[OAUTH-WG] OAuth Core -29 and OAuth Bearer -22 specs published

Mike Jones <Michael.Jones@microsoft.com> Fri, 13 July 2012 00:25 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 8199111E80B6 for <oauth@ietfa.amsl.com>; Thu, 12 Jul 2012 17:25:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.788
X-Spam-Status: No, score=-3.788 tagged_above=-999 required=5 tests=[AWL=-0.190, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id UWZZuf7ZZRXw for <oauth@ietfa.amsl.com>; Thu, 12 Jul 2012 17:25:55 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe003.messaging.microsoft.com []) by ietfa.amsl.com (Postfix) with ESMTP id 2AACE11E8098 for <oauth@ietf.org>; Thu, 12 Jul 2012 17:25:55 -0700 (PDT)
Received: from mail9-ch1-R.bigfish.com ( by CH1EHSOBE004.bigfish.com ( with Microsoft SMTP Server id; Fri, 13 Jul 2012 00:26:29 +0000
Received: from mail9-ch1 (localhost []) by mail9-ch1-R.bigfish.com (Postfix) with ESMTP id 4D0EB403FB; Fri, 13 Jul 2012 00:26:29 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -19
X-BigFish: VS-19(zzc89bhc857hzz1202hzz1033IL8275eh8275bh8275dha1495iz2fh2a8h668h839hd25hf0ah107ah)
Received-SPF: pass (mail9-ch1: domain of microsoft.com designates as permitted sender) client-ip=; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC102.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail9-ch1 (localhost.localdomain []) by mail9-ch1 (MessageSwitch) id 134213918731296_6983; Fri, 13 Jul 2012 00:26:27 +0000 (UTC)
Received: from CH1EHSMHS037.bigfish.com (snatpool2.int.messaging.microsoft.com []) by mail9-ch1.bigfish.com (Postfix) with ESMTP id 0570C1A0047; Fri, 13 Jul 2012 00:26:27 +0000 (UTC)
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com ( by CH1EHSMHS037.bigfish.com ( with Microsoft SMTP Server (TLS) id; Fri, 13 Jul 2012 00:26:26 +0000
Received: from TK5EX14MBXC285.redmond.corp.microsoft.com ([]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([]) with mapi id 14.02.0298.005; Fri, 13 Jul 2012 00:26:24 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: OAuth Core -29 and OAuth Bearer -22 specs published
Thread-Index: Ac1gjhZwVHhn22y2T/WdpE7Ba6CGRA==
Date: Fri, 13 Jul 2012 00:26:24 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366723810@TK5EX14MBXC285.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B168042967394366723810TK5EX14MBXC285r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: Julian Reschke <julian.reschke@gmx.de>
Subject: [OAUTH-WG] OAuth Core -29 and OAuth Bearer -22 specs published
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2012 00:25:56 -0000

New versions of the OAuth Core and Bearer specs have been published that are intended to address all outstanding issues.  (Although see Dick Hardt’s forwarded note from Charles Honton, which may result in an additional issue.)

The specifications are available at:

·        http://tools.ietf.org/html/draft-ietf-oauth-v2-29

·        http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-22

Changes in http://tools.ietf.org/html/draft-ietf-oauth-v2-29 are:

  *   Added "MUST" to "A public client that was not issued a client password MUST use the client_id request parameter to identify itself when sending requests to the token endpoint" and added text explaining why this must be so.
  *   Added that the authorization server MUST "ensure the authorization code was issued to the authenticated confidential client or to the public client identified by the client_id in the request".
  *   Added Security Considerations section "Misuse of Access Token to Impersonate Resource Owner in Implicit Flow".
  *   Added references in the "Implicit" and "Implicit Grant" sections to particularly pertinent security considerations.
  *   Added appendix "Use of application/x-www-form-urlencoded Media Type" and referenced it in places that this encoding is used.
  *   Deleted ";charset=UTF-8" from examples formerly using "Content-Type: application/x-www-form-urlencoded;charset=UTF-8".
  *   Added the phrase "with a character encoding of UTF-8" when describing how to send requests using the HTTP request entity-body.
  *   For symmetry when using HTTP Basic authentication, also apply the application/x-www-form-urlencoded encoding to the client password, just as was already done for the client identifier.
  *   Added "The ABNF below is defined in terms of Unicode code points [W3C.REC‑xml‑20081126]; these characters are typically encoded in UTF-8".
  *   Replaced UNICODENOCTRLCHAR in ABNF with UNICODECHARNOCRLF = %x09 / %x20-7E / %x80-D7FF / %xE000-FFFD / %x10000-10FFFF.
  *   Corrected incorrect uses of "which".
  *   Reduced multiple blank lines around artwork elements to single blank lines.
  *   Removed Eran Hammer's name from the author list, at his request. Dick Hardt is now listed as the editor.

Changes in http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-22 are:

  *   Removed uses of HTTPbis in favor of RFC 2616 and RFC 2617, since HTTPbis is not an approved standard.
  *   Match formatting of artwork elements with OAuth core specification.

HTML-formatted versions are available at:

·        http://self-issued.info/docs/draft-ietf-oauth-v2-29.html

·        http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-22.html

Thanks to Dick Hardt for editing the Core specification.  Thanks to Julian Reschke for supplying the text in Core Appendix B on the use of the application/x-www-form-urlencoded encoding.

                                                            -- Mike