draft-ietf-oauth-v2-1-01.txt   draft-ietf-oauth-v2-1-02.txt 
OAuth Working Group D. Hardt OAuth Working Group D. Hardt
Internet-Draft SignIn.Org Internet-Draft SignIn.Org
Intended status: Standards Track A. Parecki Intended status: Standards Track A. Parecki
Expires: 5 August 2021 Okta Expires: 16 September 2021 Okta
T. Lodderstedt T. Lodderstedt
yes.com yes.com
1 February 2021 15 March 2021
The OAuth 2.1 Authorization Framework The OAuth 2.1 Authorization Framework
draft-ietf-oauth-v2-1-01 draft-ietf-oauth-v2-1-02
Abstract Abstract
The OAuth 2.1 authorization framework enables a third-party The OAuth 2.1 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction behalf of a resource owner by orchestrating an approval interaction
between the resource owner and an authorization service, or by between the resource owner and an authorization service, or by
allowing the third-party application to obtain access on its own allowing the third-party application to obtain access on its own
behalf. This specification replaces and obsoletes the OAuth 2.0 behalf. This specification replaces and obsoletes the OAuth 2.0
Authorization Framework described in RFC 6749. Authorization Framework described in RFC 6749.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 5 August 2021. This Internet-Draft will expire on 16 September 2021.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 28 skipping to change at page 2, line 28
1.5. Refresh Token . . . . . . . . . . . . . . . . . . . . . . 10 1.5. Refresh Token . . . . . . . . . . . . . . . . . . . . . . 10
1.6. TLS Version . . . . . . . . . . . . . . . . . . . . . . . 12 1.6. TLS Version . . . . . . . . . . . . . . . . . . . . . . . 12
1.7. HTTP Redirections . . . . . . . . . . . . . . . . . . . . 12 1.7. HTTP Redirections . . . . . . . . . . . . . . . . . . . . 12
1.8. Interoperability . . . . . . . . . . . . . . . . . . . . 12 1.8. Interoperability . . . . . . . . . . . . . . . . . . . . 12
1.9. Compatibility with OAuth 2.0 . . . . . . . . . . . . . . 13 1.9. Compatibility with OAuth 2.0 . . . . . . . . . . . . . . 13
1.10. Notational Conventions . . . . . . . . . . . . . . . . . 13 1.10. Notational Conventions . . . . . . . . . . . . . . . . . 13
2. Client Registration . . . . . . . . . . . . . . . . . . . . . 14 2. Client Registration . . . . . . . . . . . . . . . . . . . . . 14
2.1. Client Types . . . . . . . . . . . . . . . . . . . . . . 14 2.1. Client Types . . . . . . . . . . . . . . . . . . . . . . 14
2.2. Client Identifier . . . . . . . . . . . . . . . . . . . . 16 2.2. Client Identifier . . . . . . . . . . . . . . . . . . . . 16
2.3. Client Authentication . . . . . . . . . . . . . . . . . . 16 2.3. Client Authentication . . . . . . . . . . . . . . . . . . 16
2.3.1. Client Password . . . . . . . . . . . . . . . . . . . 17 2.3.1. Client Secret . . . . . . . . . . . . . . . . . . . . 17
2.3.2. Other Authentication Methods . . . . . . . . . . . . 18 2.3.2. Other Authentication Methods . . . . . . . . . . . . 18
2.4. Unregistered Clients . . . . . . . . . . . . . . . . . . 18 2.4. Unregistered Clients . . . . . . . . . . . . . . . . . . 18
3. Protocol Endpoints . . . . . . . . . . . . . . . . . . . . . 18 3. Protocol Endpoints . . . . . . . . . . . . . . . . . . . . . 18
3.1. Authorization Endpoint . . . . . . . . . . . . . . . . . 19 3.1. Authorization Endpoint . . . . . . . . . . . . . . . . . 19
3.1.1. Response Type . . . . . . . . . . . . . . . . . . . . 19 3.1.1. Response Type . . . . . . . . . . . . . . . . . . . . 19
3.1.2. Redirection Endpoint . . . . . . . . . . . . . . . . 20 3.1.2. Redirection Endpoint . . . . . . . . . . . . . . . . 20
3.2. Token Endpoint . . . . . . . . . . . . . . . . . . . . . 22 3.2. Token Endpoint . . . . . . . . . . . . . . . . . . . . . 22
3.2.1. Client Authentication . . . . . . . . . . . . . . . . 22 3.2.1. Client Authentication . . . . . . . . . . . . . . . . 22
3.3. Access Token Scope . . . . . . . . . . . . . . . . . . . 23 3.3. Access Token Scope . . . . . . . . . . . . . . . . . . . 23
4. Obtaining Authorization . . . . . . . . . . . . . . . . . . . 23 4. Obtaining Authorization . . . . . . . . . . . . . . . . . . . 23
4.1. Authorization Code Grant . . . . . . . . . . . . . . . . 23 4.1. Authorization Code Grant . . . . . . . . . . . . . . . . 23
4.1.1. Authorization Request . . . . . . . . . . . . . . . . 25 4.1.1. Authorization Request . . . . . . . . . . . . . . . . 25
4.1.2. Authorization Response . . . . . . . . . . . . . . . 28 4.1.2. Authorization Response . . . . . . . . . . . . . . . 28
4.1.3. Access Token Request . . . . . . . . . . . . . . . . 31 4.1.3. Access Token Request . . . . . . . . . . . . . . . . 31
4.1.4. Access Token Response . . . . . . . . . . . . . . . . 32 4.1.4. Access Token Response . . . . . . . . . . . . . . . . 32
4.2. Client Credentials Grant . . . . . . . . . . . . . . . . 33 4.2. Client Credentials Grant . . . . . . . . . . . . . . . . 32
4.2.1. Authorization Request and Response . . . . . . . . . 33 4.2.1. Authorization Request and Response . . . . . . . . . 33
4.2.2. Access Token Request . . . . . . . . . . . . . . . . 33 4.2.2. Access Token Request . . . . . . . . . . . . . . . . 33
4.2.3. Access Token Response . . . . . . . . . . . . . . . . 34 4.2.3. Access Token Response . . . . . . . . . . . . . . . . 34
4.3. Extension Grants . . . . . . . . . . . . . . . . . . . . 34 4.3. Extension Grants . . . . . . . . . . . . . . . . . . . . 34
5. Issuing an Access Token . . . . . . . . . . . . . . . . . . . 35 5. Issuing an Access Token . . . . . . . . . . . . . . . . . . . 35
5.1. Successful Response . . . . . . . . . . . . . . . . . . . 35 5.1. Successful Response . . . . . . . . . . . . . . . . . . . 35
5.2. Error Response . . . . . . . . . . . . . . . . . . . . . 36 5.2. Error Response . . . . . . . . . . . . . . . . . . . . . 36
6. Refreshing an Access Token . . . . . . . . . . . . . . . . . 38 6. Refreshing an Access Token . . . . . . . . . . . . . . . . . 38
6.1. Refresh Token Protection . . . . . . . . . . . . . . . . 39 6.1. Refresh Token Request . . . . . . . . . . . . . . . . . . 38
6.2. Refresh Token Response . . . . . . . . . . . . . . . . . 40
7. Accessing Protected Resources . . . . . . . . . . . . . . . . 41 7. Accessing Protected Resources . . . . . . . . . . . . . . . . 41
7.1. Access Token Types . . . . . . . . . . . . . . . . . . . 41 7.1. Access Token Types . . . . . . . . . . . . . . . . . . . 41
7.2. Bearer Tokens . . . . . . . . . . . . . . . . . . . . . . 42 7.2. Bearer Tokens . . . . . . . . . . . . . . . . . . . . . . 42
7.2.1. Authenticated Requests . . . . . . . . . . . . . . . 42 7.2.1. Authenticated Requests . . . . . . . . . . . . . . . 42
7.2.2. The WWW-Authenticate Response Header Field . . . . . 44 7.2.2. The WWW-Authenticate Response Header Field . . . . . 44
7.2.3. Error Codes . . . . . . . . . . . . . . . . . . . . . 45 7.2.3. Error Codes . . . . . . . . . . . . . . . . . . . . . 45
7.3. Error Response . . . . . . . . . . . . . . . . . . . . . 46 7.3. Error Response . . . . . . . . . . . . . . . . . . . . . 46
7.3.1. Extension Token Types . . . . . . . . . . . . . . . . 46 7.3.1. Extension Token Types . . . . . . . . . . . . . . . . 46
7.4. Access Token Security Considerations . . . . . . . . . . 46 7.4. Access Token Security Considerations . . . . . . . . . . 46
7.4.1. Security Threats . . . . . . . . . . . . . . . . . . 47 7.4.1. Security Threats . . . . . . . . . . . . . . . . . . 47
