One document matched: draft-sakimura-oauth-meta-07.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-sakimura-oauth-meta-07" ipr="trust200902">
<front>
<title abbrev="OAuth-Meta">OAuth Response Metadata</title>
<author fullname="Nat Sakimura" initials="N."
surname="Sakimura">
<organization>Nomura Research Institute</organization>
<address>
<email>sakimura@gmail.com</email>
</address>
</author>
<author fullname="Nov Matake" initials="N." surname="Matake">
<organization>GREE, Inc.</organization>
<address>
<email>nov@matake.jp</email>
<uri>http://matake.jp</uri>
</address>
</author>
<author fullname="Sascha Preibisch" initials="S." surname="Preibisch">
<organization>CA Technologies</organization>
<address>
<email>Sascha.Preibisch@gmail.com</email>
</address>
</author>
<date day="12" month="February" year="2016"/>
<area>Security</area>
<workgroup>OAuth Working Group</workgroup>
<abstract>
<t>This specification defines an extensible metadata that may be
inserted into the OAuth 2.0 responses to assist the clients to process
those responses. It is expressed either as a link header, or
query parameters. It will allow the
client to learn where the members in the response could be used,
what is the characteristics of the payload is, how it should be processed,
and so on.
Since they are just additional response header/query parameters,
any client that does not understand this
extension should not break and work normally while supporting clients
can utilize the metadata to take the advantage of the extension.</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="introduction">
<t>Although <xref target="RFC6749">OAuth 2.0</xref> has been known for
its REST friendliness, OAuth itself is not RESTful, as it heavily relies
on out-of-band information to drive the interactions. This situation can
be eased by hypertext-enabling the endpoint responses through the
introduction of data structure that represents such hypertext and other
metadata. </t>
<t>Hyper-text enabling the OAuth responses has many advantages.
For example, </t>
<t>
<list style="symbols">
<t>The protected resource can tell which authorization servers
it supports. </t>
<t>Permissioned resource discovery:
It is possible to tell the client which resource endpoint
it should use. This has a privacy advantage.
The location of the resource by itself may be a sensitive
information as its location may reveal information about the
resource owner. Therefore, it may be sensible to tell the
location only after the user consent. </t>
<t>It is possible to give a hint on the processing of the payload.</t>
<t>It will be resitant to IdP Mix-up attack. </t>
<t>It will be resitant to Code Phishing Attack.</t>
</list>
</t>
<t>This specification defines methods to represent such metadata
in the authorization and token responses. </t>
<section title="Requirements Notation and Conventions" anchor="requirements">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</section>
<section title="terminology" anchor="terminology">
<t>This specification uses the terms "Access Token", "Authorization Code",
"Authorization Endpoint", "Authorization Grant", "Authorization Server",
"Client", "Client Authentication", "Protected Resource", "Refresh Token",
and "Token Endpoint" defined by OAuth 2.0 [RFC6749].</t>
</section>
</section>
<section anchor="res_res" title="Resource Endpoint Resonse">
<t>Resource Endpoints that implement this specification returns
the following link relation (rel) and the corresonding URI value as
defined in <xref target="RFC5988" /> in the response header.
The response header can be returned in response to
HEAD, GET, or POST request to the endpoint.
</t>
<t><list style="hanging">
<t hangText="duri">
The URI of the corresponding authorization server's
discovery document, from which the client can learn
the server capabilities and endpoints.
</t>
<t hangText="auri">
The URI of the corresponding Authorization Endpoint URI.
</t>
</list></t>
<t>A typical example of the use of these header values are
in the case of the Client accessing the protected resource
without a propoer credential. For example, in the case
of an <xref target="RFC6750" /> protected resource, the unauthorized
access may result in a response header that includes both
WWW-Authenticate header as well as the Web Linking header
indicating either the Authorization Endpoint URI or
the discovery document URI.
</t>
<t>
There is no cardinality restriction on relations put in
place by <xref target="RFC5988" />. Therefore, the resource can respond with
multiple Authorization Endpoint URI or Discovery Document URIs
from which the Client may choose the appropriate one.
</t>
<figure>
<artwork><![CDATA[
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="example"
Link: <https://example.com/.well-known/openid-configuration>; rel="duri",
<https://example.net/.well-known/openid-configuration>; rel="duri",
<https://example.com/authz/>; rel="auri",
<https://example.net/az/>; rel="auri",
<https://example.com/payment-upon-trial-expiry>; rel="payments"
]]></artwork>
</figure>
</section>
<section anchor="token_res" title="Token Endpoint Response">
<t>Token Endpoints that implements this specification returns the following
link relation (rel) and the corresponding URI value as defined in
<xref target="RFC5988" />
in the Access Token Response defined in <xref target="RFC6749" />. </t>
<t><list style="hanging">
<t hangText="ruri">
Resource URI. The value of this parameter is the URI of the Resource Endpoint
that the Access Token is supposed to be used at.
If this value is present, the client MUST NOT send the Access Token to any other URI. </t>
<t hangText="turi">
Token Endpoint URI.
The value of this parameter is the URI of the Token Endpoint that the Refresh Token
can be sent to obtain a new Access Token.
If this value is present, then the client MUST NOT send the refresh token to any other places.
</t>
</list></t>
<t>Any other rels that are registered in Link Relation Type Registry defined in
<xref target="RFC5988"/> registry can be used.
</t>
<t>
There is no cardinality restriction on relations put in
place by <xref target="RFC5988" />. Therefore, the Token Endpoing can respond with
multiple Resource Endpoint URI or Discovery Document URIs
from which the Client may choose the appropriate one.
</t>
<t>Following is an example of an HTTPS response.</t>
<figure>
<artwork><![CDATA[
HTTP/1.1 200 OK
Link: <https://example.com/userinfo>; rel="ruri",
<https://example.net/photostream/>; rel="ruri",
<https://example.com/payment-upon-trial-expiry>; rel="payments"
Content-Type: application/JSON; charset=utf-8
{
"access_token":"aCeSsToKen"
}
]]></artwork>
</figure>
</section>
<section anchor="authz_head_res" title="Authorization Endpoint HEAD response">
<t>Authorization Endpoints that implements this specification returns the following
link relation (rel) and the corresponding URI value as defined in
<xref target="RFC5988" />
in the response to the HEAD request. </t>
<t><list style="hanging">
<t hangText="turi">Token Endpoint URI.
The value of this parameter is the URI of the Token Endpoint that
the Authorization Code
can be sent to obtain the Access Token.
</t>
<t hangText="duri">
The URI of discovery document, from which the client can learn
the server capabilities and endpoints.
</t>
<t hangText="ruri">
Resource URI. The value of this parameter is the URI of the Resource Endpoint
that the Access Token can be used at.
If this parameter is specified, the client MUST NOT send the Access Token to
any other URIs than the value of this parameter.
</t>
</list></t>
<t>
There is no cardinality restriction on relations put in
place by <xref target="RFC5988" />. Therefore, the Authorization Endpoint
can respond with
multiple Endpoint URIs with a same relation type
from which the Client may choose the appropriate one.
</t>
<t>Following is an example of an HTTPS response.</t>
<figure>
<artwork><![CDATA[
HTTP/1.1 200 OK
Link: <https://example.com/.well-known/openid-configuration>; rel="duri",
<https://example.net/.well-known/openid-configuration>; rel="duri",
<https://example.com/payment-upon-trial-expiry>; rel="payments"
Content-Type: application/JSON; charset=utf-8
]]></artwork>
</figure>
</section>
<section anchor="authz_res" title="Authorization Response">
<t>While <xref target="RFC5988"/> defines a useful way of conveying link relations,
it cannot be utilized for a redirect based communication such as
the authorization response of OAuth 2.0. This section defines
a way to return a limited set of those link relations as query parameters
so that it can be conveyed over the redirection.
</t>
<t>The authorization response of the implementation of this specification may return
the following query parameter in the redirect URI.</t>
<t><list style="hanging">
<t hangText="turi">Token Endpoint URI.
The value of this parameter is the URI of the Token Endpoint that
the Authorization Code
can be sent to obtain the Access Token.
If this parameter is specified,
the client MUST check that the value of turi matches exactly
with the pre-registered token endpoint URI of the Authorization Server
that the session recoverd from the state variable points to.
The client MUST NOT send the code to
any other URIs than the value of this parameter. </t>
<t hangText="ruri">
Resource URI. The value of this parameter is the URI of the Resource Endpoint
that the Access Token can be used at.
If this parameter is specified, the client MUST NOT send the Access Token to
any other URIs than the value of this parameter.
</t>
</list></t>
<t>As long as the link relation type string does not collide with the underlying
protocol parameters, they can also be specified as a query parameter. The value MUST
be encoded in application/x-www-form-urlencoded.
