<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>OAuth2 Bootstrap to web session - draft 02</title>
<style type="text/css" title="Xml2Rfc (sans serif)">
/*<![CDATA[*/
a {
text-decoration: none;
}
a.smpl {
color: black;
}
a:hover {
text-decoration: underline;
}
a:active {
text-decoration: underline;
}
address {
margin-top: 1em;
margin-left: 2em;
font-style: normal;
}
body {
color: black;
font-family: verdana, helvetica, arial, sans-serif;
font-size: 10pt;
max-width: 55em;
}
cite {
font-style: normal;
}
dd {
margin-right: 2em;
}
dl {
margin-left: 2em;
}
ul.empty {
list-style-type: none;
}
ul.empty li {
margin-top: .5em;
}
dl p {
margin-left: 0em;
}
dt {
margin-top: .5em;
}
h1 {
font-size: 14pt;
line-height: 21pt;
page-break-after: avoid;
}
h1.np {
page-break-before: always;
}
h1 a {
color: #333333;
}
h2 {
font-size: 12pt;
line-height: 15pt;
page-break-after: avoid;
}
h3, h4, h5, h6 {
font-size: 10pt;
page-break-after: avoid;
}
h2 a, h3 a, h4 a, h5 a, h6 a {
color: black;
}
img {
margin-left: 3em;
}
li {
margin-left: 2em;
margin-right: 2em;
}
ol {
margin-left: 2em;
margin-right: 2em;
}
ol p {
margin-left: 0em;
}
p {
margin-left: 2em;
margin-right: 2em;
}
pre {
margin-left: 3em;
background-color: lightyellow;
padding: .25em;
}
pre.text2 {
border-style: dotted;
border-width: 1px;
background-color: #f0f0f0;
width: 69em;
}
pre.inline {
background-color: white;
padding: 0em;
}
pre.text {
border-style: dotted;
border-width: 1px;
background-color: #f8f8f8;
width: 69em;
}
pre.drawing {
border-style: solid;
border-width: 1px;
background-color: #f8f8f8;
padding: 2em;
}
table {
margin-left: 2em;
}
table.tt {
vertical-align: top;
}
table.full {
border-style: outset;
border-width: 1px;
}
table.headers {
border-style: outset;
border-width: 1px;
}
table.tt td {
vertical-align: top;
}
table.full td {
border-style: inset;
border-width: 1px;
}
table.tt th {
vertical-align: top;
}
table.full th {
border-style: inset;
border-width: 1px;
}
table.headers th {
border-style: none none inset none;
border-width: 1px;
}
table.left {
margin-right: auto;
}
table.right {
margin-left: auto;
}
table.center {
margin-left: auto;
margin-right: auto;
}
caption {
caption-side: bottom;
font-weight: bold;
font-size: 9pt;
margin-top: .5em;
}
table.header {
border-spacing: 1px;
width: 95%;
font-size: 10pt;
color: white;
}
td.top {
vertical-align: top;
}
td.topnowrap {
vertical-align: top;
white-space: nowrap;
}
table.header td {
background-color: gray;
width: 50%;
}
table.header a {
color: white;
}
td.reference {
vertical-align: top;
white-space: nowrap;
padding-right: 1em;
}
thead {
display:table-header-group;
}
ul.toc, ul.toc ul {
list-style: none;
margin-left: 1.5em;
margin-right: 0em;
padding-left: 0em;
}
ul.toc li {
line-height: 150%;
font-weight: bold;
font-size: 10pt;
margin-left: 0em;
margin-right: 0em;
}
ul.toc li li {
line-height: normal;
font-weight: normal;
font-size: 9pt;
margin-left: 0em;
margin-right: 0em;
}
li.excluded {
font-size: 0pt;
}
ul p {
margin-left: 0em;
}
.comment {
background-color: yellow;
}
.center {
text-align: center;
}
.error {
color: red;
font-style: italic;
font-weight: bold;
}
.figure {
font-weight: bold;
text-align: center;
font-size: 9pt;
}
.filename {
color: #333333;
font-weight: bold;
font-size: 12pt;
line-height: 21pt;
text-align: center;
}
.fn {
font-weight: bold;
}
.hidden {
display: none;
}
.left {
text-align: left;
}
.right {
text-align: right;
}
.title {
color: #990000;
font-size: 18pt;
line-height: 18pt;
font-weight: bold;
text-align: center;
margin-top: 36pt;
}
.vcardline {
display: block;
}
.warning {
font-size: 14pt;
background-color: yellow;
}
@media print {
.noprint {
display: none;
}
a {
color: black;
text-decoration: none;
}
table.header {
width: 90%;
}
td.header {
width: 50%;
color: black;
background-color: white;
vertical-align: top;
font-size: 12pt;
}
ul.toc a::after {
content: leader('.') target-counter(attr(href), page);
}
ul.ind li li a {
content: target-counter(attr(href), page);
}
.print2col {
column-count: 2;
-moz-column-count: 2;
column-fill: auto;
}
}
@page {
@top-left {
content: "Internet-Draft";
}
@top-right {
content: "December 2010";
}
@top-center {
content: "Abbreviated Title";
}
@bottom-left {
content: "Doe";
}
@bottom-center {
content: "Expires June 2011";
}
@bottom-right {
content: "[Page " counter(page) "]";
}
}
@page:first {
@top-left {
content: normal;
}
@top-right {
content: normal;
}
@top-center {
content: normal;
}
}
/*]]>*/
</style>
<link href="#rfc.toc" rel="Contents">
<link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
<link href="#rfc.section.1.1" rel="Chapter" title="1.1 Roles">
<link href="#rfc.section.1.2" rel="Chapter" title="1.2 Scopes">
<link href="#rfc.section.1.3" rel="Chapter" title="1.3 Protocol Flow">
<link href="#rfc.section.1.4" rel="Chapter" title="1.4 Terminology">
<link href="#rfc.section.2" rel="Chapter" title="2 Bootstrap Token">
<link href="#rfc.section.2.1" rel="Chapter" title="2.1 Refresh Token Authorization Grant">
<link href="#rfc.section.2.2" rel="Chapter" title="2.2 Assertion Framework Authorization Grants">
<link href="#rfc.section.2.3" rel="Chapter" title="2.3 Bootstrap Token Request Processing Rules">
<link href="#rfc.section.3" rel="Chapter" title="3 Web Session endpoint">
<link href="#rfc.section.4" rel="Chapter" title="4 Security Considerations">
<link href="#rfc.references" rel="Chapter" title="5 Normative References">
<link href="#rfc.authors" rel="Chapter">
<meta name="generator" content="xml2rfc version 2.4.0 - http://tools.ietf.org/tools/xml2rfc">
<link rel="schema.dct" href="http://purl.org/dc/terms/">
<meta name="dct.creator" content="Fletcher, GFF., Ed.">
<meta name="dct.identifier" content="urn:ietf:id:oauth2-bootstrap-web-session-1_0">
<meta name="dct.issued" scheme="ISO8601" content="2013-01-07">
<meta name="dct.abstract" content="This document describes a process that allows a client to seamlessly transition the user from an authenticated state in a native application, to an authenticated state in a web browser.">
<meta name="description" content="This document describes a process that allows a client to seamlessly transition the user from an authenticated state in a native application, to an authenticated state in a web browser.">
</head>
<body>
<table class="header">
<tbody>
<tr>
<td class="left">Network Working Group</td>
<td class="right">GFF. Fletcher, Ed.</td>
</tr>
<tr>
<td class="left">Internet-Draft</td>
<td class="right">AOL</td>
</tr>
<tr>
<td class="left">Intended status: Experimental</td>
<td class="right">January 7, 2013</td>
</tr>
<tr>
<td class="left">Expires: July 11, 2013</td>
<td class="right"></td>
</tr>
</tbody>
</table>
<p class="title">OAuth2 Bootstrap to web session - draft 02<br>
<span class="filename">oauth2-bootstrap-web-session-1_0</span></p>
<h1 id="rfc.abstract">
<a href="#rfc.abstract">Abstract</a>
</h1>
<p>This document describes a process that allows a client to seamlessly
transition the user from an authenticated state in a native application,
to an authenticated state in a web browser.</p>
<h1>
<a>Requirements Language</a>
</h1>
<p>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a href="#RFC2119">RFC 2119</a> <cite title="NONE">[RFC2119]</cite>.</p>
<h1 id="rfc.status">
<a href="#rfc.status">Status of This Memo</a>
</h1>
<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
<p>Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is at
<a href="http://datatracker.ietf.org/drafts/current/">http://datatracker.ietf.org/drafts/current/</a>.</p>
<p>Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."</p>
<p>This Internet-Draft will expire on July 11, 2013.</p>
<h1 id="rfc.copyrightnotice">
<a href="#rfc.copyrightnotice">Copyright Notice</a>
</h1>
<p>Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
<p>This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents carefully,
as they describe your rights and restrictions with respect to this
document. Code Components extracted from this document must include
Simplified BSD License text as described in Section 4.e of the Trust
Legal Provisions and are provided without warranty as described in the
Simplified BSD License.</p>
<hr class="noprint">
<h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
<ul class="toc">
<li>1. <a href="#rfc.section.1">Introduction</a></li>
<li>1.1. <a href="#rfc.section.1.1">Roles</a></li>
<li>1.2. <a href="#rfc.section.1.2">Scopes</a></li>
<li>1.3. <a href="#rfc.section.1.3">Protocol Flow</a></li>
<li>1.4. <a href="#rfc.section.1.4">Terminology</a></li>
<li>2. <a href="#rfc.section.2">Bootstrap Token</a></li>
<li>2.1. <a href="#rfc.section.2.1">Refresh Token Authorization Grant</a></li>
<li>2.2. <a href="#rfc.section.2.2">Assertion Framework Authorization Grants</a></li>
<li>2.3. <a href="#rfc.section.2.3">Bootstrap Token Request Processing Rules</a></li>
<li>3. <a href="#rfc.section.3">Web Session endpoint</a></li>
<li>4. <a href="#rfc.section.4">Security Considerations</a></li>
<li>5. <a href="#rfc.references">Normative References</a></li>
<li><a href="#rfc.authors">Author's Address</a></li>
</ul>
<h1 id="rfc.section.1"><a href="#rfc.section.1">1.</a> Introduction</h1>
<p id="rfc.section.1.p.1">In order to provide a good user experience it
is necessary at times to "share" an authentication state across
disparate environments. For example, a desktop utility that shows the
user a list of their last N mail messages, and when the user selects one
of the mail messages, opens a browser logging the user into their mail
account on the web.</p>
<p id="rfc.section.1.p.2">This document defines a process based on <a href="#RFC6749">OAuth2</a> <cite title="NONE">[RFC6749]</cite> to enable this functionality.</p>
<h1 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1.</a> Roles</h1>
<p id="rfc.section.1.1.p.1">This specification uses the 'client' and 'authorization server' roles from the <a href="#RFC6749">OAuth2</a> <cite title="NONE">[RFC6749]</cite> specification. In addition to these two roles, this specification also identifies the role of the </p>
<dl>
<dt>web application</dt>
<dd style="margin-left: 8">The destination web application where the user will be seamlessly logged in.</dd>
</dl>
<h1 id="rfc.section.1.2"><a href="#rfc.section.1.2">1.2.</a> Scopes</h1>
<p id="rfc.section.1.2.p.1">This specification defines an additional scope that MUST be authorized to the client in order to obtain the bootstrap-token. </p>
<dl>
<dt>web_session</dt>
<dd style="margin-left: 8">A scope that provides the client the authorization to obtain a bootstrap-token</dd>
</dl>
<h1 id="rfc.section.1.3"><a href="#rfc.section.1.3">1.3.</a> Protocol Flow</h1>
<pre>
+-----------------+
| |
| |
+----------(C)----------+ Client |
| | |
| | |
| +------------+----+
| ^ |
| | (A)
| (B) |
v | v
+-----------------+ +----+------------+
| | | |
| +-----(D)------>| |
| Browser | | Authorization |
| |<----(E)-------+ Server |
| | | |
+---------+-------+ +-----------------+
|
|
|
| +-----------------+
| | |
| | |
+----------(F)--------->| Web |
| Application |
| |
+-----------------+
</pre>
<p class="figure">Figure 1: Abstract Protocol Flow</p>
<p id="rfc.section.1.3.p.1">The abstract Web Session Bootstrap flow
illustrated in Figure 1 describes the interaction between the three
roles and includes the following steps: </p>
<dl>
<dt> (A) </dt>
<dd style="margin-left: 8">The client requests a bootstrap-token using the OAuth2 token endpoint (e.g. grant_type=refresh_token).</dd>
<dt> (B) </dt>
<dd style="margin-left: 8">The authorization server returns bootstrap-token</dd>
<dt> (C) </dt>
<dd style="margin-left: 8">The client constructs a URL to the AS (/web-session?access_token=&lt;bootstrap-token&gt;) and loads it into the browser.</dd>
<dt> (D) </dt>
<dd style="margin-left: 8">The browser invokes the AS /web-session endpoint.</dd>
<dt> (E) </dt>
<dd style="margin-left: 8">The AS validates the bootstrap-token and
establishes a web session for the user identified by the token. The AS
redirects the browser to the destination web application (potentially
setting cookies)</dd>
<dt> (F) </dt>
<dd style="margin-left: 8">The browser follows the HTTP redirect and loads the destination web application</dd>
</dl>
<h1 id="rfc.section.1.4"><a href="#rfc.section.1.4">1.4.</a> Terminology</h1>
<p id="rfc.section.1.4.p.1">See <a href="#RFC6749">OAuth2</a> <cite title="NONE">[RFC6749]</cite>
for terminology used in this specification. In addition to the terms
defined in the OAuth2 specification, the following terms are defined: </p>
<dl>
<dt>bootstrap-token</dt>
<dd style="margin-left: 8">An <a href="#RFC6749">OAuth2</a> <cite title="NONE">[RFC6749]</cite> access_token that is used to bootstrap the authentication context from the client to the web application.</dd>
</dl>
<h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a> Bootstrap Token</h1>
<p id="rfc.section.2.p.1">In order for the client to obtain a
bootstrap-token, the client MUST have an authorization grant that is
authorized with the 'web_session' scope. The process of obtaining an
authorization grant authorized with the 'web_session' scope is outside
the scope of this document. This specification specifically profiles the
refresh_token and Assertion Framework for OAuth 2.0 Client
Authentication and Authorization Grants. The required scope for this
process is </p>
<dl>
<dt>web_session</dt>
<dd style="margin-left: 8">This scope provides the authorized party
the ability to bridge the user's identity from the receiving client
application to a browser based session.</dd>
</dl>
<h1 id="rfc.section.2.1"><a href="#rfc.section.2.1">2.1.</a> Refresh Token Authorization Grant</h1>
<p id="rfc.section.2.1.p.1">The request to obtain the bootstrap-token uses the token endpoint described in section 6 of <a href="#RFC6749">OAuth2</a> <cite title="NONE">[RFC6749]</cite>. This use of the /token endpoint is profiled for grant_type=refresh_token as follows. </p>
<dl>
<dt>grant_type</dt>
<dd style="margin-left: 8">The value MUST be 'refresh_token'</dd>
<dt>refresh_token</dt>
<dd style="margin-left: 8">The refresh_token obtained by the client.</dd>
<dt>scope</dt>
<dd style="margin-left: 8">The value MUST only contain 'web_session'. This is effectively a "downscoped" token and MUST only be used for this flow.</dd>
<dt>dest_url</dt>
<dd style="margin-left: 8">An additional parameter used by this
profile: the URL to which the browser should be redirected if the
seamless bootstrapping of the authentication is successful.</dd>
</dl>
<h1 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2.</a> Assertion Framework Authorization Grants</h1>
<p id="rfc.section.2.2.p.1">The request to obtain the bootstrap-token uses the token endpoint described in section 6 of <a href="#RFC6749">OAuth2</a> <cite title="NONE">[RFC6749]</cite>. This use of the /token endpoint is profiled for grant types of the Assertion Framework as follows. </p>
<dl>
<dt>grant_type</dt>
<dd style="margin-left: 8">The value MUST be a valid assertion framework grant type</dd>
<dt>assertion</dt>
<dd style="margin-left: 8">The assertion previously issued in an authorization grant.</dd>
<dt>scope</dt>
<dd style="margin-left: 8">The value MUST only contain 'web_session'. This is effectively a "downscoped" token and MUST only be used for this flow.</dd>
<dt>dest_url</dt>
<dd style="margin-left: 8">An additional parameter used by this
profile: the URL to which the browser should be redirected if the
seamless bootstrapping of the authentication is successful.</dd>
</dl>
<h1 id="rfc.section.2.3"><a href="#rfc.section.2.3">2.3.</a> Bootstrap Token Request Processing Rules</h1>
<p id="rfc.section.2.3.p.1">The authorization server MUST validate the request as follows:</p>
<ol>
<li>Verify the client credentials. The request MUST fail if the client
credentials are not valid. The AS may whitelist clients such that only
certain clients can perform this function.</li>
<li>Verify the authorization grant. The authorization grant MUST be valid and MUST be granted the 'web_session' scope.</li>
<li>Generate a new bootstrap-token with a short expiry time. Note that
these tokens SHOULD be treated as one-time-use tokens. The
bootstrap-token MUST be associated with the specified dest_url. If no
dest_url is specified, the request SHOULD fail.</li>
<li>Return bootstrap-token as the access_token in the response per <a href="#RFC6749">OAuth2</a> <cite title="NONE">[RFC6749]</cite> Section 6</li>
</ol>
<p id="rfc.section.2.3.p.2">For example (line breaks added for readability):</p>
<pre>POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&amp;refresh_token=tGzv3JOkF0XG5Qx2TlKWIA&amp;
scope=web_session&amp;dest_url=https%3A%2F%2Fweb-app.example.com
</pre>
<p id="rfc.section.2.3.p.3">In the case of processing rule errors or other failure conditions, the /token endpoint response MUST conform to <a href="#RFC6749">OAuth2</a> <cite title="NONE">[RFC6749]</cite> Section 5.2.</p>
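<p>As an added example that is not part of this draft, the following Python sketch applies the token-endpoint rules of Sections 2.1 and 2.3 to a request body such as the one above. The client and refresh-token stores, the 60-second lifetime, the requirement that dest_url be an absolute https URL, and the error codes chosen for each failure are assumptions of the example; the client credentials are the decoded Basic header of the example request.</p>

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

BOOTSTRAP_TTL_SECONDS = 60  # "short expiry time"; the draft fixes no value (assumed)

# Constructed authorization-server state (not from the draft).
CLIENTS = {
    # client_id: (client_secret, whitelisted for the bootstrap flow?)
    "s6BhdRkqt3": ("gX1fBat3bV", True),   # decoded from the example's Basic header
    "other-app": ("secret2", False),
}
REFRESH_TOKENS = {
    # refresh_token: the authorization grant it represents
    "tGzv3JOkF0XG5Qx2TlKWIA": {"client_id": "s6BhdRkqt3", "user": "alice",
                               "scopes": {"mail", "web_session"},
                               "auth_time": 1_357_500_000},
    "noWebSessionScope": {"client_id": "s6BhdRkqt3", "user": "bob",
                          "scopes": {"mail"}, "auth_time": 1_357_500_000},
}
BOOTSTRAP_TOKENS = {}  # bootstrap-token -> record, filled by issue_bootstrap_token


def error(code):
    """Error body per RFC 6749 Section 5.2 (HTTP 400)."""
    return 400, {"error": code}


def issue_bootstrap_token(client_id, client_secret, body, now=None):
    """Process the body of POST /token and return (http_status, json_body)."""
    now = time.time() if now is None else now
    form = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

    # Rule 1: client credentials MUST be valid; the AS may whitelist clients.
    secret, whitelisted = CLIENTS.get(client_id, (None, False))
    if secret is None or not secrets.compare_digest(secret, client_secret):
        return 401, {"error": "invalid_client"}
    if not whitelisted:
        return error("unauthorized_client")

    # Section 2.1: grant_type MUST be refresh_token and scope exactly web_session.
    if form.get("grant_type") != "refresh_token":
        return error("unsupported_grant_type")
    if form.get("scope", "").split() != ["web_session"]:
        return error("invalid_scope")

    # Rule 2: the grant MUST be valid (and this client's) and carry web_session.
    grant = REFRESH_TOKENS.get(form.get("refresh_token", ""))
    if grant is None or grant["client_id"] != client_id:
        return error("invalid_grant")
    if "web_session" not in grant["scopes"]:
        return error("invalid_scope")

    # Rule 3: dest_url is required (requiring an absolute https URL is an
    # assumption of this example); the short-lived token is bound to it.
    dest = urlparse(form.get("dest_url", ""))
    if dest.scheme != "https" or not dest.netloc:
        return error("invalid_request")
    token = secrets.token_urlsafe(32)
    BOOTSTRAP_TOKENS[token] = {"user": grant["user"], "dest_url": dest.geturl(),
                               "expires_at": now + BOOTSTRAP_TTL_SECONDS,
                               "auth_time": grant["auth_time"], "used": False}

    # Rule 4: hand it back as the access_token of a Section 6 token response.
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": BOOTSTRAP_TTL_SECONDS, "scope": "web_session"}
```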
<h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a> Web Session endpoint</h1>
<p id="rfc.section.3.p.1">The web session endpoint allows the holder of a
bootstrap-token to establish an authenticated web session for the user
identified by the bootstrap-token. This endpoint is a protected
resource as defined by <a href="#RFC6750">Bearer Token Usage</a> <cite title="NONE">[RFC6750]</cite>.</p>
<p id="rfc.section.3.p.2">This endpoint defines no additional parameters
other than the OAuth2 access token. The client invokes this API by
specifying the bootstrap-token as the API's access_token.</p>
<p id="rfc.section.3.p.3">The web session endpoint MUST support both the GET and POST methods of the <a href="#RFC6750">Bearer Token Usage</a> <cite title="NONE">[RFC6750]</cite>
specification. Support for the Authorization header is not required as
most browsers do not allow for setting of arbitrary HTTP headers.</p>
<p id="rfc.section.3.p.4">The web session endpoint SHOULD identify requests not coming from a browser and return an error of 'invalid_request'.</p>
<p id="rfc.section.3.p.5">On receipt of a web-session request, the
Authorization Server MUST validate the bootstrap-token to ensure that it
has not expired and SHOULD verify the token is not being replayed.</p>
<p id="rfc.section.3.p.6">The AS then determines the user and
destination URL from the bootstrap-token and establishes a web session
for this user. NOTE: the web session context MUST identify that this web
session was established by a means other than user credentials.</p>
<p id="rfc.section.3.p.7">The web-session endpoint responds successfully
by returning an HTTP 302 redirect instructing the browser to load the
destination URL and setting whatever cookies are necessary to establish the
web authentication session.</p>
<p id="rfc.section.3.p.8">For example (line breaks added for readability):</p>
<pre>HTTP/1.1 302 Found
Location: <a href="http://web-app.example.com">http://web-app.example.com</a>
Set-Cookie: AuthSession=asdfasdfasd; Domain=.example.com; Path=/; Secure; HttpOnly
</pre>
<p id="rfc.section.3.p.9">The mechanism by which the web application
determines the identity of the web authentication session is out of
scope of this document.</p>
<p id="rfc.section.3.p.10">Error responses for this endpoint follow the <a href="#RFC6750">Bearer Token Usage</a> <cite title="NONE">[RFC6750]</cite> specification.</p>
<h1 id="rfc.section.4"><a href="#rfc.section.4">4.</a> Security Considerations</h1>
<ul class="empty">
<li>In some ways this exposes an escalation of privileges because a
"restricted" (by scope[s]) refresh_token is used to generate a full web
session. It is imperative that the session semantics generated by the
Web-Session endpoint ensure that downstream web applications understand
that the user has not "recently" authenticated and that this session
was instead generated from an existing token. In many respects, this web
session is equivalent to one generated from a "remember me" or "keep me
signed in" cookie as supported on many sites. Access to special privileges
for this user SHOULD be restricted and require additional authentication
checks. Possible mitigations include:
<ul>
<li>One way to manage the authentication session is to track the time at
which the user last presented authentication credentials (e.g. a password).
By tracking this within the session context, any web application can
protect certain privileges by requiring the user to have presented their
credentials within the last n seconds or minutes. For a web session created
via this flow, the credential presentation time is the time at which the
user authenticated to create the refresh_token.</li>
<li>The Authorization Server SHOULD issue special client credentials to any
protected resources or clients that need to access the web-session
endpoint. These credentials may be used directly at the endpoint, or
they may be exchanged for an OAuth2 access token scoped specifically for
the web-session endpoint.</li>
</ul>
</li>
</ul>
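<p>As an added example that is not part of this draft, the following Python sketch implements the Web Session endpoint of Section 3 (bearer token in the URI query or form body, expiry and replay checks, a session marked as token-derived, a 302 with a session cookie) together with the "last credential presentation" check from the first mitigation of Section 4. The token store contents, the fixed clock, the browser heuristic (an Accept header listing text/html) and the session-context field names are assumptions of the example; the cookie attributes follow the example response in Section 3.</p>

```python
import secrets
from urllib.parse import parse_qs

NOW = 1_357_560_000  # fixed clock so the example is deterministic (constructed)

# Constructed token store, as Section 2.3 would have populated it (not from the draft).
BOOTSTRAP_TOKENS = {
    "bt-valid":   {"user": "alice", "dest_url": "https://web-app.example.com/",
                   "expires_at": NOW + 60, "auth_time": NOW - 86_400, "used": False},
    "bt-post":    {"user": "alice", "dest_url": "https://web-app.example.com/",
                   "expires_at": NOW + 60, "auth_time": NOW - 86_400, "used": False},
    "bt-expired": {"user": "alice", "dest_url": "https://web-app.example.com/",
                   "expires_at": NOW - 1, "auth_time": NOW - 86_400, "used": False},
}
SESSIONS = {}  # session id -> web session context


def bearer_error(code, status):
    """Error response shaped per RFC 6750 Section 3."""
    return status, {"WWW-Authenticate": f'Bearer error="{code}"'}, None


def web_session_endpoint(method, query, body, headers, now=NOW):
    """Handle /web-session; returns (status, response_headers, session_id)."""
    # Section 3: the token arrives in the URI query (GET) or form body (POST),
    # RFC 6750 Sections 2.3 and 2.2; the Authorization header is not required.
    if method == "GET":
        params = parse_qs(query)
    elif method == "POST" and headers.get("Content-Type", "").startswith(
            "application/x-www-form-urlencoded"):
        params = parse_qs(body)
    else:
        return bearer_error("invalid_request", 400)
    # SHOULD reject non-browser callers; using the Accept header as the
    # browser heuristic is an assumption of this example, the draft names none.
    if "text/html" not in headers.get("Accept", ""):
        return bearer_error("invalid_request", 400)
    tokens = params.get("access_token", [])
    if len(tokens) != 1:
        return bearer_error("invalid_request", 400)
    rec = BOOTSTRAP_TOKENS.get(tokens[0])
    # MUST reject expired tokens; SHOULD detect replay (one-time use, Section 2.3).
    if rec is None or rec["expires_at"] <= now or rec["used"]:
        return bearer_error("invalid_token", 401)
    rec["used"] = True
    # Establish the session, recording that it was created from a token and
    # when the user last presented credentials (Section 3 NOTE, Section 4).
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": rec["user"], "auth_method": "web_session_bootstrap",
                     "auth_time": rec["auth_time"], "created_at": now}
    return 302, {
        "Location": rec["dest_url"],
        "Set-Cookie": f"AuthSession={sid}; Domain=.example.com; Path=/; Secure; HttpOnly",
    }, sid


def recently_authenticated(sid, max_age, now=NOW):
    """Section 4: let a web application gate privileges on credential freshness."""
    s = SESSIONS.get(sid)
    return s is not None and now - s["auth_time"] <= max_age
```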
<h1 id="rfc.references"><a href="#rfc.references">5.</a> Normative References</h1>
<table>
<tbody>
<tr>
<td class="reference">
<b id="RFC2119">[RFC2119]</b>
</td>
<td class="top"><a href="mailto:sob@harvard.edu" title="Harvard University">Bradner, S.</a>, "<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, March 1997.</td>
</tr>
<tr>
<td class="reference">
<b id="RFC6749">[RFC6749]</b>
</td>
<td class="top"><a>Hardt, D.</a>, "<a href="http://tools.ietf.org/html/rfc6749">The OAuth 2.0 Authorization Framework</a>", RFC 6749, October 2012.</td>
</tr>
<tr>
<td class="reference">
<b id="RFC6750">[RFC6750]</b>
</td>
<td class="top"><a>Jones, M.</a> and <a>D. Hardt</a>, "<a href="http://tools.ietf.org/html/rfc6750">The OAuth 2.0 Authorization Framework: Bearer Token Usage</a>", RFC 6750, October 2012.</td>
</tr>
</tbody>
</table>
<h1 id="rfc.authors">
<a href="#rfc.authors">Author's Address</a>
</h1>
<div class="avoidbreak">
<address class="vcard">
<span class="vcardline">
<span class="fn">George Fletcher</span> (editor)
<span class="n hidden">
<span class="family-name">Fletcher</span>
</span>
</span>
<span class="org vcardline">AOL Inc.</span>
<span class="adr">
<span class="vcardline">
<span class="locality"></span>
<span class="region"></span>
<span class="code"></span>
</span>
<span class="country-name vcardline"></span>
</span>
<span class="vcardline">EMail: <a href="mailto:gffletch@aol.com">gffletch@aol.com</a></span>
</address>
</div>
</body></html>