OAuth logoNew versions of the OAuth Core and Bearer specs have been published that are intended to address all outstanding issues. (Although see Dick Hardt’s forwarded note from Charles Honton, which may result in an additional issue.)

The specifications are available at:

Changes in http://tools.ietf.org/html/draft-ietf-oauth-v2-29 are:

  • Added “MUST” to “A public client that was not issued a client password MUST use the client_id request parameter to identify itself when sending requests to the token endpoint” and added text explaining why this must be so.
  • Added that the authorization server MUST “ensure the authorization code was issued to the authenticated confidential client or to the public client identified by the client_id in the request”.
  • Added Security Considerations section “Misuse of Access Token to Impersonate Resource Owner in Implicit Flow”.
  • Added references in the “Implicit” and “Implicit Grant” sections to particularly pertinent security considerations.
  • Added appendix “Use of application/x-www-form-urlencoded Media Type” and referenced it in places that this encoding is used.
  • Deleted “;charset=UTF-8” from examples formerly using “Content-Type: application/x-www-form-urlencoded;charset=UTF-8”.
  • Added the phrase “with a character encoding of UTF-8” when describing how to send requests using the HTTP request entity-body.
  • For symmetry when using HTTP Basic authentication, also apply the application/x-www-form-urlencoded encoding to the client password, just as was already done for the client identifier.
  • Added “The ABNF below is defined in terms of Unicode code points [W3C.REC xml 20081126]; these characters are typically encoded in UTF-8”.
  • Replaced UNICODENOCTRLCHAR in ABNF with UNICODECHARNOCRLF = %x09 / %x20-7E / %x80-D7FF / %xE000-FFFD / %x10000-10FFFF.
  • Corrected incorrect uses of “which”.
  • Reduced multiple blank lines around artwork elements to single blank lines.
  • Removed Eran Hammer’s name from the author list, at his request. Dick Hardt is now listed as the editor.

Changes in http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-22 are:

  • Removed uses of HTTPbis in favor of RFC 2616 and RFC 2617, since HTTPbis is not an approved standard.
  • Match formatting of artwork elements with OAuth core specification.

HTML-formatted versions are available at:

Thanks to Dick Hardt for editing the Core specification. Thanks to Julian Reschke for supplying the text in Core Appendix B on the use of the application/x-www-form-urlencoded encoding.