The IESG has approved the following document:

- 'The OAuth 2.0 Authorization Framework: Bearer Token Usage'
  (draft-ietf-oauth-v2-bearer-23.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Stephen Farrell and Sean Turner.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-oauth-v2-bearer/

Technical Summary

   This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the granted resources, without demonstrating possession of a cryptographic key. To prevent misuse, the bearer token MUST be protected from disclosure in storage and in transport.

Working Group Summary

   The working group decided to develop two types of mechanisms for a client to access a protected resource. The second specification is being worked on as draft-ietf-oauth-v2-http-mac. The two specifications offer different security properties (a bearer token is usable by whoever holds it, whereas the MAC scheme requires the client to prove possession of a key), so that deployments can choose the one that meets their specific needs.

Document Quality

   This specification is implemented, deployed and used by Microsoft Access Control Service (ACS), Google Apps, Facebook Connect and the Graph API, Salesforce, Mitre, and many others. Source code is available as well, for example:

   http://static.springsource.org/spring-security/oauth/
   http://incubator.apache.org/projects/amber.html
   https://github.com/nov/rack-oauth2

   and many more, including those listed at https://github.com/teohm/teohm.github.com/wiki/OAuth

Personnel

   Hannes Tschofenig is the document shepherd. Stephen Farrell is the responsible AD.

RFC Editor Note

1) Please replace text in section 2.1 as follows:

OLD:

   The "Authorization" header field uses the framework defined by HTTP/1.1 [RFC2617] as follows:

NEW:

   The syntax of the "Authorization" header field for this scheme follows the usage of the Basic scheme defined in Section 2 of [RFC2617]. Note that, as with Basic, it does not conform to the generic syntax defined in Section 1.2 of [RFC2617], but that it is compatible with the general authentication framework being developed for HTTP 1.1 [I-D.ietf-httpbis-p7-auth], although it does not follow the preferred practice outlined therein in order to reflect existing deployments. The syntax for Bearer credentials is as follows:

2) Please add the informative reference needed by the above in section 7.2, to this Internet draft: http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth
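The announcement above makes two security-relevant points about the Bearer scheme: the Authorization header carries the token with no proof of key possession, and a disclosed token is a usable credential, so it must be protected in storage and in transit. The following resource-server check is an added illustration written for this page; it is not code from the draft, the IESG, or any of the implementations listed above. It assumes the b64token syntax and the WWW-Authenticate error codes of the published specification (RFC 6750), a hypothetical token store that keeps only SHA-256 digests of issued tokens, and a constructed sample token value; the header dictionary and the is_tls flag stand in for whatever a real framework provides.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Syntax of Bearer credentials as published in RFC 6750, section 2.1
# (assumed here; the announcement itself does not reproduce the ABNF):
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
#   credentials = "Bearer" 1*SP b64token
# HTTP authentication scheme names are matched case-insensitively.
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


@dataclass
class AuthResult:
    ok: bool
    subject: Optional[str] = None
    challenge: Optional[str] = None  # WWW-Authenticate value on failure


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the b64token from an Authorization header value, or None if the
    value is not well-formed Bearer credentials (wrong scheme, no token, extra
    fields, or characters outside the b64token alphabet)."""
    if authorization is None:
        return None
    parts = authorization.strip().split(None, 1)  # scheme, then the rest
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    if not _B64TOKEN.fullmatch(token):
        return None
    return token


# Constructed, hypothetical token store. Tokens are stored only as SHA-256
# digests so that a copy of the store does not yield usable bearers; this is
# one way to meet the "protected from disclosure in storage" requirement.
_TOKEN_STORE: Dict[str, str] = {
    hashlib.sha256(b"mF_9.B5f-4.1JqM").hexdigest(): "alice",
}


def authenticate(headers: Dict[str, str], is_tls: bool,
                 realm: str = "example") -> AuthResult:
    """Decide whether an incoming request carries a valid bearer token.

    - No credentials at all: answer with a bare challenge.
    - Credentials over plaintext HTTP: refuse them. A bearer sent in the
      clear is disclosed to anyone on the path, so the correct response is
      to reject (and ideally revoke) rather than honour it.
    - Malformed credentials: error="invalid_request".
    - Well-formed but unknown/expired token: error="invalid_token".
    """
    header = next((v for k, v in headers.items()
                   if k.lower() == "authorization"), None)
    if header is None:
        return AuthResult(False, challenge=f'Bearer realm="{realm}"')
    if not is_tls:
        return AuthResult(False, challenge=(
            f'Bearer realm="{realm}", error="invalid_request", '
            f'error_description="bearer tokens are only accepted over TLS"'))
    token = parse_bearer(header)
    if token is None:
        return AuthResult(False, challenge=(
            f'Bearer realm="{realm}", error="invalid_request"'))

    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    subject = None
    for stored_digest, stored_subject in _TOKEN_STORE.items():
        # Fixed-length hex digests compared in constant time; the loop does
        # not break early so the timing does not depend on which entry hit.
        if hmac.compare_digest(stored_digest, digest):
            subject = stored_subject
    if subject is None:
        return AuthResult(False, challenge=(
            f'Bearer realm="{realm}", error="invalid_token"'))
    return AuthResult(True, subject=subject)


if __name__ == "__main__":
    print(authenticate({"Authorization": "Bearer mF_9.B5f-4.1JqM"}, True))
    print(authenticate({"Authorization": "Bearer mF_9.B5f-4.1JqM"}, False))
```

The parser deliberately accepts only the b64token alphabet rather than any non-empty string: a token containing a comma or whitespace would be ambiguous under the RFC 2617 generic syntax that the RFC Editor Note says this scheme does not follow, so rejecting it early keeps the resource server's behaviour well defined regardless of how an upstream proxy splits header values.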