Web Authorization Protocol (oauth)
| Document | Date | Status | IPR | AD/Shepherd | |
|---|---|---|---|---|---|
| Active Internet-Drafts (10 hits) | |||||
|
30 pages
draft-ietf-oauth-attestation-based-client-auth-08
OAuth 2.0 Attestation-Based Client Authentication |
2026-03-02 |
I-D Exists
WG Document |
|
||
|
14 pages
draft-ietf-oauth-client-id-metadata-document-01
OAuth Client ID Metadata Document |
2026-03-01 |
I-D Exists
WG Document |
|
||
|
41 pages
draft-ietf-oauth-first-party-apps-03
OAuth 2.0 for First-Party Applications |
2026-02-27 |
I-D Exists
WG Document |
|
||
|
50 pages
draft-ietf-oauth-identity-assertion-authz-grant-02
Identity Assertion JWT Authorization Grant |
2026-03-02 |
I-D Exists
WG Document |
|
||
|
11 pages
draft-ietf-oauth-refresh-token-expiration-01
OAuth 2.0 Refresh Token and Authorization Expiration |
2026-02-27 |
I-D Exists
WG Document |
|
||
|
65 pages
draft-ietf-oauth-sd-jwt-vc-15
SD-JWT-based Verifiable Digital Credentials (SD-JWT VC) |
2026-02-26 |
I-D Exists
WG Consensus: Waiting for Write-Up |
Hannes Tschofenig |
||
|
20 pages
draft-ietf-oauth-security-topics-update-01
Updates to OAuth 2.0 Security Best Current Practice |
2026-03-02 |
I-D Exists
WG Document |
|
||
|
24 pages
draft-ietf-oauth-spiffe-client-auth-01
OAuth SPIFFE Client Authentication |
2026-03-02 |
I-D Exists
WG Document |
|
||
|
34 pages
draft-ietf-oauth-transaction-tokens-08
Transaction Tokens |
2026-03-02 |
I-D Exists
In WG Last Call |
Rifaat Shekh-Yusef |
||
|
100 pages
draft-ietf-oauth-v2-1-15
The OAuth 2.1 Authorization Framework |
2026-03-02 |
I-D Exists
WG Document Jul 2021 |
|
||
| Active with the IESG Internet-Drafts (6 hits) | |||||
|
68 pages
draft-ietf-oauth-browser-based-apps-26
OAuth 2.0 for Browser-Based Applications |
2025-12-03 |
RFC Ed Queue
: EDIT
287
Submitted to IESG for Publication : Best Current Practice Reviews: httpdir IETF Last Call secdir IETF Last Call opsdir IETF Last Call rtgdir IETF Last Call artart IETF Last Call genart IETF Last Call secdir IETF Last Call Oct 2021 |
Deb Cooley
Rifaat Shekh-Yusef |
||
|
69 pages
draft-ietf-oauth-cross-device-security-16
Cross-Device Flows: Security Best Current Practice |
2026-03-02 |
RFC Ed Queue
: EDIT
Submitted to IESG for Publication : Best Current Practice Reviews: secdir secdir IETF Last Call opsdir IETF Last Call artart IETF Last Call genart IETF Last Call |
Deb Cooley
Hannes Tschofenig |
||
|
28 pages
draft-ietf-oauth-identity-chaining-08
OAuth Identity and Authorization Chaining Across Domains |
2026-02-09 |
AD Evaluation::Revised I-D Needed
Submitted to IESG for Publication : Proposed Standard Action Holders: Arndt Schwenkschuster , Pieter Kasselman , Kelley Burgin , Michael J. Jenkins , Brian Campbell |
Deb Cooley
Rifaat Shekh-Yusef |
||
|
16 pages
draft-ietf-oauth-rfc7523bis-10
Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants |
2026-04-20
New
|
IESG Evaluation
IESG telechat: 2026-04-30 Submitted to IESG for Publication : Proposed Standard Reviews: secdir IETF Last Call opsdir IETF Last Call artart IETF Last Call genart IETF Last Call Action Holder: Deb Cooley |
Deb Cooley
Rifaat Shekh-Yusef |
||
|
22 pages
draft-ietf-oauth-rfc8725bis-04
JSON Web Token Best Current Practices |
2026-03-02 |
Publication Requested
31
Submitted to IESG for Publication : Best Current Practice Action Holder: Deb Cooley 31 |
Deb Cooley
Hannes Tschofenig |
||
|
80 pages
draft-ietf-oauth-status-list-20
Token Status List (TSL) |
2026-04-20
New
|
IESG Evaluation::AD Followup
104
Submitted to IESG for Publication : Proposed Standard Reviews: artart IETF Last Call genart IETF Last Call secdir IETF Last Call Action Holder: Deb Cooley 84 |
Deb Cooley
Rifaat Shekh-Yusef |
||
| Expired Internet-Drafts (10 hits) | |||||
|
7 pages
draft-ietf-oauth-closing-redirectors-00
OAuth 2.0 Security: Closing Open Redirectors in OAuth |
2016-02-04 |
Expired
WG Document : Best Current Practice |
|
||
|
9 pages
draft-ietf-oauth-distributed-01
Distributed OAuth |
