October 12, 2012
OAuth 2.0 RFCs Completed

The OAuth 2.0 Core and Bearer specifications are now RFC 6749 and RFC 6750. This completes the journey to standardize a pair of simple identity specifications that are already in very widespread use for Web, enterprise, cloud, and mobile applications. They make things better by enabling access to a resource to be granted to a third party without handing that party the resource owner's password (a pattern that used to be all too common).

I believe that the completion of these RFCs will only accelerate the momentum behind the adoption of simple REST/JSON based identity solutions. Some of the related standards that are already well under way and in use include the OAuth Assertion Framework, the OAuth SAML 2.0 Assertion Profile and OAuth JWT Assertion Profile, JSON Web Token (JWT), the JSON Object Signing and Encryption (JOSE) specs – JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), and JSON Web Algorithms (JWA), and OpenID Connect. Watch this space for future developments. Like OAuth 2.0, all of these are the product of collaboration by numerous people around the world and in many industries to build and deploy simple, usable identity solutions that solve real-world problems.

The goal of all these specs is to standardize functionality that is not only useful, but is simple enough that it will actually be used. OAuth 2.0 is an early success story in this regard. While the number of words in the spec has increased since early drafts, most of that is due to doing a more complete job of describing things not to do (adding security considerations), rather than adding bells and whistles. It doesn't get much simpler than a redirect to the authorization endpoint, an HTTP POST to the token endpoint (RFC 6749 requires POST for token requests), and a bearer token carried in an Authorization header, with simple request parameters and JSON responses.

Dick Hardt deserves special thanks for his role both in starting what became OAuth 2.0 and seeing it through to completion. I recommend his post on the process that brought us the OAuth 2.0 RFCs.

3 Responses to “OAuth 2.0 RFCs Completed”

  1. OAuth 2.0 :: RFCs 6749 and 6750 on 13 Oct 2012 at 8:10 am #

    [...] audience as the API was described.  With this work now complete, many of us can now focus on the next layers in the identity [...]

  2. Mike Jones on 15 Oct 2012 at 12:05 pm #

    Since people have asked, I’ve also made HTML-formatted versions of the specs available. See http://self-issued.info/docs/rfc6749.html and http://self-issued.info/docs/rfc6750.html.

  3. Mike Jones: self-issued » OAuth 2.0 and Sign-In on 02 Jan 2013 at 10:06 am #

    [...] Bertocci wrote on the relationship between OAuth 2.0 and sign-in/federation protocols. While OAuth 2.0 can be used to sign in users and the term “OAuth” is often bandied about in identity contexts, [...]
