Month: June 2012

OAuth Core draft -28 has been published. Changes were:

• Updated the ABNF in the manner discussed by the working group, allowing username and password to be Unicode and restricting client_id and client_secret to ASCII.
• Specifies the use of the application/x-www-form-urlencoded content-type encoding method to encode the client_id when used as the password for HTTP Basic.

OAuth Bearer draft -21 has also been published. Changes were:

• Changed “NOT RECOMMENDED” to “not recommended” in caveat about the URI Query Parameter method.
• Changed “other specifications may extend this specification for use with other transport protocols” to “other specifications may extend this specification for use with other protocols”.
• Changed Acknowledgements to use only ASCII characters, per the RFC style guide.

The drafts are available at:

• http://tools.ietf.org/html/draft-ietf-oauth-v2-28
• http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-21

HTML-formatted versions are available at:

• https://self-issued.info/docs/draft-ietf-oauth-v2-28.html
• https://self-issued.info/docs/draft-ietf-oauth-v2-bearer-21.html

Thanks to Eran Hammer for approving the Core draft posting.

On June 8, draft 27 of the OAuth 2.0 Authorization Specification and draft 20 of the OAuth 2.0 Bearer Token Specification were published. They addressed DISCUSS issues and COMMENTs raised for these specifications during IESG review.

Changes made to draft-ietf-oauth-v2 were:

• Added character set restrictions for error, error_description, and error_uri parameters consistent with the OAuth Bearer spec.
• Added “resource access error response” as an error usage location in the OAuth Extensions Error Registry.
• Added an ABNF for all message elements.
• Corrected editorial issues identified during review.

Changes made to draft-ietf-oauth-v2-bearer were:

• Added caveat about using a reserved query parameter name being counter to URI namespace best practices.
• Specified use of Cache-Control options when using the URI Query Parameter method.
• Changed title to “The OAuth 2.0 Authorization Framework: Bearer Token Usage”.
• Referenced syntax definitions for the scope, error, error_description, and error_uri parameters in the OAuth 2.0 core spec.
• Registered the invalid_request, invalid_token, and insufficient_scope error values in the OAuth Extensions Error Registry.
• Acknowledged additional individuals.

The drafts are available at:

• http://tools.ietf.org/html/draft-ietf-oauth-v2-27
• http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20

HTML-formatted versions are available at:

• https://self-issued.info/docs/draft-ietf-oauth-v2-27.html
• https://self-issued.info/docs/draft-ietf-oauth-v2-bearer-20.html