skipping to change at page 14, line 29 skipping to change at page 14, line 29
establishing trust and obtaining the required client properties establishing trust and obtaining the required client properties
(e.g., redirect URI, client type). For example, registration can be (e.g., redirect URI, client type). For example, registration can be
accomplished using a self-issued or third-party-issued assertion, or accomplished using a self-issued or third-party-issued assertion, or
by the authorization server performing client discovery using a by the authorization server performing client discovery using a
trusted channel. trusted channel.
When registering a client, the client developer SHALL: When registering a client, the client developer SHALL:
* specify the client type as described in Section 2.1, * specify the client type as described in Section 2.1,
* provide its client redirect URIs as described in Section 3.1.2, * provide client details needed by the grant type in use, such as
and redirect URIs as described in Section 3.1.2, and
* include any other information required by the authorization server * include any other information required by the authorization server
(e.g., application name, website, description, logo image, the (e.g., application name, website, description, logo image, the
acceptance of legal terms). acceptance of legal terms).
Dynamic Client Registration ([RFC7591]) defines a common general data Dynamic Client Registration ([RFC7591]) defines a common general data
model for clients that may be used even with manual client model for clients that may be used even with manual client
registration. registration.
2.1. Client Types 2.1. Client Types
Clients are identified at the authorization server by a "client_id". OAuth 2.1 defines three client types based on their ability to
It is, for example, used by the authorization server to determine the authenticate securely with the authorization server as well as the
set of redirect URIs this client can use. authorization server's assurance of the client's identity.
Clients requiring a higher level of confidence in their identity by
the authorization server use credentials to authenticate with the
authorization server. Such credentials are either issued by the
authorization server or registered by the developer of the client
with the authorization server.
OAuth 2.1 defines three client types:
"confidential": Clients that have credentials and their identity has "confidential": Clients that have credentials and their identity has
been confirmed by the AS are designated as "confidential clients" been confirmed by the AS are designated as "confidential clients"
"credentialed": Clients that have credentials and their identity has "credentialed": Clients that have credentials and their identity has
been not been confirmed by the AS are designated as "credentialed been not been confirmed by the AS are designated as "credentialed
clients" clients"
"public": Clients without credentials are called "public clients" "public": Clients without credentials are called "public clients"
skipping to change at page 16, line 34 skipping to change at page 16, line 24
The client identifier string size is left undefined by this The client identifier string size is left undefined by this
specification. The client should avoid making assumptions about the specification. The client should avoid making assumptions about the
identifier size. The authorization server SHOULD document the size identifier size. The authorization server SHOULD document the size
of any identifier it issues. of any identifier it issues.
Authorization servers SHOULD NOT allow clients to choose or influence Authorization servers SHOULD NOT allow clients to choose or influence
their "client_id" value. See Section 9.6 for details. their "client_id" value. See Section 9.6 for details.
2.3. Client Authentication 2.3. Client Authentication
If the client type is confidential, the client and authorization Confidential and credentialed clients establish a client
server establish a client authentication method suitable for the authentication method with the authorization server suitable for the
security requirements of the authorization server. The authorization security requirements of the authorization server. The authorization
server MAY accept any form of client authentication meeting its server MAY accept any form of client authentication meeting its
security requirements. security requirements.
Confidential clients are typically issued (or establish) a set of Confidential and credentialed clients are typically issued (or
client credentials used for authenticating with the authorization establish) a set of client credentials used for authenticating with
server (e.g., password, public/private key pair). the authorization server (e.g., password, public/private key pair).
Authorization servers SHOULD use client authentication if possible. Authorization servers SHOULD use client authentication if possible.
It is RECOMMENDED to use asymmetric (public-key based) methods for It is RECOMMENDED to use asymmetric (public-key based) methods for
client authentication such as mTLS [RFC8705] or "private_key_jwt" client authentication such as mTLS [RFC8705] or "private_key_jwt"
[OpenID]. When asymmetric methods for client authentication are [OpenID]. When asymmetric methods for client authentication are
used, authorization servers do not need to store sensitive symmetric used, authorization servers do not need to store sensitive symmetric
keys, making these methods more robust against a number of attacks. keys, making these methods more robust against a number of attacks.
The authorization server MAY establish a client authentication method The authorization server MAY establish a client authentication method
with public clients, which converts them to credentialed clients. with public clients, which converts them to credentialed clients.
However, the authorization server MUST NOT rely on credentialed However, the authorization server MUST NOT rely on credentialed
client authentication for the purpose of identifying the client. client authentication for the purpose of identifying the client.
The client MUST NOT use more than one authentication method in each The client MUST NOT use more than one authentication method in each
request. request.
2.3.1. Client Password 2.3.1. Client Secret
Clients in possession of a client password, also known as a client Clients in possession of a client secret, sometimes known as a client
secret, MAY use the HTTP Basic authentication scheme as defined in password, MAY use the HTTP Basic authentication scheme as defined in
[RFC2617] to authenticate with the authorization server. The client [RFC2617] to authenticate with the authorization server. The client
identifier is encoded using the "application/x-www-form-urlencoded" identifier is encoded using the "application/x-www-form-urlencoded"
encoding algorithm per Appendix B, and the encoded value is used as encoding algorithm per Appendix B, and the encoded value is used as
the username; the client secret is encoded using the same algorithm the username; the client secret is encoded using the same algorithm
and used as the password. The authorization server MUST support the and used as the password. The authorization server MUST support the
HTTP Basic authentication scheme for authenticating clients that were HTTP Basic authentication scheme for authenticating clients that were
issued a client secret. issued a client secret.
