Appendix A - IETF RFCs Relating to OAuth 2.0

RFC number and title, followed by a high level description of each.

RFC 6749 - The OAuth 2.0 Authorization Framework
The core OAuth 2.0 RFC defining the authorisation framework.

RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
How to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources without demonstrating possession of a cryptographic key. To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport (in practice: TLS on every hop, no tokens in URLs or logs, and short lifetimes).


Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
Common framework for OAuth 2.0 to interact with other identity systems using an assertion, both as an authorisation grant and as an alternative client authentication mechanism. The SAML and JWT profiles below build on it.

RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
The use of a SAML 2.0 Bearer Assertion as a means for requesting an OAuth 2.0 access token as well as for client authentication.

RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
The use of a JWT Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.

RFC 6819 - OAuth 2.0 Threat Model and Security Considerations
Security considerations for OAuth beyond those in the OAuth 2.0 specification, based on a comprehensive threat model for the OAuth 2.0 protocol.

RFC 7591 - OAuth 2.0 Dynamic Client Registration Protocol
Mechanisms for dynamically registering OAuth 2.0 clients with authorisation servers.

RFC 7592 - OAuth 2.0 Dynamic Client Registration Management Protocol
Methods for the management of OAuth 2.0 dynamic client registrations, for use cases in which the properties of a registered client may need to be changed during the lifetime of the client.

RFC 7662 - OAuth 2.0 Token Introspection
Method for a protected resource to query an OAuth 2.0 authorisation server to determine the active state of an OAuth 2.0 token and to obtain meta-information about it. Provides the authorisation context of the token from the authorisation server to the protected resource.

RFC 7519 - JSON Web Token (JWT)
URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
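The following is an added example (not text or code from RFC 7519, RFC 7523 or this page) covering both the JWT entry and the JWT profile entry above: it mints and verifies an HS256 JWT in JWS compact serialisation, then applies the checks RFC 7523 section 3 requires before a JWT is accepted as client authentication at the token endpoint (iss and sub equal the client_id, aud names the token endpoint, exp is present and unexpired, jti not replayed). The shared key, client id and token endpoint URL are constructed for the example; the header alg is pinned to HS256 so an attacker cannot substitute "none" or another algorithm.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """JWS compact serialisation (RFC 7519 section 7.1) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes) -> dict:
    """Verify the signature before trusting any claim. The expected alg is
    pinned rather than read from the token: honouring whatever alg the header
    names lets an attacker present alg "none" or a different algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def verify_client_assertion(token, key, client_id, token_endpoint, now=None, seen_jti=None):
    """RFC 7523 section 3 checks for a JWT used as client authentication.
    seen_jti, when given, is the set of jti values already accepted; passing it
    turns the optional jti claim into a replay check."""
    now = time.time() if now is None else now
    claims = verify_jwt(token, key)
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must both be the client_id")
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not aud or token_endpoint not in aud:
        raise ValueError("aud must identify this token endpoint")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("assertion has no exp or has expired")
    if "nbf" in claims and claims["nbf"] > now:
        raise ValueError("assertion not yet valid")
    if seen_jti is not None:
        jti = claims.get("jti")
        if jti is None or jti in seen_jti:
            raise ValueError("jti missing or replayed")
        seen_jti.add(jti)
    return claims


if __name__ == "__main__":
    KEY = b"client-secret-shared-with-the-AS"   # constructed for the example
    ENDPOINT = "https://as.example.com/token"   # hypothetical token endpoint
    claims = {"iss": "client-123", "sub": "client-123", "aud": ENDPOINT,
              "exp": int(time.time()) + 300, "jti": "n-0S6_WzA2Mj"}
    assertion = mint_jwt(claims, KEY)
    print(verify_client_assertion(assertion, KEY, "client-123", ENDPOINT, seen_jti=set()))
```

A production verifier would normally use an asymmetric algorithm (RS256/ES256) with the client's registered public key so the authorisation server never holds a secret that could be used to forge the client's assertions; the claim checks are the same.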

RFC 7800 - Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
How to declare in a JWT that the presenter of the JWT possesses a particular proof-of-possession key, and how the recipient can cryptographically confirm proof of possession of the key by the presenter.

RFC 7009 - OAuth 2.0 Token Revocation
Proposes an additional endpoint for OAuth authorisation servers. This allows clients to notify the authorisation server that a previously obtained refresh or access token is no longer needed, which enables the authorisation server to clean up security
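The following is an added example (not code from any of the RFCs or from this page) that ties together the bearer token, introspection and revocation entries: a resource server extracts the token from the Authorization header exactly as RFC 6750 section 2.1 defines it, asks an in-memory stand-in for the authorisation server's introspection endpoint whether the token is active, answers with the RFC 6750 section 3 WWW-Authenticate errors, and stops accepting the token once the client has revoked it. The realm, scopes, client and subject names are constructed for the demonstration.

```python
import re
import secrets
import time

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
_BEARER = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$")


class AuthorizationServer:
    """In-memory stand-in for the AS's token store, introspection endpoint
    (RFC 7662) and revocation endpoint (RFC 7009). Constructed for this example."""

    def __init__(self):
        self._tokens = {}

    def issue(self, client_id, sub, scope, ttl=3600, now=None):
        now = int(time.time() if now is None else now)
        token = secrets.token_urlsafe(32)  # opaque bearer token, 256 bits of entropy
        self._tokens[token] = {"client_id": client_id, "sub": sub, "scope": scope,
                               "iat": now, "exp": now + ttl, "token_type": "Bearer"}
        return token

    def introspect(self, token, now=None):
        """RFC 7662 section 2.2: unknown, expired and revoked tokens all yield
        {"active": false}, so the caller cannot tell which case applied."""
        now = time.time() if now is None else now
        meta = self._tokens.get(token)
        if meta is None or meta["exp"] <= now:
            return {"active": False}
        return {"active": True, **meta}

    def revoke(self, token):
        """RFC 7009 section 2.2: the response is 200 whether or not the token was
        valid, so the revocation endpoint cannot be used to probe for live tokens."""
        self._tokens.pop(token, None)
        return 200


def extract_bearer(headers):
    """Returns ("ok", token), ("missing", None) or ("malformed", None)."""
    auth = headers.get("Authorization")
    if auth is None:
        return "missing", None
    m = _BEARER.match(auth)
    return ("ok", m.group(1)) if m else ("malformed", None)


def protected_resource(headers, as_, required_scope, now=None):
    """Resource server handling one request; returns (status, headers, body).
    Error codes and the WWW-Authenticate challenge follow RFC 6750 section 3."""
    realm = 'realm="api"'
    state, token = extract_bearer(headers)
    if state == "missing":
        return 401, {"WWW-Authenticate": "Bearer " + realm}, ""
    if state == "malformed":
        return 400, {"WWW-Authenticate": 'Bearer %s, error="invalid_request"' % realm}, ""
    info = as_.introspect(token, now)
    if not info["active"]:
        return 401, {"WWW-Authenticate": 'Bearer %s, error="invalid_token"' % realm}, ""
    if required_scope not in info["scope"].split():
        challenge = 'Bearer %s, error="insufficient_scope", scope="%s"' % (realm, required_scope)
        return 403, {"WWW-Authenticate": challenge}, ""
    return 200, {}, "hello " + info["sub"]


if __name__ == "__main__":
    as_ = AuthorizationServer()
    tok = as_.issue("mobile-app", "alice", "read write")
    print(protected_resource({"Authorization": "Bearer " + tok}, as_, "read"))
    as_.revoke(tok)  # client tells the AS it no longer needs the token
    print(protected_resource({"Authorization": "Bearer " + tok}, as_, "read"))
```

In a real deployment the introspection call is itself an authenticated HTTPS request from the resource server to the authorisation server, and its result is usually cached for a short time; the cache lifetime bounds how long a revoked token keeps working.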


RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients
OAuth 2.0 public clients utilising the Authorisation Code Grant are susceptible to the authorisation code interception attack. This specification describes the attack as well as a technique to mitigate the threat through the use of Proof Key for Code Exchange (PKCE).
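The following is an added example (not code from RFC 7636 or from this page) of the PKCE mechanism: the client generates a code_verifier, sends the S256 code_challenge with the authorisation request, and must present the original verifier at the token endpoint; a simulated authorisation server binds each code to its challenge and rejects a redemption whose verifier does not hash to it. The only value taken from the RFC is the Appendix B test vector used in the check below; the client id and the simulated server are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43-128 characters of [A-Za-z0-9-._~] with at least
    256 bits of entropy; 32 random bytes base64url-encode to 43 characters."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Simulated AS holding the code -> (client_id, code_challenge) binding."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # The RFC also defines method "plain" (challenge == verifier). A server
        # that can insist on S256 should, since a plain challenge gives no
        # protection to a client whose authorisation request is observed.
        if method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Returns an access token, or None where a real AS would answer invalid_grant."""
        entry = self._codes.pop(code, None)  # authorisation codes are single use
        if entry is None:
            return None
        bound_client, challenge = entry
        if bound_client != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        # Compare the transformed verifier with the stored challenge in constant time.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None
        return secrets.token_urlsafe(32)


def interception_scenario():
    """The attack of RFC 7636 section 1: a malicious app on the same device
    registers the same custom URI scheme and receives the redirect carrying
    the code, but never saw the verifier. Returns three booleans: the attacker
    got no token, the code is burned for the legitimate client too (single use),
    and a fresh code redeemed with the right verifier succeeds."""
    as_ = AuthorizationServer()
    verifier = make_code_verifier()
    code = as_.authorize("native-app", code_challenge_s256(verifier))
    attacker_failed = as_.token("native-app", code, make_code_verifier()) is None
    code_burned = as_.token("native-app", code, verifier) is None
    code2 = as_.authorize("native-app", code_challenge_s256(verifier))
    legit_ok = as_.token("native-app", code2, verifier) is not None
    return attacker_failed, code_burned, legit_ok


if __name__ == "__main__":
    print(interception_scenario())
```

The burned-code outcome is deliberate: RFC 6749 section 4.1.2 already requires a code to be rejected after first use, so a stolen code that the attacker tries first costs the user a retry rather than a token.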

Page last updated: 19/12/2016