| OAuth Working Group | N. Sakimura |
| Internet-Draft | Nomura Research Institute |
| Intended status: Standards Track | November 04, 2015 |
| Expires: May 7, 2016 |
OAuth Response Metadata
draft-sakimura-oauth-meta-05
This specification defines an extensible metadata that may be inserted into the OAuth 2.0 responses to assist the clients to process those responses. It is expressed either as a link header, or query parameters. It will allow the client to learn where the members in the response could be used. Since it is just additional response header/query parameters, any client that does not understand this extension should not break and work normally while supporting clients can utilize the metadata to take the advantage of the extension.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 7, 2016.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Although OAuth 2.0 [RFC6749] has been known for its REST friendliness, OAuth itself is not RESTful, as it heavily relies on out-of-band information to drive the interactions. This situation can be eased by hypertext-enabling the endpoint responses through the introduction of data structure that represents such hypertext and other metadata. This specification defines methods to represent such metadata in the authorization and token endpoints.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
The Authorization response of the implementation of this specification MUST return the following query parameter in the redirect URI.
If the discovery document also includes Token Endpoint URI or Resource Endpoint, the value of the turi or ruri takes precedence.
The following is an example of such resopnse. Line breaks are for display purposes only.
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
&turi=https%3A%2F%2Fexample.com%2Ftoken
&duri=https%3A%2F%2Fexample.com%2Fdisco
&state=xyz
Token Endpoints that implements this specification MUST return the following relation (rel) and the corresponding URI value as defined in [RFC5988] in the Access Token Response defined in [RFC6749].
Following is an example of an HTTPS response.
HTTP/1.1 200 OK
Link: <https://example.com/userinfo>; rel="ruri",
<https://example.com/disco>; rel="duri"
Content-Type: application/JSON; charset=utf-8
{
"access_token":"aCeSsToKen"
}
Pursuant to [RFC5988], the following link type registrations [[will be]] registered by mail to link-relations@ietf.org.
The query response parameters may be tampered by the man-in-the-browser.
Members of OAuth WG helped to form this specification. Notabely: Hannes tschofenig, John Bradley, Justin Richer, Kaoru Maeda, Masashi Kurabayashi, Nov Matake, Michael B. Jones, Phil Hunt, William Dennis, (add yourselves).
-05
-04
-03
-02
-01
-00
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
| [RFC2616] | Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, DOI 10.17487/RFC2616, June 1999. |
| [RFC5988] | Nottingham, M., "Web Linking", RFC 5988, DOI 10.17487/RFC5988, October 2010. |
| [RFC6749] | Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012. |
| [RFC6750] | Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", RFC 6750, DOI 10.17487/RFC6750, October 2012. |
| [HAL] | Kelly, M., "JSON Hypermedia API Language", February 2013. |
| [oauth-lrdd] | Mills, W., "Link Type Registrations for OAuth 2", October 2012. |
| [RFC4627] | Crockford, D., "The application/json Media Type for JavaScript Object Notation (JSON)", RFC 4627, DOI 10.17487/RFC4627, July 2006. |
| [RFC6570] | Gregorio, J., Fielding, R., Hadley, M., Nottingham, M. and D. Orchard, "URI Template", RFC 6570, DOI 10.17487/RFC6570, March 2012. |