<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<title>OAuth Event Types 1.0</title>
<style type="text/css" title="Xml2Rfc (sans serif)">
/*<![CDATA[*/
a {
text-decoration: none;
}
/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
a.info {
/* This is the key. */
position: relative;
z-index: 24;
text-decoration: none;
}
a.info:hover {
z-index: 25;
color: #FFF; background-color: #900;
}
a.info span { display: none; }
a.info:hover span.info {
/* The span will display just on :hover state. */
display: block;
position: absolute;
font-size: smaller;
top: 2em; left: -5em; width: 15em;
padding: 2px; border: 1px solid #333;
color: #900; background-color: #EEE;
text-align: left;
}
a.smpl {
color: black;
}
a:hover {
text-decoration: underline;
}
a:active {
text-decoration: underline;
}
address {
margin-top: 1em;
margin-left: 2em;
font-style: normal;
}
body {
color: black;
font-family: verdana, helvetica, arial, sans-serif;
font-size: 10pt;
max-width: 55em;
}
cite {
font-style: normal;
}
dd {
margin-right: 2em;
}
dl {
margin-left: 2em;
}
ul.empty {
list-style-type: none;
}
ul.empty li {
margin-top: .5em;
}
dl p {
margin-left: 0em;
}
dt {
margin-top: .5em;
}
h1 {
font-size: 14pt;
line-height: 21pt;
page-break-after: avoid;
}
h1.np {
page-break-before: always;
}
h1 a {
color: #333333;
}
h2 {
font-size: 12pt;
line-height: 15pt;
page-break-after: avoid;
}
h3, h4, h5, h6 {
font-size: 10pt;
page-break-after: avoid;
}
h2 a, h3 a, h4 a, h5 a, h6 a {
color: black;
}
img {
margin-left: 3em;
}
li {
margin-left: 2em;
margin-right: 2em;
}
ol {
margin-left: 2em;
margin-right: 2em;
}
ol p {
margin-left: 0em;
}
p {
margin-left: 2em;
margin-right: 2em;
}
pre {
margin-left: 3em;
background-color: lightyellow;
padding: .25em;
}
pre.text2 {
border-style: dotted;
border-width: 1px;
background-color: #f0f0f0;
width: 69em;
}
pre.inline {
background-color: white;
padding: 0em;
}
pre.text {
border-style: dotted;
border-width: 1px;
background-color: #f8f8f8;
width: 69em;
}
pre.drawing {
border-style: solid;
border-width: 1px;
background-color: #f8f8f8;
padding: 2em;
}
table {
margin-left: 2em;
}
table.tt {
vertical-align: top;
}
table.full {
border-style: outset;
border-width: 1px;
}
table.headers {
border-style: outset;
border-width: 1px;
}
table.tt td {
vertical-align: top;
}
table.full td {
border-style: inset;
border-width: 1px;
}
table.tt th {
vertical-align: top;
}
table.full th {
border-style: inset;
border-width: 1px;
}
table.headers th {
border-style: none none inset none;
border-width: 1px;
}
table.left {
margin-right: auto;
}
table.right {
margin-left: auto;
}
table.center {
margin-left: auto;
margin-right: auto;
}
caption {
caption-side: bottom;
font-weight: bold;
font-size: 9pt;
margin-top: .5em;
}
table.header {
border-spacing: 1px;
width: 95%;
font-size: 10pt;
color: white;
}
td.top {
vertical-align: top;
}
td.topnowrap {
vertical-align: top;
white-space: nowrap;
}
table.header td {
background-color: gray;
width: 50%;
}
table.header a {
color: white;
}
td.reference {
vertical-align: top;
white-space: nowrap;
padding-right: 1em;
}
thead {
display:table-header-group;
}
ul.toc, ul.toc ul {
list-style: none;
margin-left: 1.5em;
margin-right: 0em;
padding-left: 0em;
}
ul.toc li {
line-height: 150%;
font-weight: bold;
font-size: 10pt;
margin-left: 0em;
margin-right: 0em;
}
ul.toc li li {
line-height: normal;
font-weight: normal;
font-size: 9pt;
margin-left: 0em;
margin-right: 0em;
}
li.excluded {
font-size: 0pt;
}
ul p {
margin-left: 0em;
}
.comment {
background-color: yellow;
}
.center {
