draft-ietf-kitten-sasl-oauth-06.txt   draft-ietf-kitten-sasl-oauth-07.txt 
KITTEN W. Mills KITTEN W. Mills
Internet-Draft Yahoo! Inc. Internet-Draft Yahoo! Inc.
Intended status: Standards Track T. Showalter Intended status: Standards Track T. Showalter
Expires: March 5, 2013 Expires: March 17, 2013
H. Tschofenig H. Tschofenig
Nokia Siemens Networks Nokia Siemens Networks
September 1, 2012 September 13, 2012
A set of SASL and GSS-API Mechanisms for OAuth A set of SASL and GSS-API Mechanisms for OAuth
draft-ietf-kitten-sasl-oauth-06 draft-ietf-kitten-sasl-oauth-07
Abstract Abstract
OAuth enables a third-party application to obtain limited access to a OAuth enables a third-party application to obtain limited access to a
protected resource, either on behalf of a resource owner by protected resource, either on behalf of a resource owner by
orchestrating an approval interaction, or by allowing the third-party orchestrating an approval interaction, or by allowing the third-party
application to obtain access on its own behalf. application to obtain access on its own behalf.
This document defines how an application client uses credentials This document defines how an application client uses credentials
obtained via OAuth over the Simple Authentication and Security Layer obtained via OAuth over the Simple Authentication and Security Layer
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 5, 2013. This Internet-Draft will expire on March 17, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 20 skipping to change at page 3, line 20
3.1. Initial Client Response . . . . . . . . . . . . . . . . . 9 3.1. Initial Client Response . . . . . . . . . . . . . . . . . 9
3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 10 3.1.1. Reserved Key/Values . . . . . . . . . . . . . . . . . 10
3.1.2. Use of the gs2-header . . . . . . . . . . . . . . . . 10 3.1.2. Use of the gs2-header . . . . . . . . . . . . . . . . 10
3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 10 3.2. Server's Response . . . . . . . . . . . . . . . . . . . . 10
3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 11 3.2.1. Mapping to SASL Identities . . . . . . . . . . . . . . 11
3.2.2. Canonicalization . . . . . . . . . . . . . . . . . . . 11 3.2.2. Canonicalization . . . . . . . . . . . . . . . . . . . 11
3.2.3. Server response to failed authentication. . . . . . . 11 3.2.3. Server response to failed authentication. . . . . . . 11
3.2.4. Completing an error message sequence. . . . . . . . . 12 3.2.4. Completing an error message sequence. . . . . . . . . 12
3.3. Use of Signature Type Authorization . . . . . . . . . . . 12 3.3. Use of Signature Type Authorization . . . . . . . . . . . 12
3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 13 3.4. Channel Binding . . . . . . . . . . . . . . . . . . . . . 13
4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 14 4. GSS-API OAuth Mechanism Specification . . . . . . . . . . . . 15
5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 16 5.1. Successful Bearer Token Exchange . . . . . . . . . . . . . 17
5.2. OAuth 1.0a Authorization with Channel Binding . . . . . . 17 5.2. OAuth 1.0a Authorization with Channel Binding . . . . . . 18
5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 18 5.3. Failed Exchange . . . . . . . . . . . . . . . . . . . . . 19
5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 19 5.4. Failed Channel Binding . . . . . . . . . . . . . . . . . . 20
5.5. SMTP Example of a failed negotiation. . . . . . . . . . . 19 5.5. SMTP Example of a failed negotiation. . . . . . . . . . . 20
6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 6. Security Considerations . . . . . . . . . . . . . . . . . . . 22
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 22 7.1. SASL Registration . . . . . . . . . . . . . . . . . . . . 23
7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 23 7.2. GSS-API Registration . . . . . . . . . . . . . . . . . . . 24
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25
8.1. Normative References . . . . . . . . . . . . . . . . . . . 24 8.1. Normative References . . . . . . . . . . . . . . . . . . . 25
8.2. Informative References . . . . . . . . . . . . . . . . . . 25 8.2. Informative References . . . . . . . . . . . . . . . . . . 26
Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . . 26 Appendix A. Acknowlegements . . . . . . . . . . . . . . . . . . . 27
Appendix B. Document History . . . . . . . . . . . . . . . . . . 27 Appendix B. Document History . . . . . . . . . . . . . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction 1. Introduction
OAuth [I-D.ietf-oauth-v2] enables a third-party application to obtain OAuth [I-D.ietf-oauth-v2] enables a third-party application to obtain
limited access to a protected resource, either on behalf of a limited access to a protected resource, either on behalf of a
resource owner by orchestrating an approval interaction, or by resource owner by orchestrating an approval interaction, or by
allowing the third-party application to obtain access on its own allowing the third-party application to obtain access on its own
behalf. The core OAuth specification [I-D.ietf-oauth-v2] does not behalf. The core OAuth specification [I-D.ietf-oauth-v2] does not
define the interaction between the client and the resource server define the interaction between the client and the resource server
with the access to a protected resource using an Access Token. This with the access to a protected resource using an Access Token. This
skipping to change at page 8, line 45 skipping to change at page 8, line 45
server in order to allow the server to finish the exchange. Some server in order to allow the server to finish the exchange. Some
protocols and common SASL implementations do not support both sending protocols and common SASL implementations do not support both sending
a SASL message and finalizing a SASL negotiation, the additional a SASL message and finalizing a SASL negotiation, the additional
client message in the error case deals with this problem. This client message in the error case deals with this problem. This
exchange is: exchange is:
o Client sends an invalid initial client response. o Client sends an invalid initial client response.
