Parameter usage location: token request + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Parameter name: refresh_token + o Parameter usage location: token request, token response + o Change controller: IETF + o Specification document(s): RFC 6749 + + + + + + + +Hardt Standards Track [Page 65] + +RFC 6749 OAuth 2.0 October 2012 + + +11.3. OAuth Authorization Endpoint Response Types Registry + + This specification establishes the OAuth Authorization Endpoint + Response Types registry. + + Additional response types for use with the authorization endpoint are + registered with a Specification Required ([RFC5226]) after a two-week + review period on the oauth-ext-review@ietf.org mailing list, on the + advice of one or more Designated Experts. However, to allow for the + allocation of values prior to publication, the Designated Expert(s) + may approve registration once they are satisfied that such a + specification will be published. + + Registration requests must be sent to the oauth-ext-review@ietf.org + mailing list for review and comment, with an appropriate subject + (e.g., "Request for response type: example"). + + Within the review period, the Designated Expert(s) will either + approve or deny the registration request, communicating this decision + to the review list and IANA. Denials should include an explanation + and, if applicable, suggestions as to how to make the request + successful. + + IANA must only accept registry updates from the Designated Expert(s) + and should direct all requests for registration to the review mailing + list. + +11.3.1. Registration Template + + Response type name: + The name requested (e.g., "example"). + + Change controller: + For Standards Track RFCs, state "IETF". For others, give the name + of the responsible party. Other details (e.g., postal address, + email address, home page URI) may also be included. + + Specification document(s): + Reference to the document(s) that specify the type, preferably + including a URI that can be used to retrieve a copy of the + document(s). An indication of the relevant sections may also be + included but is not required. + + + + + + + + + +Hardt Standards Track [Page 66] + +RFC 6749 OAuth 2.0 October 2012 + + +11.3.2. Initial Registry Contents + + The OAuth Authorization Endpoint Response Types registry's initial + contents are: + + o Response type name: code + o Change controller: IETF + o Specification document(s): RFC 6749 + + o Response type name: token + o Change controller: IETF + o Specification document(s): RFC 6749 + +11.4. OAuth Extensions Error Registry + + This specification establishes the OAuth Extensions Error registry. + + Additional error codes used together with other protocol extensions + (i.e., extension grant types, access token types, or extension + parameters) are registered with a Specification Required ([RFC5226]) + after a two-week review period on the oauth-ext-review@ietf.org + mailing list, on the advice of one or more Designated Experts. + However, to allow for the allocation of values prior to publication, + the Designated Expert(s) may approve registration once they are + satisfied that such a specification will be published. + + Registration requests must be sent to the oauth-ext-review@ietf.org + mailing list for review and comment, with an appropriate subject + (e.g., "Request for error code: example"). + + Within the review period, the Designated Expert(s) will either + approve or deny the registration request, communicating this decision + to the review list and IANA. Denials should include an explanation + and, if applicable, suggestions as to how to make the request + successful. + + IANA must only accept registry updates from the Designated Expert(s) + and should direct all requests for registration to the review mailing + list. + + + + + + + + + + + + +Hardt Standards Track [Page 67] + +RFC 6749 OAuth 2.0 October 2012 + + +11.4.1. Registration Template + + Error name: + The name requested (e.g., "example"). Values for the error name + MUST NOT include characters outside the set %x20-21 / %x23-5B / + %x5D-7E. + + Error usage location: + The location(s) where the error can be used. The possible + locations are