Web Authorization Protocol (oauth)
Name: Web Authorization Protocol
Acronym: oauth
Area: Security Area (sec)
State: Active
Charter: charter-ietf-oauth-05 (Approved)
Additional resources: Issue tracker, Wiki, Zulip stream
Personnel
Chairs: Hannes Tschofenig, Rifaat Shekh-Yusef
Area Director: Deb Cooley
Delegate: Michael B. Jones
Mailing list address: oauth@ietf.org
Charter for Working Group
The Web Authorization (OAuth) protocol allows a user to grant a
third-party web site or application access to the user's protected
resources, without necessarily revealing their long-term credentials,
or even their identity. For example, a photo-sharing site that
supports OAuth could allow its users to use a third-party printing web
site to print their private pictures, without allowing the printing
site to gain full control of the user's account and without having the
user share their photo-sharing site's long-term credentials with
the printing site.
The OAuth 2.0 protocol suite already includes:
- a procedure for enabling a client to register with an authorization
  server,
- a protocol for obtaining authorization tokens from an authorization
  server with the resource owner's consent, and
- protocols for presenting these authorization tokens to protected
  resources for access to a resource.
This protocol suite has been enhanced with functionality for
interworking with legacy identity infrastructure (such as SAML), token
revocation, token exchange, dynamic client registration, token
introspection, a standardized token format with the JSON Web Token, and
specifications that mitigate security attacks, such as Proof Key for
Code Exchange.
The ongoing standardization efforts within the OAuth working group
focus on increasing the interoperability of OAuth deployments and on
improving security. More specifically, the working group is defining
proof-of-possession tokens, developing a discovery mechanism, providing
guidance for the use of OAuth with native apps, re-introducing
the device flow used by devices with limited user interfaces, additional
security enhancements for clients communicating with multiple service
providers, definitions of claims used with JSON Web Tokens, techniques to
mitigate open redirector attacks, as well as guidance on encoding state
information.
For feedback and discussion about our specifications, please
subscribe to our public mailing list at .
For security-related bug reports that relate to our specifications,
please contact . If the reported
bug turns out to be implementation-specific, we will attempt
to forward it to the appropriate developers.
Milestones
Date | Milestone | Associated documents
2022-04-30 | Submit "OAuth 2.0 Authorization Server Issue Identifier in Authorization Response" to IESG | rfc9207 (was draft-ietf-oauth-iss-auth-resp)
2022-01-31 | Submit "OAuth 2.0 Proof-of-Possession at the Application Layer" to IESG | rfc9449 (was draft-ietf-oauth-dpop)
2021-10-31 | Submit "OAuth 2.0 for Browser-Based Apps" to IESG | draft-ietf-oauth-browser-based-apps
2021-07-31 | Submit "OAuth 2.0 Security Best Practice" to IESG | rfc9700 (was draft-ietf-oauth-security-topics)
2021-07-31 | Submit "OAuth 2.1 Authorization Framework" to IESG | draft-ietf-oauth-v2-1
2021-03-31 | Submit "OAuth 2.0 Pushed Authorization Requests" to IESG | rfc9126 (was draft-ietf-oauth-par)
Done milestones
Date | Milestone | Associated documents
Done | Submit "OAuth 2.0 Token Exchange" to the IESG for consideration as a Proposed Standard | rfc8693 (was draft-ietf-oauth-token-exchange)
Done | Submit "OAuth 2.0 Device Flow" to the IESG | rfc8628 (was draft-ietf-oauth-device-flow)
Done | Submit "OAuth 2.0 Authorization Server Discovery Metadata" to the IESG | rfc8414 (was draft-ietf-oauth-discovery)
Done | Submit "OAuth 2.0 for Native Apps" to the IESG | rfc8252 (was draft-ietf-oauth-native-apps)
Done | Submit "Authentication Method Reference Values" to the IESG | rfc8176 (was draft-ietf-oauth-amr-values)
Done | Submit "Request by JWS ver.1.0 for OAuth 2.0" to the IESG for consideration as a Proposed Standard |
Done | Submit "OAuth 2.0 Proof-of-Possession (PoP) Security Architecture" to the IESG |
Done | Submit "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" to the IESG | rfc7800 (was draft-ietf-oauth-proof-of-possession)