OAuth 2.0: Audience Information
draft-tschofenig-oauth-audience-00

Document Type Expired Internet-Draft (individual)
Last updated 2013-08-22 (latest revision 2013-02-18)
Stream (None)
Intended RFC status (None)
Formats
Expired & archived
plain text pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-tschofenig-oauth-audience-00.txt

Abstract

The OAuth 2.0 Bearer Token specification allows any party in possession of a bearer token to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, two important security assumptions must hold: bearer tokens must be protected from disclosure in storage and in transport and the access token must only be valid for use with a specific resource server (the audience) and with a specific scope. This document defines a new header that is used by the client to indicate what resource server, as the intended recipient, it wants to access. This information is subsequently also communicated by the authorization server securely to the resource server, for example within the audience field of the access token.

Authors

Hannes Tschofenig (Hannes.Tschofenig@gmx.net)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)