authorization code grant error response + (Section 4.1.2.1), implicit grant error response + (Section 4.2.2.1), token error response (Section 5.2), or resource + access error response (Section 7.2). + + Related protocol extension: + The name of the extension grant type, access token type, or + extension parameter that the error code is used in conjunction + with. + + Change controller: + For Standards Track RFCs, state "IETF". For others, give the name + of the responsible party. Other details (e.g., postal address, + email address, home page URI) may also be included. + + Specification document(s): + Reference to the document(s) that specify the error code, + preferably including a URI that can be used to retrieve a copy of + the document(s). An indication of the relevant sections may also + be included but is not required. + +12. References + +12.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", + RFC 2246, January 1999. + + [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., + Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext + Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. + + [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., + Leach, P., Luotonen, A., and L. Stewart, "HTTP + Authentication: Basic and Digest Access Authentication", + RFC 2617, June 1999. + + + +Hardt Standards Track [Page 68] + +RFC 6749 OAuth 2.0 October 2012 + + + [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. + + [RFC3629] Yergeau, F., "UTF-8, a transformation format of + ISO 10646", STD 63, RFC 3629, November 2003. + + [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform + Resource Identifier (URI): Generic Syntax", STD 66, + RFC 3986, January 2005. + + [RFC4627] Crockford, D., "The application/json Media Type for + JavaScript Object Notation (JSON)", RFC 4627, July 2006. + + [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", + RFC 4949, August 2007. + + [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an + IANA Considerations Section in RFCs", BCP 26, RFC 5226, + May 2008. + + [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax + Specifications: ABNF", STD 68, RFC 5234, January 2008. + + [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security + (TLS) Protocol Version 1.2", RFC 5246, August 2008. + + [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and + Verification of Domain-Based Application Service Identity + within Internet Public Key Infrastructure Using X.509 + (PKIX) Certificates in the Context of Transport Layer + Security (TLS)", RFC 6125, March 2011. + + [USASCII] American National Standards Institute, "Coded Character + Set -- 7-bit American Standard Code for Information + Interchange", ANSI X3.4, 1986. + + [W3C.REC-html401-19991224] + Raggett, D., Le Hors, A., and I. Jacobs, "HTML 4.01 + Specification", World Wide Web Consortium + Recommendation REC-html401-19991224, December 1999, + <http://www.w3.org/TR/1999/REC-html401-19991224>. + + [W3C.REC-xml-20081126] + Bray, T., Paoli, J., Sperberg-McQueen, C., Maler, E., + and F. Yergeau, "Extensible Markup Language (XML) 1.0 + (Fifth Edition)", World Wide Web Consortium + Recommendation REC-xml-20081126, November 2008, + <http://www.w3.org/TR/2008/REC-xml-20081126>. + + + + +Hardt Standards Track [Page 69] + +RFC 6749 OAuth 2.0 October 2012 + + +12.2. Informative References + + [OAuth-HTTP-MAC] + Hammer-Lahav, E., Ed., "HTTP Authentication: MAC Access + Authentication", Work in Progress, February 2012. + + [OAuth-SAML2] + Campbell, B. and C. Mortimore, "SAML 2.0 Bearer Assertion + Profiles for OAuth 2.0", Work in Progress, September 2012. + + [OAuth-THREATMODEL] + Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0 + Threat Model and Security Considerations", Work + in Progress, October 2012. + + [OAuth-WRAP] + Hardt, D., Ed., Tom, A., Eaton, B., and Y. Goland, "OAuth + Web Resource Authorization Profiles", Work in Progress, + January 2010. + + [RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, + April 2010. + + [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization + Framework: Bearer Token Usage", RFC 6750, October 2012. + + + + + + + + + + + + + + + + + + + + + + + + + + +Hardt Standards Track [Page 70] + +RFC 6749 