Web Authorization Protocol
charter-ietf-oauth-04

Charter for "Web Authorization Protocol" (oauth) WG
WG State: Active
Charter State:
Responsible AD: none

Send notices to: none
Last updated: 2009-05-12


Charter charter-ietf-oauth-04

The Web Authorization (OAuth) protocol allows a user to grant a
  third-party Web site or application access to the user's protected
  resources, without necessarily revealing their long-term credentials,
  or even their identity. For example, a photo-sharing site that
  supports OAuth could allow its users to use a third-party printing Web
  site to print their private pictures, without allowing the printing
  site to gain full control of the user's account and without having the
  user share his or her photo-sharing site's long-term credential with
  the printing site.
  
  The OAuth protocol suite encompasses
  
  * a procedure for allowing a client to discover an authorization
    server,
  * a protocol for obtaining authorization tokens from an authorization
    server with the resource owner's consent,
  * protocols for presenting these authorization tokens to protected
    resources for access to a resource, and
  * consequently, a way of sharing data that respects security and
    privacy.
  
  The working group also developed security schemes for presenting
  authorization tokens to access a protected resource. This led to the
  publication of the bearer token, as well as work that remains to be
  completed on message authentication code (MAC) access authentication
  and SAML assertions to interwork with existing identity management
  solutions.  The working group will complete those remaining documents,
  and will also complete documentation of the OAuth threat model that
  was started under the previous charter.
  
  The ongoing standardization effort within the OAuth working group will
  focus on enhancing interoperability of OAuth deployments.  A standard
  for a token revocation service, defined as a separate building block
  alongside the existing token types in the token repertoire, will
  enable wider deployment of OAuth.  Extended documentation of OAuth use
  cases will enhance the understanding of the OAuth framework and provide
  assistance to implementors.  Dynamic client registration will make it
  easier to broadly deploy OAuth clients (which perform services for
  users).