WG Action: RECHARTER: Web Authorization Protocol (oauth)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The Web Authorization Protocol (oauth) working group in the Security Area of the IETF has been rechartered.  For additional information, please contact the Area Directors or the working group Chairs.

Web Authorization Protocol (oauth)
------------------------------------------
Current Status: Active
Last updated: 2012-05-10

Chairs:
Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Derek Atkins <derek@ihtfp.com>

Security Area Directors:
Stephen Farrell <stephen.farrell@cs.tcd.ie>
Sean Turner <turners@ieca.com>

Security Area Advisor:
Stephen Farrell <stephen.farrell@cs.tcd.ie>

Technical Advisor:
Peter Saint-Andre <stpeter@stpeter.im>

Mailing Lists:
Address:      oauth@ietf.org
To Subscribe: https://www.ietf.org/mailman/listinfo/oauth
Archive:      http://www.ietf.org/mail-archive/web/oauth/

Description of Working Group:

The Web Authorization (OAuth) protocol allows a user to grant a
third-party Web site or application access to the user's protected
resources, without necessarily revealing their long-term credentials,
or even their identity. For example, a photo-sharing site that
supports OAuth could allow its users to use a third-party printing Web
site to print their private pictures, without allowing the printing
site to gain full control of the user's account and without having the
user share his or her photo-sharing sites' long-term credential with
the printing site.

The OAuth protocol suite encompasses 

* a procedure for allowing a client to discover an authorization 
 server, 
* a protocol for obtaining authorization tokens from an authorization 
 server with the resource owner's consent, 
* protocols for presenting these authorization tokens to protected 
 resources for access to a resource, and 
* consequently for sharing data in a security and privacy respective 
 way.

The working group also developed security schemes for presenting
authorization tokens to access a protected resource. This led to the
publication of the bearer token, as well as work that remains to be
completed on message authentication code (MAC) access authentication
and SAML assertions to interwork with existing identity management
solutions.  The working group will complete those remaining documents,
and will also complete documentation of the OAuth threat model that
was started under the previous charter.

The ongoing standardization effort within the OAuth working group will
focus on enhancing interoperability of OAuth deployments.  A standard
for a token revocation service, which can be separated from the
existing web tokens to the token repertoire will enable wider
deployment of OAuth.  Extended documentation of OAuth use cases will
enhance the understanding of the OAuth framework and provide
assistance to implementors.  And dynamic client registration will make
it easier to broadly deploy OAuth clients (performing services to
users).

Goals and Milestones

Done  Submit 'OAuth 2.0 Threat Model and Security Considerations' as a
  working group item
Done  Submit 'HTTP Authentication: MAC Authentication' as a working
  group item
Done  Submit 'The OAuth 2.0 Protocol: Bearer Tokens' to the IESG for
  consideration as a Proposed Standard
Done  Submit 'The OAuth 2.0 Authorization Protocol' to the IESG for
  consideration as a Proposed Standard

May  2012  Submit 'SAML 2.0 Bearer Assertion Profiles for OAuth 2.0' to
       the IESG for consideration as a Proposed Standard
May  2012  Submit 'OAuth 2.0 Assertion Profile' to the IESG for
       consideration as a Proposed Standard
May  2012  Submit 'An IETF URN Sub-Namespace for OAuth' to the IESG for
       consideration as a Proposed Standard
May  2012  Submit 'OAuth 2.0 Threat Model and Security Considerations'
       to the IESG for consideration as an Informational RFC

Aug. 2012  Submit 'Token Revocation' to the IESG for consideration as a
       Proposed Standard
[Starting point for the work will be
http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/]

Nov. 2012  Submit 'JSON Web Token (JWT)' to the IESG for consideration
       as a Proposed Standard
[Starting point for the work will be
http://tools.ietf.org/html/draft-jones-json-web-token]

Nov. 2012  Submit 'JSON Web Token (JWT) Bearer Token Profiles for OAuth
       2.0' to the IESG for consideration as a Proposed Standard
[Starting point for the work will be
http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer]

Dec. 2012  Submit 'HTTP Authentication: MAC Authentication' to the IESG
       for consideration as a Proposed Standard

Dec. 2012  Submit 'OAuth Use Cases' to the IESG for consideration as an
       Informational RFC
[Starting point for the work will be
http://tools.ietf.org/html/draft-zeltsan-oauth-use-cases]

Jul. 2013  Submit 'OAuth Dynamic Client Registration Protocol' to the
       IESG for consideration as a Proposed Standard
[Starting point for the work will be
http://tools.ietf.org/html/draft-hardjono-oauth-dynreg]



[Index of Archives]     [IETF]     [IETF Discussion]     [Linux Kernel]

  Powered by Linux