OAuth 2.0 October 2012 + + +Appendix A. Augmented Backus-Naur Form (ABNF) Syntax + + This section provides Augmented Backus-Naur Form (ABNF) syntax + descriptions for the elements defined in this specification using the + notation of [RFC5234]. The ABNF below is defined in terms of Unicode + code points [W3C.REC-xml-20081126]; these characters are typically + encoded in UTF-8. Elements are presented in the order first defined. + + Some of the definitions that follow use the "URI-reference" + definition from [RFC3986]. + + Some of the definitions that follow use these common definitions: + + VSCHAR = %x20-7E + NQCHAR = %x21 / %x23-5B / %x5D-7E + NQSCHAR = %x20-21 / %x23-5B / %x5D-7E + UNICODECHARNOCRLF = %x09 /%x20-7E / %x80-D7FF / + %xE000-FFFD / %x10000-10FFFF + + (The UNICODECHARNOCRLF definition is based upon the Char definition + in Section 2.2 of [W3C.REC-xml-20081126], but omitting the Carriage + Return and Linefeed characters.) + +A.1. "client_id" Syntax + + The "client_id" element is defined in Section 2.3.1: + + client-id = *VSCHAR + +A.2. "client_secret" Syntax + + The "client_secret" element is defined in Section 2.3.1: + + client-secret = *VSCHAR + +A.3. "response_type" Syntax + + The "response_type" element is defined in Sections 3.1.1 and 8.4: + + response-type = response-name *( SP response-name ) + response-name = 1*response-char + response-char = "_" / DIGIT / ALPHA + + + + + + + + + +Hardt Standards Track [Page 71] + +RFC 6749 OAuth 2.0 October 2012 + + +A.4. "scope" Syntax + + The "scope" element is defined in Section 3.3: + + scope = scope-token *( SP scope-token ) + scope-token = 1*NQCHAR + +A.5. "state" Syntax + + The "state" element is defined in Sections 4.1.1, 4.1.2, 4.1.2.1, + 4.2.1, 4.2.2, and 4.2.2.1: + + state = 1*VSCHAR + +A.6. "redirect_uri" Syntax + + The "redirect_uri" element is defined in Sections 4.1.1, 4.1.3, + and 4.2.1: + + redirect-uri = URI-reference + +A.7. "error" Syntax + + The "error" element is defined in Sections 4.1.2.1, 4.2.2.1, 5.2, + 7.2, and 8.5: + + error = 1*NQSCHAR + +A.8. "error_description" Syntax + + The "error_description" element is defined in Sections 4.1.2.1, + 4.2.2.1, 5.2, and 7.2: + + error-description = 1*NQSCHAR + +A.9. "error_uri" Syntax + + The "error_uri" element is defined in Sections 4.1.2.1, 4.2.2.1, 5.2, + and 7.2: + + error-uri = URI-reference + + + + + + + + + + +Hardt Standards Track [Page 72] + +RFC 6749 OAuth 2.0 October 2012 + + +A.10. "grant_type" Syntax + + The "grant_type" element is defined in Sections 4.1.3, 4.3.2, 4.4.2, + 4.5, and 6: + + grant-type = grant-name / URI-reference + grant-name = 1*name-char + name-char = "-" / "." / "_" / DIGIT / ALPHA + +A.11. "code" Syntax + + The "code" element is defined in Section 4.1.3: + + code = 1*VSCHAR + +A.12. "access_token" Syntax + + The "access_token" element is defined in Sections 4.2.2 and 5.1: + + access-token = 1*VSCHAR + +A.13. "token_type" Syntax + + The "token_type" element is defined in Sections 4.2.2, 5.1, and 8.1: + + token-type = type-name / URI-reference + type-name = 1*name-char + name-char = "-" / "." / "_" / DIGIT / ALPHA + +A.14. "expires_in" Syntax + + The "expires_in" element is defined in Sections 4.2.2 and 5.1: + + expires-in = 1*DIGIT + +A.15. "username" Syntax + + The "username" element is defined in Section 4.3.2: + + username = *UNICODECHARNOCRLF + +A.16. "password" Syntax + + The "password" element is defined in Section 4.3.2: + + password = *UNICODECHARNOCRLF + + + + + +Hardt Standards Track [Page 73] + +RFC 6749 OAuth 2.0 October 2012 + + +A.17. "refresh_token" Syntax + + The "refresh_token" element is defined in Sections 5.1 and 6: + + refresh-token = 1*VSCHAR + +A.18. Endpoint Parameter Syntax + + The syntax for new endpoint parameters is defined in Section 8.2: + + param-name = 1*name-char + name-char = "-" / "." / "_" / DIGIT / ALPHA + +Appendix B. Use of application/x-www-form-urlencoded Media Type + + At the time of publication of this specification, the + "application/x-www-form-urlencoded" media type was defined in + Section 17.13.4 of [W3C.REC-html401-19991224] but not registered in + the IANA MIME Media Types registry + (<http://www.iana.org/assignments/media-types>). Furthermore, that + definition is incomplete, as it does not consider non-US-ASCII + characters. + + To address this shortcoming when generating payloads using this media + type, names and values MUST be encoded using the UTF-8 character + encoding scheme [RFC3629] first; the resulting octet sequence then + needs to be further encoded using the escaping rules defined in + [W3C.REC-html401-19991224]. + + When parsing data from a payload using this media type, the names and + values resulting from reversing the name/value encoding consequently + need to be treated as octet sequences, to be decoded using the UTF-8 + character encoding scheme. + + For example, the value consisting of the six Unicode code points + (1) U+0020 (SPACE), (2) U+0025 (PERCENT SIGN), + (3) U+0026 (AMPERSAND), (4) U+002B (PLUS SIGN), + (5) U+00A3 (POUND SIGN), and (6) U+20AC (EURO SIGN) would be encoded + into the octet sequence below (using hexadecimal notation): + + 20 25 26 2B C2 A3 E2 82 AC + + and then represented in the payload as: + + +%25%26%2B%C2%A3%E2%82%AC + + + + + + +Hardt Standards Track [Page 74] + +RFC 6749 OAuth 2.0 October 2012 + + +Appendix C. Acknowledgements + + The initial OAuth 2.0 protocol specification was edited by David + Recordon, based on two previous publications: the OAuth 1.0 community + specification [RFC5849], and OAuth WRAP (OAuth Web Resource + Authorization Profiles) [OAuth-WRAP]. Eran Hammer then edited many + of the intermediate drafts that evolved into this RFC. The Security + Considerations section was drafted by Torsten Lodderstedt, Mark + McGloin, Phil Hunt, Anthony Nadalin, and John Bradley. The section + on use of the "application/x-www-form-urlencoded" media type was + drafted by Julian Reschke. The ABNF section was drafted by Michael + B. Jones. + + The OAuth 1.0 community specification was edited by Eran Hammer and + authored by Mark Atwood, Dirk Balfanz, Darren Bounds, Richard M. + Conlan, Blaine Cook, Leah Culver, Breno de Medeiros, Brian Eaton, + Kellan Elliott-McCrea, Larry Halff, Eran Hammer, Ben Laurie, Chris + Messina, John Panzer, Sam Quigley, David Recordon, Eran Sandler, + Jonathan Sergent, Todd Sieling, Brian Slesinsky, and Andy Smith. + + The OAuth WRAP specification was edited by Dick Hardt and authored by + Brian Eaton, Yaron Y. Goland, Dick Hardt, and Allen Tom. + + This specification is the work of the OAuth Working Group, which + includes dozens of active and dedicated participants. In particular, + the following individuals contributed ideas, feedback, and wording + that shaped and formed the final specification: + + Michael Adams, Amanda Anganes, Andrew Arnott, Dirk Balfanz, Aiden + Bell, John Bradley, Marcos Caceres, Brian Campbell, Scott Cantor, + Blaine Cook, Roger Crew, Leah Culver, Bill de hOra, Andre DeMarre, + Brian Eaton, Wesley Eddy, Wolter Eldering, Brian Ellin, Igor + Faynberg, George Fletcher, Tim Freeman, Luca Frosini, Evan Gilbert, + Yaron Y. Goland, Brent Goldman, Kristoffer Gronowski, Eran Hammer, + Dick Hardt, Justin Hart, Craig Heath, Phil Hunt, Michael B. Jones, + Terry Jones, John Kemp, Mark Kent, Raffi Krikorian, Chasen Le Hara, + Rasmus Lerdorf, Torsten Lodderstedt, Hui-Lan Lu, Casey Lucas, Paul + Madsen, Alastair Mair, Eve Maler, James Manger, Mark McGloin, + Laurence Miao, William Mills, Chuck Mortimore, Anthony Nadalin, + Julian Reschke, Justin Richer, Peter Saint-Andre, Nat Sakimura, Rob + Sayre, Marius Scurtescu, Naitik Shah, Luke Shepard, Vlad Skvortsov, + Justin Smith, Haibin Song, Niv Steingarten, Christian Stuebner, + Jeremy Suriel, Paul Tarjan, Christopher Thomas, Henry S. Thompson, + Allen Tom, Franklin Tse, Nick Walker, Shane Weeden, and Skylar + Woodward. + + + + + + +Hardt Standards Track [Page 75] + +RFC 6749 OAuth 2.0 October 2012 + + + This document was produced under the chairmanship of Blaine Cook, + Peter Saint-Andre, Hannes Tschofenig, Barry Leiba, and Derek Atkins. + The area directors included Lisa Dusseault, Peter Saint-Andre, and + Stephen Farrell. + +Author's Address + + Dick Hardt (editor) + Microsoft + + EMail: dick.hardt@gmail.com + URI: http://dickhardt.org/ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Hardt Standards Track [Page 76] + |