Skip to main content

Web Authorization Protocol (oauth)

WG Name Web Authorization Protocol
Acronym oauth
Area Security Area (sec)
State Active
Charter charter-ietf-oauth-05 Approved
Document dependencies
Additional resources Issue tracker, Wiki, Zulip stream
Personnel Chairs Hannes Tschofenig, Rifaat Shekh-Yusef
Area Director Deb Cooley
Mailing list Address
To subscribe
Chat Room address

Charter for Working Group

The Web Authorization (OAuth) protocol allows a user to grant a
third-party web site or application access to the user's protected
resources, without necessarily revealing their long-term credentials,
or even their identity. For example, a photo-sharing site that
supports OAuth could allow its users to use a third-party printing web
site to print their private pictures, without allowing the printing
site to gain full control of the user's account and without having the
user share his or her photo-sharing sites' long-term credential with
the printing site.

The OAuth 2.0 protocol suite already includes

  • a procedure for enabling a client to register with an authorization
  • a protocol for obtaining authorization tokens from an authorization
    server with the resource owner's consent, and
  • protocols for presenting these authorization tokens to protected
    resources for access to a resource.

This protocol suite has been enhanced with functionality for
interworking with legacy identity infrastructure (such as SAML), token
revocation, token exchange, dynamic client registration, token
introspection, a standardized token format with the JSON Web Token, and
specifications that mitigate security attacks, such as Proof Key for
Code Exchange.

The ongoing standardization efforts within the OAuth working group
focus on increasing interoperability of OAuth deployments and to
improve security. More specifically, the working group is defining proof
of possession tokens, developing a discovery mechanism, providing
guidance for the use of OAuth with native apps, re-introducing
the device flow used by devices with limited user interfaces, additional
security enhancements for clients communicating with multiple service
providers, definition of claims used with JSON Web Tokens, techniques to
mitigate open redirector attacks, as well as guidance on encoding state

For feedback and discussion about our specifications please
subscribe to our public mailing list at .

For security related bug reports that relate to our specifications
please contact . If the reported
bug report turns out to be implementation-specific we will attempt
to forward it to the appropriate developers.


Date Milestone Associated documents
Apr 2022 Submit "OAuth 2.0 Authorization Server Issue Identifier in Authorization Response" to IESG draft-ietf-oauth-iss-auth-resp
Jan 2022 Submit "OAuth 2.0 Proof-of-Posession at the Application Layer" to IESG draft-ietf-oauth-dpop
Oct 2021 Submit "OAuth 2.0 for Browser-Based Apps" to IES draft-ietf-oauth-browser-based-apps
Jul 2021 Submit 'OAuth 2.0 Security Best Practice" to IESG draft-ietf-oauth-security-topics
Jul 2021 Submit "OAuth 2.1 Authorization Framework" to IESG draft-ietf-oauth-v2-1
Mar 2021 Submit 'OAuth 2.0 Pushed Authorization Requests" to IESG draft-ietf-oauth-par

Done milestones

Date Milestone Associated documents
Done Submit 'OAuth 2.0 Token Exchange' to the IESG for consideration as a Proposed Standard draft-ietf-oauth-token-exchange
Done Submit 'OAuth 2.0 Device Flow' to the IESG draft-ietf-oauth-device-flow
Done Submit 'OAuth 2.0 Authorization Server Discovery Metadata' to the IESG draft-ietf-oauth-discovery
Done Submit 'OAuth 2.0 for Native Apps' to the IESG draft-ietf-oauth-native-apps
Done Submit 'Authentication Method Reference Values' to the IESG draft-ietf-oauth-amr-values
Done Submit 'Request by JWS ver.1.0 for OAuth 2.0' to the IESG for consideration as a Proposed Standard
Done Submit 'OAuth 2.0 Proof-of-Possession (PoP) Security Architecture' to the IESG
Done Submit 'Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)' to the IESG draft-ietf-oauth-proof-of-possession