text-align: center;
}
.error {
color: red;
font-style: italic;
font-weight: bold;
}
.figure {
font-weight: bold;
text-align: center;
font-size: 9pt;
}
.filename {
color: #333333;
font-weight: bold;
font-size: 12pt;
line-height: 21pt;
text-align: center;
}
.fn {
font-weight: bold;
}
.hidden {
display: none;
}
.left {
text-align: left;
}
.right {
text-align: right;
}
.title {
color: #990000;
font-size: 18pt;
line-height: 18pt;
font-weight: bold;
text-align: center;
margin-top: 36pt;
}
.vcardline {
display: block;
}
.warning {
font-size: 14pt;
background-color: yellow;
}
@media print {
.noprint {
display: none;
}
a {
color: black;
text-decoration: none;
}
table.header {
width: 90%;
}
td.header {
width: 50%;
color: black;
background-color: white;
vertical-align: top;
font-size: 12pt;
}
ul.toc a::after {
content: leader('.') target-counter(attr(href), page);
}
ul.ind li li a {
content: target-counter(attr(href), page);
}
.print2col {
column-count: 2;
-moz-column-count: 2;
column-fill: auto;
}
}
@page {
@top-left {
content: "Internet-Draft";
}
@top-right {
content: "December 2010";
}
@top-center {
content: "Abbreviated Title";
}
@bottom-left {
content: "Doe";
}
@bottom-center {
content: "Expires June 2011";
}
@bottom-right {
content: "[Page " counter(page) "]";
}
}
@page:first {
@top-left {
content: normal;
}
@top-right {
content: normal;
}
@top-center {
content: normal;
}
}
/*]]>*/
</style>
<link href="#rfc.toc" rel="Contents"/>
<link href="#rfc.section.1" rel="Chapter" title="1 Introduction"/>
<link href="#rfc.section.1.1" rel="Chapter" title="1.1 Notational Conventions"/>
<link href="#rfc.section.2" rel="Chapter" title="2 OAuth Specific Subject Identifier Types"/>
<link href="#rfc.section.2.1" rel="Chapter" title="2.1 Token Subject Identifier Type"/>
<link href="#rfc.section.2.2" rel="Chapter" title="2.2 Client Subject Identifier Type"/>
<link href="#rfc.section.3" rel="Chapter" title="3 Event Types"/>
<link href="#rfc.section.3.1" rel="Chapter" title="3.1 Token Issued"/>
<link href="#rfc.section.3.2" rel="Chapter" title="3.2 Token Revoked"/>
<link href="#rfc.section.3.3" rel="Chapter" title="3.3 Tokens Revoked"/>
<link href="#rfc.section.3.4" rel="Chapter" title="3.4 Client Disabled"/>
<link href="#rfc.section.3.5" rel="Chapter" title="3.5 Client Enabled"/>
<link href="#rfc.section.3.6" rel="Chapter" title="3.6 Client Credential Changed"/>
<link href="#rfc.section.4" rel="Chapter" title="4 IANA Considerations"/>
<link href="#rfc.section.4.1" rel="Chapter" title="4.1 Subject Identifier Type Registry"/>
<link href="#rfc.references" rel="Chapter" title="5 Normative References"/>
<link href="#rfc.authors" rel="Chapter"/>
<meta name="generator" content="xml2rfc version 2.5.1 - http://tools.ietf.org/tools/xml2rfc" />
<link rel="schema.dct" href="http://purl.org/dc/terms/" />
<meta name="dct.creator" content="Scurtescu, M., Backman, A., Hunt, P., and J. Bradley" />
<meta name="dct.identifier" content="urn:ietf:id:oauth-event-types-1_0" />
<meta name="dct.issued" scheme="ISO8601" content="2018-4-24" />
<meta name="dct.abstract" content="This document defines the OAuth Event Types. Event Types are introduced and defined in " />
<meta name="description" content="This document defines the OAuth Event Types. Event Types are introduced and defined in " />
</head>
<body>
<table class="header">
<tbody>
<tr>
<td class="left"></td>
<td class="right">M. Scurtescu</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">Google</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">A. Backman</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">Amazon</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">P. Hunt</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">Oracle</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">J. Bradley</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">Yubico</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">April 24, 2018</td>
</tr>
</tbody>
</table>
<p class="title">OAuth Event Types 1.0<br />
<span class="filename">oauth-event-types-1_0</span></p>
<h1 id="rfc.abstract">
<a href="#rfc.abstract">Abstract</a>
</h1>
<p>This document defines the OAuth Event Types. Event Types are introduced and defined in <a href="#SET">Security Event Token (SET)</a> <cite title="NONE">[SET]</cite>.</p>
<hr class="noprint" />
<h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
<ul class="toc">
<li>1. <a href="#rfc.section.1">Introduction</a></li>
<ul><li>1.1. <a href="#rfc.section.1.1">Notational Conventions</a></li>
</ul><li>2. <a href="#rfc.section.2">OAuth Specific Subject Identifier Types</a></li>
<ul><li>2.1. <a href="#rfc.section.2.1">Token Subject Identifier Type</a></li>
<li>2.2. <a href="#rfc.section.2.2">Client Subject Identifier Type</a></li>
</ul><li>3. <a href="#rfc.section.3">Event Types</a></li>
<ul><li>3.1. <a href="#rfc.section.3.1">Token Issued</a></li>
<li>3.2. <a href="#rfc.section.3.2">Token Revoked</a></li>
<li>3.3. <a href="#rfc.section.3.3">Tokens Revoked</a></li>
<li>3.4. <a href="#rfc.section.3.4">Client Disabled</a></li>
<li>3.5. <a href="#rfc.section.3.5">Client Enabled</a></li>
<li>3.6. <a href="#rfc.section.3.6">Client Credential Changed</a></li>
</ul><li>4. <a href="#rfc.section.4">IANA Considerations</a></li>
<ul><li>4.1. <a href="#rfc.section.4.1">Subject Identifier Type Registry</a></li>
</ul><li>5. <a href="#rfc.references">Normative References</a></li>
<li><a href="#rfc.authors">Authors' Addresses</a></li>
</ul>
<h1 id="rfc.section.1"><a href="#rfc.section.1">1.</a> <a href="#intro" id="intro">Introduction</a></h1>
<p id="rfc.section.1.p.1">This specification is based on <a href="#RISC-PROFILE">RISC Profile</a> <cite title="NONE">[RISC-PROFILE]</cite> and uses the subject identifiers defined there.</p>
<p id="rfc.section.1.p.2">The <samp>aud</samp> claim identifies the OAuth 2 client and its value SHOULD be the <a href="#RFC6749">OAuth 2</a> <cite title="NONE">[RFC6749]</cite> client id.</p>
<h1 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1.</a> <a href="#conv" id="conv">Notational Conventions</a></h1>
<p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <a href="#RFC2119">[RFC2119]</a> <a href="#RFC8174">[RFC8174]</a> when, and only when, they appear in all capitals, as shown here.</p>
<h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a> <a href="#subject-identifier-types" id="subject-identifier-types">OAuth Specific Subject Identifier Types</a></h1>
<p id="rfc.section.2.p.1">This section defines OAuth specific Subject Identifier Types. Subject identifiers are defined in Section 2 of <a href="#RISC-PROFILE">[RISC-PROFILE]</a>.</p>
<h1 id="rfc.section.2.1"><a href="#rfc.section.2.1">2.1.</a> <a href="#subject-identifier-token" id="subject-identifier-token">Token Subject Identifier Type</a></h1>
<p id="rfc.section.2.1.p.1">A Token Subject Identifier Type describes an OAuth 2 token subject and it is identified by the name <samp>oauth_token</samp>.</p>
<p id="rfc.section.2.1.p.2">Subject Identifiers of this type MUST contain the following claims:</p>
<ul>
