OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification is being developed within the IETF OAuth WG.
Questions, suggestions and protocol changes should be discussed on the mailing list.
OAuth 2.0 Core
- OAuth 2.0 Framework - RFC 6749
- Bearer Token Usage - RFC 6750
- Threat Model and Security Considerations - RFC 6819
OAuth 2.0 Extensions
- OAuth 2.0 Device Flow
- OAuth 2.0 Token Introspection - RFC 7662, to determine the active state and meta-information of a token
- PKCE - Proof Key for Code Exchange, better security for native apps
- Native Apps - Recommendations for using OAuth 2.0 with native apps
- JSON Web Token - RFC 7519
- OAuth Assertions Framework - RFC 7521
- SAML2 Bearer Assertion - RFC 7522, for integrating with existing identity systems
- JWT Bearer Assertion - RFC 7523, for integrating with existing identity systems
- OAuth 2.0 Simplified
- Books about OAuth
- OAuth 2.0 Servers - a guide to building OAuth 2.0 servers by Aaron Parecki
- OAuth articles by Alex Bilbie
Protocols Built on OAuth 2.0
Code and Services
See more information on OAuth 1.0 and 1.0a.