tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 6749


The OAuth 2.0 Authorization Framework

Part 4 of 4, p. 68 to 76
Prev RFC Part


prevText      Top      Up      ToC       Page 68 
12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC2617]  Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
              Leach, P., Luotonen, A., and L. Stewart, "HTTP
              Authentication: Basic and Digest Access Authentication",
              RFC 2617, June 1999.

Top      Up      ToC       Page 69 
   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of
              ISO 10646", STD 63, RFC 3629, November 2003.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, January 2005.

   [RFC4627]  Crockford, D., "The application/json Media Type for
              JavaScript Object Notation (JSON)", RFC 4627, July 2006.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              RFC 4949, August 2007.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.

   [USASCII]  American National Standards Institute, "Coded Character
              Set -- 7-bit American Standard Code for Information
              Interchange", ANSI X3.4, 1986.

              Raggett, D., Le Hors, A., and I. Jacobs, "HTML 4.01
              Specification", World Wide Web Consortium
              Recommendation REC-html401-19991224, December 1999,

              Bray, T., Paoli, J., Sperberg-McQueen, C., Maler, E.,
              and F. Yergeau, "Extensible Markup Language (XML) 1.0
              (Fifth Edition)", World Wide Web Consortium
               Recommendation REC-xml-20081126, November 2008,

Top      Up      ToC       Page 70 
12.2.  Informative References

              Hammer-Lahav, E., Ed., "HTTP Authentication: MAC Access
              Authentication", Work in Progress, February 2012.

              Campbell, B. and C. Mortimore, "SAML 2.0 Bearer Assertion
              Profiles for OAuth 2.0", Work in Progress, September 2012.

              Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
              Threat Model and Security Considerations", Work
              in Progress, October 2012.

              Hardt, D., Ed., Tom, A., Eaton, B., and Y. Goland, "OAuth
              Web Resource Authorization Profiles", Work in Progress,
              January 2010.

   [RFC5849]  Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849,
              April 2010.

   [RFC6750]  Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
              Framework: Bearer Token Usage", RFC 6750, October 2012.

Top      Up      ToC       Page 71 
Appendix A.  Augmented Backus-Naur Form (ABNF) Syntax

   This section provides Augmented Backus-Naur Form (ABNF) syntax
   descriptions for the elements defined in this specification using the
   notation of [RFC5234].  The ABNF below is defined in terms of Unicode
   code points [W3C.REC-xml-20081126]; these characters are typically
   encoded in UTF-8.  Elements are presented in the order first defined.

   Some of the definitions that follow use the "URI-reference"
   definition from [RFC3986].

   Some of the definitions that follow use these common definitions:

     VSCHAR     = %x20-7E
     NQCHAR     = %x21 / %x23-5B / %x5D-7E
     NQSCHAR    = %x20-21 / %x23-5B / %x5D-7E
     UNICODECHARNOCRLF = %x09 /%x20-7E / %x80-D7FF /
                         %xE000-FFFD / %x10000-10FFFF

   (The UNICODECHARNOCRLF definition is based upon the Char definition
   in Section 2.2 of [W3C.REC-xml-20081126], but omitting the Carriage
   Return and Linefeed characters.)

A.1.  "client_id" Syntax

   The "client_id" element is defined in Section 2.3.1:

     client-id     = *VSCHAR

A.2.  "client_secret" Syntax

   The "client_secret" element is defined in Section 2.3.1:

     client-secret = *VSCHAR

A.3.  "response_type" Syntax

   The "response_type" element is defined in Sections 3.1.1 and 8.4:

     response-type = response-name *( SP response-name )
     response-name = 1*response-char
     response-char = "_" / DIGIT / ALPHA

Top      Up      ToC       Page 72 
A.4.  "scope" Syntax

   The "scope" element is defined in Section 3.3:

     scope       = scope-token *( SP scope-token )
     scope-token = 1*NQCHAR

A.5.  "state" Syntax

   The "state" element is defined in Sections 4.1.1, 4.1.2,,
   4.2.1, 4.2.2, and

     state      = 1*VSCHAR

A.6.  "redirect_uri" Syntax

   The "redirect_uri" element is defined in Sections 4.1.1, 4.1.3,
   and 4.2.1:

     redirect-uri      = URI-reference

A.7.  "error" Syntax

   The "error" element is defined in Sections,, 5.2,
   7.2, and 8.5:

     error             = 1*NQSCHAR

A.8.  "error_description" Syntax

   The "error_description" element is defined in Sections,, 5.2, and 7.2:

     error-description = 1*NQSCHAR

A.9.  "error_uri" Syntax

   The "error_uri" element is defined in Sections,, 5.2,
   and 7.2:

     error-uri         = URI-reference

Top      Up      ToC       Page 73 
A.10.  "grant_type" Syntax

   The "grant_type" element is defined in Sections 4.1.3, 4.3.2, 4.4.2,
   4.5, and 6:

     grant-type = grant-name / URI-reference
     grant-name = 1*name-char
     name-char  = "-" / "." / "_" / DIGIT / ALPHA

A.11.  "code" Syntax

   The "code" element is defined in Section 4.1.3:

     code       = 1*VSCHAR

A.12.  "access_token" Syntax

   The "access_token" element is defined in Sections 4.2.2 and 5.1:

     access-token = 1*VSCHAR

A.13.  "token_type" Syntax

   The "token_type" element is defined in Sections 4.2.2, 5.1, and 8.1:

     token-type = type-name / URI-reference
     type-name  = 1*name-char
     name-char  = "-" / "." / "_" / DIGIT / ALPHA

