
Web Authorization Protocol

The information below is for an older approved charter
Document Charter Web Authorization Protocol WG (oauth) Snapshot
Title Web Authorization Protocol
Last updated 2009-05-12
State Approved
WG State Active
IESG Responsible AD Roman Danyliw
Charter edit AD (None)
Send notices to (None)

The Web Authorization (OAuth) protocol allows a user to grant a
  third-party Web site or application access to the user's protected
  resources, without necessarily revealing their long-term credentials,
  or even their identity. For example, a photo-sharing site that
  supports OAuth could allow its users to use a third-party printing Web
  site to print their private pictures, without allowing the printing
  site to gain full control of the user's account and without having the
  user share his or her photo-sharing site's long-term credential with
  the printing site.
  The OAuth protocol suite encompasses
  * a procedure for allowing a client to discover an authorization
   server,
  * a protocol for obtaining authorization tokens from an authorization
   server with the resource owner's consent,
  * protocols for presenting these authorization tokens to protected
   resources for access to a resource, and
  * consequently, a means for sharing data in a security- and
   privacy-respecting manner.
  The working group also developed security schemes for presenting
  authorization tokens to access a protected resource. This led to the
  publication of the bearer token, as well as work that remains to be
  completed on message authentication code (MAC) access authentication
  and SAML assertions to interwork with existing identity management
  solutions.  The working group will complete those remaining documents,
  and will also complete documentation of the OAuth threat model that
  was started under the previous charter.
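The components listed above (token issuance with the owner's consent, presentation of the token to a protected resource, and the revocation service named as further work below) fit together as one exchange. The following is an added illustration, not code from the OAuth working group or any RFC: an in-memory authorization server and resource server that issue an opaque token, accept it in the HTTP `Authorization: Bearer` header with the `invalid_token` and `insufficient_scope` challenge errors defined for the bearer scheme, and stop honouring it once revoked. The scope names, the realm `photos`, the fixed clock and the dict-based "HTTP" are assumptions made so the example runs offline.

```python
"""Toy OAuth token lifecycle: issue with consent, present as Bearer, validate, revoke.

Added illustration, not code from the OAuth working group or any RFC.
Scope names ("photos:read"), the realm "photos" and the in-memory stores
are assumptions; HTTP is simulated with dicts so the example runs offline.
"""
import secrets
import time


class AuthorizationServer:
    """Issues opaque access tokens and answers validity questions about them."""

    def __init__(self):
        self._tokens = {}      # token -> metadata (subject, client, scope set, expiry)
        self._revoked = set()  # tokens the owner or client asked us to stop honouring

    def issue_token(self, resource_owner, client_id, scope, ttl=3600, now=None):
        # In the real protocol this follows owner authentication and a consent
        # step; here consent to `scope` for `client_id` is assumed to have happened.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # opaque, unguessable bearer credential
        self._tokens[token] = {
            "sub": resource_owner,
            "client_id": client_id,
            "scope": frozenset(scope.split()),
            "exp": now + ttl,
        }
        return token

    def introspect(self, token, now=None):
        """Return the token's metadata if it is known, unexpired and not revoked."""
        now = time.time() if now is None else now
        meta = self._tokens.get(token)
        if meta is None or token in self._revoked or now >= meta["exp"]:
            return None
        return meta

    def revoke(self, token):
        # Idempotent and silent about whether the token existed, so a caller
        # cannot use the revocation endpoint to probe for valid tokens.
        self._revoked.add(token)


class ResourceServer:
    """Protected resource that accepts tokens in the HTTP Bearer scheme."""

    def __init__(self, auth_server, required_scope, realm="photos"):
        self.auth_server = auth_server
        self.required_scope = required_scope
        self.realm = realm

    def _challenge(self, error=None):
        # WWW-Authenticate challenge with the Bearer scheme's error codes.
        params = f'Bearer realm="{self.realm}"'
        if error:
            params += f', error="{error}"'
        return {"WWW-Authenticate": params}

    def handle_request(self, headers, now=None):
        """Return (status, body_or_headers) for a request carrying `headers`."""
        scheme, _, credential = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not credential.strip():
            return 401, self._challenge()                  # no usable credential
        meta = self.auth_server.introspect(credential.strip(), now)
        if meta is None:
            return 401, self._challenge("invalid_token")   # unknown, expired or revoked
        if self.required_scope not in meta["scope"]:
            return 403, self._challenge("insufficient_scope")
        # The client never sees the owner's password; it gets only what the scope permits.
        return 200, {"owner": meta["sub"], "photos": ["holiday-001.jpg"]}


def run_lifecycle():
    """Walk through the exchange and return the HTTP status seen at each step."""
    auth = AuthorizationServer()
    photos = ResourceServer(auth, required_scope="photos:read")
    t0 = 1_700_000_000  # constructed fixed clock so expiry is deterministic

    # 1. Owner consents; the printing site gets a read-only token valid for one hour.
    token = auth.issue_token("alice", "printing-site", "photos:read", ttl=3600, now=t0)
    steps = {}
    steps["no_header"] = photos.handle_request({}, now=t0)[0]
    steps["valid"] = photos.handle_request({"Authorization": f"Bearer {token}"}, now=t0)[0]
    steps["expired"] = photos.handle_request({"Authorization": f"Bearer {token}"}, now=t0 + 3601)[0]

    # 2. A token carrying the wrong scope is rejected at the resource, not at the AS.
    weak = auth.issue_token("alice", "printing-site", "profile:read", now=t0)
    steps["wrong_scope"] = photos.handle_request({"Authorization": f"Bearer {weak}"}, now=t0)[0]

    # 3. Revocation takes effect at once because the resource asks the AS each time.
    auth.revoke(token)
    steps["revoked"] = photos.handle_request({"Authorization": f"Bearer {token}"}, now=t0)[0]
    return steps


if __name__ == "__main__":
    for step, status in run_lifecycle().items():
        print(f"{step:12s} -> HTTP {status}")
```

The resource server consults the authorization server on every request, which is what makes revocation immediate; a deployment that validates self-contained tokens locally instead would need a separate mechanism (short lifetimes or a revocation check) to get the same effect.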
  The ongoing standardization effort within the OAuth working group will
  focus on enhancing interoperability of OAuth deployments.  A standard
  for a token revocation service, specified separately from the existing
  token types so that it can be added to the token repertoire, will
  enable wider deployment of OAuth.  Extended documentation of OAuth use
  cases will
  enhance the understanding of the OAuth framework and provide
  assistance to implementors.  And dynamic client registration will make
  it easier to broadly deploy OAuth clients (performing services to