draft-balfanz-signedoauth2-00.xml

<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="no" ?>
<?rfc toc="yes"?>
<?rfc tocdepth="4"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc private="Draft" ?>
<?rfc comments="no"?>
<?rfc inline="no"?>
<!-- end of list of popular I-D processing instructions -->
<rfc category="info" docName="draft-balfanz-signedoauth-00" >
  <!-- ***** FRONT MATTER ***** -->
  <front>
    <title abbrev="OAuth2 Signed Tokens">OAuth2 Signed Tokens</title>
    <author fullname="Dirk Balfanz" initials="D.B." role="editor" surname="Balfanz">
      <organization>Google Inc.</organization>
      <address>
        <postal>
          <street>1600 Ampitheatre Parkway</street>
          <!-- Reorder these if your country does things differently -->
          <city>Mountain View</city>
          <region>CA</region>
          <code/>
          <country>USA</country>
        </postal>
        <phone/>
        <email>balfanz@google.com</email>
        <!-- uri and facsimile elements may also be added -->
      </address>
    </author>
    <date month="September" year="2010"/>
    <!-- Meta-data Declarations -->
    <area>General</area>
    <workgroup>Internet Engineering Task Force</workgroup>
    <keyword>signatures</keyword>
    <keyword>PKI</keyword>
    <abstract>
      <t>This document describes how to cryptographically bind an
      OAuth token and (parts of an) HTTP request to
      a <xref target="JsonTokens">JSON tokens</xref>.</t>
    </abstract>
  </front>
  <middle>
    <section title="Introduction">
      <t>OAuth2 Signed Tokens are <xref target="JsonTokens">JSON
      Tokens</xref> with additional payload parameters and a specific
      envelope data type. We include an OAuth2 Signed Token in the
      Authorization header of an HTTP request to ensure integrity of
      the transmitted request.</t>
      <section title="Requirements Language">
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
        "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
         document are to be interpreted as described in <xref target="RFC2119">RFC 2119</xref>.</t>
      </section>
    </section>
    <section title="OAuth2 Signed Token Parameters" anchor="params">
      <t>OAuth2 Signed Tokens are <xref target="JsonTokens">JSON
        Tokens</xref> with the following additional payload parameters:
      <list style="hanging">
        <t hangText="method">The HTTP method used to execute the
          HTTP request. Type: string.</t>
        <t hangText="nonce">Used to prevent replay
          attacks. Receivers of OAuth2 Signed Token may verify that
          nonces have not been previously used within a reasonable
          interval. Type: string</t>
        <t hangText="body_hash">(optional) The
          base64url-encoded hash of the request body. Which
          hash algorithm is used depends on the signature algorithm
          specified in the Magic Signature envelope. Type: string</t>
        <t hangText="token">The OAuth token. Type: string</t>
      </list>
      </t>
    </section>
    <section title="OAuth2 Signed Token Data Type">
      <t>OAuth2 Signed Tokens SHALL use the data type
      "application/oauth-token+json" for the data type element in the
      Magic Signature envelope.</t>
    </section>
    <section title="Generating OAuth2 Signed Tokens" anchor="generation">
      <t>OAuth Clients generate OAuth2 Signed Tokens. The Client must
        use its client id as the issuer value in the token
        payload. They must use the URL of the Protected Resource as
        the audience value in the payload.</t>
       <t>Senders should set the token_lifetime in the token payload
         to a short lifetime, e.g., 1 minute.</t>
       <t>Clients include a OAuth2 signed token into the authorization
         header as follows: 
        <figure><artwork><![CDATA[
Authorization: Token signed_token="<the OAuth2 signed token>"
]]></artwork></figure></t>
    </section>

      <section title="Validating OAuth2 Signed Tokens">
        <t>Receivers of OAuth2 Signed Tokens proceed as follows to
          validate an incoming HTTP request: 
        <list style="numbers">
          <t>They validate the JSON Tokens as explained in
            the <xref target="JsonTokens">JSON Token spec</xref>.</t>
          <t>They verify the correct data type in the Magic Signature
            envelope.</t>
          <t>They verify that the method in the token payload equals
            the method used to access the HTTP resource</t>
          <t>They verify that the audience in the token payload
            matches the URI used to access the HTTP resource.</t>
          <t>They may verify that the token nonce has not been used
            within the lifetime of the token.</t>
          <t>If the body_hash field is present, they should verify
            that the received request body hashes to the specified
            value.</t>
	</list>
	If all these steps succeed, then the token in the payload can
	be used to determine access control decisions for the
	protected resource.
        </t>
      </section>
  </middle>
  <!--  *****BACK MATTER ***** -->
  <back>
    <!-- References split into informative and normative -->
    <!-- There are 2 ways to insert reference entries from the citation libraries:
     1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
     2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
        (for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")

     Both are cited textually in the same manner: by using xref elements.
     If you use the PI option, xml2rfc will, by default, try to find included files in the same
     directory as the including file. You can also define the XML_LIBRARY environment variable
     with a value containing a set of directories to search.  These can be either in the local
     filing system or remote ones accessed by http (http://domain/dir/... ).-->
    <references title="Normative References"><!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->
      &RFC2119;

     <reference anchor="JsonTokens"
        target="http://balfanz.github.com/jsontoken-spec/draft-balfanz-jsontoken-00.html">
        <front><title>JSON Tokens</title>
          <author initials="D.B." surname="Balfanz" fullname="Dirk Balfanz">
            <organization/>
          </author>
        </front>
      </reference>
    </references>
  </back>
</rfc>