12. References

12.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC2617]  Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
              Leach, P., Luotonen, A., and L. Stewart, "HTTP
              Authentication: Basic and Digest Access Authentication",
              RFC 2617, June 1999.
12.2. Informative References

   [OAuth-HTTP-MAC]
              Hammer-Lahav, E., Ed., "HTTP Authentication: MAC Access
              Authentication", Work in Progress, February 2012.

   [OAuth-SAML2]
              Campbell, B. and C. Mortimore, "SAML 2.0 Bearer Assertion
              Profiles for OAuth 2.0", Work in Progress, September 2012.

   [OAuth-THREATMODEL]
              Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
              Threat Model and Security Considerations", Work in
              Progress, October 2012.

   [OAuth-WRAP]
              Hardt, D., Ed., Tom, A., Eaton, B., and Y. Goland, "OAuth
              Web Resource Authorization Profiles", Work in Progress,
              January 2010.

   [RFC5849]  Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849,
              April 2010.

   [RFC6750]  Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
              Framework: Bearer Token Usage", RFC 6750, October 2012.
Appendix A. Augmented Backus-Naur Form (ABNF) Syntax

   This section provides Augmented Backus-Naur Form (ABNF) syntax
   descriptions for the elements defined in this specification using the
   notation of [RFC5234]. The ABNF below is defined in terms of Unicode
   code points [W3C.REC-xml-20081126]; these characters are typically
   encoded in UTF-8. Elements are presented in the order first defined.

   Some of the definitions that follow use the "URI-reference"
   definition from [RFC3986].

   Some of the definitions that follow use these common definitions:

     VSCHAR     = %x20-7E
     NQCHAR     = %x21 / %x23-5B / %x5D-7E
     NQSCHAR    = %x20-21 / %x23-5B / %x5D-7E
     UNICODECHARNOCRLF = %x09 /%x20-7E / %x80-D7FF /
                         %xE000-FFFD / %x10000-10FFFF

   (The UNICODECHARNOCRLF definition is based upon the Char definition
   in Section 2.2 of [W3C.REC-xml-20081126], but omitting the Carriage
   Return and Linefeed characters.)

A.1. "client_id" Syntax

   The "client_id" element is defined in Section 2.3.1:

     client-id     = *VSCHAR

A.2. "client_secret" Syntax

   The "client_secret" element is defined in Section 2.3.1:

     client-secret = *VSCHAR

A.3. "response_type" Syntax

   The "response_type" element is defined in Sections 3.1.1 and 8.4:

     response-type = response-name *( SP response-name )
     response-name = 1*response-char
     response-char = "_" / DIGIT / ALPHA
A.4. "scope" Syntax

   The "scope" element is defined in Section 3.3:

     scope       = scope-token *( SP scope-token )
     scope-token = 1*NQCHAR

A.5. "state" Syntax

   The "state" element is defined in Sections 4.1.1, 4.1.2, 4.1.2.1,
   4.2.1, 4.2.2, and 4.2.2.1:

     state      = 1*VSCHAR

A.6. "redirect_uri" Syntax

   The "redirect_uri" element is defined in Sections 4.1.1, 4.1.3,
   and 4.2.1:

     redirect-uri      = URI-reference

A.7. "error" Syntax

   The "error" element is defined in Sections 4.1.2.1, 4.2.2.1, 5.2,
   7.2, and 8.5:

     error             = 1*NQSCHAR

A.8. "error_description" Syntax

   The "error_description" element is defined in Sections 4.1.2.1,
   4.2.2.1, 5.2, and 7.2:

     error-description = 1*NQSCHAR

A.9. "error_uri" Syntax

   The "error_uri" element is defined in Sections 4.1.2.1, 4.2.2.1, 5.2,
   and 7.2:

     error-uri         = URI-reference
A.10. "grant_type" Syntax

   The "grant_type" element is defined in Sections 4.1.3, 4.3.2, 4.4.2,
   4.5, and 6:

     grant-type = grant-name / URI-reference
     grant-name = 1*name-char
     name-char  = "-" / "." / "_" / DIGIT / ALPHA

A.11. "code" Syntax

   The "code" element is defined in Section 4.1.3:

     code       = 1*VSCHAR

A.12. "access_token" Syntax

   The "access_token" element is defined in Sections 4.2.2 and 5.1:

     access-token = 1*VSCHAR

A.13. "token_type" Syntax

   The "token_type" element is defined in Sections 4.2.2, 5.1, and 8.1:

     token-type = type-name / URI-reference
     type-name  = 1*name-char
     name-char  = "-" / "." / "_" / DIGIT / ALPHA

A.14. "expires_in" Syntax

   The "expires_in" element is defined in Sections 4.2.2 and 5.1:

     expires-in = 1*DIGIT

A.15. "username" Syntax

   The "username" element is defined in Section 4.3.2:

     username = *UNICODECHARNOCRLF

A.16. "password" Syntax

   The "password" element is defined in Section 4.3.2:

     password = *UNICODECHARNOCRLF
A.17. "refresh_token" Syntax

   The "refresh_token" element is defined in Sections 5.1 and 6:

     refresh-token = 1*VSCHAR

A.18. Endpoint Parameter Syntax

   The syntax for new endpoint parameters is defined in Section 8.2:

     param-name = 1*name-char
     name-char  = "-" / "." / "_" / DIGIT / ALPHA

Appendix B. Use of application/x-www-form-urlencoded Media Type

   At the time of publication of this specification, the
   "application/x-www-form-urlencoded" media type was defined in
   Section 17.13.4 of [W3C.REC-html401-19991224] but not registered in
   the IANA MIME Media Types registry
   (<http://www.iana.org/assignments/media-types>). Furthermore, that
   definition is incomplete, as it does not consider non-US-ASCII
   characters.

   To address this shortcoming when generating payloads using this media
   type, names and values MUST be encoded using the UTF-8 character
   encoding scheme [RFC3629] first; the resulting octet sequence then
   needs to be further encoded using the escaping rules defined in
   [W3C.REC-html401-19991224].

   When parsing data from a payload using this media type, the names and
   values resulting from reversing the name/value encoding consequently
   need to be treated as octet sequences, to be decoded using the UTF-8
   character encoding scheme.

   For example, the value consisting of the six Unicode code points
   (1) U+0020 (SPACE), (2) U+0025 (PERCENT SIGN),
   (3) U+0026 (AMPERSAND), (4) U+002B (PLUS SIGN),
   (5) U+00A3 (POUND SIGN), and (6) U+20AC (EURO SIGN) would be encoded
   into the octet sequence below (using hexadecimal notation):

     20 25 26 2B C2 A3 E2 82 AC

   and then represented in the payload as:

     +%25%26%2B%C2%A3%E2%82%AC
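The two-step encoding and the reverse parse described in Appendix B, as an added Python example that is not part of the specification. The function names and the sample form bodies in the comments are constructed for illustration; the decoder treats the unescaped data as octets and decodes them as strict UTF-8, so malformed or overlong sequences are rejected instead of being silently replaced.

```python
from urllib.parse import quote_plus, unquote_to_bytes

# The six code points from the Appendix B example: SPACE % & + POUND EURO.
RFC_VALUE = " %&+\u00a3\u20ac"


def form_encode(value: str) -> str:
    """Encode one name or value: UTF-8 first, then form escaping."""
    octets = value.encode("utf-8")      # step 1: UTF-8 octet sequence
    return quote_plus(octets)           # step 2: %XX escaping, SPACE -> '+'


def form_decode(raw: str) -> str:
    """Reverse the escaping to octets, then decode them as strict UTF-8."""
    # '+' must become SPACE before %2B is unescaped back to a literal '+'.
    octets = unquote_to_bytes(raw.replace("+", " "))
    return octets.decode("utf-8")       # strict: raises on invalid octets


def parse_form(body: str) -> dict:
    """Parse name=value pairs from a form body, rejecting bad UTF-8."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        try:
            params[form_decode(name)] = form_decode(value)
        except UnicodeDecodeError as exc:
            # e.g. "%A3" (Latin-1 pound sign) or "%C0%A0" (overlong SPACE)
            raise ValueError(f"parameter is not valid UTF-8: {pair!r}") from exc
    return params


if __name__ == "__main__":
    print(form_encode(RFC_VALUE))                      # payload form
    print(parse_form("username=caf%C3%A9&password=a%2Bb+c"))
```

Decoding with a lenient error handler (replacement characters, Latin-1 fallback) lets two different octet sequences compare equal after parsing, which matters for values such as "username" and "password".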
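A syntax check built from the Appendix A grammar, as an added Python example that is not part of the specification. The names `RULES`, `validate`, `invalid_params` and `is_param_name` and the sample request are constructed for illustration, and elements whose rule depends on URI-reference are left out.

```python
import re

# Character classes from Appendix A, as explicit ranges: Python's \d and \w
# also match non-ASCII digits and letters, which the ABNF does not allow.
VSCHAR = r"[\x20-\x7E]"
NQCHAR = r"[\x21\x23-\x5B\x5D-\x7E]"
NQSCHAR = r"[\x20\x21\x23-\x5B\x5D-\x7E]"
NOCRLF = r"[\x09\x20-\x7E\x80-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
RCHAR = r"[_0-9A-Za-z]"        # response-char
NAMECHAR = r"[-._0-9A-Za-z]"   # name-char

# Not covered here: redirect_uri, error_uri, grant_type and token_type,
# whose rules reference URI-reference from RFC 3986.
RULES = {
    "client_id": f"{VSCHAR}*",
    "client_secret": f"{VSCHAR}*",
    "response_type": f"{RCHAR}+(?: {RCHAR}+)*",
    "scope": f"{NQCHAR}+(?: {NQCHAR}+)*",
    "state": f"{VSCHAR}+",
    "error": f"{NQSCHAR}+",
    "error_description": f"{NQSCHAR}+",
    "code": f"{VSCHAR}+",
    "access_token": f"{VSCHAR}+",
    "expires_in": "[0-9]+",
    "username": f"{NOCRLF}*",
    "password": f"{NOCRLF}*",
    "refresh_token": f"{VSCHAR}+",
}
GRAMMAR = {name: re.compile(rule) for name, rule in RULES.items()}
PARAM_NAME = re.compile(f"{NAMECHAR}+")   # A.18, new endpoint parameters


def validate(name: str, value: str) -> bool:
    """True if value matches the Appendix A rule for the named element."""
    # fullmatch, not match with '$': '$' also accepts a trailing newline.
    return GRAMMAR[name].fullmatch(value) is not None


def invalid_params(params: dict) -> list:
    """Sorted names of known elements whose values violate the grammar."""
    return sorted(n for n, v in params.items()
                  if n in GRAMMAR and not validate(n, v))


def is_param_name(name: str) -> bool:
    """True if name is a syntactically valid endpoint parameter name."""
    return PARAM_NAME.fullmatch(name) is not None


# Constructed sample request: "state" carries CR LF, "scope" a double quote.
SAMPLE = {"response_type": "code", "client_id": "s6BhdRkqt3",
          "state": "xyz\r\nabc", "scope": 'read "write"'}
```

The grammar bounds the character set only; length limits and comparison against registered values remain the authorization server's job.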
Appendix C. Acknowledgements

   The initial OAuth 2.0 protocol specification was edited by David
   Recordon, based on two previous publications: the OAuth 1.0 community
   specification [RFC5849], and OAuth WRAP (OAuth Web Resource
   Authorization Profiles) [OAuth-WRAP]. Eran Hammer then edited many
   of the intermediate drafts that evolved into this RFC. The Security
   Considerations section was drafted by Torsten Lodderstedt, Mark
   McGloin, Phil Hunt, Anthony Nadalin, and John Bradley. The section
   on use of the "application/x-www-form-urlencoded" media type was
   drafted by Julian Reschke. The ABNF section was drafted by Michael
   B. Jones.

   The OAuth 1.0 community specification was edited by Eran Hammer and
   authored by Mark Atwood, Dirk Balfanz, Darren Bounds, Richard M.
   Conlan, Blaine Cook, Leah Culver, Breno de Medeiros, Brian Eaton,
   Kellan Elliott-McCrea, Larry Halff, Eran Hammer, Ben Laurie, Chris
   Messina, John Panzer, Sam Quigley, David Recordon, Eran Sandler,
   Jonathan Sergent, Todd Sieling, Brian Slesinsky, and Andy Smith.

   The OAuth WRAP specification was edited by Dick Hardt and authored by
   Brian Eaton, Yaron Y. Goland, Dick Hardt, and Allen Tom.

   This specification is the work of the OAuth Working Group, which
   includes dozens of active and dedicated participants. In particular,
   the following individuals contributed ideas, feedback, and wording
   that shaped and formed the final specification:

   Michael Adams, Amanda Anganes, Andrew Arnott, Dirk Balfanz, Aiden
   Bell, John Bradley, Marcos Caceres, Brian Campbell, Scott Cantor,
   Blaine Cook, Roger Crew, Leah Culver, Bill de hOra, Andre DeMarre,
   Brian Eaton, Wesley Eddy, Wolter Eldering, Brian Ellin, Igor
   Faynberg, George Fletcher, Tim Freeman, Luca Frosini, Evan Gilbert,
   Yaron Y. Goland, Brent Goldman, Kristoffer Gronowski, Eran Hammer,
   Dick Hardt, Justin Hart, Craig Heath, Phil Hunt, Michael B. Jones,
   Terry Jones, John Kemp, Mark Kent, Raffi Krikorian, Chasen Le Hara,
   Rasmus Lerdorf, Torsten Lodderstedt, Hui-Lan Lu, Casey Lucas, Paul
   Madsen, Alastair Mair, Eve Maler, James Manger, Mark McGloin,
   Laurence Miao, William Mills, Chuck Mortimore, Anthony Nadalin,
   Julian Reschke, Justin Richer, Peter Saint-Andre, Nat Sakimura, Rob
   Sayre, Marius Scurtescu, Naitik Shah, Luke Shepard, Vlad Skvortsov,
   Justin Smith, Haibin Song, Niv Steingarten, Christian Stuebner,
   Jeremy Suriel, Paul Tarjan, Christopher Thomas, Henry S. Thompson,
   Allen Tom, Franklin Tse, Nick Walker, Shane Weeden, and Skylar
   Woodward.
   This document was produced under the chairmanship of Blaine Cook,
   Peter Saint-Andre, Hannes Tschofenig, Barry Leiba, and Derek Atkins.
   The area directors included Lisa Dusseault, Peter Saint-Andre, and
   Stephen Farrell.

Author's Address

   Dick Hardt (editor)
   Microsoft

   EMail: email@example.com
   URI:   http://dickhardt.org/