For example (with extra line breaks for display purposes only): For example (with extra line breaks for display purposes only):
skipping to change at page 18, line 27 skipping to change at page 18, line 17
brute force attacks. brute force attacks.
2.3.2. Other Authentication Methods 2.3.2. Other Authentication Methods
The authorization server MAY support any suitable authentication The authorization server MAY support any suitable authentication
scheme matching its security requirements. When using other scheme matching its security requirements. When using other
authentication methods, the authorization server MUST define a authentication methods, the authorization server MUST define a
mapping between the client identifier (registration record) and mapping between the client identifier (registration record) and
authentication scheme. authentication scheme.
Some additional authentication methods are defined in the "OAuth Some additional authentication methods such as mTLS [RFC8705] and
Token Endpoint Authentication Methods "private_key_jwt" [OpenID] are defined in the "OAuth Token Endpoint
(https://www.iana.org/assignments/oauth-parameters/oauth- Authentication Methods (https://www.iana.org/assignments/oauth-
parameters.xhtml#token-endpoint-auth-method)" registry, and may be parameters/oauth-parameters.xhtml#token-endpoint-auth-method)"
useful as generic client authentication methods beyond the specific registry, and may be useful as generic client authentication methods
use of protecting the token endpoint. beyond the specific use of protecting the token endpoint.
2.4. Unregistered Clients 2.4. Unregistered Clients
This specification does not exclude the use of unregistered clients. This specification does not exclude the use of unregistered clients.
However, the use of such clients is beyond the scope of this However, the use of such clients is beyond the scope of this
specification and requires additional security analysis and review of specification and requires additional security analysis and review of
its interoperability impact. its interoperability impact.
3. Protocol Endpoints 3. Protocol Endpoints
skipping to change at page 19, line 41 skipping to change at page 19, line 34
Since requests to the authorization endpoint result in user Since requests to the authorization endpoint result in user
authentication and the transmission of clear-text credentials (in the authentication and the transmission of clear-text credentials (in the
HTTP response), the authorization server MUST require the use of TLS HTTP response), the authorization server MUST require the use of TLS
as described in Section 1.6 when sending requests to the as described in Section 1.6 when sending requests to the
authorization endpoint. authorization endpoint.
The authorization server MUST support the use of the HTTP "GET" The authorization server MUST support the use of the HTTP "GET"
method [RFC7231] for the authorization endpoint and MAY support the method [RFC7231] for the authorization endpoint and MAY support the
use of the "POST" method as well. use of the "POST" method as well.
Parameters sent without a value MUST be treated as if they were The authorization server MUST ignore unrecognized request parameters.
omitted from the request. The authorization server MUST ignore
unrecognized request parameters. Request and response parameters Request and response parameters defined by this specification MUST
defined by this specification MUST NOT be included more than once. NOT be included more than once. Parameters sent without a value MUST
be treated as if they were omitted from the request.
3.1.1. Response Type 3.1.1. Response Type
The authorization endpoint is used by the authorization code flow. The authorization endpoint is used by the authorization code flow.
The client informs the authorization server of the desired response The client informs the authorization server of the desired response
type using the following parameter: type using the following parameter:
"response_type": REQUIRED. The value MUST be "code" for requesting "response_type": REQUIRED. The value MUST be "code" for requesting
an authorization code as described by Section 4.1.1, or a an authorization code as described by Section 4.1.1, or a
registered extension value as described by Section 8.4. registered extension value as described by Section 8.4.
Extension response types MAY contain a space-delimited (%x20) list of Extension response types MAY contain a space-delimited (%x20) list of
values, where the order of values does not matter (e.g., response values, where the order of values does not matter (e.g., response
type "a b" is the same as "b a"). The meaning of such composite type "a b" is the same as "b a"). The meaning of such composite
response types is defined by their respective specifications. response types is defined by their respective specifications.
Some extension response types are defined by ([OpenID]).
If an authorization request is missing the "response_type" parameter, If an authorization request is missing the "response_type" parameter,
or if the response type is not understood, the authorization server or if the response type is not understood, the authorization server
MUST return an error response as described in Section 4.1.2.1. MUST return an error response as described in Section 4.1.2.1.
3.1.2. Redirection Endpoint 3.1.2. Redirection Endpoint
After completing its interaction with the resource owner, the After completing its interaction with the resource owner, the
authorization server directs the resource owner's user-agent back to authorization server directs the resource owner's user-agent back to
the client. The authorization server redirects the user-agent to the the client. The authorization server redirects the user-agent to one
client's redirection endpoint previously established with the of the client's redirection endpoints previously established with the
authorization server during the client registration process. authorization server during the client registration process.
The authorization server MUST compare the two URIs using simple
string comparison as defined in [RFC3986], Section 6.2.1.
The redirect URI MUST be an absolute URI as defined by [RFC3986] The redirect URI MUST be an absolute URI as defined by [RFC3986]
Section 4.3. The endpoint URI MAY include an "application/x-www- Section 4.3. The endpoint URI MAY include an "application/x-www-
form-urlencoded" formatted (per Appendix B) query component form-urlencoded" formatted (per Appendix B) query component
([RFC3986] Section 3.4), which MUST be retained when adding ([RFC3986] Section 3.4), which MUST be retained when adding
additional query parameters. The endpoint URI MUST NOT include a additional query parameters. The endpoint URI MUST NOT include a
fragment component. fragment component.
3.1.2.1. Endpoint Request Confidentiality 3.1.2.1. Endpoint Request Confidentiality
The redirection endpoint SHOULD require the use of TLS as described The redirection endpoint SHOULD require the use of TLS as described
skipping to change at page 21, line 15 skipping to change at page 21, line 15
3.1.2.2. Registration Requirements 3.1.2.2. Registration Requirements
The authorization server MUST require all clients to register one or The authorization server MUST require all clients to register one or
more complete redirect URIs prior to utilizing the authorization more complete redirect URIs prior to utilizing the authorization
endpoint. The client MAY use the "state" request parameter to endpoint. The client MAY use the "state" request parameter to
achieve per-request customization if needed. achieve per-request customization if needed.
The authorization server MAY allow the client to register multiple The authorization server MAY allow the client to register multiple
redirect URIs. redirect URIs.
Lack of requiring registration of redirect URIs enables an attacker Without requiring registration of redirect URIs, attackers can use
to use the authorization endpoint as an open redirector as described the authorization endpoint as an open redirector as described in
in Section 9.18. Section 9.18.
3.1.2.3. Dynamic Configuration 3.1.2.3. Dynamic Configuration
If multiple redirect URIs have been registered the client MUST If multiple redirect URIs have been registered the client MUST
include a redirect URI with the authorization request using the include a redirect URI with the authorization request using the
"redirect_uri" request parameter. "redirect_uri" request parameter.
