One document matched: draft-ietf-oauth-assertions-10.xml
<?xml version="1.0" encoding="US-ASCII"?>
<?xml-stylesheet type='text/xsl' href='http://xml.resource.org/authoring/rfc2629.xslt' ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc strict="yes" ?>
<?rfc toc="yes" ?>
<?rfc tocdepth="3" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc iprnotified="yes" ?>
<rfc category="std" docName="draft-ietf-oauth-assertions-10" ipr="trust200902">
<!-- category values: std, bcp, info, exp, and historic
ipr values: full3667, noModification3667, noDerivatives3667
you can add the attributes updates="NNNN" and obsoletes="NNNN"
they will automatically be output with "(if approved)" -->
<front>
<title>Assertion Framework for OAuth 2.0</title>
<author fullname="Brian Campbell" initials="B." surname="Campbell">
<organization abbrev="Ping">Ping Identity Corp.</organization>
<address>
<email>brian.d.campbell@gmail.com</email>
</address>
</author>
<author fullname="Chuck Mortimore" initials="C." surname="Mortimore">
<organization abbrev="Salesforce">Salesforce.com</organization>
<address>
<email>cmortimore@salesforce.com</email>
</address>
</author>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization abbrev="Microsoft">Microsoft</organization>
<address>
<email>mbj@microsoft.com</email>
</address>
</author>
<author fullname="Yaron Y. Goland" initials="Y.Y." surname="Goland">
<organization abbrev="Microsoft">Microsoft</organization>
<address>
<email>yarong@microsoft.com</email>
</address>
</author>
<date day="19" month="January" year="2013" />
<!-- Meta-data Declarations -->
<area>Security</area>
<workgroup>OAuth Working Group</workgroup>
<!-- WG name at the upperleft corner of the doc,
IETF is fine for individual submissions.
If this element is not present, the default is "Network Working Group",
which is used by the RFC Editor as a nod to the history of the IETF. -->
<keyword>OAuth</keyword>
<keyword>SAML</keyword>
<keyword>JWT</keyword>
<keyword>Assertion</keyword>
<abstract>
<t>This specification provides a framework for the use of
assertions with OAuth 2.0 in the form of a new client authentication mechanism and a new authorization grant type.
Mechanisms are specified for transporting assertions during
interactions with a token endpoint, as well as general processing rules.</t>
<t>The intent of this specification is to provide a common framework for OAuth 2.0 to interwork with other identity systems using assertions, and to provide alternative client authentication mechanisms.</t>
<t>Note that this specification only defines abstract message flows and processing
rules. In order to be implementable, companion specifications are necessary to provide the corresponding
concrete instantiations.
</t>
</abstract>
</front>
<middle>
<!-- ************************************************************************* -->
<section anchor="overview" title="Introduction">
<t>OAuth 2.0 <xref target="RFC6749"/> is an authorization framework that enables a third-party
application to obtain limited access to a protected HTTP resource. In OAuth, those third-party
applications are called clients; they access protected resources by presenting an access token to the HTTP resource.
Access tokens are issued to clients by an
authorization server with the (sometimes implicit) approval of the
resource owner. These access tokens are typically obtained by
exchanging an authorization grant, which represents the authorization granted by the
resource owner (or by a privileged administrator). Several authorization
grant types are defined to support a wide range of client types and
user experiences. OAuth also provides an extensibility mechanism for defining additional
grant types, which can serve as a bridge between OAuth and other protocol frameworks.
</t>
<t>
This specification provides a general framework for the use of
assertions as authorization grants with OAuth 2.0. It also provides a framework for assertions to
be used for client authentication.
It provides generic mechanisms for transporting
assertions during interactions with an authorization server's token endpoint, as well as general
rules for the content and processing of those assertions. The intent
is to provide an alternative client authentication mechanism (one that doesn't send client secrets),
as well as to facilitate the use of OAuth
2.0 in client-server integration scenarios, where the end-user may not be present.
</t>
<t>
This specification only defines abstract message flows and processing
rules. In order to be implementable, companion specifications are necessary to provide the corresponding
concrete instantiations.
For instance,
SAML 2.0 Bearer Assertion Profiles for OAuth 2.0
<xref target="I-D.ietf-oauth-saml2-bearer"/>
defines a concrete instantiation for SAML 2.0 tokens and
JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
<xref target="I-D.ietf-oauth-jwt-bearer"/>
defines a concrete instantiation for JWT tokens.
</t>
<t>
Note: The use of assertions for client
authentication is orthogonal to and separable from using assertions as an
authorization grant. They can be used either in combination or separately.
Client assertion authentication is nothing more than an alternative way for a client to authenticate
to the token endpoint and must be used in conjunction with some grant type to form a complete and
meaningful protocol request. Assertion authorization grants may be used with or without client authentication
or identification. Whether or not client authentication is needed in conjunction with an assertion authorization
grant, as well as the supported types of client authentication, are policy decisions at the discretion of the authorization server.
</t>
<section anchor="Interoperability" title="Interoperability Considerations">
<t>
This specification defines a framework for using assertions
with OAuth 2.0. However, as an abstract framework in which
the data formats used for representing many values are not
defined, on its own, this specification is not sufficient to
produce interoperable implementations.
</t>
<t>
Two other specifications that profile this framework for
specific assertion have been developed:
one <xref target="I-D.ietf-oauth-saml2-bearer"/>
uses SAML 2.0-based assertions and
the other <xref target="I-D.ietf-oauth-jwt-bearer"/>
uses JSON Web Tokens (JWTs). These two instantiations of
this framework specify additional details about the
assertion encoding and processing rules for using those
kinds of assertions with OAuth 2.0.
</t>
<t>
However, even when profiled for specific assertion types,
additional profiling for specific use cases will be required
to achieve full interoperability. Deployments for
particular trust frameworks, circles of trust, or other uses
cases will need to agree among the participants on the kinds
of values to be used for some abstract fields defined by
this specification. For example the values of Issuer,
Subject, and Audience fields might be URLs, URIs, fully
qualified domain names, OAuth client IDs, IP addresses, or
other values, depending upon the requirements of the
particular use case. The verification rules for some values
will also be use case specific.
</t>
<t>
This framework was designed with the clear expectation that
additional specifications will define prescriptive profiles
and extensions necessary to achieve full web-scale
interoperability for particular use cases.
</t>
</section>
</section>
<!-- ************************************************************************* -->
<section anchor="rnc" title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"/> .</t>
<t>Throughout this document, values are quoted to indicate that they are
to be taken literally. When using these values in protocol messages, the
quotes must not be used as part of the value.</t>
</section>
<!-- ************************************************************************* -->
<section anchor="framework" title="Framework">
<t>
An assertion is a package of information that allows
identity and security information to be shared across security
domains. An assertion typically contains information about a subject or principal,
information about the party that issued the assertion and when was it issued, as well as the conditions
under which the assertion is to
be considered valid, such as when and where it can be used.
</t>
<t>
The entity that creates and signs the assertion is typically known as the "Issuer" and the entity that
consumes the assertion and relies on its information is typically known as the "Relying Party". In the context of
this document, the authorization server acts as a relying party.
</t>
<t>
Assertions used in the protocol exchanges defined by this specification
MUST always be protected against tampering
using a digital signature or a keyed message digest applied by the issuer.
An assertion MAY additionally be encrypted, preventing unauthorized parties
from inspecting the content.
</t>
<t>
Although this document does not define the processes by which the client
obtains the assertion (prior to sending it to the authorization
server), there are two common patterns described below.
</t>
<t>
In the first pattern,
depicted in <xref target="third-party-created"/>, the client obtains
an assertion from a third party entity capable of issuing, renewing, transforming, and validating security tokens.
Typically such an entity is known as a "Security Token Service" (STS) or just "Token Service" and
a trust relationship (usually manifested in the exchange of some kind of key material)
exists between the token service and the relying party.
The token service is the assertion issuer; its role is to fulfill requests from clients, which present various credentials, and
mint assertions as requested, fill them with appropriate information, and sign them.
<xref target="OASIS.WS-Trust">WS-Trust</xref> is one available standard for requesting security tokens (assertions).
</t>
<t>
<figure anchor="third-party-created" title="Third Party Created Assertion">
<artwork><![CDATA[
Relying
Party Client Token Service
| | |
| | 1) Request Assertion |
| |------------------------>|
| | |
| | 2) Assertion |
| |<------------------------|
| 3) Assertion | |
|<-------------------------| |
| | |
| 4) OK or Failure | |
|------------------------->| |
| | |
| | |
]]></artwork>
</figure>
</t>
<t>
In the second pattern, depicted in <xref target="self-issued"/>, the client creates assertions
locally. To sign the assertions, it has to obtain key material:
either symmetric keys or asymmetric key pairs.
The mechanisms for obtaining this key material are beyond the scope of this specification.
</t>
<t>
Although assertions are usually used to convey identity and security information,
self-issued assertions can also serve a different purpose. They can be used to demonstrate knowledge of some secret, such as a client secret, without actually
communicating the secret directly in the transaction. In that case, additional information included in the
assertion by the client itself will be of limited value to the relying party
and, for this reason, only a bare minimum of information is typically included in such an assertion, such as information about issuing and usage conditions.</t>
<t>
<figure anchor="self-issued" title="Self-Issued Assertion">
<artwork><![CDATA[
Relying
Party Client
| |
| | 1) Create
| | Assertion
| |--------------+
| | |
| | 2) Assertion |
| |<-------------+
| 3) Assertion |
|<-------------------------|
| |
| 4) OK or Failure |
|------------------------->|
| |
| |
]]></artwork>
</figure>
</t>
<t>Deployments need to
determine the appropriate variant to use based on the required level of security, the trust relationship between the entities, and other factors.
</t>
<t>
From the perspective of what must be done by the entity presenting the assertion, there are two general types of assertions:
<list style="numbers">
<t>Bearer Assertions: Any entity in
possession of a bearer assertion (e.g. the bearer) can use it to get access to
the associated resources (without demonstrating possession of a
cryptographic key). To prevent misuse, bearer assertions need to be
protected from disclosure in storage and in transport. A secure communication channel is required
between all entities to avoid leaking the assertion to unauthorized parties.</t>
<t>Holder-of-Key Assertions:
To access the associated resources, the entity presenting the assertion must demonstrate possession of additional cryptographic material.
The token service thereby binds a key identifier to the assertion
and the client has to demonstrate to the relying party that it knows the key corresponding to that
identifier when presenting the assertion. This mechanism provides additional security properties.</t>
</list>
The protocol parameters and processing rules defined in this document are intended to support
a client presenting a bearer assertion to an authorization server. The use of holder-of-key assertions are not precluded by this document, but
additional protocol details would need to be specified.
</t>
</section>
<!-- ************************************************************************* -->
<section title="Transporting Assertions" anchor="transporting">
<t>
This section defines HTTP parameters for transporting
assertions during interactions with a token endpoint of an OAuth authorization server.
Because requests to the token endpoint result in the transmission of
clear-text credentials (in both the HTTP request and response), all requests to the
token endpoint MUST use TLS, as mandated in Section 3.2 of <xref target="RFC6749">OAuth 2.0</xref>.
</t>
<section title="Using Assertions as Authorization Grants" anchor="authgrants">
<t>This section defines the use of assertions as authorization grants,
based on the definition provided in Section 4.5 of <xref target="RFC6749">OAuth 2.0</xref>.
When using assertions as authorization grants, the client
includes the assertion and related information using the following HTTP request
parameters:</t>
<t><list style="hanging">
<t hangText="grant_type">REQUIRED. The format of the assertion as
defined by the authorization server. The value MUST be an absolute
URI.</t>
<t hangText="assertion">REQUIRED. The assertion being used as an
authorization grant. Specific serialization of the assertion is
defined by profile documents. The serialization MUST be encoded
for transport within HTTP forms. It is RECOMMENDED that base64url
be used.</t>
<t hangText="scope">OPTIONAL. The requested scope as
described in Section 3.3 of <xref target="RFC6749">OAuth
2.0</xref>. When
exchanging assertions for access tokens, the authorization for the
token has been previously granted through some out-of-band mechanism. As
such, the requested scope MUST be equal or lesser than the scope
originally granted to the authorized accessor. If the scope
parameter and/or value are omitted, the scope MUST be treated as
equal to the scope originally granted to the authorized accessor.
The Authorization Server MUST limit the scope of the issued
access token to be equal or lesser than the scope originally
granted to the authorized accessor.</t>
</list></t>
<t>The following non-normative example demonstrates an assertion being
used as an authorization grant
(with extra line breaks for display purposes only):</t>
<figure>
<artwork><![CDATA[
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
client_id=s6BhdRkqt3&
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&
assertion=PHNhbWxwOl...[omitted for brevity]...ZT4
]]></artwork>
</figure>
<t>An assertion used in this context is generally a short lived representation
of the authorization grant and authorization servers SHOULD NOT issue access tokens with a lifetime
that exceeds the validity period of the assertion by a significant period. In practice, that will
usually mean that refresh tokens are not issued in response to assertion
grant requests and access tokens will be issued with a reasonably short lifetime.
Clients can refresh an expired access token by requesting a new one using the same
assertion, if it is still valid, or with a new assertion.
</t>
<t>An IETF URN for use as the <spanx style='verb'>grant_type</spanx> value can be requested
using the template in <xref target="RFC6755"/>.
A URN of the form urn:ietf:params:oauth:grant-type:* is suggested.
</t>
<section title="Error Responses">
<t>If an assertion is not valid or has expired, the Authorization Server
MUST construct an error response as defined in <xref
target="RFC6749">OAuth 2.0</xref>. The value of the <spanx style='verb'>error</spanx>
parameter MUST be the <spanx style='verb'>invalid_grant</spanx> error code. The authorization
server MAY include additional information regarding the reasons the
assertion was considered invalid using the <spanx style='verb'>error_description</spanx> or
<spanx style='verb'>error_uri</spanx> parameters.</t>
<t>For example:</t>
<figure>
<artwork><![CDATA[
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
{
"error":"invalid_grant",
"error_description":"Audience validation failed"
}
]]></artwork>
</figure>
</section>
</section>
<section title="Using Assertions for Client Authentication" anchor="clientauth">
<t>The following section defines the use of assertions as client
credentials as an extension of Section 2.3 of <xref
target="RFC6749">OAuth 2.0</xref>. When using
assertions as client credentials, the client includes the assertion
and related information using the following HTTP request parameters:</t>
<t><list style="hanging">
<t hangText="client_id">OPTIONAL. The client identifier as
described in Section 2.2 of <xref target="RFC6749">OAuth
2.0</xref>. When present, the <spanx style='verb'>client_id</spanx> MUST identify the client to the authorization server.</t>
<t hangText="client_assertion_type">REQUIRED. The format of the
assertion as defined by the authorization server. The value MUST
be an absolute URI. </t>
<t hangText="client_assertion">REQUIRED. The assertion being used
to authenticate the client. Specific serialization of the
assertion is defined by profile documents. The serialization MUST
be encoded for transport within HTTP forms. It is RECOMMENDED that
base64url be used.</t>
</list></t>
<t>The following non-normative example demonstrates a client
authenticating using an assertion during an
Access Token Request, as defined in Section 4.1.3 of
<xref target="RFC6749">OAuth 2.0</xref>
(with extra line breaks for display purposes only):</t>
<figure>
<artwork><![CDATA[
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=i1WsRn1uB1&
client_id=s6BhdRkqt3&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth
%3Aclient-assertion-type%3Asaml2-bearer&
client_assertion=PHNhbW...[omitted for brevity]...ZT
]]></artwork>
</figure>
<t>Token endpoints can differentiate between assertion based
credentials and other client credential types by looking for the
presence of the <spanx style='verb'>client_assertion</spanx> and
<spanx style='verb'>client_assertion_type</spanx> parameters,
which will only be present when using assertions for client
authentication.</t>
<t>An IETF URN for use as the <spanx style='verb'>client_assertion_type</spanx> value may be requested
using the template in <xref target="RFC6755"/>.
A URN of the form urn:ietf:params:oauth:client-assertion-type:* is suggested.
</t>
<section title="Error Responses">
<t>If an assertion is invalid for any reason or if more than one client authentication mechanism is used, the Authorization
Server MUST construct an error response as defined in <xref
target="RFC6749">OAuth 2.0</xref>. The value of the <spanx style='verb'>error</spanx>
parameter MUST be the <spanx style='verb'>invalid_client</spanx> error code. The
authorization server MAY include additional information regarding the
reasons the client assertion was considered invalid using the <spanx style='verb'>error_description</spanx>
or <spanx style='verb'>error_uri</spanx> parameters.</t>
<t>For example:</t>
<figure>
<artwork><![CDATA[
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
{
"error":"invalid_client"
"error_description":"assertion has expired"
}
]]></artwork>
</figure>
</section>
</section>
</section>
<!-- ************************************************************************* -->
<section title="Assertion Content and Processing" anchor="contentprocessing">
<t>This section provides a general content and processing model for the
use of assertions in <xref target="RFC6749">OAuth
2.0</xref>.</t>
<section title="Assertion Metamodel">
<t>The following are entities and metadata involved in the issuance,
exchange, and processing of assertions in OAuth 2.0. These are general
terms, abstract from any particular assertion format. Mappings of
these terms into specific representations are provided by profiles of
this specification.</t>
<t><list style="hanging">
<t hangText="Issuer">The unique identifier for the entity that
issued the assertion. Generally this is the entity that holds the
key material used to generate the assertion.
Examples of issuers are OAuth clients (when assertions are self-issued)
and third party security token services.</t>
<t hangText="Subject">A unique identifier for the subject of the
assertion. When using assertions for client authentication, the
Subject SHOULD be the <spanx style='verb'>client_id</spanx> of the OAuth client. When using
assertions as an authorization grant, the Subject MUST identify
an authorized accessor for which the access token is being
requested (typically the resource owner, or an authorized
delegate).</t>
<t hangText="Audience">A value that identifies the parties intended to
process the assertion. An audience value MAY be the URL of
the Token Endpoint as defined in Section 3.2 of <xref
target="RFC6749">OAuth 2.0</xref>.</t>
<t hangText="Issued At ">The time at which the assertion was
issued. While the serialization may differ by assertion format,
this is always expressed in UTC with no time zone component.</t>
<t hangText="Expires At ">The time at which the assertion expires.
While the serialization may differ by assertion format, this is
always expressed in UTC with no time zone component.</t>
<t hangText="Assertion ID">A nonce or unique identifier for the
assertion. The Assertion ID may be used by implementations
requiring message de-duplication for one-time use assertions. Any
entity that assigns an identifier MUST ensure that there is
negligible probability that that entity or any other entity will
accidentally assign the same identifier to a different data
object.</t>
</list></t>
</section>
<section title="General Assertion Format and Processing Rules">
<t>The following are general format and processing rules for the use
of assertions in OAuth:</t>
<t><list style="symbols">
<t>The assertion MUST contain an Issuer. The Issuer MUST identify
the entity that issued the assertion as recognized by the
Authorization Server. If an assertion is self-issued, the Issuer
SHOULD be the <spanx style='verb'>client_id</spanx>.</t>
<t>The assertion SHOULD contain a Subject. The Subject MUST
identify an authorized accessor for which the access token is being
requested (typically the resource owner, or an authorized
delegate). When the client is acting on behalf of itself, the
Subject SHOULD be the <spanx style='verb'>client_id</spanx>.</t>
<t>The assertion MUST contain an Audience that identifies the
Authorization Server as the intended audience. The Authorization
Server MUST verify that it is an intended audience for the
assertion. The Audience SHOULD be the URL of the Authorization
Server's Token Endpoint.</t>
<t>The assertion MUST contain an Expires At entity that limits the
time window during which the assertion can be used. The
authorization server MUST verify that the expiration time has not
passed, subject to allowable clock skew between systems. The
authorization server SHOULD reject assertions with an Expires At
attribute value that is unreasonably far in the future.</t>
<t>The assertion MAY contain an Issued At entity containing the
UTC time at which the assertion was issued.</t>
<t>The assertion MAY contain an Assertion ID. An Authorization
Server MAY dictate that Assertion ID is mandatory.</t>
<t>The Authorization Server MUST validate the assertion's signature
to verify the Issuer of the assertion. The algorithm used to validate the
signature, and the mechanism for designating the secret used to
generate the assertion, are beyond the scope of this specification.</t>
</list></t>
</section>
</section>
<!-- ************************************************************************* -->
<section title="Specific Assertion Format and Processing Rules">
<t>The following clarifies the format and processing rules defined in
<xref target="transporting" /> and <xref target="contentprocessing" />
for a number of common use cases:</t>
<section title="Client Authentication">
<t>When a client uses an assertion for authentication, it SHOULD do so according to <xref target="clientauth" />. The following format and
processing rules apply:
<list style="symbols">
<t>The <spanx style='verb'>client_assertion_type</spanx> HTTP parameter MUST identify the
assertion format being used for authentication.</t>
<t>The <spanx style='verb'>client_assertion</spanx> HTTP parameter MUST contain the serialized
assertion in a format indicated by the <spanx style='verb'>client_assertion_type</spanx>
parameter.</t>
<t>The Subject SHOULD be the <spanx style='verb'>client_id</spanx>.</t>
<t>The Issuer of the assertion MUST identify the entity that issued
the assertion as recognized by the Authorization Server. If the
assertion is self-issued, the Issuer SHOULD be the <spanx style='verb'>client_id</spanx>.</t>
<t>The Audience of the assertion MUST identify the Authorization
Server and SHOULD be the URL of the Token Endpoint.</t>
<t>The Authorization Server MUST verify the assertion's signature or keyed message digest to determine the validity of the issuer and the content of the assertion.</t>
</list></t>
<t>The following non-normative example demonstrates a
client authentication using an assertion during an
Access Token Request, as defined in Section 4.1.3 of
<xref target="RFC6749">OAuth 2.0</xref>
(with extra line breaks for display purposes only):</t>
<figure>
<artwork><![CDATA[
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=i1WsRn1uB1&
client_id=s6BhdRkqt3&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth
%3Aclient-assertion-type%3Asaml2-bearer&
client_assertion=PHNhb...[omitted for brevity]...ZT4
]]></artwork>
</figure>
</section>
<section title="Client Acting on Behalf of Itself">
<t>When a client is accessing resources on behalf of itself, it SHOULD
do so in a manner analogous to the Client Credentials flow defined in
Section 4.4 of <xref target="RFC6749">OAuth 2.0</xref>. This
is a special case that combines both the authentication and
authorization grant usage patterns. In this case, the interactions
with the authorization server SHOULD be treated as using an assertion
for Client Authentication according to <xref target="clientauth" />, with the addition
of a grant_type parameter. The following format and processing rules
apply:
<list style="symbols">
<t>The grant_type HTTP request parameter MUST be
<spanx style='verb'>client_credentials</spanx>.</t>
<t>The <spanx style='verb'>client_assertion_type</spanx> HTTP parameter MUST identify the
assertion format.</t>
<t>The <spanx style='verb'>client_assertion</spanx> HTTP parameter MUST contain the serialized
assertion as in a format indicated by the <spanx style='verb'>client_assertion_type</spanx>
parameter.</t>
<t>The Issuer of the assertion MUST identify the entity that
issued the assertion as recognized by the Authorization Server. If
the assertion is self-issued, the Issuer SHOULD be the
<spanx style='verb'>client_id</spanx>. If the assertion was issued by a Security Token
Service (STS), the Issuer SHOULD identify the STS as recognized by the
Authorization Server.</t>
<t>The Subject SHOULD be the <spanx style='verb'>client_id</spanx>.</t>
<t>The Audience of the assertion MUST identify the Authorization
Server and SHOULD be the URL of the Token Endpoint.</t>
<t>The Authorization Server MUST validate the assertion's signature to verify the Issuer of the assertion.</t>
</list></t>
<t>The following non-normative example demonstrates
an assertion being used for a Client Credentials Access Token
Request, as defined in Section 4.4.2 of
<xref target="RFC6749">OAuth 2.0</xref>
(with extra line breaks for display purposes only):</t>
<figure>
<artwork><![CDATA[
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
client_id=s6BhdRkqt3&
grant_type=client_credentials&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth
%3Aclient-assertion-type%3Asaml2-bearer&
client_assertion=PHNhbW...[omitted for brevity]...ZT
]]></artwork>
</figure>
</section>
<section title="Client Acting on Behalf of a User">
<t>When a client is accessing resources on behalf of a user, it SHOULD
be treated as using an assertion as an Authorization Grant according
to <xref target="authgrants" />. The following format and processing rules apply:
<list style="symbols">
<t>The grant_type HTTP request parameter MUST indicate the
assertion format.</t>
<t>The assertion HTTP parameter MUST contain the serialized
assertion as in a format indicated by the grant_type
parameter.</t>
<t>The Issuer of the assertion MUST identify the entity that
issued the assertion as recognized by the Authorization Server. If
the assertion is self-issued, the Issuer SHOULD be the
<spanx style='verb'>client_id</spanx>. If the assertion was issued by a
Security Token Service (STS), the Issuer SHOULD
identify the STS as recognized by the Authorization Server.</t>
<t>The Subject MUST identify an authorized accessor for which the
access token is being requested (typically the resource owner, or
an authorized delegate).</t>
<t>The Audience of the assertion MUST identify the Authorization
Server and MAY be the URL of the Token Endpoint.</t>
<t>The Authorization Server MUST validate the assertion's signature to verify the Issuer of the assertion.</t>
</list></t>
<t>The following non-normative example demonstrates a
client using an assertion as an Authorization Grant during an
Access Token Request, as defined in Section 4.1.3 of <xref
target="RFC6749">OAuth 2.0</xref>
(with extra line breaks for display purposes only):</t>
<figure>
<artwork><![CDATA[
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
client_id=s6BhdRkqt3&
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&
assertion=PHNhbWxwOl...[omitted for brevity]...ZT
]]></artwork>
</figure>
</section>
<section title="Client Acting on Behalf of an Anonymous User">
<t>When a client is accessing resources on behalf of an anonymous
user, the following format and processing rules apply:
<list style="symbols">
<t>The grant_type HTTP request parameter MUST indicate the
assertion format.</t>
<t>The assertion HTTP parameter MUST contain the serialized
assertion as in a format indicated by the grant_type
parameter.</t>
<t>The Issuer of the assertion MUST identify the entity that
issued the assertion as recognized by the Authorization Server. If
the assertion is self-issued, the Issuer SHOULD be the
<spanx style='verb'>client_id</spanx>. If the assertion was issued by a Security Token
Service (STS), the Issuer SHOULD identify the STS as recognized by the
Authorization Server.</t>
<t>The Subject SHOULD indicate to the Authorization Server that
the client is acting on-behalf of an anonymous user as defined by
the Authorization Server. It is implied that authorization is based
upon additional criteria, such as additional attributes or claims
provided in the assertion. For example, a client may present an
assertion from a trusted issuer asserting that the bearer is over
18 via an included claim. In this case, no additional information
about the user's identity is included, yet all the data needed to
issue an access token is present.</t>
<t>The Audience of the assertion MUST identify the Authorization
Server and MAY be the URL of the Token Endpoint.</t>
<t>The Authorization Server MUST validate the assertion's signature to verify the Issuer of the assertion.</t>
</list></t>
</section>
</section>
<section anchor="Security" title="Security Considerations">
<t>This section discusses security considerations that apply when using assertions with OAuth 2.0 as described in this document.
As discussed in <xref target="framework"/>, there are two different ways to obtain assertions: either as self-issued or
obtained from a third party token service.
While the actual interactions for obtaining an assertion are outside the scope of this document,
the details are important from a security perspective.
<xref target="framework"/> discusses the high level architectural aspects. Many of the security considerations discussed in this section are applicable to both the OAuth exchange as well as the client obtaining the assertion. </t>
<t>The remainder of this section focuses on the exchanges that concern presenting an assertion for client authentication and for the authorization grant. </t>
<section title="Forged Assertion">
<t>
<list style="hanging">
<t hangText="Threat:"><vspace/>
An adversary could forge or alter an assertion in order to
obtain an access token (in case of the authorization grant) or to
impersonate a client (in case of the client authentication mechanism).
<vspace blankLines="1"/></t>
<t hangText="Countermeasures:"><vspace/>
To avoid this kind of attack, the entities must assure that proper
mechanisms for protecting the integrity of the assertion are employed. This includes
the issuer digitally signing the assertion or computing a keyed
message digest over the assertion.
</t>
</list>
</t>
</section>
<section title="Stolen Assertion">
<t>
<list style="hanging">
<t hangText="Threat:"><vspace/>
An adversary may be able obtain an assertion (e.g., by eavesdropping)
and then reuse it (replay it) at a later point in time.
<vspace blankLines="1"/></t>
<t hangText="Countermeasures:"><vspace/>
The primary mitigation for this threat is the use of a secure communication
channel with server authentication for all network exchanges.
<vspace blankLines="1"/>
An assertion may also contain several elements to prevent replay
attacks. There is, however, a clear tradeoff between
reusing an assertion for multiple exchanges and obtaining and creating
new fresh assertions.
<vspace blankLines="1"/>
Authorization Servers and Resource Servers may use a combination of the
Assertion ID and Issued At/Expires At attributes for replay protection. Previously
processed assertions may be rejected based on the
Assertion ID. The addition of the validity window relieves the
authorization server from maintaining an infinite state table of
processed Assertion IDs.
</t>
</list>
</t>
</section>
<section title="Unauthorized Disclosure of Personal Information">
<t>
<list style="hanging">
<t hangText="Threat:"><vspace/>
The ability for other entities to obtain information
about an individual, such as authentication information, role in an organization, or other
authorization relevant information, raises privacy concerns.
<vspace blankLines="1"/></t>
<t hangText="Countermeasures:"><vspace/>
To address the threats, two cases need to be differentiated:
<vspace blankLines="1"/>
First, a third party that did not participate in any of the
exchange is prevented from eavesdropping on the content of the
assertion by employing confidentiality protection of the
exchange using TLS. This ensures
that an eavesdropper on the wire is unable to obtain information.
However, this does not prevent legitimate protocol entities
from obtaining information from an assertion they may not have been
allowed to obtain. Some assertion formats allow for the assertion
to be encrypted, preventing unauthorized parties from inspecting the content.
<vspace blankLines="1"/>
Second, an Authorization Server may obtain an
assertion that was created by a third party token service and that
token service may have placed attributes into the assertion. To
mitigate potential privacy problems, prior consent from the resource owner
has to be obtained. OAuth itself does not directly provide such capabilities, but this
consent approval may be obtained using other identity management protocols,
user consent interactions,
or in an out-of-band fashion.
<vspace blankLines="1"/>
For the cases where a third party token service creates assertions
to be used for client authentication, privacy concerns are typically lower,
since many of these clients are Web servers rather than individual devices
operated by humans. If the assertions are used for client authentication of
devices or software that can be closely linked to end users, then privacy
protection safeguards need to be taken into consideration.
<vspace blankLines="1"/>
Further guidance on privacy friendly protocol design can be found in <xref target="I-D.iab-privacy-considerations"/>.
</t>
</list>
</t>
</section>
</section>
<section title='IANA Considerations'>
<t>This is a request to add three values, as listed in the sub-sections below,
to the "OAuth Parameters" registry established by <xref target="RFC6749">RFC 6749.</xref></t>
<section title='assertion Parameter Registration'>
<t>
<list style='symbols'>
<t>Parameter name: assertion</t>
<t>Parameter usage location: token request
</t>
<t>Change controller: IETF</t>
<t>Specification document(s): [[this document]]</t>
</list>
</t>
</section>
<section title='client_assertion Parameter Registration'>
<t>
<list style='symbols'>
<t>Parameter name: client_assertion</t>
<t>Parameter usage location: token request
</t>
<t>Change controller: IETF</t>
<t>Specification document(s): [[this document]]</t>
</list>
</t>
</section>
<section title='client_assertion_type Parameter Registration'>
<t>
<list style='symbols'>
<t>Parameter name: client_assertion_type</t>
<t>Parameter usage location: token request
</t>
<t>Change controller: IETF</t>
<t>Specification document(s): [[this document]]</t>
</list>
</t>
</section>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml' ?>
<?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.6749.xml' ?>
</references>
<references title="Informative References">
<?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.6755.xml' ?>
<?rfc include='http://xml.resource.org/public/rfc/bibxml3/reference.I-D.iab-privacy-considerations.xml' ?>
<?rfc include='http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-oauth-saml2-bearer-15.xml' ?>
<?rfc include='http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-oauth-jwt-bearer-04.xml' ?>
<reference anchor="OASIS.WS-Trust">
<front>
<title abbrev='WS-Trust'>WS-Trust</title>
<author initials='A.' surname='Nadalin' fullname='Anthony Nadalin' role='editor'/>
<author initials='M.' surname='Goodner' fullname='Marc Goodner' role='editor'/>
<author initials='M.' surname='Gudgin' fullname='Martin Gudgin' role='editor'/>
<author initials='A.' surname='Barbir' fullname='Abbie Barbir' role='editor'/>
<author initials='H.' surname='Granqvist' fullname='Hans Granqvist' role='editor'/>
<date year="2009" month="Feb"/>
</front>
<format type='HTML' target='http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html'/>
</reference>
</references>
<section title="Acknowledgements">
<t>The authors wish to thank the following people that have influenced
or contributed this specification: Paul Madsen, Eric Sachs, Jian Cai,
Tony Nadalin, Hannes Tschofenig, the authors of the OAuth WRAP specification,
and the members of the OAuth working group.</t>
</section>
<section title='Document History'>
<t>
[[ to be removed by the RFC editor before publication as an RFC ]]
</t>
<t>
draft-ietf-oauth-assertions-10
<list style='symbols'>
<t>
Changed term "Principal" to "Subject".
</t>
<t>
Added Interoperability Considerations section.
</t>
<t>
Applied Shawn Emery's comments from the security directorate review,
including correcting urn:ietf:params:oauth:grant_type:* to
urn:ietf:params:oauth:grant-type:*.
</t>
</list>
</t>
<t>
draft-ietf-oauth-assertions-09
<list style='symbols'>
<t>
Allow audience values to not be URIs.
</t>
<t>
Added informative references to draft-ietf-oauth-saml2-bearer
and draft-ietf-oauth-jwt-bearer.
</t>
<t>
Clarified that the statements about possible issuers are non-normative
by using the language "Examples of issuers".
</t>
</list>
</t>
<t>
draft-ietf-oauth-assertions-08
<list style='symbols'>
<t>Update reference to RFC 6755 from draft-ietf-oauth-urn-sub-ns</t>
<t>Tidy up IANA consideration section</t>
</list>
</t>
<t>
draft-ietf-oauth-assertions-07
<list style='symbols'>
<t>Reference RFC 6749.</t>
<t>Remove extraneous word per http://www.ietf.org/mail-archive/web/oauth/current/msg10029.html</t>
</list>
</t>
<t>
draft-ietf-oauth-assertions-06
<list style='symbols'>
<t>Add more text to intro explaining that an assertion grant type can be used with or without client
authentication/identification and that client assertion authentication is nothing more than an alternative way for a client to authenticate to the token endpoint</t>
</list>
</t>
<t>
draft-ietf-oauth-assertions-05
<list style='symbols'>
<t>Non-normative editorial cleanups</t>
</list>
</t>
<t>
draft-ietf-oauth-assertions-04
<list style='symbols'>
<t>Updated document to incorporate the review comments from the shepherd - thread and alternative draft at http://www.ietf.org/mail-archive/web/oauth/current/msg09437.html</t>
<t>Added reference to draft-ietf-oauth-urn-sub-ns and include suggestions on urn:ietf:params:oauth:[grant-type|client-assertion-type]:* URNs</t>
</list>
</t>
<t>
draft-ietf-oauth-assertions-03
<list style='symbols'>
<t>updated reference to draft-ietf-oauth-v2 from -25 to -26</t>
</list>
</t>
<t>
draft-ietf-oauth-assertions-02
<list style='symbols'>
<t>Added text about limited lifetime ATs and RTs per http://www.ietf.org/mail-archive/web/oauth/current/msg08298.html.</t>
<t>Changed the line breaks in some examples to avoid awkward rendering to text format. Also removed encoded '=' padding from a few examples because both known derivative specs, SAML and JWT, omit the padding char in serialization/encoding.</t>
<t>Remove section 7 on error responses and move that (somewhat modified) content into subsections of section 4 broken up by authn/authz per http://www.ietf.org/mail-archive/web/oauth/current/msg08735.html.</t>
<t>Rework the text about "MUST validate ... in order to establish a mapping between ..." per http://www.ietf.org/mail-archive/web/oauth/current/msg08872.html and http://www.ietf.org/mail-archive/web/oauth/current/msg08749.html.</t>
<t>Change "The Principal MUST identify an authorized accessor. If the
assertion is self-issued, the Principal SHOULD be the client_id" in 6.1 per http://www.ietf.org/mail-archive/web/oauth/current/msg08873.html.</t>
<t>Update reference in 4.1 to point to 2.3 (rather than 3.2) of oauth-v2 (rather than self) http://www.ietf.org/mail-archive/web/oauth/current/msg08874.html.</t>
<t>Move the "Section 3 of" out of the xref to hopefully fix the link in 4.1 and remove the client_id bullet from 4.2 per http://www.ietf.org/mail-archive/web/oauth/current/msg08875.html.</t>
<t>Add ref to Section 3.3 of oauth-v2 for scope definition and remove some then redundant text per http://www.ietf.org/mail-archive/web/oauth/current/msg08890.html.</t>
<t>Change "The following format and processing rules SHOULD be applied" to "The following format and processing rules apply" in sections 6.x to remove conflicting normative qualification of other normative statements per http://www.ietf.org/mail-archive/web/oauth/current/msg08892.html.</t>
<t>Add text the client_id must id the client to 4.1 and remove similar text from other places per http://www.ietf.org/mail-archive/web/oauth/current/msg08893.html.</t>
<t>Remove the MUST from the text prior to the HTTP parameter definitions per http://www.ietf.org/mail-archive/web/oauth/current/msg08920.html.</t>
<t>Updated examples to use grant_type and client_assertion_type values from the OAuth SAML Assertion Profiles spec.</t>
</list>
</t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 04:30:22 |