In preparation for the OAuth working group meeting on Monday, I’ve published draft 05 of the OAuth Bearer Token Specification, incorporating input received from the OAuth design team. The changes in this draft are:

  • Removed OAuth Errors Registry, per design team input.
  • Changed HTTP status code for invalid_request error code from HTTP 400 (Bad Request) to HTTP 401 (Unauthorized) to match HTTP usage [[ change pending working group consensus ]].
  • Added missing quotation marks in error-uri definition.
  • Added note to add language and encoding information to error_description if the core specification does.
  • Explicitly reference the Augmented Backus-Naur Form (ABNF) defined in [RFC5234].
  • Use auth-param instead of repeating its definition, which is ( token "=" ( token / quoted-string ) ).
  • Clarify security considerations about including an audience restriction in the token and include a recommendation to issue scoped bearer tokens in the summary of recommendations.
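
As an added illustration of the last three items (not code from the draft or from this post), the following resource-server check rejects a bearer token whose audience is not this server, rejects one whose scope does not cover the operation, and serializes the challenge parameters as auth-params ( token "=" ( token / quoted-string ) ). The token is a constructed dict standing in for a validated token's claims, the error URI is a placeholder, and the invalid_token and insufficient_scope error codes are assumed from the published RFC 6750 rather than taken from this post.

```python
# Added example, not from the draft or the post. Demonstrates: audience
# restriction, scoped bearer tokens, error_description / error_uri, and
# challenge parameters serialized as auth-params
# ( token "=" ( token / quoted-string ) ).
import re

# Characters allowed in an HTTP 'token' (anything else must be a quoted-string).
TOKEN_CHARS = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def auth_param(name, value, quote=False):
    """Serialize one auth-param; quote the value unless it is a bare token."""
    if not quote and TOKEN_CHARS.match(value):
        return f"{name}={value}"
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{name}="{escaped}"'

def bearer_challenge(realm, **params):
    """Build a WWW-Authenticate: Bearer challenge; realm is always quoted."""
    parts = [auth_param("realm", realm, quote=True)]
    parts += [auth_param(k, v) for k, v in params.items()]
    return "Bearer " + ", ".join(parts)

ERROR_URI = "https://example.invalid/errors"  # constructed placeholder

def check_bearer(token, expected_aud, required_scope, realm="api"):
    """Return (http_status, www_authenticate_header_or_None).

    token: constructed dict with 'aud' (audience) and 'scope' (space-separated
    scope values), or None when the request carried no usable bearer token.
    Error codes other than invalid_request are assumed from RFC 6750.
    """
    if token is None:
        # Draft 05 maps invalid_request to 401 (pending WG consensus).
        return 401, bearer_challenge(realm, error="invalid_request",
                                     error_description="missing bearer token",
                                     error_uri=ERROR_URI + "#invalid_request")
    if token.get("aud") != expected_aud:
        # Audience restriction: a token minted for another resource is refused.
        return 401, bearer_challenge(realm, error="invalid_token",
                                     error_description="token audience mismatch")
    granted = set(token.get("scope", "").split())
    if required_scope not in granted:
        # Scoped token: valid, but does not cover this operation.
        return 403, bearer_challenge(realm, error="insufficient_scope",
                                     scope=required_scope)
    return 200, None
```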

The draft is available at these locations: