Web Authorization Protocol
charter-ietf-oauth-05-04

The Web Authorization (OAuth) protocol is a delegation protocol that allows users to grant third-party applications limited access to their resources without sharing their long-term credentials, or even their identity. For example, a photo-sharing site that supports OAuth could allow its users to use a third-party printing website to print their private pictures, without allowing the printing site to gain full control of the user's account and without requiring the user to share their long-term credentials with the printing site.

As automated agents increasingly act on behalf of users, organizations, or both, these delegation patterns become increasingly involved and complex.

The OAuth 2.0 protocol framework already includes:

• A procedure for enabling a client to register with an authorization server.
• A protocol for obtaining authorization tokens from an authorization server with the resource owner's consent.
• Protocols for presenting these authorization tokens to protected resources for access.

This framework has been enhanced with functionality for interworking with legacy identity infrastructure, token revocation, token exchange, dynamic client registration, token introspection, and standardized formats like JSON Web Token (JWT). It also includes specifications to mitigate security attacks, such as Proof Key for Code Exchange (PKCE), native app support, step-up authentication, and Demonstrating Proof of Possession (DPoP).

Work Program

The working group is now tackling these topics which will be published as Standards Track or BCPs:

• Consolidation: Finalizing OAuth 2.1 to consolidate the core framework and incorporate established security best practices into a single baseline.
• Digital Credentials: Completing Selective Disclosure for JSON Web Tokens (SD-JWT), SD-JWT-based Verifiable Credentials (SD-JWT VC), and Token Status List (TSL) to support privacy-preserving attribute disclosure.
• Complex Delegation: Developing new mechanisms or/and extensions for authorization of automated agents working on behalf of users, including addressing scenarios where automated agents act across multiple administrative domains.
• First-Party Integration: Standardizing patterns for first-party applications to provide a secure, interoperable alternative to proprietary extensions.
• Security Maintenance: Maintaining and updating Best Current Practices (BCPs) for browser-based and native applications to address evolving web security models.

Coordination

To ensure interoperability and avoid duplication of effort, the working group will coordinate with:

• WIMSE (Workload Identity in Multi-System Environments): On the application of OAuth-based tokens (e.g., Token Exchange and DPoP) for service-to-service and multi-hop workload identities.
• Secure Patterns for Internet CrEdentials (SPICE): on the application of SD-CWT and other CBOR related work.
• EU Wallet Initiative: To ensure that SD-JWT and related credential formats remain compatible with broader architectural requirements for digital wallets and verifiable presentations.