OAuth 2.0 Token Introspection
draft-ietf-oauth-introspection-07
| The information below is for an old version of the document |
| Document |
Type |
|
Active Internet-Draft (oauth WG)
|
|
Author |
|
Justin Richer
|
|
Last updated |
|
2015-04-19
(latest revision 2015-03-27)
|
|
Replaces |
|
draft-richer-oauth-introspection
|
|
Stream |
|
Internent Engineering Task Force (IETF)
|
|
Formats |
|
pdf
htmlized (tools)
htmlized
bibtex
|
|
Reviews |
|
|
| Stream |
WG state
|
|
Submitted to IESG for Publication
|
|
Document shepherd |
|
Hannes Tschofenig
|
|
Shepherd write-up |
|
Show
(last changed 2015-04-08)
|
| IESG |
IESG state |
|
AD Evaluation
|
|
Consensus Boilerplate |
|
Unknown
|
|
Telechat date |
|
|
|
Responsible AD |
|
Kathleen Moriarty
|
|
Send notices to |
|
draft-ietf-oauth-introspection@ietf.org, draft-ietf-oauth-introspection.ad@ietf.org, draft-ietf-oauth-introspection.shepherd@ietf.org, Hannes.Tschofenig@gmx.net, oauth-chairs@ietf.org
|
OAuth Working Group J. Richer, Ed.
Internet-Draft March 27, 2015
Intended status: Standards Track
Expires: September 28, 2015
OAuth 2.0 Token Introspection
draft-ietf-oauth-introspection-07
Abstract
This specification defines a method for a protected resource to query
an OAuth 2.0 authorization server to determine the active state of an
OAuth 2.0 token and to determine meta-information about this token.
OAuth 2.0 deployments can use this method to convey information about
the authorization context of the token from the authorization server
to the protected resource.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 28, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Richer Expires September 28, 2015 [Page 1]
Internet-Draft oauth-introspection March 2015
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Introspection Endpoint . . . . . . . . . . . . . . . . . . . 3
2.1. Introspection Request . . . . . . . . . . . . . . . . . . 4
2.2. Introspection Response . . . . . . . . . . . . . . . . . 5
2.3. Error Response . . . . . . . . . . . . . . . . . . . . . 8
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
3.1. OAuth Token Introspection Response Registry . . . . . . . 8
3.1.1. Registration Template . . . . . . . . . . . . . . . . 9
3.1.2. Initial Registry Contents . . . . . . . . . . . . . . 9
4. Security Considerations . . . . . . . . . . . . . . . . . . . 11
5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 13
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
7.1. Normative References . . . . . . . . . . . . . . . . . . 13
7.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. Use with Proof of Posession Tokens . . . . . . . . . 14
Appendix B. Document History . . . . . . . . . . . . . . . . . . 15
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction
In OAuth 2.0, the contents of tokens are opaque to clients. This
means that the client does not need to know anything about the
content or structure of the token itself, if there is any. However,
there is still a large amount of metadata that may be attached to a
token, such as its current validity, approved scopes, and information
about the context in which the token was issued. These pieces of
information are often vital to protected resources making
authorization decisions based on the tokens being presented. Since
OAuth 2.0 [RFC6749] does not define a protocol for the resource
server to learn meta-information about a token that is has received
from an authorization server, several different approaches have been
developed to bridge this gap. These include using structured token
formats such as JWT [JWT] or proprietary inter-service communication
mechanisms (such as shared databases and protected enterprise service
buses) that convey token information.
Richer Expires September 28, 2015 [Page 2]
Show full document text