3.1.2.4. Invalid Endpoint 3.1.2.4. Invalid Endpoint
If an authorization request fails validation due to a missing, If an authorization request fails validation due to a missing,
skipping to change at page 21, line 39 skipping to change at page 21, line 39
inform the resource owner of the error and MUST NOT automatically inform the resource owner of the error and MUST NOT automatically
redirect the user-agent to the invalid redirect URI. redirect the user-agent to the invalid redirect URI.
3.1.2.5. Endpoint Content 3.1.2.5. Endpoint Content
The redirection request to the client's endpoint typically results in The redirection request to the client's endpoint typically results in
an HTML document response, processed by the user-agent. If the HTML an HTML document response, processed by the user-agent. If the HTML
response is served directly as the result of the redirection request, response is served directly as the result of the redirection request,
any script included in the HTML document will execute with full any script included in the HTML document will execute with full
access to the redirect URI and the credentials (e.g. authorization access to the redirect URI and the credentials (e.g. authorization
code) it contains. code) it contains. Additionally, the request URL containing the
authorization code may be sent in the HTTP Referer header to any
embedded images, stylesheets and other elements loaded in the page.
The client SHOULD NOT include any third-party scripts (e.g., third- The client SHOULD NOT include any third-party scripts (e.g., third-
party analytics, social plug-ins, ad networks) in the redirection party analytics, social plug-ins, ad networks) in the redirection
endpoint response. Instead, it SHOULD extract the credentials from endpoint response. Instead, it SHOULD extract the credentials from
the URI and redirect the user-agent again to another endpoint without the URI and redirect the user-agent again to another endpoint without
exposing the credentials (in the URI or elsewhere). If third-party exposing the credentials (in the URI or elsewhere). If third-party
scripts are included, the client MUST ensure that its own scripts scripts are included, the client MUST ensure that its own scripts
(used to extract and remove the credentials from the URI) will (used to extract and remove the credentials from the URI) will
execute first. execute first.
3.2. Token Endpoint 3.2. Token Endpoint
The token endpoint is used by the client to obtain an access token by The token endpoint is used by the client to obtain an access token
presenting its authorization grant or refresh token. using a grant such as those described in Section 4 and Section 6.
The means through which the client obtains the location of the token The means through which the client obtains the location of the token
endpoint are beyond the scope of this specification, but the location endpoint are beyond the scope of this specification, but the location
is typically provided in the service documentation, or in the is typically provided in the service documentation and configured
authorization server's metadata document ([RFC8414]). during development of the client, or provided in the authorization
server's metadata document ([RFC8414]) and fetched programmatically
at runtime.
The endpoint URI MAY include an "application/x-www-form-urlencoded" The endpoint URI MAY include an "application/x-www-form-urlencoded"
formatted (per Appendix B) query component ([RFC3986] Section 3.4), formatted (per Appendix B) query component ([RFC3986] Section 3.4)
which MUST be retained when adding additional query parameters. The and MUST NOT include a fragment component.
endpoint URI MUST NOT include a fragment component.
Since requests to the token endpoint result in the transmission of Since requests to the token endpoint result in the transmission of
clear-text credentials (in the HTTP request and response), the clear-text credentials (in the HTTP request and response), the
authorization server MUST require the use of TLS as described in authorization server MUST require the use of TLS as described in
Section 1.6 when sending requests to the token endpoint. Section 1.6 when sending requests to the token endpoint.
The client MUST use the HTTP "POST" method when making access token The client MUST use the HTTP "POST" method when making access token
requests. requests.
The authorization server MUST ignore unrecognized request parameters.
Parameters sent without a value MUST be treated as if they were Parameters sent without a value MUST be treated as if they were
omitted from the request. The authorization server MUST ignore omitted from the request. Request and response parameters defined by
unrecognized request parameters. Request and response parameters this specification MUST NOT be included more than once.
defined by this specification MUST NOT be included more than once.
3.2.1. Client Authentication 3.2.1. Client Authentication
Confidential clients or other clients issued client credentials MUST Confidential clients or other clients issued client credentials MUST
authenticate with the authorization server as described in authenticate with the authorization server as described in
Section 2.3 when making requests to the token endpoint. Client Section 2.3 when making requests to the token endpoint. Client
authentication is used for: authentication is used for:
* Enforcing the binding of refresh tokens and authorization codes to * Enforcing the binding of refresh tokens and authorization codes to
the client they were issued to. Client authentication is critical the client they were issued to. Client authentication is critical
skipping to change at page 23, line 42 skipping to change at page 23, line 42
If the client omits the scope parameter when requesting If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined). document its scope requirements and default value (if defined).
4. Obtaining Authorization 4. Obtaining Authorization
To request an access token, the client obtains authorization from the To request an access token, the client obtains authorization from the
resource owner. The authorization is expressed in the form of an resource owner. OAuth defines two authorization grant types:
authorization grant, which the client uses to request the access authorization code and client credentials. It also provides an
token. OAuth defines two authorization grant types: authorization extension mechanism for defining additional grant types.
code and client credentials. It also provides an extension mechanism
for defining additional grant types.
4.1. Authorization Code Grant 4.1. Authorization Code Grant
The authorization code grant type is used to obtain both access The authorization code grant type is used to obtain both access
tokens and refresh tokens. tokens and refresh tokens.
Since this is a redirect-based flow, the client must be capable of Since this is a redirect-based flow, the client must be capable of
interacting with the resource owner's user-agent (typically a web initiating the flow with the resource owner's user-agent (typically a
browser) and capable of receiving incoming requests (via redirection) web browser) and capable of being redirected back to from the
from the authorization server. authorization server.
+----------+ +----------+
| Resource | | Resource |
| Owner | | Owner |
| | | |
+----------+ +----------+
^ ^
| |
(2) (2)
+----|-----+ Client Identifier +---------------+ +----|-----+ Client Identifier +---------------+
skipping to change at page 25, line 28 skipping to change at page 25, line 28
(5) The authorization server authenticates the client when possible, (5) The authorization server authenticates the client when possible,
validates the authorization code, validates the code verifier, and validates the authorization code, validates the code verifier, and
ensures that the redirect URI received matches the URI used to ensures that the redirect URI received matches the URI used to
redirect the client in step (3). If valid, the authorization server redirect the client in step (3). If valid, the authorization server
responds back with an access token and, optionally, a refresh token. responds back with an access token and, optionally, a refresh token.
4.1.1. Authorization Request 4.1.1. Authorization Request
To begin the authorization request, the client builds the To begin the authorization request, the client builds the
authorization request URI by adding parameters to the authorization authorization request URI by adding parameters to the authorization
server's authorization endpoint URI. server's authorization endpoint URI. The client will eventually
redirect the user-agent to this URI to initiate the request, as
described in Section 4.1.1.1.
Clients use a unique secret per authorization request to protect Clients use a unique secret per authorization request to protect
against code injection and CSRF attacks. The client first generates against authorization code injection and CSRF attacks. The client
this secret, which it can later use along with the authorization code first generates this secret, which it can use at the time of
to prove that the application using the authorization code is the redeeming the authorization code to prove that the client using the
same application that requested it. The properties "code_challenge" authorization code is the same client that requested it.
and "code_verifier" are adopted from the OAuth 2.0 extension known as
"Proof-Key for Code Exchange", or PKCE ([RFC7636]) where this
technique was originally developed.
Clients MUST use "code_challenge" and "code_verifier" and 4.1.1.1. Client Initiates the Authorization Request
authorization servers MUST enforce their use except under the
conditions described in Section 9.8. In this case, using and
enforcing "code_challenge" and "code_verifier" as described in the
following is still RECOMMENDED.
4.1.1.1. Client Creates a Code Verifier The client constructs the request URI by adding the following
parameters to the query component of the authorization endpoint URI
using the "application/x-www-form-urlencoded" format, per Appendix B:
The client first creates a code verifier, "code_verifier", for each "response_type": REQUIRED. Value MUST be set to "code".
Authorization Request, in the following manner:
code_verifier = high-entropy cryptographic random STRING using the "client_id": REQUIRED. The client identifier as described in
unreserved characters `[A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"` Section 2.2.
from Section 2.3 of {{RFC3986}}, with a minimum length of 43 characters
and a maximum length of 128 characters. "code_challenge": REQUIRED or RECOMMENDED (see Section 9.8). Code
challenge.
"code_challenge_method": OPTIONAL, defaults to "plain" if not
present in the request. Code verifier transformation method is
"S256" or "plain".
"redirect_uri": OPTIONAL. As described in Section 3.1.2.
"scope": OPTIONAL. The scope of the access request as described by
Section 3.3.
"state": OPTIONAL. An opaque value used by the client to maintain
state between the request and callback. The authorization server
includes this value when redirecting the user-agent back to the
client.
The "code_verifier" is a unique high-entropy cryptographically random
string generated for each authorization request, using the unreserved
characters "[A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"", with a
minimum length of 43 characters and a maximum length of 128
characters.
The client stores the "code_verifier" temporarily, and calculates the
"code_challenge" which it uses in the authorization request.
ABNF for "code_verifier" is as follows. ABNF for "code_verifier" is as follows.
code-verifier = 43*128unreserved code-verifier = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39 DIGIT = %x30-39
NOTE: The code verifier SHOULD have enough entropy to make it NOTE: The code verifier SHOULD have enough entropy to make it
impractical to guess the value. It is RECOMMENDED that the output of impractical to guess the value. It is RECOMMENDED that the output of
a suitable random number generator be used to create a 32-octet a suitable random number generator be used to create a 32-octet
sequence. The octet sequence is then base64url-encoded to produce a sequence. The octet sequence is then base64url-encoded to produce a
43-octet URL-safe string to use as the code verifier. 43-octet URL-safe string to use as the code verifier.
4.1.1.2. Client Creates the Code Challenge The client then creates a "code_challenge" derived from the code
The client then creates a code challenge derived from the code
verifier by using one of the following transformations on the code verifier by using one of the following transformations on the code
verifier: verifier:
plain
code_challenge = code_verifier
S256 S256
code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
plain
code_challenge = code_verifier
If the client is capable of using "S256", it MUST use "S256", as If the client is capable of using "S256", it MUST use "S256", as
"S256" is Mandatory To Implement (MTI) on the server. Clients are "S256" is Mandatory To Implement (MTI) on the server. Clients are
permitted to use "plain" only if they cannot support "S256" for some permitted to use "plain" only if they cannot support "S256" for some
technical reason and know via out-of-band configuration or via technical reason, for example constrained environments that do not
Authorization Server Metadata ([RFC8414]) that the server supports have a hashing function available, and know via out-of-band
"plain". configuration or via Authorization Server Metadata ([RFC8414]) that
the server supports "plain".
The plain transformation is for compatibility with existing
deployments and for constrained environments that can't use the
"S256" transformation.
ABNF for "code_challenge" is as follows. ABNF for "code_challenge" is as follows.
code-challenge = 43*128unreserved code-challenge = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39 DIGIT = %x30-39
4.1.1.3. Client Initiates the Authorization Request The properties "code_challenge" and "code_verifier" are adopted from
the OAuth 2.0 extension known as "Proof-Key for Code Exchange", or
The client constructs the request URI by adding the following PKCE ([RFC7636]) where this technique was originally developed.
parameters to the query component of the authorization endpoint URI
using the "application/x-www-form-urlencoded" format, per Appendix B:
"response_type": REQUIRED. Value MUST be set to "code".
"client_id": REQUIRED. The client identifier as described in
Section 2.2.
"code_challenge": REQUIRED or RECOMMENDED (see Section 9.8). Code
challenge.
"code_challenge_method": OPTIONAL, defaults to "plain" if not
present in the request. Code verifier transformation method is
"S256" or "plain".
"redirect_uri": OPTIONAL. As described in Section 3.1.2.
"scope": OPTIONAL. The scope of the access request as described by
Section 3.3.
"state": OPTIONAL. An opaque value used by the client to maintain Clients MUST use "code_challenge" and "code_verifier" and
state between the request and callback. The authorization server authorization servers MUST enforce their use except under the
includes this value when redirecting the user-agent back to the conditions described in Section 9.8. In this case, using and
client. enforcing "code_challenge" and "code_verifier" as described in the
following is still RECOMMENDED.
The client directs the resource owner to the constructed URI using an The client directs the resource owner to the constructed URI using an
HTTP redirection response, or by other means available to it via the HTTP redirection, or by other means available to it via the user-
user-agent. agent.
For example, the client directs the user-agent to make the following For example, the client directs the user-agent to make the following
HTTP request using TLS (with extra line breaks for display purposes HTTP request using TLS (with extra line breaks for display purposes
only): only):
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&code_challenge=6fdkQaPm51l13DSukcAH3Mdx7_ntecHYd1vi3n0hMZY &code_challenge=6fdkQaPm51l13DSukcAH3Mdx7_ntecHYd1vi3n0hMZY
&code_challenge_method=S256 HTTP/1.1 &code_challenge_method=S256 HTTP/1.1
Host: server.example.com Host: server.example.com
The authorization server validates the request to ensure that all The authorization server validates the request to ensure that all
required parameters are present and valid. If the request is valid, required parameters are present and valid.
the authorization server authenticates the resource owner and obtains
an authorization decision (by asking the resource owner or by In particular, the authorization server MUST validate the
establishing approval via other means). "redirect_uri" in the request if present, ensuring that it matches
one of the registered redirect URIs previously established during
client registration (Section 2). When comparing the two URIs the
authorization server MUST using simple character-by-character string
comparison as defined in [RFC3986], Section 6.2.1.
If the request is valid, the authorization server authenticates the
resource owner and obtains an authorization decision (by asking the
resource owner or by establishing approval via other means).
When a decision is established, the authorization server directs the When a decision is established, the authorization server directs the
user-agent to the provided client redirect URI using an HTTP user-agent to the provided client redirect URI using an HTTP
redirection response, or by other means available to it via the user- redirection response, or by other means available to it via the user-
agent. agent.
