OAuth 2.0 Security: Going Beyond Bearer Tokens
draft-tschofenig-oauth-security-01
| Document | Type |
Expired Internet-Draft
(individual)
Expired & archived
|
|
|---|---|---|---|
| Authors | Hannes Tschofenig , Phil Hunt | ||
| Last updated | 2013-06-19 (Latest revision 2012-12-16) | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | Expired | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
The OAuth working group has finished work on the OAuth 2.0 core protocol as well as the Bearer Token specification. The Bearer Token is a TLS-based solution for ensuring that neither the interaction with the Authorization Server (when requesting a token) nor the interaction with the Resource Server (for accessing a protected resource) leads to token leakage. There has, however, always been the desire to develop a security solution that is "better" than Bearer Tokens (or at least different) where the Client needs to show possession of some keying material when accessing a Resource Server. This document tries to capture the discussion and to come up with requirements to process the work on solutions. This document aims to discuss threats, security requirements and desired design properties of an enhanced OAuth security mechanism.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)