I’ve published draft 04 of the OAuth Bearer Token Specification. All changes were in response to working group last call feedback on draft 03. The changes in this draft were:

  • Added Bearer Token definition in Terminology section.
  • Changed parameter name “oauth_token” to “bearer_token”.
  • Added realm parameter to “WWW-Authenticate” response to comply with [RFC2617].
  • Removed “[ RWS 1#auth-param ]” from “credentials” definition since it did not comply with the ABNF in [I-D.ietf-httpbis-p7-auth].
  • Removed restriction that the “bearer_token” (formerly “oauth_token”) parameter be the last parameter in the entity-body and the HTTP request URI query.
  • Do not require WWW-Authenticate Response in a reply to a malformed request, as an HTTP 400 Bad Request response without a WWW-Authenticate header is likely the right response in some cases of malformed requests.
  • Removed OAuth Parameters registry extension.
  • Numerous editorial improvements suggested by working group members.

The draft is available at these locations: