{"id":597,"date":"2011-11-11T16:50:04","date_gmt":"2011-11-11T23:50:04","guid":{"rendered":"https:\/\/self-issued.info\/?p=597"},"modified":"2011-11-11T16:50:04","modified_gmt":"2011-11-11T23:50:04","slug":"oauth-2-0-bearer-token-specification-draft-14","status":"publish","type":"post","link":"https:\/\/self-issued.info\/?p=597","title":{"rendered":"OAuth 2.0 Bearer Token Specification Draft -14"},"content":{"rendered":"<p><span class=\"plain\"><img decoding=\"async\" align=\"right\" src=\"https:\/\/self-issued.info\/images\/oauth_logo_120x120.png\" alt=\"OAuth logo\" \/><\/span><a href=\"https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer-14.html\">Draft 14<\/a> of the <a href=\"https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer.html\">OAuth 2.0 Bearer Token Specification<\/a> has been published.  It contains the following changes:<\/p>\n<ul>\n<li>Changes made in response to review comments by Security Area Director Stephen Farrell. Specifically:<\/li>\n<li>Strengthened warnings about passing an access token as a query parameter and more precisely described the limitations placed upon the use of this method.<\/li>\n<li>Clarified that the realm attribute MAY be included to indicate the scope of protection in the manner described in HTTP\/1.1, Part 7 [I-D.ietf-httpbis-p7-auth].<\/li>\n<li>Normatively stated that &#8220;the token integrity protection MUST be sufficient to prevent the token from being modified&#8221;.<\/li>\n<li>Added statement that &#8220;TLS is mandatory to implement and use with this specification&#8221; to the introduction.<\/li>\n<li>Stated that TLS MUST be used with &#8220;a ciphersuite that provides confidentiality and integrity protection&#8221;.<\/li>\n<li>Added &#8220;As a further defense against token disclosure, the client MUST validate the TLS certificate chain when making requests to protected resources&#8221; to the Threat Mitigation section.<\/li>\n<li>Clarified that putting a validity time field inside the protected 
part of the token is one means, but not the only means, of limiting the lifetime of the token.<\/li>\n<li>Dropped the confusing phrase &#8220;for instance, through the use of TLS&#8221; from the sentence about confidentiality protection of the exchanges.<\/li>\n<li>Reference RFC 6125 for identity verification, rather than RFC 2818.<\/li>\n<li>Stated that the token MUST be protected between front end and back end servers when the TLS connection terminates at a front end server that is distinct from the actual server that provides the resource.<\/li>\n<li>Stated that bearer tokens MUST NOT be stored in cookies that can be sent in the clear in the Threat Mitigation section.<\/li>\n<li>Replaced sole remaining reference to [RFC2616].<\/li>\n<li>Replaced all references where the reference is used as if it were part of the sentence (such as &#8220;defined by [I-D.whatever]&#8221;) with ones where the specification name is used, followed by the reference (such as &#8220;defined by Whatever [I-D.whatever]&#8221;).<\/li>\n<li>Other non-normative editorial improvements.<\/li>\n<\/ul>\n<p>The draft is available at these locations:<\/p>\n<ul>\n<li><a href=\"http:\/\/tools.ietf.org\/html\/draft-ietf-oauth-v2-bearer-14\">http:\/\/tools.ietf.org\/html\/draft-ietf-oauth-v2-bearer-14<\/a><\/li>\n<li><a href=\"http:\/\/www.ietf.org\/internet-drafts\/draft-ietf-oauth-v2-bearer-14.pdf\">http:\/\/www.ietf.org\/internet-drafts\/draft-ietf-oauth-v2-bearer-14.pdf<\/a><\/li>\n<li><a href=\"http:\/\/www.ietf.org\/internet-drafts\/draft-ietf-oauth-v2-bearer-14.txt\">http:\/\/www.ietf.org\/internet-drafts\/draft-ietf-oauth-v2-bearer-14.txt<\/a><\/li>\n<li><a href=\"http:\/\/www.ietf.org\/internet-drafts\/draft-ietf-oauth-v2-bearer-14.xml\">http:\/\/www.ietf.org\/internet-drafts\/draft-ietf-oauth-v2-bearer-14.xml<\/a><\/li>\n<li><a href=\"https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer-14.html\">https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer-14.html<\/a><\/li>\n<li><a 
href=\"https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer-14.pdf\">https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer-14.pdf<\/a><\/li>\n<li><a href=\"https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer-14.txt\">https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer-14.txt<\/a><\/li>\n<li><a href=\"https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer-14.xml\">https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer-14.xml<\/a><\/li>\n<li><a href=\"https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer.html\">https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer.html<\/a> (will point to new versions as they are posted)<\/li>\n<li><a href=\"https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer.pdf\">https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer.pdf<\/a> (will point to new versions as they are posted)<\/li>\n<li><a href=\"https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer.txt\">https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer.txt<\/a> (will point to new versions as they are posted)<\/li>\n<li><a href=\"https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer.xml\">https:\/\/self-issued.info\/docs\/draft-ietf-oauth-v2-bearer.xml<\/a> (will point to new versions as they are posted)<\/li>\n<li><a href=\"http:\/\/svn.openid.net\/repos\/specifications\/oauth\/2.0\/\">http:\/\/svn.openid.net\/repos\/specifications\/oauth\/2.0\/<\/a> (Subversion repository, with html, pdf, txt, and xml versions available)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Draft 14 of the OAuth 2.0 Bearer Token Specification has been published. It contains the following changes: Changes made in response to review comments by Security Area Director Stephen Farrell. Specifically: Strengthened warnings about passing an access token as a query parameter and more precisely described the limitations placed upon the use of this method. 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,25],"tags":[],"class_list":["post-597","post","type-post","status-publish","format-standard","hentry","category-oauth","category-specifications"],"_links":{"self":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=597"}],"version-history":[{"count":4,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/597\/revisions"}],"predecessor-version":[{"id":601,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/597\/revisions\/601"}],"wp:attachment":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}