12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, January 1999.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
Leach, P., Luotonen, A., and L. Stewart, "HTTP
Authentication: Basic and Digest Access Authentication",
RFC 2617, June 1999.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of
ISO 10646", STD 63, RFC 3629, November 2003.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005.
[RFC4627] Crockford, D., "The application/json Media Type for
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
RFC 4949, August 2007.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011.
[USASCII] American National Standards Institute, "Coded Character
Set -- 7-bit American Standard Code for Information
Interchange", ANSI X3.4, 1986.
Raggett, D., Le Hors, A., and I. Jacobs, "HTML 4.01
Specification", World Wide Web Consortium
Recommendation REC-html401-19991224, December 1999,
Bray, T., Paoli, J., Sperberg-McQueen, C., Maler, E.,
and F. Yergeau, "Extensible Markup Language (XML) 1.0
(Fifth Edition)", World Wide Web Consortium
Recommendation REC-xml-20081126, November 2008,
12.2. Informative References
Hammer-Lahav, E., Ed., "HTTP Authentication: MAC Access
Authentication", Work in Progress, February 2012.
Campbell, B. and C. Mortimore, "SAML 2.0 Bearer Assertion
Profiles for OAuth 2.0", Work in Progress, September 2012.
Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
Threat Model and Security Considerations", Work
in Progress, October 2012.
Hardt, D., Ed., Tom, A., Eaton, B., and Y. Goland, "OAuth
Web Resource Authorization Profiles", Work in Progress,
[RFC5849] Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849,
[RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
Framework: Bearer Token Usage", RFC 6750, October 2012.
Appendix A. Augmented Backus-Naur Form (ABNF) Syntax
This section provides Augmented Backus-Naur Form (ABNF) syntax
descriptions for the elements defined in this specification using the
notation of [RFC5234]. The ABNF below is defined in terms of Unicode
code points [W3C.REC-xml-20081126]; these characters are typically
encoded in UTF-8. Elements are presented in the order first defined.
Some of the definitions that follow use the "URI-reference"
definition from [RFC3986].
Some of the definitions that follow use these common definitions:
VSCHAR = %x20-7E
NQCHAR = %x21 / %x23-5B / %x5D-7E
NQSCHAR = %x20-21 / %x23-5B / %x5D-7E
UNICODECHARNOCRLF = %x09 /%x20-7E / %x80-D7FF /
%xE000-FFFD / %x10000-10FFFF
(The UNICODECHARNOCRLF definition is based upon the Char definition
in Section 2.2 of [W3C.REC-xml-20081126], but omitting the Carriage
Return and Linefeed characters.)
A.1. "client_id" Syntax
The "client_id" element is defined in Section 2.3.1:
client-id = *VSCHAR
A.2. "client_secret" Syntax
The "client_secret" element is defined in Section 2.3.1:
client-secret = *VSCHAR
A.3. "response_type" Syntax
The "response_type" element is defined in Sections 3.1.1 and 8.4:
response-type = response-name *( SP response-name )
response-name = 1*response-char
response-char = "_" / DIGIT / ALPHA
A.17. "refresh_token" Syntax
The "refresh_token" element is defined in Sections 5.1 and 6:
refresh-token = 1*VSCHAR
A.18. Endpoint Parameter Syntax
The syntax for new endpoint parameters is defined in Section 8.2:
param-name = 1*name-char
name-char = "-" / "." / "_" / DIGIT / ALPHA
Appendix B. Use of application/x-www-form-urlencoded Media Type
At the time of publication of this specification, the
"application/x-www-form-urlencoded" media type was defined in
Section 17.13.4 of [W3C.REC-html401-19991224] but not registered in
the IANA MIME Media Types registry
(<http://www.iana.org/assignments/media-types>). Furthermore, that
definition is incomplete, as it does not consider non-US-ASCII
To address this shortcoming when generating payloads using this media
type, names and values MUST be encoded using the UTF-8 character
encoding scheme [RFC3629] first; the resulting octet sequence then
needs to be further encoded using the escaping rules defined in
When parsing data from a payload using this media type, the names and
values resulting from reversing the name/value encoding consequently
need to be treated as octet sequences, to be decoded using the UTF-8
character encoding scheme.
For example, the value consisting of the six Unicode code points
(1) U+0020 (SPACE), (2) U+0025 (PERCENT SIGN),
(3) U+0026 (AMPERSAND), (4) U+002B (PLUS SIGN),
(5) U+00A3 (POUND SIGN), and (6) U+20AC (EURO SIGN) would be encoded
into the octet sequence below (using hexadecimal notation):
20 25 26 2B C2 A3 E2 82 AC
and then represented in the payload as:
Appendix C. Acknowledgements
The initial OAuth 2.0 protocol specification was edited by David
Recordon, based on two previous publications: the OAuth 1.0 community
specification [RFC5849], and OAuth WRAP (OAuth Web Resource
Authorization Profiles) [OAuth-WRAP]. Eran Hammer then edited many
of the intermediate drafts that evolved into this RFC. The Security
Considerations section was drafted by Torsten Lodderstedt, Mark
McGloin, Phil Hunt, Anthony Nadalin, and John Bradley. The section
on use of the "application/x-www-form-urlencoded" media type was
drafted by Julian Reschke. The ABNF section was drafted by Michael
The OAuth 1.0 community specification was edited by Eran Hammer and
authored by Mark Atwood, Dirk Balfanz, Darren Bounds, Richard M.
Conlan, Blaine Cook, Leah Culver, Breno de Medeiros, Brian Eaton,
Kellan Elliott-McCrea, Larry Halff, Eran Hammer, Ben Laurie, Chris
Messina, John Panzer, Sam Quigley, David Recordon, Eran Sandler,
Jonathan Sergent, Todd Sieling, Brian Slesinsky, and Andy Smith.
The OAuth WRAP specification was edited by Dick Hardt and authored by
Brian Eaton, Yaron Y. Goland, Dick Hardt, and Allen Tom.
This specification is the work of the OAuth Working Group, which
includes dozens of active and dedicated participants. In particular,
the following individuals contributed ideas, feedback, and wording
that shaped and formed the final specification:
Michael Adams, Amanda Anganes, Andrew Arnott, Dirk Balfanz, Aiden
Bell, John Bradley, Marcos Caceres, Brian Campbell, Scott Cantor,
Blaine Cook, Roger Crew, Leah Culver, Bill de hOra, Andre DeMarre,
Brian Eaton, Wesley Eddy, Wolter Eldering, Brian Ellin, Igor
Faynberg, George Fletcher, Tim Freeman, Luca Frosini, Evan Gilbert,
Yaron Y. Goland, Brent Goldman, Kristoffer Gronowski, Eran Hammer,
Dick Hardt, Justin Hart, Craig Heath, Phil Hunt, Michael B. Jones,
Terry Jones, John Kemp, Mark Kent, Raffi Krikorian, Chasen Le Hara,
Rasmus Lerdorf, Torsten Lodderstedt, Hui-Lan Lu, Casey Lucas, Paul
Madsen, Alastair Mair, Eve Maler, James Manger, Mark McGloin,
Laurence Miao, William Mills, Chuck Mortimore, Anthony Nadalin,
Julian Reschke, Justin Richer, Peter Saint-Andre, Nat Sakimura, Rob
Sayre, Marius Scurtescu, Naitik Shah, Luke Shepard, Vlad Skvortsov,
Justin Smith, Haibin Song, Niv Steingarten, Christian Stuebner,
Jeremy Suriel, Paul Tarjan, Christopher Thomas, Henry S. Thompson,
Allen Tom, Franklin Tse, Nick Walker, Shane Weeden, and Skylar
This document was produced under the chairmanship of Blaine Cook,
Peter Saint-Andre, Hannes Tschofenig, Barry Leiba, and Derek Atkins.
The area directors included Lisa Dusseault, Peter Saint-Andre, and
Dick Hardt (editor)