<li>token_type - required, describes the OAuth 2 token type. Possible values:<ul><li>access_token</li><li>authorization_code</li><li>refresh_token</li></ul></li>
<li>token_identifier_alg - required, describes how is the token string in the <samp>token</samp> attribute to be interpreted. Possible values:<ul><li>plain - plain token string</li><li>prefix - token string prefix</li><li>hash_* - token string hash, actual hash algorithms added as a suffix. TODO: create individual values for each hash algorithm.</li></ul></li>
<li>token - required, the token identifier, as described by <samp>token_identifier_alg</samp>.</li>
</ul>
<div id="rfc.figure.1"/>
<div id="subject-identifier-token-example"/>
<pre>
"subject": {
"subject_type": "oauth_token",
"token_type": "refresh_token",
"token_identifier_alg": "plain",
"token": "7265667265736820746F6B656E20737472696E67"
}
</pre>
<p class="figure">Figure 1: Example: Token Subject Identifier Type</p>
<h1 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2.</a> <a href="#subject-identifier-client" id="subject-identifier-client">Client Subject Identifier Type</a></h1>
<p id="rfc.section.2.2.p.1">A Client Subject Identifier Type describes an OAuth 2 client subject and it is identified by the name <samp>oauth_client</samp>.</p>
<p id="rfc.section.2.2.p.2">Subjects identifiers of this type MUST contain the following claim:</p>
<ul>
<li>client_id - required, the OAuth 2 client id.</li>
</ul>
<div id="rfc.figure.2"/>
<div id="subject-identifier-client-example"/>
<pre>
"subject": {
"subject_type": "oauth_client",
"client_id": "636C69656E74206964"
}
</pre>
<p class="figure">Figure 2: Example: Client Subject Identifier Type</p>
<h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a> <a href="#event-types" id="event-types">Event Types</a></h1>
<p id="rfc.section.3.p.1">The base URI for OAuth Event Types is:<br/> https://schemas.openid.net/secevent/oauth/event-type/</p>
<h1 id="rfc.section.3.1"><a href="#rfc.section.3.1">3.1.</a> <a href="#token-issued" id="token-issued">Token Issued</a></h1>
<p id="rfc.section.3.1.p.1">Event Type URI:<br/> https://schemas.openid.net/secevent/oauth/event-type/token-issued</p>
<p id="rfc.section.3.1.p.2">Token Issued signals that a new token was issued.</p>
<p id="rfc.section.3.1.p.3">Attributes:</p>
<ul>
<li>subject - required, a Subjectect Identifier as defined by <a href="#subject-identifier-token">Section 2.1</a> that identifies the token.</li>
<li>token_subject - optional, a Subject Identifier as defined by Section 2.1 of <a href="#RISC-PROFILE">[RISC-PROFILE]</a> that identifies the account associated with the token.</li>
<li>TODO: OAuth flow and endpoints involved in the process? For example: redirect_uri, response_type, origin?</li>
</ul>
<p id="rfc.section.3.1.p.4">The token SHOULD be uniquely identified by the provided attributes, either by <samp>subject</samp> alone or by <samp>subject</samp> in combination with <samp>token_subject</samp>. The token is unique in the context of a given Transmitter and not globally unique. TODO: do we need a <samp>iss</samp> attribute for the <samp>oauth_token</samp> Subject Type?</p>
<div id="rfc.figure.3"/>
<div id="token-issued-example"/>
<pre>
{
"iss": "https://idp.example.com/",
"jti": "756E69717565206964656E746966696572",
"iat": 1508184845,
"aud": "636C69656E745F6964",
"events": {
"https://schemas.openid.net/secevent/oauth/event-type/\
token-issued": {
"subject": {
"subject_type": "oauth_token",
"token_type": "refresh_token",
"token_identifier_alg": "token_string",
"token": "7265667265736820746F6B656E20737472696E67"
},
"token_subject" {
"subject_type": "iss-sub",
"iss": "https://idp.example.com/",
"sub": "75736572206964"
}
}
}
}
</pre>
<p>
<em>(the event type URI is wrapped, the backslash is the continuation character)</em>
</p>
<p class="figure">Figure 3: Example: Token Issued</p>
<h1 id="rfc.section.3.2"><a href="#rfc.section.3.2">3.2.</a> <a href="#token-revoked" id="token-revoked">Token Revoked</a></h1>
<p id="rfc.section.3.2.p.1">Event Type URI:<br/> https://schemas.openid.net/secevent/oauth/event-type/token-revoked</p>
<p id="rfc.section.3.2.p.2">Token Revoked signals that the token identified by this event was revoked.</p>
<p id="rfc.section.3.2.p.3">Attributes:</p>
<ul>
<li>subject - required, a Subjectect Identifier as defined by <a href="#subject-identifier-token">Section 2.1</a> that identifies the token.</li>
<li>token_subject - optional, a Subject Identifier as defined by Section 2.1 of <a href="#RISC-PROFILE">[RISC-PROFILE]</a> that identifies the account associated with the token.</li>
<li>reason - optional, the reason why the token was revoked. Possible values: <ul><li>inactive - token was revoked by the issuer because of inactivity</li><li>too_many - token was revoked by the issuer because an internal limit was reached</li><li>api - token was revoked through an API call like <a href="#RFC7009">[RFC7009]</a></li><li>user - token was revoked explicitly by the user</li><li>issuer - token was revoked by the issuer for some other reason</li><li>TODO: add extension mechanism (either through URIs or IANA registry)</li></ul></li>
</ul>
<p id="rfc.section.3.2.p.4">The token SHOULD be uniquely identified by the provided attributes, either by <samp>subject</samp> alone or by <samp>subject</samp> in combination with <samp>token_subject</samp>. The token is unique in the context of a given Transmitter and not globally unique. TODO: do we need a <samp>iss</samp> attribute for the <samp>oauth_token</samp> Subject Type?</p>
<div id="rfc.figure.4"/>
<div id="token-revoked-example"/>
<pre>
{
"iss": "https://idp.example.com/",
"jti": "756E69717565206964656E746966696572",
"iat": 1508184845,
"aud": "636C69656E745F6964",
"events": {
"https://schemas.openid.net/secevent/oauth/event-type/\
token-revoked": {
"subject": {
"subject_type": "oauth_token",
"token_type": "refresh_token",
"token_identifier_alg": "token_string",
"token": "7265667265736820746F6B656E20737472696E67"
},
"token_subject" {
"subject_type": "iss-sub",
"iss": "https://idp.example.com/",
"sub": "75736572206964"
},
"reason": "inactive"
}
}
}
</pre>
<p>
<em>(the event type URI is wrapped, the backslash is the continuation character)</em>
</p>
<p class="figure">Figure 4: Example: Token Revoked</p>
<h1 id="rfc.section.3.3"><a href="#rfc.section.3.3">3.3.</a> <a href="#tokens-revoked" id="tokens-revoked">Tokens Revoked</a></h1>
<p id="rfc.section.3.3.p.1">Event Type URI:<br/> https://schemas.openid.net/secevent/oauth/event-type/tokens-revoked</p>
<p id="rfc.section.3.3.p.2">Tokens Revoked signals that all tokens issued for the account identified by the subject have been revoked.</p>
<p id="rfc.section.3.3.p.3">Attributes:</p>
<ul>
<li>subject - optional, a Subject Identifier as defined by Section 2.1 of <a href="#RISC-PROFILE">[RISC-PROFILE]</a> that identifies the account associated with the token.</li>
<li>reason - optional, the reason why all the tokens were revoked. Possible values: <ul><li>user - all tokens were revoked explicitly by the user</li><li>issuer - all tokens were revoked by the issuer</li><li>TODO: add extension mechanism (either through URIs or IANA registry)</li></ul></li>
</ul>
<div id="rfc.figure.5"/>
<div id="tokens-revoked-example"/>
<pre>
{
"iss": "https://idp.example.com/",
"jti": "756E69717565206964656E746966696572",
"iat": 1508184845,
"aud": "636C69656E745F6964",
"events": {
"https://schemas.openid.net/secevent/oauth/event-type/\
tokens-revoked": {
"subject": {
"subject_type": "iss-sub",
"iss": "https://idp.example.com/",
"sub": "7375626A656374",
},
}
}
}
</pre>
<p>
<em>(the event type URI is wrapped, the backslash is the continuation character)</em>
</p>
<p class="figure">Figure 5: Example: Tokens Revoked</p>
<h1 id="rfc.section.3.4"><a href="#rfc.section.3.4">3.4.</a> <a href="#client_disabled" id="client_disabled">Client Disabled</a></h1>
<p id="rfc.section.3.4.p.1">Event Type URI:<br/> https://schemas.openid.net/secevent/oauth/event-type/client-disabled</p>
<p id="rfc.section.3.4.p.2">Client Disabled signals that the client identified by the <samp>aud</samp> claim has been disabled. The client may be <a href="#client-enabled">enabled</a> <cite title="NONE">[client-enabled]</cite> in the future.</p>
<p id="rfc.section.3.4.p.3">Attributes: TODO use client subject identifier</p>
<div id="rfc.figure.6"/>
<div id="client-disabled"/>
<pre>
{
"iss": "https://idp.example.com/",
"jti": "756E69717565206964656E746966696572",
"iat": 1508184845,
"aud": "636C69656E745F6964",
"events": {
"https://schemas.openid.net/secevent/oauth/event-type/\
client-disabled": {}
}
}
</pre>
<p>
<em>(the event type URI is wrapped, the backslash is the continuation character)</em>
</p>
<p class="figure">Figure 6: Example: Client Disabled</p>
<h1 id="rfc.section.3.5"><a href="#rfc.section.3.5">3.5.</a> <a href="#client-enabled" id="client-enabled">Client Enabled</a></h1>
<p id="rfc.section.3.5.p.1">Event Type URI:<br/> https://schemas.openid.net/secevent/oauth/event-type/client-enabled</p>
<p id="rfc.section.3.5.p.2">Client Enabled signals that the client identified by the <samp>aud</samp> claim has been enabled.</p>
<p id="rfc.section.3.5.p.3">Attributes: TODO use client subject identifier</p>
<h1 id="rfc.section.3.6"><a href="#rfc.section.3.6">3.6.</a> <a href="#client-credential-changed" id="client-credential-changed">Client Credential Changed</a></h1>
<p id="rfc.section.3.6.p.1">Event Type URI:<br/> https://schemas.openid.net/secevent/oauth/event-type/client-credential-changed</p>
<p id="rfc.section.3.6.p.2">Client Credential Changed signals that one of the credentials of the client identified by the <samp>aud</samp> claim has changed. For example the client secret has changed.</p>
<p id="rfc.section.3.6.p.3">Attributes: TODO use client subject identifier</p>
<h1 id="rfc.section.4"><a href="#rfc.section.4">4.</a> <a href="#iana" id="iana">IANA Considerations</a></h1>
<h1 id="rfc.section.4.1"><a href="#rfc.section.4.1">4.1.</a> <a href="#iana-subject-identifier-type-registry" id="iana-subject-identifier-type-registry">Subject Identifier Type Registry</a></h1>
<p id="rfc.section.4.1.p.1">TODO: register <samp>oauth_token</samp> and <samp>oauth_client</samp> subject identifier types.</p>
<h1 id="rfc.references"><a href="#rfc.references">5.</a> Normative References</h1>
<table>
<tbody>
<tr>
<td class="reference">
<b id="RFC2119">[RFC2119]</b>
</td>
<td class="top"><a>Bradner, S.</a>, "<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
</tr>
<tr>
<td class="reference">
<b id="RFC6749">[RFC6749]</b>
</td>
