On June 8, draft 27 of the OAuth 2.0 Authorization Specification and draft 20 of the OAuth 2.0 Bearer Token Specification were published. They addressed DISCUSS issues and COMMENTs raised for these specifications during IESG review.

Changes made to draft-ietf-oauth-v2 were:

  • Added character set restrictions for error, error_description, and error_uri parameters consistent with the OAuth Bearer spec.
  • Added “resource access error response” as an error usage location in the OAuth Extensions Error Registry.
  • Added an ABNF for all message elements.
  • Corrected editorial issues identified during review.

Changes made to draft-ietf-oauth-v2-bearer were:

  • Added caveat about using a reserved query parameter name being counter to URI namespace best practices.
  • Specified use of Cache-Control options when using the URI Query Parameter method.
  • Changed title to “The OAuth 2.0 Authorization Framework: Bearer Token Usage”.
  • Referenced syntax definitions for the scope, error, error_description, and error_uri parameters in the OAuth 2.0 core spec.
  • Registered the invalid_request, invalid_token, and insufficient_scope error values in the OAuth Extensions Error Registry.
  • Acknowledged additional individuals.

The drafts are available at:

HTML-formatted versions are available at: