OAuth 2.0

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification and its extensions are being developed within the IETF OAuth Working Group.

Questions, suggestions and protocol changes should be discussed on the mailing list.

OAuth 2.0

• OAuth 2.0 Framework - RFC 6749
  • OAuth Scope
• OAuth Grant Types
  • Authorization Code
  • PKCE
  • Client Credentials
  • Device Code
  • Refresh Token
  • Legacy: Implicit Flow
  • Legacy: Password Grant
• Client Types - Confidential and Public Applications
• Bearer Tokens - RFC 6750
• Threat Model and Security Considerations - RFC 6819
• OAuth Security Best Current Practice

Mobile and Other Devices

• Native Apps - Recommendations for using OAuth with native apps
• Browser-Based Apps - Recommendations for using OAuth with browser-based apps (e.g. an SPA)
• Device Authorization Grant - OAuth for devices with no browser or no keyboard

Token and Token Management

• Token Introspection - RFC 7662, to determine the active state and meta-information of a token
• Token Revocation - RFC 7009, to signal that a previously obtained token is no longer needed
• JSON Web Token - RFC 7519

Discovery and Registration

• Authorization Server Metadata - RFC 8414, for clients to discover OAuth endpoints and authorization server capabilities
• Dynamic Client Registration - RFC 7591, to programmatically register OAuth clients
• Dynamic Client Registration Management - Experimental RFC 7592, for updating and managing dynamically registered OAuth clients

Experimental and Draft Specs

The specs below are either experimental or in draft status and are still active working group items. They will likely change before they are finalized as RFCs or BCPs.

• JWT Profile for Access Tokens
• Rich Authorization Requests (RAR)
• Pushed Authorization Requests (PAR)
• Demonstration of Proof of Possession (DPoP)
• Incremental Authorization
• OAuth WG Status Pages

Related Specs and Extensions

• OAuth Assertions Framework - RFC 7521
• SAML2 Bearer Assertion - RFC 7522, for integrating with existing identity systems
• JWT Bearer Assertion - RFC 7523, for integrating with existing identity systems
• WebAuthn - Web Authentication

Community Resources

• OAuth 2.0 Simplified
• Books about OAuth
  • OAuth 2.0 Simplified by Aaron Parecki
  • OAuth 2 in Action by Justin Richer and Antonio Sanso
  • Mastering OAuth 2.0 by Charles Bihis
  • OAuth 2.0 Cookbook by Adolfo Eloy Nascimento
• OAuth articles by Alex Bilbie

Protocols Built on OAuth 2.0

• OpenID Connect (OpenID Foundation)
• UMA 2.0 (Kantara)
• IndieAuth (W3C)

Code and Services

• OAuth 2.0 Code and Services

OAuth 2.1

• OAuth 2.1 - An in-progress update to simplify OAuth 2.0
• It's Time for OAuth 2.1 (by Aaron Parecki)

Legacy

• OAuth 1.0 and 1.0a