OAuth 2.0 for Browser-Based Applications

	draft-ietf-oauth-browser-based-apps-22.txt
	Date:	17/01/2025
	Authors:	Aaron Parecki, David Waite, Philippe De Ryck
	Working Group:	Web Authorization Protocol (oauth)

This specification details the threats, attack consequences, security considerations and best practices that must be taken into account when developing browser-based applications that use OAuth 2.0. Discussion Venues This note is to be removed before publishing as an RFC. Discussion of this document takes place on the Web Authorization Protocol Working Group mailing list (oauth@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/oauth/. Source for this draft and an issue tracker can be found at https://github.com/oauth-wg/oauth-browser-based-apps.

The OAuth 2.1 Authorization Framework

	draft-ietf-oauth-v2-1-12.txt
	Date:	15/11/2024
	Authors:	Dick Hardt, Aaron Parecki, Torsten Lodderstedt
	Working Group:	Web Authorization Protocol (oauth)

The OAuth 2.1 authorization framework enables an application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and an authorization service, or by allowing the application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 2.0 Authorization Framework described in RFC 6749 and the Bearer Token Usage in RFC 6750.

Selective Disclosure for JWTs (SD-JWT)

	draft-ietf-oauth-selective-disclosure-jwt-15.txt
	Date:	16/01/2025
	Authors:	Daniel Fett, Kristina Yasuda, Brian Campbell
	Working Group:	Web Authorization Protocol (oauth)

This specification defines a mechanism for the selective disclosure of individual elements of a JSON-encoded data structure used as the payload of a JSON Web Signature (JWS). The primary use case is the selective disclosure of JSON Web Token (JWT) claims.

Cross-Device Flows: Security Best Current Practice

	draft-ietf-oauth-cross-device-security-09.txt
	Date:	06/01/2025
	Authors:	Pieter Kasselman, Daniel Fett, Filip Skokan
	Working Group:	Web Authorization Protocol (oauth)

This document describes threats against cross-device flows along with practical mitigations, protocol selection guidance, and a summary of formal analysis results identified as relevant to the security of cross-device flows. It serves as a security guide to system designers, architects, product managers, security specialists, fraud analysts and engineers implementing cross-device flows.

SD-JWT-based Verifiable Credentials (SD-JWT VC)

	draft-ietf-oauth-sd-jwt-vc-08.txt
	Date:	03/12/2024
	Authors:	Oliver Terbu, Daniel Fett, Brian Campbell
	Working Group:	Web Authorization Protocol (oauth)

This specification describes data formats as well as validation and processing rules to express Verifiable Credentials with JSON payloads with and without selective disclosure based on the SD-JWT [I-D.ietf-oauth-selective-disclosure-jwt] format.

OAuth 2.0 Attestation-Based Client Authentication

	draft-ietf-oauth-attestation-based-client-auth-04.txt
	Date:	21/10/2024
	Authors:	Tobias Looker, Paul Bastian, Christian Bormann
	Working Group:	Web Authorization Protocol (oauth)

This specification defines an extension to the OAuth 2 protocol as defined in [RFC6749] which enables a Client Instance to include a key-bound attestation in interactions with an Authorization Server or a Resource Server. This new method enables Client Instances involved in a client deployment that is traditionally viewed as a public client, to be able to utilize this key-bound attestation to authenticate.

OAuth 2.0 Protected Resource Metadata

	draft-ietf-oauth-resource-metadata-13.txt
	Date:	15/10/2024
	Authors:	Michael Jones, Phil Hunt, Aaron Parecki
	Working Group:	Web Authorization Protocol (oauth)

This specification defines a metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource.

Token Status List

	draft-ietf-oauth-status-list-08.txt
	Date:	19/02/2025
	Authors:	Tobias Looker, Paul Bastian, Christian Bormann
	Working Group:	Web Authorization Protocol (oauth)

This specification defines a mechanism, data structures and processing rules for representing the status of tokens secured by JSON Object Signing and Encryption (JOSE) or CBOR Object Signing and Encryption (COSE), such as JWT, SD-JWT VC, CBOR Web Token and ISO mdoc. It also defines an extension point and a registry for future status mechanisms.

Transaction Tokens

	draft-ietf-oauth-transaction-tokens-04.txt
	Date:	30/12/2024
	Authors:	Atul Tulshibagwale, George Fletcher, Pieter Kasselman
	Working Group:	Web Authorization Protocol (oauth)

Transaction Tokens (Txn-Tokens) enable workloads in a trusted domain to ensure that user identity and authorization context of an external programmatic request, such as an API invocation, are preserved and available to all workloads that are invoked as part of processing such a request. Txn-Tokens also enable workloads within the trusted domain to optionally immutably assert to downstream workloads that they were invoked in the call chain of the request.

OAuth Identity and Authorization Chaining Across Domains

	draft-ietf-oauth-identity-chaining-03.txt
	Date:	21/12/2024
	Authors:	Arndt Schwenkschuster, Pieter Kasselman, Kelley Burgin, Michael Jenkins, Brian Campbell
	Working Group:	Web Authorization Protocol (oauth)

This specification defines a mechanism to preserve identity and authorization information across trust domains that use the OAuth 2.0 Framework. Discussion Venues This note is to be removed before publishing as an RFC. Discussion of this document takes place on the Web Authorization Protocol Working Group mailing list (oauth@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/oauth/. Source for this draft and an issue tracker can be found at https://github.com/oauth-wg/oauth-identity-chaining.

OAuth 2.0 for First-Party Applications

	draft-ietf-oauth-first-party-apps-00.txt
	Date:	07/10/2024
	Authors:	Aaron Parecki, George Fletcher, Pieter Kasselman
	Working Group:	Web Authorization Protocol (oauth)

This document defines the Authorization Challenge Endpoint, which supports a first-party client that wants to control the process of obtaining authorization from the user using a native experience. In many cases, this can provide an entirely browserless OAuth 2.0 experience suited for native applications, only delegating to the browser in unexpected, high risk, or error conditions.

JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

	draft-ietf-oauth-rfc7523bis-00.txt
	Date:	21/02/2025
	Authors:	Michael Jones, Brian Campbell, Chuck Mortimore
	Working Group:	Web Authorization Protocol (oauth)

This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.

Javascript disabled? Like other modern websites, the IETF Datatracker relies on Javascript. Please enable Javascript for full functionality.

Web Authorization Protocol (oauth)

WG	Name	Web Authorization Protocol
	Acronym	oauth
	Area	Security Area (sec)
	State	Active
	Charter	charter-ietf-oauth-05 Approved
	Document dependencies	Document dependencies Loading... Pan and zoom the dependency graph after the layout settles. Show legend Loading...
	Additional resources	Issue tracker, Wiki, Zulip stream
Personnel	Chairs	Hannes Tschofenig, Rifaat Shekh-Yusef
	Area Director	Deb Cooley
Mailing list	Address	oauth@ietf.org
	To subscribe	https://www.ietf.org/mailman/listinfo/oauth
	Archive	https://mailarchive.ietf.org/arch/browse/oauth/
Chat	Room address	https://zulip.ietf.org/#narrow/stream/oauth

Charter for Working Group

The Web Authorization (OAuth) protocol allows a user to grant a
third-party web site or application access to the user's protected
resources, without necessarily revealing their long-term credentials,
or even their identity. For example, a photo-sharing site that
supports OAuth could allow its users to use a third-party printing web
site to print their private pictures, without allowing the printing
site to gain full control of the user's account and without having the
user share his or her photo-sharing sites' long-term credential with
the printing site.

The OAuth 2.0 protocol suite already includes

a procedure for enabling a client to register with an authorization
server,
a protocol for obtaining authorization tokens from an authorization
server with the resource owner's consent, and
protocols for presenting these authorization tokens to protected
resources for access to a resource.

This protocol suite has been enhanced with functionality for
interworking with legacy identity infrastructure (such as SAML), token
revocation, token exchange, dynamic client registration, token
introspection, a standardized token format with the JSON Web Token, and
specifications that mitigate security attacks, such as Proof Key for
Code Exchange.

The ongoing standardization efforts within the OAuth working group
focus on increasing interoperability of OAuth deployments and to
improve security. More specifically, the working group is defining proof
of possession tokens, developing a discovery mechanism, providing
guidance for the use of OAuth with native apps, re-introducing
the device flow used by devices with limited user interfaces, additional
security enhancements for clients communicating with multiple service
providers, definition of claims used with JSON Web Tokens, techniques to
mitigate open redirector attacks, as well as guidance on encoding state
information.

For feedback and discussion about our specifications please
subscribe to our public mailing list at .

For security related bug reports that relate to our specifications
please contact . If the reported
bug report turns out to be implementation-specific we will attempt
to forward it to the appropriate developers.

Milestones

Date	Milestone	Associated documents
Apr 2022	Submit "OAuth 2.0 Authorization Server Issue Identifier in Authorization Response" to IESG	rfc9207 (was draft-ietf-oauth-iss-auth-resp)
Jan 2022	Submit "OAuth 2.0 Proof-of-Posession at the Application Layer" to IESG	rfc9449 (was draft-ietf-oauth-dpop)
Oct 2021	Submit "OAuth 2.0 for Browser-Based Apps" to IES	draft-ietf-oauth-browser-based-apps
Jul 2021	Submit 'OAuth 2.0 Security Best Practice" to IESG	rfc9700 (was draft-ietf-oauth-security-topics)
Jul 2021	Submit "OAuth 2.1 Authorization Framework" to IESG	draft-ietf-oauth-v2-1
Mar 2021	Submit 'OAuth 2.0 Pushed Authorization Requests" to IESG	rfc9126 (was draft-ietf-oauth-par)

Done milestones

Date	Milestone	Associated documents
Done	Submit 'OAuth 2.0 Token Exchange' to the IESG for consideration as a Proposed Standard	rfc8693 (was draft-ietf-oauth-token-exchange)
Done	Submit 'OAuth 2.0 Device Flow' to the IESG	rfc8628 (was draft-ietf-oauth-device-flow)
Done	Submit 'OAuth 2.0 Authorization Server Discovery Metadata' to the IESG	rfc8414 (was draft-ietf-oauth-discovery)
Done	Submit 'OAuth 2.0 for Native Apps' to the IESG	rfc8252 (was draft-ietf-oauth-native-apps)
Done	Submit 'Authentication Method Reference Values' to the IESG	rfc8176 (was draft-ietf-oauth-amr-values)
Done	Submit 'Request by JWS ver.1.0 for OAuth 2.0' to the IESG for consideration as a Proposed Standard
Done	Submit 'OAuth 2.0 Proof-of-Possession (PoP) Security Architecture' to the IESG
Done	Submit 'Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)' to the IESG	rfc7800 (was draft-ietf-oauth-proof-of-possession)