4.1.2. Authorization Response 4.1.2. Authorization Response
If the resource owner grants the access request, the authorization If the resource owner grants the access request, the authorization
server issues an authorization code and delivers it to the client by server issues an authorization code and delivers it to the client by
skipping to change at page 28, line 45 skipping to change at page 28, line 49
HTTP/1.1 302 Found HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
&state=xyz &state=xyz
The client MUST ignore unrecognized response parameters. The The client MUST ignore unrecognized response parameters. The
authorization code string size is left undefined by this authorization code string size is left undefined by this
specification. The client should avoid making assumptions about code specification. The client should avoid making assumptions about code
value sizes. The authorization server SHOULD document the size of value sizes. The authorization server SHOULD document the size of
any value it issues. any value it issues.
When the server issues the authorization code in the authorization The authorization server MUST associate the "code_challenge" and
response, it MUST associate the "code_challenge" and "code_challenge_method" values with the issued authorization code so
"code_challenge_method" values with the authorization code so it can the code challenge can be verified later.
be verified later.
The "code_challenge" and "code_challenge_method" values may be stored
in encrypted form in the "code" itself, but could alternatively be
stored on the server associated with the code. The server MUST NOT
include the "code_challenge" value in client requests in a form that
other entities can extract.
The exact method that the server uses to associate the The exact method that the server uses to associate the
"code_challenge" with the issued "code" is out of scope for this "code_challenge" with the issued code is out of scope for this
specification. specification. The code challenge could be stored on the server and
associated with the code there. The "code_challenge" and
"code_challenge_method" values may be stored in encrypted form in the
code itself, but the server MUST NOT include the "code_challenge"
value in a response parameter in a form that entities other than the
AS can extract.
4.1.2.1. Error Response 4.1.2.1. Error Response
If the request fails due to a missing, invalid, or mismatching If the request fails due to a missing, invalid, or mismatching
redirect URI, or if the client identifier is missing or invalid, the redirect URI, or if the client identifier is missing or invalid, the
authorization server SHOULD inform the resource owner of the error authorization server SHOULD inform the resource owner of the error
and MUST NOT automatically redirect the user-agent to the invalid and MUST NOT automatically redirect the user-agent to the invalid
redirect URI. redirect URI.
An AS MUST reject requests without a "code_challenge" from public An AS MUST reject requests without a "code_challenge" from public
skipping to change at page 31, line 28 skipping to change at page 31, line 28
included in the authorization request as described in included in the authorization request as described in
Section 4.1.1, and their values MUST be identical. Section 4.1.1, and their values MUST be identical.
"client_id": REQUIRED, if the client is not authenticating with the "client_id": REQUIRED, if the client is not authenticating with the
authorization server as described in Section 3.2.1. authorization server as described in Section 3.2.1.
"code_verifier": REQUIRED, if the "code_challenge" parameter was "code_verifier": REQUIRED, if the "code_challenge" parameter was
included in the authorization request. MUST NOT be used included in the authorization request. MUST NOT be used
otherwise. The original code verifier string. otherwise. The original code verifier string.
If the client type is confidential or the client was issued client Confidential or credentialed clients MUST authenticate with the
credentials (or assigned other authentication requirements), the authorization server as described in Section 3.2.1.
client MUST authenticate with the authorization server as described
in Section 3.2.1.
For example, the client makes the following HTTP request using TLS For example, the client makes the following HTTP request using TLS
(with extra line breaks for display purposes only): (with extra line breaks for display purposes only):
POST /token HTTP/1.1 POST /token HTTP/1.1
Host: server.example.com Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&code_verifier=3641a2d12d66101249cdf7a79c000c1f8c05d2aafcf14bf146497bed &code_verifier=3641a2d12d66101249cdf7a79c000c1f8c05d2aafcf14bf146497bed
The authorization server MUST: The authorization server MUST:
* require client authentication for confidential clients or for any * require client authentication for confidential and credentialed
client that was issued client credentials (or with other clients (or clients with other authentication requirements),
authentication requirements),
* authenticate the client if client authentication is included, * authenticate the client if client authentication is included,
* ensure that the authorization code was issued to the authenticated * ensure that the authorization code was issued to the authenticated
confidential client, or if the client is public, ensure that the confidential or credentialed client, or if the client is public,
code was issued to "client_id" in the request, ensure that the code was issued to "client_id" in the request,
* verify that the authorization code is valid, * verify that the authorization code is valid,
* verify that the "code_verifier" parameter is present if and only * verify that the "code_verifier" parameter is present if and only
if a "code_challenge" parameter was present in the authorization if a "code_challenge" parameter was present in the authorization
request, request,
* if a "code_verifier" is present, verify the "code_verifier" by * if a "code_verifier" is present, verify the "code_verifier" by
calculating the code challenge from the received "code_verifier" calculating the code challenge from the received "code_verifier"
and comparing it with the previously associated "code_challenge", and comparing it with the previously associated "code_challenge",
after first transforming it according to the after first transforming it according to the
"code_challenge_method" method specified by the client, and "code_challenge_method" method specified by the client, and
* ensure that the "redirect_uri" parameter is present if the * ensure that the "redirect_uri" parameter is present if the
"redirect_uri" parameter was included in the initial authorization "redirect_uri" parameter was included in the initial authorization
request as described in Section 4.1.1.3, and if included ensure request as described in Section 4.1.1.1, and if included ensure
that their values are identical. that their values are identical.
4.1.4. Access Token Response 4.1.4. Access Token Response
If the access token request is valid and authorized, the If the access token request is valid and authorized, the
authorization server issues an access token and optional refresh authorization server issues an access token and optional refresh
token as described in Section 5.1. If the request client token as described in Section 5.1. If the request client
authentication failed or is invalid, the authorization server returns authentication failed or is invalid, the authorization server returns
an error response as described in Section 5.2. an error response as described in Section 5.2.
skipping to change at page 33, line 15 skipping to change at page 33, line 6
4.2. Client Credentials Grant 4.2. Client Credentials Grant
The client can request an access token using only its client The client can request an access token using only its client
credentials (or other supported means of authentication) when the credentials (or other supported means of authentication) when the
client is requesting access to the protected resources under its client is requesting access to the protected resources under its
control, or those of another resource owner that have been previously control, or those of another resource owner that have been previously
arranged with the authorization server (the method of which is beyond arranged with the authorization server (the method of which is beyond
the scope of this specification). the scope of this specification).
The client credentials grant type MUST only be used by confidential The client credentials grant type MUST only be used by confidential
clients. or credentialed clients.
+---------+ +---------------+ +---------+ +---------------+
| | | | | | | |
| |>--(1)- Client Authentication --->| Authorization | | |>--(1)- Client Authentication --->| Authorization |
| Client | | Server | | Client | | Server |
| |<--(2)---- Access Token ---------<| | | |<--(2)---- Access Token ---------<| |
| | | | | | | |
+---------+ +---------------+ +---------+ +---------------+
Figure 4: Client Credentials Flow Figure 4: Client Credentials Flow
skipping to change at page 35, line 36 skipping to change at page 35, line 30
If the access token request is valid and authorized, the If the access token request is valid and authorized, the
authorization server issues an access token and optional refresh authorization server issues an access token and optional refresh
token as described in Section 5.1. If the request failed client token as described in Section 5.1. If the request failed client
authentication or is invalid, the authorization server returns an authentication or is invalid, the authorization server returns an
error response as described in Section 5.2. error response as described in Section 5.2.
