This specification aims to provide guidance on proper encoding of responses to OAuth 2.0 Authorization Requests, where the request specifies a response type that includes space characters.
This specification also serves as the registration document for several specific new response types, in accordance with the stipulations of the OAuth Parameters Registry.
1.1. Requirements Notation and Conventions
2. Encoding Multiple-Valued Response Types
3. ID Token Response Type
4. None Response Type
5. Registration of Some Multiple-Valued Response Type Combinations
6. IANA Considerations
6.1. Registry Contents
7. Normative References
Appendix A. Acknowledgements
Appendix B. Notices
Appendix C. Document History
§ Authors' Addresses
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) .
Throughout this document, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value.
This specification uses the terms "Access Token", "Refresh Token", "Authorization Code", "Authorization Grant", "Authorization Server", "Authorization Endpoint", "Client", "Client Identifier", "Client Secret", "Protected Resource", "Resource Owner", "Resource Server", and "Token Endpoint" defined by OAuth 2.0 (Hardt, D., “The OAuth 2.0 Authorization Framework,” October 2012.) [RFC6749]. This specification also defines the following terms:
- Client and Server
- In the traditional client-server authentication model, the client requests an access restricted resource (Protected Resource) on the server by authenticating with the server using the Resource Owner's credentials.
- Response Type
- The Client informs the Authorization Server of the desired authorization processing flow using the parameter response_type.
- Authorization Endpoint Response Type Registry
- Process established by the OAuth 2.0 specification for the registration of new response_type parameters.
- Multiple-Valued Response Types
- The OAuth 2.0 specification allows for registration of space-separated response_type values. If a response type contains one of more space characters (%20), it is compared as a space-delimited list of values in which the order of values does not matter.
This specification does not provide guidance if, in a request, response_type includes a value that requires the server to return data partially encoded in the query string and partially encoded in the fragment.
Otherwise, if a multiple-valued response type is defined, then it is RECOMMENDED that the following encoding rules be applied for the issued response.
If, in a request, response_type includes only values that require the server to return data fully encoded within the query string then the returned data in the response for this multiple-valued response_type MUST be fully encoded within the query string. This recommendation applies to both success and error responses.
If, in a request, response_type includes any value that requires the server to return data fully encoded within the fragment then the returned data in the response for this multiple-valued response_type MUST be fully encoded within the fragment. This recommendation applies to both success and error responses.
Rationale: Whenever response_type values include fragment encoded parts, a User-Agent Client component must be involved to complete processing of the response. If a new query parameter is added to the Client URI, it will cause the User-Agent to re-fetch the Client URI, causing discontinuity of operation of the User-Agent based Client components. If only fragment encoding is used, the User-Agent will simply reactivate the Client component, which can then process the fragment and also convey any parameters to a Client host as necessary, e.g., via XmlHttpRequest. Therefore, full fragment encoding always results in lower latency for response processing.
Furthermore, there are security implications to encoding values in the query string. The HTTP Referer header includes query parameters, and so any values encoded in query parameters will leak to third parties. Thus, while it is safe to encode an Authorization Code as a query parameter when using a Confidential Client (because it can't be used without the Client Secret, which third parties won't have), more sensitive information such as Access Tokens and ID Tokens MUST NOT be encoded in the query string.
This specification uses "SHOULD" rather than "MUST" when specifying the use of fragment encoding to leave open the possibility of using other safe parameter transmission mechanisms in the future, such as postMessage. These "SHOULDs" MUST NOT be interpreted as permitting query encoding.
This section registers a new response type, the id_token, in accordance with the stipulations in the OAuth 2.0 specification, Section 8.4. The intended purpose of the id_token is that it MUST provide an assertion of the identity of the Resource Owner as understood by the server. The assertion MUST specify a targeted audience, e.g. the requesting Client. However, the specific semantics of the assertion and how it can be validated are not specified in this document.
- When supplied as the response_type parameter in an OAuth 2.0 Authorization Request, a successful response MUST include the parameter id_token, which SHOULD be encoded in the fragment of the response URI. The Authorization Server SHOULD NOT return an OAuth 2.0 Authorization Code, Access Token, or Access Token Type in a successful response to the grant request. If a redirect_uri is supplied, the User-Agent SHOULD be redirected there after granting or denying access. The request MAY include a state parameter, and if so, the server MUST echo its value by adding it to the redirect_uri when issuing either a successful response or an error response. Any parameters added to the redirect_uri SHOULD be fragment encoded and MUST NOT be query encoded. This applies to both successful responses and error responses.
Returning the id_token in a fragment reduces the likelihood that the id_token leaks during transport and mitigates the associated risks to the privacy of the user (Resource Owner).
This section registers the response type none, in accordance with the stipulations in the OAuth 2.0 specification, Section 8.4. The intended purpose is to enable use cases where a party requests the server to register a grant of access to a Protected Resource on behalf of a Client but requires no access credentials to be returned to the Client at that time. The means by which the Client eventually obtains the access credentials is left unspecified here.
One scenario is where a user wishes to purchase an application from a market, and desires to authorize application installation and grant the application access to Protected Resources in a single step. However, since the user is not presently interacting with the (not yet active) application, it is not appropriate to return access credentials simultaneously in the authorization step.
- When supplied as the response_type parameter in an OAuth 2.0 Authorization Request, the Authorization Server SHOULD NOT return an OAuth 2.0 Authorization Code, Access Token, or Access Token Type in a successful response to the grant request. If a redirect_uri is supplied, the User-Agent SHOULD be redirected there after granting or denying access. The request MAY include a state parameter, and if so, the server MUST echo its value by adding it to the redirect_uri when issuing either a successful response or an error response. Any parameters added to the redirect_uri SHOULD be query encoded. This applies to both successful responses and error responses.
The response type none SHOULD NOT be combined with other response types.
This section registers combinations of the values code, token, and id_token, which are each individually registered response types.
- code token
- When supplied as the value for the response_type parameter, a successful response MUST include an Access Token, an Access Token Type, and an Authorization Code. Both successful and error responses SHOULD be fragment encoded and MUST NOT be query encoded.
- code id_token
- When supplied as the value for the response_type parameter, a successful response MUST include both an Authorization Code and an id_token. Both successful and error responses SHOULD be fragment encoded and MUST NOT be query encoded.
- id_token token
- When supplied as the value for the response_type parameter, a successful response MUST include an Access Token, an Access Token Type, and an id_token. Both successful and error responses SHOULD be fragment encoded and MUST NOT be query encoded.
- code id_token token
- When supplied as the value for the response_type parameter, a successful response MUST include an Authorization Code, an id_token, an Access Token, and an Access Token Type. Both successful and error responses SHOULD be fragment encoded and MUST NOT be query encoded.
For all these response types, the request MAY include a state parameter, and if so, the server MUST echo its value by adding it to the redirect_uri when issuing either a successful response or an error response.
A non-normative request/response example as issued/received by the User-Agent (with extra line breaks for display purposes only) is:
GET /authorize? response_type=id_token%20token &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &state=af0ifjsldkj HTTP/1.1 Host: server.example.com
HTTP/1.1 302 Found Location: https://client.example.org/cb# access_token=SlAV32hkKG &token_type=bearer &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso &expires_in=3600 &state=af0ifjsldkj
This specification registers the response_type values defined by this specification in the IANA OAuth Authorization Endpoint Response Types registry [RFC6749] (Hardt, D., “The OAuth 2.0 Authorization Framework,” October 2012.).
|[RFC2119]||Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).|
|[RFC6749]||Hardt, D., “The OAuth 2.0 Authorization Framework,” RFC 6749, October 2012 (TXT).|
The OpenID Community would like to thank the following people for the work they've done in the drafting and editing of this specification.
Naveen Agarwal (email@example.com), Google
John Bradley (firstname.lastname@example.org), Ping Identity
Michael B. Jones (email@example.com), Microsoft
Breno de Medeiros (firstname.lastname@example.org), Google
Nat Sakimura (email@example.com), Nomura Research Institute, Ltd.
David Recordon (firstname.lastname@example.org), Facebook
Marius Scurtescu (email@example.com), Google
Paul Tarjan (firstname.lastname@example.org), Facebook
Copyright (c) 2013 The OpenID Foundation.
The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.
[[ To be removed from the final specification ]]
|Breno de Medeiros (editor)|
|Michael B. Jones|