At 07:46 23-01-2012, The IESG wrote:
The IESG has received a request from the Web Authorization Protocol WG
(oauth) to consider the following document:
- 'The OAuth 2.0 Authorization Protocol: Bearer Tokens'
<draft-ietf-oauth-v2-bearer-15.txt> as a Proposed Standard
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf(_at_)ietf(_dot_)org mailing lists by 2012-02-06. Exceptionally, comments
From Section 2.3:
'When sending the access token in the HTTP request URI, the client
adds the access token to the request URI query component as defined
by Uniform Resource Identifier (URI) [RFC3986] using the
This draft standardizes the URI query parameter to be used. There
isn't any mention of whether it is reserving the parameter. The
draft mentions that:
'Because of the security weaknesses associated with the URI method
(see Section 4), including the high likelihood that the URL
containing the access token will be logged, it SHOULD NOT be used
unless it is impossible to transport the access token in the
"Authorization" request header field or the HTTP request entity-body.'
The security weakness is well-known. It might be good to label
Section 2.3 as deprecated. I note that a "platform" using OAuth 2.0
does not mention the above security consideration.
As for Section 3, it seems that the text reflects a consensus
decision of the working group which is at odds with a recommendation
in the specifications from HTTPbis:
"As for your assertion that the specs are in conflict, yes, the Bearer spec
includes a different decision than a RECOMMENDED clause in the HTTPbis spec
(which was added after the Bearer text was already in place). However, it
is not violating any MUST clauses in the HTTPbis spec."
The thread of the discussion is at
The informative reference for RFC 2616 can be removed.
Ietf mailing list