Technical Summary
This specification describes how to use bearer tokens in HTTP
requests to access OAuth 2.0 protected resources. Any party in
possession of a bearer token (a "bearer") can use it to get access to
granted resources (without demonstrating possession of a
cryptographic key). To prevent misuse, the bearer token MUST be
protected from disclosure in storage and in transport.
Working Group Summary
The working group decided to develop two types of mechanisms for
a client to access a protected resource. The second specification
is being developed as draft-ietf-oauth-v2-http-mac. The
two specifications offer different security properties to allow
deployments to meet their specific needs.
Document Quality
This specification is implemented, deployed and used by Microsoft
Access Control Service (ACS), Google Apps, Facebook Connect and the
Graph API, Salesforce, Mitre, and many others.
Source code is available as well. For example:
http://static.springsource.org/spring-security/oauth/
http://incubator.apache.org/projects/amber.html
https://github.com/nov/rack-oauth2
and many more, including those listed at
https://github.com/teohm/teohm.github.com/wiki/OAuth
Personnel
Hannes Tschofenig is the document shepherd.
Stephen Farrell is the responsible AD.
RFC Editor Note
1) Please replace text in section 2.1 as follows:
OLD:
The "Authorization" header field uses the framework defined by
HTTP/1.1 [RFC2617] as follows:
NEW:
The syntax of the "Authorization" header field for this scheme follows
the usage of the Basic scheme defined in Section 2 of [RFC2617]. Note
that, as with Basic, it does not conform to the generic syntax defined
in Section 1.2 of [RFC2617], but that it is compatible with the
general authentication framework being developed for HTTP 1.1
[I-D.ietf-httpbis-p7-auth], although it does not follow the preferred
practice outlined therein in order to reflect existing deployments.
The syntax for Bearer credentials is as follows:
2) Please add to section 7.2 the informative reference needed by the
text above, pointing to this Internet draft:
http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth
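As an added example, not part of this writeup or of the draft, the following Python resource-server check illustrates the two points above: a bearer token is usable by whoever holds it, so it is only accepted over a protected transport, and Bearer credentials take the Basic-style shape (scheme name followed by one opaque token) rather than the generic name=value auth-param list. The token alphabet, the sample token and the token store are assumptions made for this example.

```python
import hmac
import re

# Bearer credentials follow the shape of HTTP Basic (RFC 2617 Section 2):
# the scheme name, whitespace, then a single opaque token, rather than the
# generic auth-param (name=value) list of RFC 2617 Section 1.2.
# The accepted token alphabet below is an assumption for this example:
# the base64/base64url characters with optional '=' padding.
_BEARER_RE = re.compile(r"^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$")

# Constructed sample token store (opaque token -> granted scope).
# A real resource server would consult the authorization server's store.
TOKEN_STORE = {"tok-2f8a.Q9xK_7": "read:profile"}


def parse_bearer(authorization_value):
    """Return the token from an Authorization header value, or None when
    the value is not well-formed Bearer credentials (wrong scheme, no
    token, or the generic name=value form)."""
    match = _BEARER_RE.match(authorization_value.strip())
    return match.group(1) if match else None


def authorize(headers, secure_transport):
    """Decide whether a request may access the protected resource.
    headers: dict of request headers (names compared case-insensitively).
    secure_transport: True when the request arrived over TLS.
    Returns the granted scope, or None when access is refused."""
    # Anyone holding the bearer token can use it, so a token sent over an
    # unprotected channel must be treated as disclosed: refuse it.
    if not secure_transport:
        return None
    value = next((v for k, v in headers.items()
                  if k.lower() == "authorization"), None)
    if value is None:
        return None
    token = parse_bearer(value)
    if token is None:
        return None
    # Constant-time comparison so a timing side channel does not leak
    # which leading bytes of a guessed token matched.
    for stored, scope in TOKEN_STORE.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return scope
    return None
```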