5.1. Successful Response 5.1. Successful Response
The authorization server issues an access token and optional refresh The authorization server issues an access token and optional refresh
token, and constructs the response by adding the following parameters token by creating an HTTP response body using the "application/json"
to the payload of the HTTP response with a 200 (OK) status code: media type as defined by [RFC8259] with the following parameters and
an HTTP 200 (OK) status code:
"access_token": REQUIRED. The access token issued by the "access_token": REQUIRED. The access token issued by the
authorization server. authorization server.
"token_type": REQUIRED. The type of the access token issued as "token_type": REQUIRED. The type of the access token issued as
described in Section 7.1. Value is case insensitive. described in Section 7.1. Value is case insensitive.
"expires_in": RECOMMENDED. The lifetime in seconds of the access "expires_in": RECOMMENDED. The lifetime in seconds of the access
token. For example, the value "3600" denotes that the access token. For example, the value "3600" denotes that the access
token will expire in one hour from the time the response was token will expire in one hour from the time the response was
skipping to change at page 36, line 11 skipping to change at page 36, line 5
the expiration time via other means or document the default value. the expiration time via other means or document the default value.
"refresh_token": OPTIONAL. The refresh token, which can be used to "refresh_token": OPTIONAL. The refresh token, which can be used to
obtain new access tokens using the same authorization grant as obtain new access tokens using the same authorization grant as
described in Section 6. described in Section 6.
"scope": OPTIONAL, if identical to the scope requested by the "scope": OPTIONAL, if identical to the scope requested by the
client; otherwise, REQUIRED. The scope of the access token as client; otherwise, REQUIRED. The scope of the access token as
described by Section 3.3. described by Section 3.3.
The parameters are included in the payload of the HTTP response using The parameters are serialized into a JavaScript Object Notation
the "application/json" media type as defined by [RFC7159]. The (JSON) structure by adding each parameter at the highest structure
parameters are serialized into a JavaScript Object Notation (JSON) level. Parameter names and string values are included as JSON
structure by adding each parameter at the highest structure level. strings. Numerical values are included as JSON numbers. The order
Parameter names and string values are included as JSON strings. of parameters does not matter and can vary.
Numerical values are included as JSON numbers. The order of
parameters does not matter and can vary.
The authorization server MUST include the HTTP "Cache-Control" The authorization server MUST include the HTTP "Cache-Control"
response header field [RFC7234] with a value of "no-store" in any response header field [RFC7234] with a value of "no-store" in any
response containing tokens, credentials, or other sensitive response containing tokens, credentials, or other sensitive
information, as well as the "Pragma" response header field [RFC7234] information, as well as the "Pragma" response header field [RFC7234]
with a value of "no-cache". with a value of "no-cache".
For example: For example:
HTTP/1.1 200 OK HTTP/1.1 200 OK
skipping to change at page 38, line 31 skipping to change at page 38, line 26
Content-Type: application/json Content-Type: application/json
Cache-Control: no-store Cache-Control: no-store
Pragma: no-cache Pragma: no-cache
{ {
"error":"invalid_request" "error":"invalid_request"
} }
6. Refreshing an Access Token 6. Refreshing an Access Token
Authorization servers SHOULD determine, based on a risk assessment, Authorization servers SHOULD determine, based on a risk assessment
whether to issue refresh tokens to a certain client. If the and their own policies, whether to issue refresh tokens to a certain
authorization server decides not to issue refresh tokens, the client client. If the authorization server decides not to issue refresh
MAY refresh access tokens by utilizing other grant types, such as the tokens, the client MAY obtain new access tokens by starting the OAuth
authorization code grant type. In such a case, the authorization flow over, for example initiating a new authorization code request.
server may utilize cookies and persistent grants to optimize the user In such a case, the authorization server may utilize cookies and
experience. persistent grants to optimize the user experience.
If refresh tokens are issued, those refresh tokens MUST be bound to If refresh tokens are issued, those refresh tokens MUST be bound to
the scope and resource servers as consented by the resource owner. the scope and resource servers as consented by the resource owner.
This is to prevent privilege escalation by the legitimate client and This is to prevent privilege escalation by the legitimate client and
reduce the impact of refresh token leakage. reduce the impact of refresh token leakage.
If the authorization server issued a refresh token to the client, the 6.1. Refresh Token Request
client makes a refresh request to the token endpoint by adding the
following parameters using the "application/x-www-form-urlencoded" To use a refresh token to obtain a new access token, the client makes
format per Appendix B with a character encoding of UTF-8 in the HTTP a request to the token endpoint by adding the following parameters
request payload: using the "application/x-www-form-urlencoded" format (per Appendix B)
with a character encoding of UTF-8 in the HTTP request payload:
"grant_type": REQUIRED. Value MUST be set to "refresh_token". "grant_type": REQUIRED. Value MUST be set to "refresh_token".
"refresh_token": REQUIRED. The refresh token issued to the client. "refresh_token": REQUIRED. The refresh token issued to the client.
"scope": OPTIONAL. The scope of the access request as described by "scope": OPTIONAL. The scope of the access request as described by
Section 3.3. The requested scope MUST NOT include any scope not Section 3.3. The requested scope MUST NOT include any scope not
originally granted by the resource owner, and if omitted is originally granted by the resource owner, and if omitted is
treated as equal to the scope originally granted by the resource treated as equal to the scope originally granted by the resource
owner. owner.
Because refresh tokens are typically long-lasting credentials used to Because refresh tokens are typically long-lasting credentials used to
request additional access tokens, the refresh token is bound to the request additional access tokens, the refresh token is bound to the
client to which it was issued. If the client type is confidential or client to which it was issued. Confidential or credentialed clients
the client was issued client credentials (or assigned other MUST authenticate with the authorization server as described in
authentication requirements), the client MUST authenticate with the Section 3.2.1.
authorization server as described in Section 3.2.1.
For example, the client makes the following HTTP request using For example, the client makes the following HTTP request using
transport-layer security (with extra line breaks for display purposes transport-layer security (with extra line breaks for display purposes
only): only):
POST /token HTTP/1.1 POST /token HTTP/1.1
Host: server.example.com Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
The authorization server MUST: The authorization server MUST:
* require client authentication for confidential clients or for any * require client authentication for confidential or credentialed
client that was issued client credentials (or with other clients
authentication requirements),
* authenticate the client if client authentication is included and * authenticate the client if client authentication is included and
ensure that the refresh token was issued to the authenticated ensure that the refresh token was issued to the authenticated
client, and client, and
* validate the refresh token. * validate the refresh token.
