DOI: https://doi.org/10.17487/RFC7628
OAuth enables a third-party application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction or by allowing the third-party application to obtain access on its own behalf.

This document defines how an application client uses credentials obtained via OAuth over the Simple Authentication and Security Layer (SASL) to access a protected resource at a resource server. Thereby, it enables schemes defined within the OAuth framework for non-HTTP-based application protocols.

Clients typically store the user's long-term credential. This does, however, lead to significant security vulnerabilities, for example, when such a credential leaks. A significant benefit of OAuth for usage in those clients is that the password is replaced by a shared secret with higher entropy, i.e., the token. Tokens typically provide limited access rights and can be managed and revoked separately from the user's long-term password.