identity 1.0 documentation

OAuth 2.0 Multiple Response Type Encoding Practices

«  Assertion Framework for OAuth 2.0   ::   Contents   ::   HTTP Authentication: MAC Access Authentication  »

OAuth 2.0 Multiple Response Type Encoding Practices

Based on draft 03 ( http://openid.bitbucket.org/oauth-v2-multiple-response-types-1_0.html ) ( December 21, 2011 )

Abstract

This specification aims to provide guidance on proper encoding of responses to OAuth 2.0 Authorization requests, where the request specifies a response type that includes space characters.

This specification also serves as the registration document for several specific new response types, in accordance with the stipulations [1] of the OAuth Parameters Registry.

[1]a restriction that is insisted upon as a condition for an agreement, TheFreeDictionary ( http://www.thefreedictionary.com/stipulation )

(draft 03)

1. Introduction

(draft 03)

1.1. Requirements Notation and Conventions

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119] .

Throughout this document, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value.

(draft 03)

1.2. Terminology

This specification uses the terms Access Token, Refresh Token, Authorization Code, Authorization Grant, Authorization Server, Authorization Endpoint, Client, Client Identifier, Client Secret, Protected Resource, Resource Owner, Resource Server, and Token Endpoint defined by OAuth 2.0 [OAuth2.0]. This specification also defines the following terms:

Client and Server
In the traditional client-server authentication model, the client requests an access restricted resource (Protected Resource) on the server by authenticating with the server using the Resource Owner‘s credentials.
Authorization Endpoint
A web resource maintained by the server, and used to obtain authorization (grant) from the Resource Owner via User-Agent redirection.
Response Type
The Client informs the Authorization Server of the desired authorization processing flow using the parameter response_type.
Authorization Endpoint Response Type Registry
Process established by the OAuth 2.0 specification for the registration of new response_type parameters.
Multiple-Valued Response Types
The OAuth 2.0 specification allows for registration of space-separated response_type values. If a response type contains one of more space characters (%20), it is compared as a space-delimited list of values in which the order of values does not matter.

(draft 03)

2. Encoding Multiple-Valued Response Types

This specification does not provide guidance if, in a request, response_type includes a value that requires the server to return data partially encoded in the query string and partially encoded in the fragment.

Otherwise, if a multiple-valued response type is defined, then it is RECOMMENDED that the following encoding rules be applied for the issued response.

If, in a request, response_type includes only values that require the server to return data fully encoded within the query string then the returned data in the response for this multiple-valued response_type MUST be fully encoded within the query string. This recommendation applies to both success and error responses.

If, in a request, response_type includes any value that requires the server to return data fully encoded within the fragment then the returned data in the response for this multiple-valued response_type MUST be fully encoded within the fragment. This recommendation applies to both success and error responses.

Rationale [2] : Whenever response_type values include fragment-encoded parts, a User-Agent Client component must be involved to complete processing of the response. If a new query parameter is added to the Client URI, it will cause the User-Agent to re-fetch the Client URI, causing discontinuity of operation of the User-Agent based Client components. If only fragment encoding is used, the User-Agent will simply reactivate the Client component which may then process the fragment and also convey any parameters to a Client host as necessary, e.g., via XmlHttpRequest. Therefore, full fragment encoding always results in lower latency for response processing.

[2]1. Fundamental reasons; the basis. 2. An exposition of principles or reasons. - TheFreeDictionary ( http://www.thefreedictionary.com/Rationale )

Note

  • Rationale should be written in easier English.
  • Too many un-defined words...

3. ID Token Response Type

This section registers a new response type, the id_token, in accordance with the stipulations in the OAuth 2.0 specification, Section 8.4.

The intended purpose of the id_token is that it MUST provide an assertion of the identity of the Resource Owner as understood by the server. The assertion MUST specify a targeted audience, e.g. the requesting Client. However, the specific semantics of the assertion and how it can be validated are not specified in this document.

id_token
If supplied as the response_type parameter in an OAuth 2.0 Authorization Request, a successful response should include the parameter id_token encoded in the fragment of the response URI.

Returning the id_token in a fragment reduces the likelihood that the id_token leaks during transport and mitigates the associated risks to the privacy of the user (Resource Owner).

(draft 03)

4. None Response Type

This section registers the response type none, in accordance with the stipulations in the OAuth 2.0 specification, Section 8.4. The intended purpose is to enable use cases where a party requests the server to register a grant of access to a Protected Resource on behalf of a Client but requires no access credentials to be returned to the Client at that time. The means by which the Client eventually obtains the access credentials is left unspecified here.

One scenario is where a user wishes to purchase an application from a market, and desires to authorize application installation and grant the application access to Protected Resources in a single step. However, since the user is not presently interacting with the (not yet active) application, it is not appropriate to return access credentials simultaneously in the authorization step.

none
When supplied as the response_type parameter in an OAuth 2.0 authorization request, the Authorization Server SHOULD NOT return an OAuth 2.0 code nor a token in a successful response to the grant request. If a redirect_uri is supplied, the User-Agent SHOULD be redirected there after granting or denying access. The request MAY include a state parameter, and if so the server MUST echo its value by adding it to the redirect_uri when issuing a successful response. Any parameters added to the redirect_uri should be query encoded. This applies to both successful responses and error responses.

The response type none SHOULD NOT be combined with other response types.

(draft 03)

5. Registration of Some Multiple-Valued Response Type Combinations

This section registers combinations of the values code, token, and id_token, which are each individually registered response types.

code token
When supplied as the value for the response_type parameter, a successful response MUST include both an Access Token and an Authorization Code as defined in the OAuth 2.0 specification. Both successful and error responses SHOULD be fragment-encoded.
code id_token
When supplied as the value for the response_type parameter, a successful response MUST include both an Authorization Code as well as an id_token. Both success and error responses SHOULD be fragment-encoded.
id_token token
When supplied as the value for the response_type parameter, a successful response MUST include both an Access Token as well as an id_token. Both success and error responses SHOULD be fragment-encoded.
code id_token token
When supplied as the value for the response_type parameter, a successful response MUST include an Authorization Code, an id_token, and an Access Token. Both success and error responses SHOULD be fragment-encoded.

A non-normative request/response example as issued/received by the User-Agent:

GET https://server.example.com/authorize?
response_type=token%20id_token
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb
&state=af0ifjsldkj HTTP/1.1

HTTP/1.1 302 Found
Location: https://client.example.com/cb#
access_token=SlAV32hkKG
&token_type=bearer
&id_token=1234567.SlAV32hkKG.abcde1234
&expires_in=3600
&state=af0ifjsldkj

(draft 03)

6. IANA Considerations

This document makes no requests of IANA.

(draft 03)

7. Normative References

OAuth2.0
Hammer-Lahav, E., Ed., Recordon, D., and D. Hardt, “OAuth 2.0 Authorization Protocol,” September 2011.
RFC2119
Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).

(draft 03)

«  Assertion Framework for OAuth 2.0   ::   Contents   ::   HTTP Authentication: MAC Access Authentication  »