OAuth logoI’ve published draft 02 of the bearer token specification. This incorporates consensus feedback received to date. It contains no normative changes relative to draft 01. Your feedback is solicited. Specific changes were:

  • Changed terminology from “token reuse” to “token capture and replay”.
  • Removed sentence “Encrypting the token contents is another alternative” from the security considerations since it was redundant and potentially confusing.
  • Corrected some references to “resource server” to be “authorization server” in the security considerations.
  • Generalized security considerations language about obtaining consent of the resource owner.
  • Broadened scope of security considerations description for recommendation “Don’t pass bearer tokens in page URLs”.
  • Removed unused reference to OAuth 1.0.
  • Updated reference to framework specification and updated David Recordon’s e-mail address.
  • Removed security considerations text on authenticating clients.
  • Registered the “OAuth2” OAuth access token type and “oauth_token” parameter.

The draft is available at these locations:

This version is explicitly not ready for working group last call, as changes may need to be made due to the open issues in the framework spec about the removal of the Client Assertion Credentials and OAuth2 HTTP Authentication Scheme.