6.1. Refresh Token Protection
Authorization servers SHOULD utilize one of these methods to detect Authorization servers SHOULD utilize one of these methods to detect
refresh token replay by malicious actors for public clients: refresh token replay by malicious actors for public clients:
* _Sender-constrained refresh tokens:_ the authorization server * _Sender-constrained refresh tokens:_ the authorization server
cryptographically binds the refresh token to a certain client cryptographically binds the refresh token to a certain client
instance by utilizing [I-D.ietf-oauth-token-binding], [RFC8705], instance by utilizing [I-D.ietf-oauth-token-binding], [RFC8705],
[I-D.ietf-oauth-dpop], or another suitable method. [I-D.ietf-oauth-dpop], or another suitable method.
* _Refresh token rotation:_ the authorization server issues a new * _Refresh token rotation:_ the authorization server issues a new
refresh token with every access token refresh response. The refresh token with every access token refresh response. The
skipping to change at page 40, line 25 skipping to change at page 40, line 17
cost of forcing the legitimate client to obtain a fresh cost of forcing the legitimate client to obtain a fresh
authorization grant. authorization grant.
Implementation note: the grant to which a refresh token belongs may Implementation note: the grant to which a refresh token belongs may
be encoded into the refresh token itself. This can enable an be encoded into the refresh token itself. This can enable an
authorization server to efficiently determine the grant to which a authorization server to efficiently determine the grant to which a
refresh token belongs, and by extension, all refresh tokens that need refresh token belongs, and by extension, all refresh tokens that need
to be revoked. Authorization servers MUST ensure the integrity of to be revoked. Authorization servers MUST ensure the integrity of
the refresh token value in this case, for example, using signatures. the refresh token value in this case, for example, using signatures.
6.2. Refresh Token Response
If valid and authorized, the authorization server issues an access If valid and authorized, the authorization server issues an access
token as described in Section 5.1. If the request failed token as described in Section 5.1. If the request failed
verification or is invalid, the authorization server returns an error verification or is invalid, the authorization server returns an error
response as described in Section 5.2. response as described in Section 5.2.
The authorization server MAY issue a new refresh token, in which case The authorization server MAY issue a new refresh token, in which case
the client MUST discard the old refresh token and replace it with the the client MUST discard the old refresh token and replace it with the
new refresh token. The authorization server MAY revoke the old new refresh token. The authorization server MAY revoke the old
refresh token after issuing a new refresh token to the client. If a refresh token after issuing a new refresh token to the client. If a
new refresh token is issued, the refresh token scope MUST be new refresh token is issued, the refresh token scope MUST be
skipping to change at page 40, line 46 skipping to change at page 40, line 40
request. request.
Authorization servers MAY revoke refresh tokens automatically in case Authorization servers MAY revoke refresh tokens automatically in case
of a security event, such as: of a security event, such as:
* password change * password change
* logout at the authorization server * logout at the authorization server
Refresh tokens SHOULD expire if the client has been inactive for some Refresh tokens SHOULD expire if the client has been inactive for some
time, i.e., the refresh token has not been used to obtain fresh time, i.e., the refresh token has not been used to obtain new access
access tokens for some time. The expiration time is at the tokens for some time. The expiration time is at the discretion of
discretion of the authorization server. It might be a global value the authorization server. It might be a global value or determined
or determined based on the client policy or the grant associated with based on the client policy or the grant associated with the refresh
the refresh token (and its sensitivity). token (and its sensitivity).
7. Accessing Protected Resources 7. Accessing Protected Resources
The client accesses protected resources by presenting the access The client accesses protected resources by presenting the access
token to the resource server. The resource server MUST validate the token to the resource server. The resource server MUST validate the
access token and ensure that it has not expired and that its scope access token and ensure that it has not expired and that its scope
covers the requested resource. The methods used by the resource covers the requested resource. The methods used by the resource
server to validate the access token (as well as any error responses) server to validate the access token (as well as any error responses)
are beyond the scope of this specification, but generally involve an are beyond the scope of this specification, but generally involve an
interaction or coordination between the resource server and the interaction or coordination between the resource server and the
skipping to change at page 58, line 25 skipping to change at page 58, line 25
refresh tokens were issued. The authorization server MUST maintain refresh tokens were issued. The authorization server MUST maintain
the binding between a refresh token and the client to whom it was the binding between a refresh token and the client to whom it was
issued. Refresh tokens MUST only be transmitted using TLS as issued. Refresh tokens MUST only be transmitted using TLS as
described in Section 1.6 with server authentication as defined by described in Section 1.6 with server authentication as defined by
[RFC2818]. [RFC2818].
The authorization server MUST verify the binding between the refresh The authorization server MUST verify the binding between the refresh
token and client identity whenever the client identity can be token and client identity whenever the client identity can be
authenticated. When client authentication is not possible, the authenticated. When client authentication is not possible, the
authorization server SHOULD issue sender-constrained refresh tokens authorization server SHOULD issue sender-constrained refresh tokens
or use refresh token rotation as described in or use refresh token rotation as described in (#refreshing-an-access-
(#refresh_token_protection). token).
The authorization server MUST ensure that refresh tokens cannot be The authorization server MUST ensure that refresh tokens cannot be
generated, modified, or guessed to produce valid refresh tokens by generated, modified, or guessed to produce valid refresh tokens by
unauthorized parties. unauthorized parties.
9.6. Client Impersonating Resource Owner 9.6. Client Impersonating Resource Owner
Resource servers may make access control decisions based on the Resource servers may make access control decisions based on the
identity of the resource owner as communicated in the "sub" claim identity of the resource owner as communicated in the "sub" claim
returned by the authorization server in a token introspection returned by the authorization server in a token introspection
skipping to change at page 76, line 41 skipping to change at page 76, line 41
<https://www.rfc-editor.org/info/rfc7595>. <https://www.rfc-editor.org/info/rfc7595>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8252] Denniss, W. and J. Bradley, "OAuth 2.0 for Native Apps", [RFC8252] Denniss, W. and J. Bradley, "OAuth 2.0 for Native Apps",
BCP 212, RFC 8252, DOI 10.17487/RFC8252, October 2017, BCP 212, RFC 8252, DOI 10.17487/RFC8252, October 2017,
<https://www.rfc-editor.org/info/rfc8252>. <https://www.rfc-editor.org/info/rfc8252>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Interchange Format", STD 90, RFC 8259,
<https://www.rfc-editor.org/info/rfc8446>. DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc8259>.
[USASCII] Institute, A.N.S., "Coded Character Set -- 7-bit American [USASCII] Institute, A.N.S., "Coded Character Set -- 7-bit American
Standard Code for Information Interchange, ANSI X3.4", Standard Code for Information Interchange, ANSI X3.4",
1986. 1986.
[W3C.REC-html401-19991224] [W3C.REC-html401-19991224]
Raggett, D., Hors, A., and I. Jacobs, "HTML 4.01 Raggett, D., Hors, A., and I. Jacobs, "HTML 4.01
Specification", World Wide Web Consortium Recommendation Specification", World Wide Web Consortium Recommendation
REC-html401-19991224, 24 December 1999, REC-html401-19991224, 24 December 1999,
<https://www.w3.org/TR/1999/REC-html401-19991224>. <https://www.w3.org/TR/1999/REC-html401-19991224>.
 End of changes. 60 change blocks. 
193 lines changed or deleted 188 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/