OAuth 2.0 for Native Apps

Document Type Replaced Internet-Draft (individual)
Authors William Denniss, John Bradley
Last updated 2016-02-04
Replaced by RFC 8252
Stream (None)
Intended RFC status (None)
Expired & archived
Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG state Replaced by draft-ietf-oauth-native-apps
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


OAuth 2.0 authorization requests from native apps should only be made through external user-agents such as the system browser (including via an in-app browser tab). This specification details the security and usability reasons why this is the case, and how native apps and authorization servers can implement this best practice.


William Denniss (wdenniss@google.com)
John Bradley (ve7jtb@ve7jtb.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)