<td class="top"><a>Hardt, D.</a>, "<a href="http://tools.ietf.org/html/rfc6749">The OAuth 2.0 Authorization Framework</a>", RFC 6749, DOI 10.17487/RFC6749, October 2012.</td>
</tr>
<tr>
<td class="reference">
<b id="RFC7009">[RFC7009]</b>
</td>
<td class="top"><a>Lodderstedt, T.</a>, <a>Dronia, S.</a> and <a>M. Scurtescu</a>, "<a href="http://tools.ietf.org/html/rfc7009">OAuth 2.0 Token Revocation</a>", RFC 7009, DOI 10.17487/RFC7009, August 2013.</td>
</tr>
<tr>
<td class="reference">
<b id="RFC8174">[RFC8174]</b>
</td>
<td class="top"><a>Leiba, B.</a>, "<a href="http://tools.ietf.org/html/rfc8174">Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</a>", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.</td>
</tr>
<tr>
<td class="reference">
<b id="RISC-PROFILE">[RISC-PROFILE]</b>
</td>
<td class="top"><a>Scurtescu, M.</a>, <a>Backman, A.</a> and <a>J. Bradley</a>, "<a href="http://openid.net/specs/openid-risc-profile-1_0.html">OpenID RISC Profile of IETF Security Events 1.0</a>", April 2018.</td>
</tr>
<tr>
<td class="reference">
<b id="SET">[SET]</b>
</td>
<td class="top"><a>Hunt, P.</a>, <a>Jones, M.</a>, <a>Denniss, W.</a> and <a>M. Ansari</a>, "<a href="https://tools.ietf.org/html/draft-ietf-secevent-token-09">Security Event Token (SET)</a>", April 2018.</td>
</tr>
</tbody>
</table>
<h1 id="rfc.authors">
<a href="#rfc.authors">Authors' Addresses</a>
</h1>
<div class="avoidbreak">
<address class="vcard">
<span class="vcardline">
<span class="fn">Marius Scurtescu</span>
<span class="n hidden">
<span class="family-name">Scurtescu</span>
</span>
</span>
<span class="org vcardline">Google</span>
<span class="adr">
<span class="vcardline">
<span class="locality"></span>
<span class="region"></span>
<span class="code"></span>
</span>
<span class="country-name vcardline"></span>
</span>
<span class="vcardline">EMail: <a href="mailto:mscurtescu@google.com">mscurtescu@google.com</a></span>
</address>
</div><div class="avoidbreak">
<address class="vcard">
<span class="vcardline">
<span class="fn">Annabelle Backman</span>
<span class="n hidden">
<span class="family-name">Backman</span>
</span>
</span>
<span class="org vcardline">Amazon</span>
<span class="adr">
<span class="vcardline">
<span class="locality"></span>
<span class="region"></span>
<span class="code"></span>
</span>
<span class="country-name vcardline"></span>
</span>
<span class="vcardline">EMail: <a href="mailto:richanna@amazon.com">richanna@amazon.com</a></span>
</address>
</div><div class="avoidbreak">
<address class="vcard">
<span class="vcardline">
<span class="fn">Phil Hunt</span>
<span class="n hidden">
<span class="family-name">Hunt</span>
</span>
</span>
<span class="org vcardline">Oracle Corporation</span>
<span class="adr">
<span class="vcardline">
<span class="locality"></span>
<span class="region"></span>
<span class="code"></span>
</span>
<span class="country-name vcardline"></span>
</span>
<span class="vcardline">EMail: <a href="mailto:phil.hunt@yahoo.com">phil.hunt@yahoo.com</a></span>
</address>
</div><div class="avoidbreak">
<address class="vcard">
<span class="vcardline">
<span class="fn">John Bradley</span>
<span class="n hidden">
<span class="family-name">Bradley</span>
</span>
</span>
<span class="org vcardline">Yubico</span>
<span class="adr">
<span class="vcardline">
<span class="locality"></span>
<span class="region"></span>
<span class="code"></span>
</span>
<span class="country-name vcardline"></span>
</span>
<span class="vcardline">EMail: <a href="mailto:secevemt@ve7jtb.com">secevemt@ve7jtb.com</a></span>
</address>
</div>
</body>
</html>