
OAuth 2.0 Token Binding

Document Type: Replaced Internet-Draft (individual); Expired & archived
Authors: Michael B. Jones, John Bradley, Brian Campbell
Last updated: 2016-07-04
Replaced by: draft-ietf-oauth-token-binding
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Replaced by draft-ietf-oauth-token-binding
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.


This specification enables OAuth 2.0 implementations to apply Token Binding to Access Tokens and Refresh Tokens. This cryptographically binds these tokens to the TLS connections over which they are intended to be used. This use of Token Binding protects these tokens from man-in-the-middle and token export and replay attacks.


Michael B. Jones
John Bradley
Brian Campbell

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)