OAuth 2.0 Token Binding

Document Type: Replaced Internet-Draft (individual)
Authors: Michael Jones, John Bradley, Brian Campbell
Last updated: 2016-07-04
Replaced by: draft-ietf-oauth-token-binding
Stream: (None)
Intended RFC status: (None)
Expired & archived
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Replaced by draft-ietf-oauth-token-binding
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This specification enables OAuth 2.0 implementations to apply Token Binding to Access Tokens and Refresh Tokens. This cryptographically binds these tokens to the TLS connections over which they are intended to be used. This use of Token Binding protects these tokens from man-in-the-middle and token export and replay attacks.


Michael Jones (mbj@microsoft.com)
John Bradley (ve7jtb@ve7jtb.com)
Brian Campbell (brian.d.campbell@gmail.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)