The OAuth 2.0 Authorization Framework: Bearer Token Usage

Approval announcement
Draft of message to be sent after approval:

From: The IESG <>
To: IETF-Announce <>
Cc: RFC Editor <>,
    oauth mailing list <>,
    oauth chair <>
Subject: Protocol Action: 'The OAuth 2.0 Authorization Framework: Bearer Token Usage' to Proposed Standard (draft-ietf-oauth-v2-bearer-23.txt)

The IESG has approved the following document:
- 'The OAuth 2.0 Authorization Framework: Bearer Token Usage'
  (draft-ietf-oauth-v2-bearer-23.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working

The IESG contact persons are Stephen Farrell and Sean Turner.

A URL of this Internet Draft is:

Technical Summary

  This specification describes how to use bearer tokens in HTTP
  requests to access OAuth 2.0 protected resources.  Any party in
  possession of a bearer token (a "bearer") can use it to get access to
  granted resources (without demonstrating possession of a
  cryptographic key).  To prevent misuse, the bearer token MUST be
  protected from disclosure in storage and in transport.

Working Group Summary

  The working group decided to develop two types of mechanisms for
  a client to access a protected resource. The second specification
  is being worked on with draft-ietf-oauth-v2-http-mac. The
  two specifications offer different security properties to allow
  deployments to meet their specific needs. 

Document Quality

  This specification is implemented, deployed and used by Microsoft
  Access Control Service (ACS), Google Apps, Facebook Connect and the
  Graph API, Salesforce, Mitre, and many others.
  Source code is available as well. For example
  + many more, including those listed at


  Hannes Tschofenig is the document shepherd.
  Stephen Farrell is the responsible AD.

RFC Editor Note

1) Please replace text in section 2.1 as follows:


   The "Authorization" header field uses the framework defined by
   HTTP/1.1 [RFC2617] as follows:


   The syntax of the "Authorization" header field for this scheme follows
   the usage of the Basic scheme defined in Section 2 of [RFC2617]. Note
   that, as with Basic, it does not conform to the generic syntax defined
   in Section 1.2 of [RFC2617], but that it is compatible with the the
   general authentication framework being developed for HTTP 1.1
   [I-D.ietf-httpbis-p7-auth], although it does not follow the preferred
   practice outlined therein in order to reflect existing deployments.
   The syntax for Bearer credentials is as follows: 

2) Please add the informative reference needed by the
above in section 7.2, to this Internet draft: