idnits 2.17.00 (12 Aug 2021) /tmp/idnits58514/draft-ietf-oauth-resource-indicators-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 5, 2019) is 988 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: draft-ietf-oauth-jwsreq has been published as RFC 9101 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 OAuth Working Group B. Campbell 3 Internet-Draft Ping Identity 4 Intended status: Standards Track J. Bradley 5 Expires: March 8, 2020 Yubico 6 H. Tschofenig 7 Arm Limited 8 September 5, 2019 10 Resource Indicators for OAuth 2.0 11 draft-ietf-oauth-resource-indicators-07 13 Abstract 15 This document specifies an extension to the OAuth 2.0 Authorization 16 Framework defining request parameters that enable a client to 17 explicitly signal to an authorization server about the identity of 18 the protected resource(s) to which it is requesting access. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at https://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on March 8, 2020. 37 Copyright Notice 39 Copyright (c) 2019 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (https://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 1.1. Requirements Notation and Conventions . . . . . . . . . . 3 56 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 57 2. Resource Parameter . . . . . . . . . . . . . . . . . . . . . 3 58 2.1. Authorization Request . . . . . . . . . . . . . . . . . . 5 59 2.2. Access Token Request . . . . . . . . . . . . . . . . . . 6 60 3. Security Considerations . . . . . . . . . . . . . . . . . . . 9 61 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 10 62 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 63 5.1. OAuth Parameters Registration . . . . . . . . . . . . . . 10 64 5.2. OAuth Extensions Error Registration . . . . . . . . . . . 10 65 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 66 6.1. Normative References . . . . . . . . . . . . . . . . . . 11 67 6.2. Informative References . . . . . . . . . . . . . . . . . 11 68 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12 69 Appendix B. Document History . . . . . . . . . . . . . . . . . . 12 70 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 72 1. Introduction 74 Several years of deployment and implementation experience with the 75 OAuth 2.0 Authorization Framework [RFC6749] has uncovered a need, in 76 some circumstances such as an authorization server servicing a 77 significant number of diverse resources, for the client to explicitly 78 signal to the authorization server where it intends to use the access 79 token it is requesting. 81 Knowing the protected resource (a.k.a. resource server, application, 82 API, etc.) that will process the access token enables the 83 authorization server to construct the token as necessary for that 84 entity. Properly encrypting the token (or content within the token) 85 to a particular resource, for example, requires knowing which 86 resource will receive and decrypt the token. Furthermore, various 87 resources oftentimes have different requirements with respect to the 88 data contained in, or referenced by, the token and knowing the 89 resource where the client intends to use the token allows the 90 authorization server to mint the token accordingly. 92 Specific knowledge of the intended recipient(s) of the access token 93 also helps facilitate improved security characteristics of the token 94 itself. Bearer tokens, currently the most commonly utilized type of 95 OAuth access token, allow any party in possession of a token to get 96 access to the associated resources. To prevent misuse, several 97 important security assumptions must hold, one of which is that an 98 access token must only be valid for use at a specific protected 99 resource and for a specific scope of access. Section 5.2 of 100 [RFC6750], for example, prescribes including the token's intended 101 recipients within the token to prevent token redirect. When the 102 authorization server is informed of the resource that will process 103 the access token, it can restrict the intended audience of that token 104 to the given resource such that the token cannot be used successfully 105 at other resources. 107 OAuth scope, from Section 3.3 of [RFC6749], is sometimes overloaded 108 to convey the location or identity of the protected resource, 109 however, doing so isn't always feasible or desirable. Scope is 110 typically about what access is being requested rather than where that 111 access will be redeemed (e.g., "email", "admin:org", "user_photos", 112 "channels:read", and "channels:write" are a small sample of scope 113 values in use in the wild that convey only the type of access and not 114 the location or identity). 116 In some circumstances and for some deployments, a means for the 117 client to signal to the authorization server where it intends to use 118 the access token it's requesting is important and useful. A number 119 of implementations and deployments of OAuth 2.0 have already employed 120 proprietary parameters toward that end. Going forward, this 121 specification aspires to provide a standardized and interoperable 122 alternative to the proprietary approaches. 124 1.1. Requirements Notation and Conventions 126 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 127 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 128 "OPTIONAL" in this document are to be interpreted as described in BCP 129 14 [RFC2119] [RFC8174] when, and only when, they appear in all 130 capitals, as shown here. 132 1.2. Terminology 134 This specification uses the terms "access token", "refresh token", 135 "authorization server", "resource server", "authorization endpoint", 136 "authorization request", "authorization response", "token endpoint", 137 "grant type", "access token request", "access token response", and 138 "client" defined by The OAuth 2.0 Authorization Framework [RFC6749]. 140 2. Resource Parameter 142 In requests to the authorization server, a client MAY indicate the 143 protected resource (a.k.a. resource server, application, API, etc.) 144 to which it is requesting access by including the following parameter 145 in the request. 147 resource 148 Indicates the target service or resource to which access is being 149 requested. Its value MUST be an absolute URI, as specified by 150 Section 4.3 of [RFC3986]. The URI MUST NOT include a fragment 151 component. It SHOULD NOT include a query component, but it is 152 recognized that there are cases that make a query component 153 useful. The "resource" parameter URI value is an identifier 154 representing the identity of the resource, which MAY be a locator 155 that corresponds to a network addressable location where the 156 target resource is hosted. Multiple "resource" parameters MAY be 157 used to indicate that the requested token is intended to be used 158 at multiple resources. 160 The parameter value identifies a resource to which the client is 161 requesting access. The parameter can carry the location of a 162 protected resource, typically as an https URL, or a more abstract 163 identifier. This enables the authorization server to apply policy as 164 appropriate for the resource, such as determining the type and 165 content of tokens to be issued, if and how tokens are encrypted, and 166 applying appropriate audience restrictions. 168 The client SHOULD provide the most specific URI that it can for the 169 complete API or set of resources it intends to access. In practice a 170 client will know a base URI for the application or resource that it 171 interacts with, which is appropriate to use as the value of the 172 "resource" parameter. The client SHOULD use the base URI of the API 173 as the "resource" parameter value unless specific knowledge of the 174 resource dictates otherwise. For example, the value 175 "https://api.example.com/" would be used for a resource that is the 176 exclusive application on that host, however, if the resource is one 177 of many applications on that host, something like 178 "https://api.example.com/app/" would be used as a more specific 179 value. Another example, for an API like SCIM [RFC7644] that has 180 multiple endpoints such as "https://apps.example.com/scim/Users", 181 "https://apps.example.com/scim/Groups", and 182 "https://apps.example.com/scim/Schemas" The client would use 183 "https://apps.example.com/scim/" as the resource so that the issued 184 access token is valid for all the endpoints of the SCIM API. 186 The following error code is provided for an authorization server to 187 indicate problems with the requested resource(s) in response to an 188 authorization request or access token request. It can also be used 189 to inform the client that it has requested an invalid combination of 190 resource and scope. 192 invalid_target 193 The requested resource is invalid, missing, unknown, or malformed. 195 The authorization server SHOULD audience-restrict issued access 196 tokens to the resource(s) indicated by the "resource" parameter. 197 Audience restrictions can be communicated in JSON Web Tokens 198 [RFC7519] with the "aud" claim and the top-level member of the same 199 name provides the audience restriction information in a Token 200 Introspection [RFC7662] response. The authorization server may use 201 the exact "resource" value as the audience or it may map from that 202 value to a more general URI or abstract identifier for the given 203 resource. 205 2.1. Authorization Request 207 When the "resource" parameter is used in an authorization request to 208 the authorization endpoint, it indicates the identity of the 209 protected resource(s) to which access is being requested. When an 210 access token will be returned directly from the authorization 211 endpoint via the implicit flow (Section 4.2 of OAuth 2.0 [RFC6749]), 212 the requested resource is applicable to that access token. In the 213 code flow (Section 4.1 of OAuth 2.0 [RFC6749]) where an intermediate 214 representation of the authorization grant (the authorization code) is 215 returned from the authorization endpoint, the requested resource is 216 applicable to the full authorization grant. 218 For an authorization request sent as a JSON Web Token (JWT), such as 219 when using JWT Secured Authorization Request [I-D.ietf-oauth-jwsreq], 220 a single "resource" parameter value is represented as a JSON string 221 while multiple values are represented as an array of strings. 223 If the client omits the "resource" parameter when requesting 224 authorization, the authorization server MAY process the request with 225 no specific resource or by using a pre-defined default resource 226 value. Alternatively, the authorization server MAY require clients 227 to specify the resource(s) they intend to access and MAY fail 228 requests that omit the parameter with an "invalid_target" error. The 229 authorization server might use this data to inform the user about the 230 resources the client is going to access on her behalf, to apply 231 policy (e.g., refuse the request due to unknown resources), and to 232 determine the set of resources that can be used in subsequent access 233 token requests. 235 If the authorization server fails to parse the provided value(s) or 236 does not consider the resource(s) acceptable, it should reject the 237 request with an error response using the error code "invalid_target" 238 as the value of the "error" parameter and can provide additional 239 information regarding the reasons for the error using the 240 "error_description". 242 An example of an authorization request where the client tells the 243 authorization server that it wants an access token for use at 244 "https://api.example.com/app/" is shown in Figure 1 below (extra line 245 breaks and indentation are for display purposes only). 247 GET /as/authorization.oauth2?response_type=token 248 &client_id=example-client 249 &state=XzZaJlcwYew1u0QBrRv_Gw 250 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb 251 &resource=https%3A%2F%2Fapi.example.com%2Fapp%2F HTTP/1.1 252 Host: authorization-server.example.com 254 Figure 1: Implicit Flow Authorization Request 256 Below in Figure 2 is an example of an authorization request using the 257 "code" response type where the client is requesting access to the 258 resource owner's contacts and calendar data at 259 "https://cal.example.com/" and "https://contacts.example.com/" (extra 260 line breaks and indentation are for display purposes only). 262 GET /as/authorization.oauth2?response_type=code 263 &client_id=s6BhdRkqt3 264 &state=tNwzQ87pC6llebpmac_IDeeq-mCR2wLDYljHUZUAWuI 265 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb 266 &scope=calendar%20contacts 267 &resource=https%3A%2F%2Fcal.example.com%2F 268 &resource=https%3A%2F%2Fcontacts.example.com%2F HTTP/1.1 269 Host: authorization-server.example.com 271 Figure 2: Code Flow Authorization Request 273 2.2. Access Token Request 275 When the "resource" parameter is used on an access token request made 276 to the token endpoint, for all grant types, it indicates the target 277 service or protected resource where the client intends to use the 278 requested access token. 280 The resource value(s) that are acceptable to an authorization server 281 in fulfilling an access token request are at its sole discretion 282 based on local policy or configuration. In the case of a 283 "refresh_token" or "authorization_code" grant type request, such 284 policy may limit the acceptable resources to those that were 285 originally granted by the resource owner or a subset thereof. In the 286 "authorization_code" case where the requested resources are a subset 287 of the set of resources originally granted, the authorization server 288 will issue an access token based on that subset of requested 289 resources while any refresh token that is returned is bound to the 290 full original grant. 292 When requesting a token, the client can indicate the desired target 293 service(s) where it intends to use that token by way of the 294 "resource" parameter and can indicate the desired scope of the 295 requested token using the "scope" parameter. The semantics of such a 296 request are that the client is asking for a token with the requested 297 scope that is usable at all the requested target services. 298 Effectively, the requested access rights of the token are the 299 cartesian product of all the scopes at all the target services. To 300 the extent possible, when issuing access tokens, the authorization 301 server should downscope the scope value associated with an access 302 token to the value the respective resource is able to process and 303 needs to know. This further improves privacy as a list of scope 304 values is an indication that the resource owner uses the multiple 305 various services listed; downscoping a token to only that which is 306 needed for a particular service can limit the extent to which such 307 information is revealed across different services. As specified in 308 Section 5.1 of [RFC6749], the authorization server must indicate the 309 access token's effective scope to the client in the "scope" response 310 parameter value when it differs from the scope requested by the 311 client. 313 Following from the code flow authorization request shown in Figure 2, 314 the below examples show an "authorization_code" grant type access 315 token request (Figure 3) and response (Figure 4) where the client 316 tells the authorization server that it wants the access token for use 317 at "https://cal.example.com/" (extra line breaks and indentation are 318 for display purposes only). 320 POST /as/token.oauth2 HTTP/1.1 321 Host: authorization-server.example.com 322 Authorization: Basic czZCaGRSa3F0Mzpoc3FFelFsVW9IQUU5cHg0RlNyNHlJ 323 Content-Type: application/x-www-form-urlencoded 325 grant_type=authorization_code 326 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb 327 &code=10esc29BWC2qZB0acc9v8zAv9ltc2pko105tQauZ 328 &resource=https%3A%2F%2Fcal.example.com%2F 330 Figure 3: Access Token Request 332 HTTP/1.1 200 OK 333 Content-Type: application/json 334 Cache-Control: no-cache, no-store 336 { 337 "access_token":"eyJhbGciOiJFUzI1NiIsImtpZCI6Ijc3In0.eyJpc3MiOi 338 JodHRwOi8vYXV0aG9yaXphdGlvbi1zZXJ2ZXIuZXhhbXBsZS5jb20iLCJzdWI 339 iOiJfX2JfYyIsImV4cCI6MTU4ODQyMDgwMCwic2NvcGUiOiJjYWxlbmRhciIs 340 ImF1ZCI6Imh0dHBzOi8vY2FsLmV4YW1wbGUuY29tLyJ9.nNWJ2dXSxaDRdMUK 341 lzs-cYIj8MDoM6Gy7pf_sKrLGsAFf1C2bDhB60DQfW1DZL5npdko1_Mmk5sUf 342 zkiQNVpYw", 343 "token_type":"Bearer", 344 "expires_in":3600, 345 "refresh_token":"4LTC8lb0acc6Oy4esc1Nk9BWC0imAwH7kic16BDC2", 346 "scope":"calendar" 347 } 349 Figure 4: Access Token Response 351 A subsequent access token request, using the refresh token, where the 352 client tells the authorization server that it wants an access token 353 for use at "https://contacts.example.com/" is shown in Figure 5 below 354 with the response shown in Figure 6 (extra line breaks and 355 indentation are for display purposes only). 357 POST /as/token.oauth2 HTTP/1.1 358 Host: authorization-server.example.com 359 Authorization: Basic czZCaGRSa3F0Mzpoc3FFelFsVW9IQUU5cHg0RlNyNHlJ 360 Content-Type: application/x-www-form-urlencoded 362 grant_type=refresh_token 363 &refresh_token=4LTC8lb0acc6Oy4esc1Nk9BWC0imAwH7kic16BDC2 364 &resource=https%3A%2F%2Fcontacts.example.com%2F 366 Figure 5: Access Token Request 368 HTTP/1.1 200 OK 369 Content-Type: application/json 370 Cache-Control: no-cache, no-store 372 { 373 "access_token":"eyJhbGciOiJFUzI1NiIsImtpZCI6Ijc3In0.eyJpc3MiOi 374 JodHRwOi8vYXV0aG9yaXphdGlvbi1zZXJ2ZXIuZXhhbXBsZS5jb20iLCJzdWI 375 iOiJfX2JfYyIsImV4cCI6MTU4ODQyMDgyNiwic2NvcGUiOiJjb250YWN0cyIs 376 ImF1ZCI6Imh0dHBzOi8vY29udGFjdHMuZXhhbXBsZS5jb20vIn0.5f4yhqazc 377 OSlJw4y94KPeWNEFQqj2cfeO8x4hr3YbHtIl3nQXnBMw5wREY5O1YbZED-GfH 378 UowfmtNaA5EikYAw", 379 "token_type":"Bearer", 380 "expires_in":3600, 381 "scope":"contacts" 382 } 384 Figure 6: Access Token Response 386 3. Security Considerations 388 An audience-restricted access token, legitimately presented to a 389 resource, cannot then be taken by that resource and presented 390 elsewhere for illegitimate access to other resources. The "resource" 391 parameter enables a client to indicate the protected resources where 392 the requested access token will be used, which in turn enables the 393 authorization server to apply the appropriate audience restrictions 394 to the token. 396 Some servers may host user content or be multi-tenant. In order to 397 avoid attacks where one tenant uses an access token to illegitimately 398 access resources owned by a different tenant, it is important to use 399 a specific resource URI including any portion of the URI that 400 identifies the tenant, such as a path component. This will allow 401 access tokens to be audience-restricted in a way that identifies the 402 tenant and prevent their use, due to an invalid audience, at 403 resources owned by a different tenant. 405 Although multiple occurrences of the "resource" parameter may be 406 included in a token request, using only a single "resource" parameter 407 is encouraged. A bearer token that has multiple intended recipients 408 (audiences) indicating that the token is valid at more than one 409 protected resource can be used by any one of those protected 410 resources to access any of the other protected resources. Thus, a 411 high degree of trust between the involved parties is needed when 412 using access tokens with multiple audiences. Furthermore an 413 authorization server may be unwilling or unable to fulfill a token 414 request with multiple resources. 416 Whenever feasible, the "resource" parameter should correspond to the 417 network addressable location of the protected resource. This makes 418 it possible for the client to validate that the resource being 419 requested controls the corresponding network location, reducing the 420 risk of malicious endpoints obtaining tokens meant for other 421 resources. If the "resource" parameter contains an abstract 422 identifier, it is the client's responsibility to validate out of band 423 that any network endpoint to which tokens are sent are the intended 424 audience for that identifier. 426 4. Privacy Considerations 428 In typical OAuth deployments the authorization sever is in a position 429 to observe and track a significant amount of user and client 430 behavior. It is largely just inherent to the nature of OAuth and 431 this document does little to affect that. In some cases, however, 432 such as when access token introspection is not being used, use of the 433 resource parameter defined herein may allow for tracking behavior at 434 a somewhat more granular and specific level than would otherwise be 435 possible in its absence. 437 5. IANA Considerations 439 5.1. OAuth Parameters Registration 441 This specification updates the following value in the IANA "OAuth 442 Parameters" registry [IANA.OAuth.Parameters] established by 443 [RFC6749]. 445 o Parameter name: resource 446 o Parameter usage location: authorization request, token request 447 o Change controller: IESG 448 o Specification document(s): [[ this specification ]] 450 5.2. OAuth Extensions Error Registration 452 This specification updates the following error in the IANA "OAuth 453 Extensions Error Registry" [IANA.OAuth.Parameters] established by 454 [RFC6749]. 456 o Error name: invalid_target 457 o Error usage location: implicit grant error response, token error 458 response 459 o Related protocol extension: resource parameter 460 o Change controller: IESG 461 o Specification document(s): [[ this specification ]] 463 6. References 465 6.1. Normative References 467 [IANA.OAuth.Parameters] 468 IANA, "OAuth Parameters", 469 . 471 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 472 Requirement Levels", BCP 14, RFC 2119, 473 DOI 10.17487/RFC2119, March 1997, 474 . 476 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 477 Resource Identifier (URI): Generic Syntax", STD 66, 478 RFC 3986, DOI 10.17487/RFC3986, January 2005, 479 . 481 [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", 482 RFC 6749, DOI 10.17487/RFC6749, October 2012, 483 . 485 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 486 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 487 May 2017, . 489 6.2. Informative References 491 [I-D.ietf-oauth-jwsreq] 492 Sakimura, N. and J. Bradley, "The OAuth 2.0 Authorization 493 Framework: JWT Secured Authorization Request (JAR)", 494 draft-ietf-oauth-jwsreq-19 (work in progress), June 2019. 496 [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization 497 Framework: Bearer Token Usage", RFC 6750, 498 DOI 10.17487/RFC6750, October 2012, 499 . 501 [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token 502 (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, 503 . 505 [RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E., 506 and C. Mortimore, "System for Cross-domain Identity 507 Management: Protocol", RFC 7644, DOI 10.17487/RFC7644, 508 September 2015, . 510 [RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection", 511 RFC 7662, DOI 10.17487/RFC7662, October 2015, 512 . 514 Appendix A. Acknowledgements 516 This specification was developed within the OAuth Working Group under 517 the chairmanship of Hannes Tschofenig and Rifaat Shekh-Yusef with 518 Eric Rescorla, Benjamin Kaduk and Roman Danyliw serving as Security 519 Area Directors. Additionally, the following individuals contributed 520 ideas, feedback, and wording that helped shape this specification: 522 Vittorio Bertocci, Sergey Beryozkin, Roman Danyliw, William Denniss, 523 Vladimir Dzhuvinov, George Fletcher, Dick Hardt, Phil Hunt, Michael 524 Jones, Benjamin Kaduk, Barry Leiba, Torsten Lodderstedt, Anthony 525 Nadalin, Justin Richer, Adam Roach, Nat Sakimura, Rifaat Shekh-Yusef, 526 Filip Skokan, Eric Vyncke, and Hans Zandbelt. 528 Appendix B. Document History 530 [[ to be removed by the RFC Editor before publication as an RFC ]] 532 draft-ietf-oauth-resource-indicators-07 534 o One more update from IESG evaluation comments 535 (https://mailarchive.ietf.org/arch/msg/oauth/ 536 RS0UZSsguQurHl4P18Zo77BzZnU). 538 draft-ietf-oauth-resource-indicators-06 540 o Expand JWT acronym on first use per Genart last call review. 541 o Updates from IESG evaluation comments. 543 draft-ietf-oauth-resource-indicators-05 545 o Remove specific mention of error_uri, which is rarely (if ever) 546 used and seems to only confuse things for readers of extensions 547 like this one. 549 draft-ietf-oauth-resource-indicators-04 551 o Editorial updates from AD review that were overlooked in -03. 553 draft-ietf-oauth-resource-indicators-03 555 o Editorial updates from AD review. 556 o Update draft-ietf-oauth-jwsreq ref to -19. 557 o Update the IANA requests to say they update the registries. 559 o Clarify that the value of the "resource" parameter is a URI which 560 can be an abstract identifier for the target resource and doesn't 561 necessarily have to correspond to a network addressable location. 563 draft-ietf-oauth-resource-indicators-01 565 o Significant rework of the main section of the document attempting 566 to clarify a number of things that came up at, around and after 567 IETF 102 and the call for adoption. 568 o Change the "invalid_resource" error to "invalid_target" to align 569 with draft-ietf-oauth-token-exchange, which has some overlap in 570 functionality. 571 o Allow the "resource" parameter value to have a query component 572 (aligning with draft-ietf-oauth-token-exchange). 573 o Moved the Security Considerations section to before the IANA 574 Considerations. 575 o Other editorial updates. 576 o Rework the Acknowledgements section. 577 o Use RFC 8174 boilerplate. 579 draft-ietf-oauth-resource-indicators-00 581 o First version of the working group document. A replica of draft- 582 campbell-oauth-resource-indicators-02. 584 draft-campbell-oauth-resource-indicators-02 586 o No changes. 588 draft-campbell-oauth-resource-indicators-01 590 o Move Hannes Tschofenig, who wrote https://tools.ietf.org/html/ 591 draft-tschofenig-oauth-audience in '13, from Acknowledgements to 592 Authors. 593 o Added IANA Considerations to register the "resource" parameter and 594 "invalid_resource" error code. 596 draft-campbell-oauth-resource-indicators-00 598 o Initial draft to define a resource parameter for OAuth 2.0. 600 Authors' Addresses 601 Brian Campbell 602 Ping Identity 604 Email: brian.d.campbell@gmail.com 606 John Bradley 607 Yubico 609 Email: ve7jtb@ve7jtb.com 611 Hannes Tschofenig 612 Arm Limited 614 Email: hannes.tschofenig@gmx.net