o Server responds with an error message. o Server responds with an error message.
o Client sends an empty client reponse. o Client sends a dummy client reponse.
o Server fails the authentication. o Server fails the authentication.
3.1. Initial Client Response 3.1. Initial Client Response
Client responses are a key/value pair sequence. The initial client Client responses are a key/value pair sequence. The initial client
response includes a gs2-header as defined in GS2 [RFC5801], which response includes a gs2-header as defined in GS2 [RFC5801], which
carries the authorization ID. These key/value pairs carry the carries the authorization ID. These key/value pairs carry the
equivalent values from an HTTP context in order to be able to equivalent values from an HTTP context in order to be able to
complete an OAuth style HTTP authorization. The client MUST send an complete an OAuth style HTTP authorization. The ABNF [RFC5234]
authorization ID in the gs2-header. The ABNF [RFC5234] syntax is: syntax is:
kvsep = %x01 kvsep = %x01
key = 1*ALPHA key = 1*ALPHA
value = *(VCHAR | SP | HTAB | CR | LF ) value = *(VCHAR | SP | HTAB | CR | LF )
kvpair = key "=" value kvsep kvpair = key "=" value kvsep
client_resp = 0*kvpair kvsep client_resp = 0*kvpair kvsep
;; gs2-header = As defined in GSS-API ;; gs2-header = As defined in GSS-API
initial_client_resp = gs2-header kvsep client_resp initial_client_resp = gs2-header kvsep client_resp
The following key/value pairs are defined in the client response: The following key/value pairs are defined in the client response:
skipping to change at page 10, line 29 skipping to change at page 10, line 29
post (RESERVED): HTTP post data, the default value is "". post (RESERVED): HTTP post data, the default value is "".
3.1.2. Use of the gs2-header 3.1.2. Use of the gs2-header
The OAuth scheme related mechanisms are also GSS-API mechanisms, see The OAuth scheme related mechanisms are also GSS-API mechanisms, see
Section 4 for further detail. The gs2-header is used as follows: Section 4 for further detail. The gs2-header is used as follows:
o The "gs2-nonstd-flag" MUST NOT be present. o The "gs2-nonstd-flag" MUST NOT be present.
o The "gs2-authzid" carries the authorization identity as specified o The "gs2-authzid" carries the authorization identity as specified
in [RFC5801]. This MUST agree with the identity asserted in the in [RFC5801]. If present the application MUST determine whether
OAuth credential. access is granted for the identity asserted in the OAuth
credential, if it does not the server MUST fail the negotiation.
In the non "-PLUS" mechanisms the "gs2-cb-flag" MUST be set to "n" In the non "-PLUS" mechanisms the "gs2-cb-flag" MUST be set to "n"
because channel-binding [RFC5056] data is not expected. In the because channel-binding [RFC5056] data is not expected. In the
OAUTH10A-PLUS mechanism (or other -PLUS variants based on this OAUTH10A-PLUS mechanism (or other -PLUS variants based on this
specification) the "gs2-cb-flag" MUST be set appropriately by the specification) the "gs2-cb-flag" MUST be set appropriately by the
client. client.
3.2. Server's Response 3.2. Server's Response
The server validates the response per the specification for the The server validates the response per the specification for the
skipping to change at page 10, line 50 skipping to change at page 11, line 4
The server validates the response per the specification for the The server validates the response per the specification for the
authorization scheme used. If the authorization scheme used includes authorization scheme used. If the authorization scheme used includes
signing of the request parameters the client must provide a client signing of the request parameters the client must provide a client
response that satisfies the data requirements for the scheme in use. response that satisfies the data requirements for the scheme in use.
