OAuth 2.0 Security: Going Beyond Bearer Tokens
draft-tschofenig-oauth-security-01

Document type: Expired Internet-Draft (individual)
Last updated: 2013-06-19 (latest revision 2012-12-16)
Stream: (None)
Intended RFC status: (None)
Formats: expired and archived
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor note: (None)
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-tschofenig-oauth-security-01.txt

Abstract

The OAuth working group has finished work on the OAuth 2.0 core protocol as well as the Bearer Token specification. The Bearer Token is a TLS-based solution for ensuring that neither the interaction with the Authorization Server (when requesting a token) nor the interaction with the Resource Server (when accessing a protected resource) leads to token leakage. There has, however, always been the desire to develop a security solution that is "better" than Bearer Tokens (or at least different), in which the Client needs to demonstrate possession of some keying material when accessing a Resource Server. This document tries to capture that discussion and to derive requirements for progressing the work on solutions. It aims to discuss the threats, security requirements and desired design properties of an enhanced OAuth security mechanism.

Authors

Hannes Tschofenig (Hannes.Tschofenig@gmx.net)
Phil Hunt (phil.hunt@yahoo.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)