</t>
<t>The following is an example of such response. Line breaks are for display purposes only.</t>
<figure>
<artwork><![CDATA[
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
&turi=https%3A%2F%2Fexample.com%2Ftoken
&state=xyz
]]></artwork>
</figure>
</section>
<section anchor="IANA" title="IANA Considerations">
<section title="Link Type Registration">
<t>Pursuant to <xref target="RFC5988"/>, the following link type
registrations [[will be]] registered by mail to
link-relations@ietf.org.</t>
<t><list style="symbols">
<t>Relation Name: turi</t>
<t>Description: An OAuth 2.0 Token Endpoint specified in
section 3.2 of <xref target="RFC6749"/>.</t>
<t>Reference: This specification</t>
</list></t>
<t><list style="symbols">
<t>Relation Name: ruri</t>
<t>Description: An OAuth 2.0 Resource Endpoint specified in
section 3.2 of <xref target="RFC6750"/>.</t>
<t>Reference: This specification</t>
</list></t>
</section>
</section>
<section anchor="Security" title="Security Considerations">
<section anchor="query_tampering"
title="Authorization Response Query Parameter Tampering by a Bad User">
<t>The query response parameters may be tampered by the man-in-the-browser.
It can also be tampered by a malicious user.
In general, anything that comes via the browser/user-agent
can be tainted and untrusted. </t>
<t>This specification mandates the turi check so that
tamparing of turi by the malicious user will be detected.
It does not mandate ruri check as the user can get the
Access Token and send it to anywhere he wants anyways
when it is returned to the browser. </t>
<t>
However, other parameters are not protected.
The Client MUST treat them tainted and implement
its own check rules for each parameters. </t>
<t>
To solve this "Tampering by bad user", either
HMAC(concat(params)) need to be sent with them
or have all of them inside the JWS.
</t>
</section>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>Members of OAuth WG helped to form this specification. Notabely:
Hannes tschofenig, John Bradley, Justin Richer, Kaoru Maeda, Masashi Kurabayashi,
Michael B. Jones, Phil Hunt, William Dennis, James Manger,
(add yourselves).
</t>
</section>
<section title="Document History">
<t>-07</t>
<t><list style="symbols">
<t>Added note that there is no cardinality requirements so that
multiple endpoints can be returned by repeating a same rel. </t>
<t>Added resource endpoint response.</t>
</list></t>
<t>-06</t>
<t><list style="symbols">
<t>Removed duri description from token response as it is not needed.</t>
<t>Made the processing instruction more precise. </t>
<t>Added RFC5988 defined link relation type in the example. </t>
<t>Swaped the order of the authorization response and token response.
Now, token response gets explained first so that the reader will grasp the
basic concept according to RFC5988 and regards the authorization response
extension as a mapping of RFC5988 into query parameter form.</t>
</list></t>
<t>-05</t>
<t><list style="symbols">
<t>Factored out JSON Meta and now using query param and Web Linking.</t>
</list></t>
<t>-04</t>
<t><list style="symbols">
<t>Date refresh.</t>
</list></t>
<t>-03</t>
<t><list style="symbols">
<t>Date refresh.</t>
</list></t>
<t>-02</t>
<t><list style="symbols">
<t>Added Mike Kelly as an author.</t>
<t>xref fix.</t>
<t>Introduced "operations" as in
draft-ietf-scim-api-00#section-3.5.</t>
<t>Updated the informative reference to HAL.</t>
<t>Added description to OAuth Token Endpoint hrefs.</t>
<t>Added content-type to the example.</t>
<t>Added Area and Working Group.</t>
</list></t>
<t>-01</t>
<t><list style="symbols">
<t>Some format changes, reference fix, and typo fixes.</t>
<t>Changed 'items' to 'elements' to match the JSON terminology.</t>
</list></t>
<t>-00</t>
<t><list style="symbols">
<t>Initial Draft</t>
</list></t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119"?>
<?rfc include='reference.RFC.2616'?>
<?rfc include='reference.RFC.5988'?>
<?rfc include='reference.RFC.6749'?>
<?rfc include='reference.RFC.6750'?>
</references>
<references title="Informational References">
<?rfc include='reference.RFC.4627'?>
<?rfc include='reference.RFC.6570'?>
<reference anchor="HAL">
<front>
<title>JSON Hypermedia API Language</title>
<author fullname="Mike Kelly" initials="M." surname="Kelly">
<address>
<email>mike@stateless.co</email>
</address>
</author>
<date day="12" month="February" year="2013"/>
</front>
</reference>
<reference anchor="oauth-lrdd">
<front>
<title>Link Type Registrations for OAuth 2</title>
<author fullname="William J. Mills" initials="W. J. "
surname="Mills">
<address>
<email>wmills_92105@yahoo.com</email>
</address>
</author>
<date day="10" month="October" year="2012"/>
</front>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 01:18:47 |