In a "-PLUS" mechanism the server examines the channel binding data, In a "-PLUS" mechanism the server examines the channel binding data,
extracts the channel binding unique prefix, and extracts the raw extracts the channel binding unique prefix, and extracts the raw
channel biding data based on the channel binding type used. It then channel biding data based on the channel binding type used. It then
computes it's own copy of the channel binding payload and compares computes it's own copy of the channel binding payload and compares
that to the payload sent by the client in the cbdata key/value. that to the payload sent by the client in the cbdata key/value.
Those two must be equal for channel binding to succeed. Those two must be equal for channel binding to succeed.
The server responds to a successfully verified client message by The server responds to a successfully verified client message by
completing the SASL negotiation. The authorization scheme MUST carry completing the SASL negotiation. The authenticated identity reported
the user ID to be used as the authorization identity (identity to act by the mechanism is the identity which the mechanism has securely
as). The server MUST use the ID obtained from the credential as the established for the client with the OAuth credential.
user being authorized.
3.2.1. Mapping to SASL Identities 3.2.1. Mapping to SASL Identities
Some OAuth mechanisms can provide both an authorization identity and Note that the semantics of the authz-id are specified by the SASL
an authentication identity. An example of this is OAuth 1.0a framework [RFC4422]. A SASL application is, of course, free to apply
[RFC5849] where the consumer key (oauth_consumer_key) identifies the mappings of the OAuth authcid to authz-ids as per-SASL, and it is
entity using the token which equates to the SASL authentication free to apply mappings common to non-SASL OAuth applications.
identity, and is authenticated using the shared secret. The server
MAY use a consumer key, a value derived from it, or other comparable Some OAuth schemes can carry both a user identity and a "proxy"
identity in the OAuth authorization scheme to allow SASL an identity, for example an OAuth 1.0a [RFC5849] mechanism where the
authentication identity different from the authorization identity to consumer key (oauth_consumer_key) identifies the entity using the
be set. token and the token itself identifies the user. If both identities
are needed by an application the developer will need to provide a way
to communicate that from the SASL mechanism back to the application
such as a GS2 [RFC2473] named type like GSS_C_NT_USER_NAME or a
comparable newly defined GS2 attribute.
3.2.2. Canonicalization 3.2.2. Canonicalization
The identity asserted by the OAuth authorization server is canonical The identity asserted by the OAuth authorization server is canonical
for display. The server MAY provide a different canonical form based for display. The server MAY provide a different canonical form based
on local data. on local data.
3.2.3. Server response to failed authentication. 3.2.3. Server response to failed authentication.
For a failed authentication the server returns a JSON [RFC4627] For a failed authentication the server returns a JSON [RFC4627]
skipping to change at page 17, line 29 skipping to change at page 18, line 29
5.2. OAuth 1.0a Authorization with Channel Binding 5.2. OAuth 1.0a Authorization with Channel Binding
This example shows channel binding in the context of an OAuth 1.0a This example shows channel binding in the context of an OAuth 1.0a
signed authorization request. Note that line breaks are inserted for signed authorization request. Note that line breaks are inserted for
readability. readability.
S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server
Ready Ready
S: t0 OK Completed S: t0 OK Completed
C: t1 AUTHENTICATE OAUTH10A-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZ C: t1 AUTHENTICATE OAUTH10A-PLUS cCxhPXVzZXJAZXhhbXBsZS5jb20BaG9zdD1zZ
XJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD1PQXV0aCByZWFsbT0iRXhhb XJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD1PQXV0aCByZWFsbT0iRXhhb
XBsZSIsb2F1dGhfY29uc3VtZXJfa2V5PSI5ZGpkajgyaDQ4ZGpzOWQyIixvYXV0a XBsZSIsb2F1dGhfY29uc3VtZXJfa2V5PSI5ZGpkajgyaDQ4ZGpzOWQyIixvYXV0a
F90b2tlbj0ia2trOWQ3ZGgzazM5c2p2NyIsb2F1dGhfc2lnbmF0dXJlX21ldGhvZ F90b2tlbj0ia2trOWQ3ZGgzazM5c2p2NyIsb2F1dGhfc2lnbmF0dXJlX21ldGhvZ
D0iSE1BQy1TSEExIixvYXV0aF90aW1lc3RhbXA9IjEzNzEzMTIwMSIsb2F1dGhfb D0iSE1BQy1TSEExIixvYXV0aF90aW1lc3RhbXA9IjEzNzEzMTIwMSIsb2F1dGhfb
m9uY2U9IjdkOGYzZTRhIixvYXV0aF9zaWduYXR1cmU9IlNTZHRJR0VnYkdsMGRHe m9uY2U9IjdkOGYzZTRhIixvYXV0aF9zaWduYXR1cmU9IlNTZHRJR0VnYkdsMGRHe
GxJSFJsWVNCd2IzUXUiAXFzPWNiZGF0YT10bHMtdW5pcXVlOlNHOTNJR0pwWnlCc GxJSFJsWVNCd2IzUXUiAXFzPWNiZGF0YT10bHMtdW5pcXVlOlNHOTNJR0pwWnlCc
GN5QmhJRlJNVXlCbWFXNWhiQ0J0WlhOellXZGxQd289AQE= GN5QmhJRlJNVXlCbWFXNWhiQ0J0WlhOellXZGxQd289AQE=
S: t1 OK SASL authentication succeeded S: t1 OK SASL authentication succeeded
As required by IMAP [RFC3501], the payloads are base64-encoded. The As required by IMAP [RFC3501], the payloads are base64-encoded. The
decoded initial client response (with %x01 represented as ^A and decoded initial client response (with %x01 represented as ^A and
lines wrapped for readability) is: lines wrapped for readability) is:
y,a=user@example.com^A p,a=user@example.com^A
host=server.example.com^A host=server.example.com^A
port=143^A port=143^A
auth=OAuth realm="Example", auth=OAuth realm="Example",
oauth_consumer_key="9djdj82h48djs9d2", oauth_consumer_key="9djdj82h48djs9d2",
oauth_token="kkk9d7dh3k39sjv7", oauth_token="kkk9d7dh3k39sjv7",
oauth_signature_method="HMAC-SHA1", oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131201", oauth_timestamp="137131201",
oauth_nonce="7d8f3e4a", oauth_nonce="7d8f3e4a",
oauth_signature="SSdtIGEgbGl0dGxlIHRlYSBwb3Qu"^A oauth_signature="SSdtIGEgbGl0dGxlIHRlYSBwb3Qu"^A
qs=cbdata=tls-unique:SG93IGJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=^A^A qs=cbdata=tls-unique:SG93IGJpZyBpcyBhIFRMUyBmaW5hbCBtZXNzYWdlPwo=^A^A
skipping to change at page 19, line 10 skipping to change at page 20, line 10
n,a=user@example.com,^Ahost=server.example.com^A n,a=user@example.com,^Ahost=server.example.com^A
port=143^Aauth=^A^A port=143^Aauth=^A^A
The decoded server error response is: The decoded server error response is:
{ {
"status":"401", "status":"401",
"scope":"example_scope" "scope":"example_scope"
} }
The client responds with the required empty response. The client responds with the required dummy response.
5.4. Failed Channel Binding 5.4. Failed Channel Binding
This example shows a channel binding failure in an empty request. This example shows a channel binding failure in an empty request.
The channel binding information is empty. Note that line breaks are The channel binding information is empty. Note that line breaks are
inserted for readability. inserted for readability.
S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server S: * CAPABILITY IMAP4rev1 AUTH=OAUTH10A-PLUS SASL-IR IMAP4rev1 Server
Ready Ready
S: t0 OK Completed S: t0 OK Completed
C: t1 AUTHENTICATE OAUTH10A-PLUS eSxhPXVzZXJAZXhhbXBsZS5jb20BaG9z C: t1 AUTHENTICATE OAUTH10A-PLUS cCxhPXVzZXJAZXhhbXBsZS5jb20BaG9z
dD1zZXJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD0BY2JkYXRhPQEB dD1zZXJ2ZXIuZXhhbXBsZS5jb20BcG9ydD0xNDMBYXV0aD0BY2JkYXRhPQEB
S: + ewoic3RhdHVzIjoiNDEyIiwKInNjb3BlIjoiZXhhbXBsZV9zY29wZSIKfQ== S: + ewoic3RhdHVzIjoiNDEyIiwKInNjb3BlIjoiZXhhbXBsZV9zY29wZSIKfQ==
C: + AQ== C: + AQ==
S: t1 NO SASL authentication failed S: t1 NO SASL authentication failed
The decoded initial client response is: The decoded initial client response is:
y,a=user@example.com,^Ahost=server.example.com^A p,a=user@example.com,^Ahost=server.example.com^A
port=143^Aauth=^Acbdata=^A^A port=143^Aauth=^Acbdata=^A^A
The decoded server response is: The decoded server response is:
{ {
"status":"412", "status":"412",
"scope":"example_scope" "scope":"example_scope"
} }
The client responds with the required empty response. The client responds with the required dummy response.
