-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathdraft-balfanz-signedoauth2-00.xml
149 lines (146 loc) · 6.61 KB
/
draft-balfanz-signedoauth2-00.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="no" ?>
<?rfc toc="yes"?>
<?rfc tocdepth="4"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc private="Draft" ?>
<?rfc comments="no"?>
<?rfc inline="no"?>
<!-- end of list of popular I-D processing instructions -->
<rfc category="info" docName="draft-balfanz-signedoauth-00" >
<!-- ***** FRONT MATTER ***** -->
<front>
<title abbrev="OAuth2 Signed Tokens">OAuth2 Signed Tokens</title>
<author fullname="Dirk Balfanz" initials="D.B." role="editor" surname="Balfanz">
<organization>Google Inc.</organization>
<address>
<postal>
<street>1600 Ampitheatre Parkway</street>
<!-- Reorder these if your country does things differently -->
<city>Mountain View</city>
<region>CA</region>
<code/>
<country>USA</country>
</postal>
<phone/>
<email>[email protected]</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<date month="September" year="2010"/>
<!-- Meta-data Declarations -->
<area>General</area>
<workgroup>Internet Engineering Task Force</workgroup>
<keyword>signatures</keyword>
<keyword>PKI</keyword>
<abstract>
<t>This document describes how to cryptographically bind an
OAuth token and (parts of an) HTTP request to
a <xref target="JsonTokens">JSON tokens</xref>.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>OAuth2 Signed Tokens are <xref target="JsonTokens">JSON
Tokens</xref> with additional payload parameters and a specific
envelope data type. We include an OAuth2 Signed Token in the
Authorization header of an HTTP request to ensure integrity of
the transmitted request.</t>
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119">RFC 2119</xref>.</t>
</section>
</section>
<section title="OAuth2 Signed Token Parameters" anchor="params">
<t>OAuth2 Signed Tokens are <xref target="JsonTokens">JSON
Tokens</xref> with the following additional payload parameters:
<list style="hanging">
<t hangText="method">The HTTP method used to execute the
HTTP request. Type: string.</t>
<t hangText="nonce">Used to prevent replay
attacks. Receivers of OAuth2 Signed Token may verify that
nonces have not been previously used within a reasonable
interval. Type: string</t>
<t hangText="body_hash">(optional) The
base64url-encoded hash of the request body. Which
hash algorithm is used depends on the signature algorithm
specified in the Magic Signature envelope. Type: string</t>
<t hangText="token">The OAuth token. Type: string</t>
</list>
</t>
</section>
<section title="OAuth2 Signed Token Data Type">
<t>OAuth2 Signed Tokens SHALL use the data type
"application/oauth-token+json" for the data type element in the
Magic Signature envelope.</t>
</section>
<section title="Generating OAuth2 Signed Tokens" anchor="generation">
<t>OAuth Clients generate OAuth2 Signed Tokens. The Client must
use its client id as the issuer value in the token
payload. They must use the URL of the Protected Resource as
the audience value in the payload.</t>
<t>Senders should set the token_lifetime in the token payload
to a short lifetime, e.g., 1 minute.</t>
<t>Clients include a OAuth2 signed token into the authorization
header as follows:
<figure><artwork><![CDATA[
Authorization: Token signed_token="<the OAuth2 signed token>"
]]></artwork></figure></t>
</section>
<section title="Validating OAuth2 Signed Tokens">
<t>Receivers of OAuth2 Signed Tokens proceed as follows to
validate an incoming HTTP request:
<list style="numbers">
<t>They validate the JSON Tokens as explained in
the <xref target="JsonTokens">JSON Token spec</xref>.</t>
<t>They verify the correct data type in the Magic Signature
envelope.</t>
<t>They verify that the method in the token payload equals
the method used to access the HTTP resource</t>
<t>They verify that the audience in the token payload
matches the URI used to access the HTTP resource.</t>
<t>They may verify that the token nonce has not been used
within the lifetime of the token.</t>
<t>If the body_hash field is present, they should verify
that the received request body hashes to the specified
value.</t>
</list>
If all these steps succeed, then the token in the payload can
be used to determine access control decisions for the
protected resource.
</t>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<!-- References split into informative and normative -->
<!-- There are 2 ways to insert reference entries from the citation libraries:
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")
Both are cited textually in the same manner: by using xref elements.
If you use the PI option, xml2rfc will, by default, try to find included files in the same
directory as the including file. You can also define the XML_LIBRARY environment variable
with a value containing a set of directories to search. These can be either in the local
filing system or remote ones accessed by http (http://domain/dir/... ).-->
<references title="Normative References"><!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->
&RFC2119;
<reference anchor="JsonTokens"
target="http://balfanz.github.com/jsontoken-spec/draft-balfanz-jsontoken-00.html">
<front><title>JSON Tokens</title>
<author initials="D.B." surname="Balfanz" fullname="Dirk Balfanz">
<organization/>
</author>
</front>
</reference>
</references>
</back>
</rfc>