A.14.  "expires_in" Syntax

   The "expires_in" element is defined in Sections 4.2.2 and 5.1:

     expires-in = 1*DIGIT

A.15.  "username" Syntax

   The "username" element is defined in Section 4.3.2:

     username = *UNICODECHARNOCRLF

A.16.  "password" Syntax

   The "password" element is defined in Section 4.3.2:

     password = *UNICODECHARNOCRLF

Top      Up      ToC       Page 74 
A.17.  "refresh_token" Syntax

   The "refresh_token" element is defined in Sections 5.1 and 6:

     refresh-token = 1*VSCHAR

A.18.  Endpoint Parameter Syntax

   The syntax for new endpoint parameters is defined in Section 8.2:

     param-name = 1*name-char
     name-char  = "-" / "." / "_" / DIGIT / ALPHA

Appendix B.  Use of application/x-www-form-urlencoded Media Type

   At the time of publication of this specification, the
   "application/x-www-form-urlencoded" media type was defined in
   Section 17.13.4 of [W3C.REC-html401-19991224] but not registered in
   the IANA MIME Media Types registry
   (<>).  Furthermore, that
   definition is incomplete, as it does not consider non-US-ASCII

   To address this shortcoming when generating payloads using this media
   type, names and values MUST be encoded using the UTF-8 character
   encoding scheme [RFC3629] first; the resulting octet sequence then
   needs to be further encoded using the escaping rules defined in

   When parsing data from a payload using this media type, the names and
   values resulting from reversing the name/value encoding consequently
   need to be treated as octet sequences, to be decoded using the UTF-8
   character encoding scheme.

   For example, the value consisting of the six Unicode code points
   (1) U+0020 (SPACE), (2) U+0025 (PERCENT SIGN),
   (3) U+0026 (AMPERSAND), (4) U+002B (PLUS SIGN),
   (5) U+00A3 (POUND SIGN), and (6) U+20AC (EURO SIGN) would be encoded
   into the octet sequence below (using hexadecimal notation):

     20 25 26 2B C2 A3 E2 82 AC

   and then represented in the payload as:


Top      Up      ToC       Page 75 
Appendix C.  Acknowledgements

   The initial OAuth 2.0 protocol specification was edited by David
   Recordon, based on two previous publications: the OAuth 1.0 community
   specification [RFC5849], and OAuth WRAP (OAuth Web Resource
   Authorization Profiles) [OAuth-WRAP].  Eran Hammer then edited many
   of the intermediate drafts that evolved into this RFC.  The Security
   Considerations section was drafted by Torsten Lodderstedt, Mark
   McGloin, Phil Hunt, Anthony Nadalin, and John Bradley.  The section
   on use of the "application/x-www-form-urlencoded" media type was
   drafted by Julian Reschke.  The ABNF section was drafted by Michael
   B. Jones.

   The OAuth 1.0 community specification was edited by Eran Hammer and
   authored by Mark Atwood, Dirk Balfanz, Darren Bounds, Richard M.
   Conlan, Blaine Cook, Leah Culver, Breno de Medeiros, Brian Eaton,
   Kellan Elliott-McCrea, Larry Halff, Eran Hammer, Ben Laurie, Chris
   Messina, John Panzer, Sam Quigley, David Recordon, Eran Sandler,
   Jonathan Sergent, Todd Sieling, Brian Slesinsky, and Andy Smith.

   The OAuth WRAP specification was edited by Dick Hardt and authored by
   Brian Eaton, Yaron Y. Goland, Dick Hardt, and Allen Tom.

   This specification is the work of the OAuth Working Group, which
   includes dozens of active and dedicated participants.  In particular,
   the following individuals contributed ideas, feedback, and wording
   that shaped and formed the final specification:

   Michael Adams, Amanda Anganes, Andrew Arnott, Dirk Balfanz, Aiden
   Bell, John Bradley, Marcos Caceres, Brian Campbell, Scott Cantor,
   Blaine Cook, Roger Crew, Leah Culver, Bill de hOra, Andre DeMarre,
   Brian Eaton, Wesley Eddy, Wolter Eldering, Brian Ellin, Igor
   Faynberg, George Fletcher, Tim Freeman, Luca Frosini, Evan Gilbert,
   Yaron Y. Goland, Brent Goldman, Kristoffer Gronowski, Eran Hammer,
   Dick Hardt, Justin Hart, Craig Heath, Phil Hunt, Michael B. Jones,
   Terry Jones, John Kemp, Mark Kent, Raffi Krikorian, Chasen Le Hara,
   Rasmus Lerdorf, Torsten Lodderstedt, Hui-Lan Lu, Casey Lucas, Paul
   Madsen, Alastair Mair, Eve Maler, James Manger, Mark McGloin,
   Laurence Miao, William Mills, Chuck Mortimore, Anthony Nadalin,
   Julian Reschke, Justin Richer, Peter Saint-Andre, Nat Sakimura, Rob
   Sayre, Marius Scurtescu, Naitik Shah, Luke Shepard, Vlad Skvortsov,
   Justin Smith, Haibin Song, Niv Steingarten, Christian Stuebner,
   Jeremy Suriel, Paul Tarjan, Christopher Thomas, Henry S. Thompson,
   Allen Tom, Franklin Tse, Nick Walker, Shane Weeden, and Skylar

Top      Up      ToC       Page 76 
   This document was produced under the chairmanship of Blaine Cook,
   Peter Saint-Andre, Hannes Tschofenig, Barry Leiba, and Derek Atkins.
   The area directors included Lisa Dusseault, Peter Saint-Andre, and
   Stephen Farrell.

Author's Address

   Dick Hardt (editor)