Resource Indicators for OAuth 2.0
RFC 8707

Document Type RFC - Proposed Standard (February 2020; No errata)
Authors Brian Campbell  , John Bradley  , Hannes Tschofenig 
Last updated 2020-03-09
Replaces draft-campbell-oauth-resource-indicators
Stream IETF
Formats plain text html xml pdf htmlized bibtex
Stream WG state Submitted to IESG for Publication
Document shepherd Rifaat Shekh-Yusef
Shepherd write-up Show (last changed 2019-08-27)
IESG IESG state RFC 8707 (Proposed Standard)
Consensus Boilerplate Yes
Telechat date
Responsible AD Roman Danyliw
Send notices to Rifaat Shekh-Yusef <>
IANA IANA review state IANA OK - Actions Needed
IANA action state RFC-Ed-Ack
IANA expert review state Expert Reviews OK
IANA expert review comments As one of the co-authors is the designated expert, the Area Director has completed the reviews.

Internet Engineering Task Force (IETF)                       B. Campbell
Request for Comments: 8707                                 Ping Identity
Category: Standards Track                                     J. Bradley
ISSN: 2070-1721                                                   Yubico
                                                           H. Tschofenig
                                                             Arm Limited
                                                           February 2020

                   Resource Indicators for OAuth 2.0


   This document specifies an extension to the OAuth 2.0 Authorization
   Framework defining request parameters that enable a client to
   explicitly signal to an authorization server about the identity of
   the protected resource(s) to which it is requesting access.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Notation and Conventions
     1.2.  Terminology
   2.  Resource Parameter
     2.1.  Authorization Request
     2.2.  Access Token Request
   3.  Security Considerations
   4.  Privacy Considerations
   5.  IANA Considerations
     5.1.  OAuth Parameters Registration
     5.2.  OAuth Extensions Error Registration
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Authors' Addresses

1.  Introduction

   Several years of deployment and implementation experience with the
   OAuth 2.0 Authorization Framework [RFC6749] has uncovered a need (in
   some circumstances, such as an authorization server servicing a
   significant number of diverse resources) for the client to explicitly
   signal to the authorization server where it intends to use the access
   token it is requesting.

   Knowing the protected resource (a.k.a. resource server, application,
   API, etc.) that will process the access token enables the
   authorization server to construct the token as necessary for that
   entity.  Properly encrypting the token (or content within the token)
   to a particular resource, for example, requires knowing which
   resource will receive and decrypt the token.  Furthermore, various
   resources oftentimes have different requirements with respect to the
   data contained in (or referenced by) the token, and knowing the
   resource where the client intends to use the token allows the
   authorization server to mint the token accordingly.

   Specific knowledge of the intended recipient(s) of the access token
   also helps facilitate improved security characteristics of the token
   itself.  Bearer tokens, currently the most commonly utilized type of
   OAuth access token, allow any party in possession of a token to get
   access to the associated resources.  To prevent misuse, several
   important security assumptions must hold, one of which is that an
   access token must only be valid for use at a specific protected
   resource and for a specific scope of access.  Section 5.2 of
   [RFC6750], for example, prescribes including the token's intended
   recipients within the token to prevent token redirect.  When the
   authorization server is informed of the resource that will process
   the access token, it can restrict the intended audience of that token
   to the given resource such that the token cannot be used successfully
   at other resources.

   OAuth scope, from Section 3.3 of [RFC6749], is sometimes overloaded
   to convey the location or identity of the protected resource,
   however, doing so isn't always feasible or desirable.  Scope is
   typically about what access is being requested rather than where that
   access will be redeemed (e.g., "email", "admin:org", "user_photos",
   "channels:read", and "channels:write" are a small sample of scope
Show full document text