draft-ietf-oauth-resource-indicators-03.txt  vs.  draft-ietf-oauth-resource-indicators-04.txt

OAuth Working Group                                           B. Campbell
Internet-Draft                                              Ping Identity
Intended status: Standards Track                               J. Bradley
Expires: January 21, 2020 (-03) / January 22, 2020 (-04)           Yubico
                                                            H. Tschofenig
                                                              Arm Limited
                                 July 20, 2019 (-03) / July 21, 2019 (-04)

                    Resource Indicators for OAuth 2.0
   draft-ietf-oauth-resource-indicators-03 / draft-ietf-oauth-resource-indicators-04
Abstract

   An extension to the OAuth 2.0 Authorization Framework defining
   request parameters that enable a client to explicitly signal to an
   authorization server about the identity of the protected resource(s)
   to which it is requesting access.

Status of This Memo

skipping to change at page 1, line 36

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 21, 2020 (-03) /
   January 22, 2020 (-04).

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
skipping to change at page 7, line 14

   When requesting a token, the client can indicate the desired target
   service(s) where it intends to use that token by way of the
   "resource" parameter and can indicate the desired scope of the
   requested token using the "scope" parameter.  The semantics of such a
   request are that the client is asking for a token with the requested
   scope that is usable at all the requested target services.
   Effectively, the requested access rights of the token are the
   cartesian product of all the scopes at all the target services.

   -03 text:

   To the extent possible, when issuing access tokens, the authorization
   server should adapt the scope value associated with an access token
   to the value the respective resource is able to process and needs to
   know.  This further improves privacy as scope values give an
   indication of what services the resource owner uses and it improves
   security as scope values may contain confidential data.

   -04 text:

   To the extent possible, when issuing access tokens, the authorization
   server should downscope the scope value associated with an access
   token to the value the respective resource is able to process and
   needs to know.  This further improves privacy as scope values give an
   indication of what services the resource owner uses and downscoping a
   token to only that which is needed for a particular service can limit
   the extent to which such information is revealed across different
   services.

   Unchanged in both:

   As specified in Section 5.1 of [RFC6749], the authorization server
   must indicate the access token's effective scope to the client in the
   "scope" response parameter value when it differs from the scope
   requested by the client.
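   As an added worked example (written for this page; it is not code
   from the draft or from any existing authorization server), the
   following Python sketches the token-endpoint behaviour the paragraph
   above describes: the client's "resource" and "scope" values are
   parsed, each resource indicator is checked against a registry of
   known protected resources, the requested scope is downscoped to what
   those resources can process, and the "scope" response parameter is
   returned only when the effective scope differs from what the client
   asked for.  The registry, the scope names, the fallback audience used
   when no "resource" is sent, the opaque token format and the
   server-side token record are assumptions; the "invalid_resource"
   error code is the one the document history on this page says the
   draft registers.

```python
"""Added example (not from the draft or any OAuth implementation): a minimal
token-endpoint handler showing how an authorization server can act on the
"resource" and "scope" parameters.  The resource registry, the scope names,
the opaque token format and the server-side token record are assumptions."""
import json
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed registry: the scope values each registered protected resource can
# process.  A real AS would load this from its resource configuration.
RESOURCE_REGISTRY = {
    "https://cal.example.com/": {"calendar:read", "calendar:write"},
    "https://contacts.example.com/": {"contacts:read"},
}

# Server-side record of issued tokens (audience and effective scope), as a
# token introspection endpoint or resource server would consult it.
TOKENS = {}


class TokenError(Exception):
    """Maps to an RFC 6749 token error response ("error", "error_description")."""

    def __init__(self, error, description):
        super().__init__(description)
        self.error = error
        self.description = description


def parse_token_request(body):
    """Parse an application/x-www-form-urlencoded token request body.

    "resource" may appear more than once, so it is kept as a list; "scope" is
    a single space-delimited string as in RFC 6749.
    """
    form = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    if form.get("grant_type") != ["authorization_code"]:
        raise TokenError("unsupported_grant_type", "only authorization_code is handled here")
    scope = form.get("scope", [""])
    if len(scope) != 1:
        raise TokenError("invalid_request", "scope must not be repeated")
    return {"code": form.get("code", [None])[0],
            "scope": scope[0],
            "resources": form.get("resource", [])}


def validate_resource(value):
    """Accept only absolute URIs that the AS knows as protected resources."""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        raise TokenError("invalid_resource", f"not an absolute URI: {value!r}")
    if value not in RESOURCE_REGISTRY:
        raise TokenError("invalid_resource", f"unknown protected resource: {value!r}")
    return value


def effective_scope(requested_scope, resources):
    """Downscope the request to what the target resource(s) can process.

    The requested rights are the cartesian product of every scope value at
    every target service; scope values that none of the requested resources
    understands are dropped, so a token for the calendar service never
    carries a contacts scope.  Duplicates are removed, client order is kept.
    """
    usable = set().union(*(RESOURCE_REGISTRY[r] for r in resources))
    kept, seen = [], set()
    for s in requested_scope.split():
        if s in usable and s not in seen:
            kept.append(s)
            seen.add(s)
    return kept


def issue_access_token(request):
    """Build the token response; "scope" is included only when it was narrowed."""
    resources = [validate_resource(r) for r in request["resources"]]
    if not resources:
        # Assumption: with no "resource" parameter the AS falls back to every
        # registered resource as the audience.
        resources = list(RESOURCE_REGISTRY)
    scope = effective_scope(request["scope"], resources)
    if not scope:
        raise TokenError("invalid_scope", "no requested scope value applies to the requested resource(s)")
    token = secrets.token_urlsafe(32)          # opaque handle; audience and scope live in TOKENS
    TOKENS[token] = {"aud": resources, "scope": scope}
    response = {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
    if set(scope) != set(request["scope"].split()):
        response["scope"] = " ".join(scope)    # RFC 6749 section 5.1: report the narrowed scope
    return response


def handle_token_request(body):
    """Return (HTTP status, JSON body) for a raw token request body."""
    try:
        return 200, issue_access_token(parse_token_request(body))
    except TokenError as exc:
        return 400, {"error": exc.error, "error_description": exc.description}


# Constructed request body: the code value is a placeholder, not a real grant.
SAMPLE_BODY = ("grant_type=authorization_code&code=constructed-example-code"
               "&resource=https%3A%2F%2Fcal.example.com%2F"
               "&scope=calendar%3Aread+calendar%3Awrite+contacts%3Aread")

if __name__ == "__main__":
    for body in (SAMPLE_BODY,
                 SAMPLE_BODY + "&resource=https%3A%2F%2Fcontacts.example.com%2F",
                 SAMPLE_BODY.replace("cal.example.com", "unknown.example.net")):
        status, payload = handle_token_request(body)
        print(status, json.dumps(payload))
```

   Run stand-alone, the first request (calendar only) comes back with
   "scope": "calendar:read calendar:write" because the contacts scope was
   dropped; the second request names both resources, the effective scope
   equals the requested scope, and no "scope" member is returned; the
   third names an unregistered resource and is rejected before any token
   is minted.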
   Following from the code flow authorization request shown in Figure 2,
   the below examples show an "authorization_code" grant type access
   token request (Figure 3) and response (Figure 4) where the client
   tells the authorization server that it wants the access token for use
   at "https://cal.example.com/" (extra line breaks and indentation are
   for display purposes only).

   POST /as/token.oauth2 HTTP/1.1
   Host: authorization-server.example.com
skipping to change at page 12, line 11

   Vittorio Bertocci, Sergey Beryozkin, Roman Danyliw, William Denniss,
   Vladimir Dzhuvinov, George Fletcher, Dick Hardt, Phil Hunt, Michael
   Jones, Torsten Lodderstedt, Anthony Nadalin, Justin Richer, Nat
   Sakimura, Rifaat Shekh-Yusef, Filip Skokan, and Hans Zandbelt.

Appendix B.  Document History

   [[ to be removed by the RFC Editor before publication as an RFC ]]

   draft-ietf-oauth-resource-indicators-04  (entry present only in -04)

   o  Editorial updates from AD review that were overlooked in -03.

   draft-ietf-oauth-resource-indicators-03

   o  Editorial updates from AD review.

   o  Update draft-ietf-oauth-jwsreq ref to -19.

   o  Update the IANA requests to say they update the registries.

   draft-ietf-oauth-resource-indicators-02

   o  Clarify that the value of the "resource" parameter is a URI which
      can be an abstract identifier for the target resource and doesn't

skipping to change at page 12, line 48 (-03) / page 13, line 5 (-04)

   draft-ietf-oauth-resource-indicators-00

   o  First version of the working group document.  A replica of draft-
      campbell-oauth-resource-indicators-02.

   draft-campbell-oauth-resource-indicators-02

   o  No changes.

   draft-campbell-oauth-resource-indicators-01

   o  Move Hannes Tschofenig, who wrote https://tools.ietf.org/html/
      draft-tschofenig-oauth-audience in '13, from Acknowledgements to
      Authors.

   o  Added IANA Considerations to register the "resource" parameter and
      "invalid_resource" error code.

   draft-campbell-oauth-resource-indicators-00

   o  Initial draft to define a resource parameter for OAuth 2.0.
End of changes.  7 change blocks.
14 lines changed or deleted, 18 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/