5.5. SMTP Example of a failed negotiation. 5.5. SMTP Example of a failed negotiation.
This example shows an authorization failure in an SMTP exchange. This example shows an authorization failure in an SMTP exchange.
Note that line breaks are inserted for readability, and that the SMTP Note that line breaks are inserted for readability, and that the SMTP
protocol terminates lines with CR and LF characters (ASCII values protocol terminates lines with CR and LF characters (ASCII values
0x0D and 0x0A), these are not displayed explicitly in the example. 0x0D and 0x0A), these are not displayed explicitly in the example.
[connection begins] [connection begins]
S: 220 mx.example.com ESMTP 12sm2095603fks.9 S: 220 mx.example.com ESMTP 12sm2095603fks.9
skipping to change at page 20, line 24 skipping to change at page 21, line 24
C: AUTH OAUTHBEARER bixhPT1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB2 C: AUTH OAUTHBEARER bixhPT1zb21ldXNlckBleGFtcGxlLmNvbQFhdXRoPUJlYXJlciB2
RjlkZnQ0cW1UYzJOdmIzUmxja0JoZEhSaGRtbHpkR0V1WTI5dENnPT0BAQ== RjlkZnQ0cW1UYzJOdmIzUmxja0JoZEhSaGRtbHpkR0V1WTI5dENnPT0BAQ==
S: 334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3BlIjoia S: 334 eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIG1hYyIsInNjb3BlIjoia
HR0cHM6Ly9tYWlsLmdvb2dsZS5jb20vIn0K HR0cHM6Ly9tYWlsLmdvb2dsZS5jb20vIn0K
C: AQ== C: AQ==
S: 535-5.7.1 Username and Password not accepted. Learn more at S: 535-5.7.1 Username and Password not accepted. Learn more at
S: 535 5.7.1 http://support.example.com/mail/oauth S: 535 5.7.1 http://support.example.com/mail/oauth
[connection continues...] [connection continues...]
The server returned an error message in the 334 SASL message, the The server returned an error message in the 334 SASL message, the
client responds with the required empty response, and the server client responds with the required dummy response, and the server
finalizes the negotiation. finalizes the negotiation.
6. Security Considerations 6. Security Considerations
This mechanism does not provide a security layer, but does provide a This mechanism does not provide a security layer, but does provide a
provision for channel binding. The OAuth 2 specification provision for channel binding. The OAuth 2 specification
[I-D.ietf-oauth-v2] allows for a variety of usages, and the security [I-D.ietf-oauth-v2] allows for a variety of usages, and the security
properties of these profiles vary. The usage of bearer tokens, for properties of these profiles vary. The usage of bearer tokens, for
example, provide security features similar to cookies. Applications example, provide security features similar to cookies. Applications
using this mechanism SHOULD exercise the same level of care using using this mechanism SHOULD exercise the same level of care using
skipping to change at page 24, line 22 skipping to change at page 25, line 22
[I-D.ietf-oauth-v2-bearer] [I-D.ietf-oauth-v2-bearer]
Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
Framework: Bearer Token Usage", Framework: Bearer Token Usage",
draft-ietf-oauth-v2-bearer-23 (work in progress), draft-ietf-oauth-v2-bearer-23 (work in progress),
August 2012. August 2012.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in
IPv6 Specification", RFC 2473, December 1998.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
Leach, P., Luotonen, A., and L. Stewart, "HTTP Leach, P., Luotonen, A., and L. Stewart, "HTTP
Authentication: Basic and Digest Access Authentication", Authentication: Basic and Digest Access Authentication",
RFC 2617, June 1999. RFC 2617, June 1999.
[RFC2743] Linn, J., "Generic Security Service Application Program [RFC2743] Linn, J., "Generic Security Service Application Program
skipping to change at page 27, line 9 skipping to change at page 28, line 9
Appendix A. Acknowlegements Appendix A. Acknowlegements
The authors would like to thank the members of the Kitten working The authors would like to thank the members of the Kitten working
group, and in addition and specifically: Simon Josefson, Torsten group, and in addition and specifically: Simon Josefson, Torsten
Lodderstadt, Ryan Troll, and Nico Williams. Lodderstadt, Ryan Troll, and Nico Williams.
Appendix B. Document History Appendix B. Document History
[[ to be removed by RFC editor before publication as an RFC ]] [[ to be removed by RFC editor before publication as an RFC ]]
-07
o Struck the MUST langiage from authzid.
o
-06 -06
o Removed the user field. Fixed the examples again. o Removed the user field. Fixed the examples again.
o Added canonicalization language. o Added canonicalization language.
o o
-05 -05
 End of changes. 20 change blocks. 
46 lines changed or deleted 60 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/