2018-10-19 |
Expired
WG Document |
|
||
|
11 pages
draft-ietf-oauth-incremental-authz-04
OAuth 2.0 Incremental Authorization |
2020-05-03 |
Expired
WG Document |
|
||
|
14 pages
draft-ietf-oauth-mix-up-mitigation-01
OAuth 2.0 Mix-Up Mitigation |
2016-07-07 |
Expired
WG Document |
|
||
|
23 pages
draft-ietf-oauth-pop-architecture-08
OAuth 2.0 Proof-of-Possession (PoP) Security Architecture |
2016-07-08 |
Expired
Submitted to IESG for Publication : Informational Reviews: opsdir IETF Last Call opsdir IETF Last Call genart genart secdir |
Kathleen Moriarty
Kepeng Li |
||
|
17 pages
draft-ietf-oauth-pop-key-distribution-07
OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution |
2019-03-27 |
Expired
WG Document : Proposed Standard |
Kepeng Li |
||
|
8 pages
draft-ietf-oauth-reciprocal-04
Reciprocal OAuth |
2019-08-01 |
Expired
In WG Last Call |
Rifaat Shekh-Yusef |
||
|
13 pages
draft-ietf-oauth-signed-http-request-03
A Method for Signing HTTP Requests for OAuth |
2016-08-08 |
Expired
WG Document |
|
||
|
30 pages
draft-ietf-oauth-token-binding-08
OAuth 2.0 Token Binding |
2018-10-19 |
Expired
WG Document |
|
||
|
37 pages
draft-ietf-oauth-v2-http-mac-05
OAuth 2.0 Message Authentication Code (MAC) Tokens |
2014-01-15 |
Expired
WG Document |
Barry Leiba |
||
| RFCs (34 hits) | |||||
| 76 pages | 2012-10 |
Proposed Standard RFC
Updated by rfc8252, rfc8996, rfc9700 |
4 |
Stephen Farrell
|
|
| 18 pages | 2012-10 |
Proposed Standard RFC
Updated by rfc8996, rfc9700 |
2 |
Stephen Farrell
|
|
|
5 pages
RFC 6755
An IETF URN Sub-Namespace for OAuth |
2012-10 | Informational RFC |
Stephen Farrell
|
||
| 71 pages | 2013-01 |
Informational RFC
Updated by rfc9700 |
Stephen Farrell
|
||
| 11 pages | 2013-08 | Proposed Standard RFC |
Stephen Farrell
|
||
| 30 pages | 2015-05 |
Proposed Standard RFC
Updated by rfc7797, rfc8725 |
Kathleen Moriarty
|
||
|
20 pages
RFC 7521
Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants |
2015-05 | Proposed Standard RFC |
Kathleen Moriarty
|
||
|
15 pages
RFC 7522
Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants |
2015-05 | Proposed Standard RFC |
Kathleen Moriarty
|
||
|
12 pages
RFC 7523
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants |
2015-05 | Proposed Standard RFC |
Kathleen Moriarty
|
||
| 39 pages | 2015-07 | Proposed Standard RFC |
Kathleen Moriarty
|
||
|
18 pages
RFC 7592
OAuth 2.0 Dynamic Client Registration Management Protocol |
2015-07 | Experimental RFC |
Kathleen Moriarty
|
||
| 20 pages | 2015-09 | Proposed Standard RFC |
Kathleen Moriarty
|
||
| 17 pages | 2015-10 | Proposed Standard RFC |
Kathleen Moriarty
|
||
| 15 pages | 2016-04 | Proposed Standard RFC |
Kathleen Moriarty
|
||
|
15 pages
RFC 8176
Authentication Method Reference Values |
2017-06 | Proposed Standard RFC |
Kathleen Moriarty
|
||
| 21 pages | 2017-10 |
Best Current Practice RFC
Also known as BCP 212 |
Kathleen Moriarty
|
||
| 23 pages | 2018-06 | Proposed Standard RFC |
Eric Rescorla
|
||
| 21 pages | 2019-08 | Proposed Standard RFC |
Roman Danyliw
|
||
| 27 pages | 2020-01 | Proposed Standard RFC |
Roman Danyliw
|
||
|
24 pages
RFC 8705
OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens |
2020-02 | Proposed Standard RFC |
Roman Danyliw
|
||
| 11 pages | 2020-02 | Proposed Standard RFC |
Roman Danyliw
|
||
|
13 pages
RFC 8725
JSON Web Token Best Current Practices |
2020-02 |
Best Current Practice RFC
Also known as BCP 225 |
Roman Danyliw
|
||
| 15 pages | 2021-10 | Proposed Standard RFC |
Roman Danyliw
|
||
|
25 pages
RFC 9101
The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) |
2021-08 | Proposed Standard RFC |
Roman Danyliw
|
||
| 18 pages | 2021-09 | Proposed Standard RFC |
Roman Danyliw
|
||
|
9 pages
RFC 9207
OAuth 2.0 Authorization Server Issuer Identification |
2022-03 | Proposed Standard RFC |
Roman Danyliw
|
||
|
6 pages
RFC 9278
JWK Thumbprint URI |
2022-08 | Proposed Standard RFC |
Roman Danyliw
|
||
|
38 pages
RFC 9396
OAuth 2.0 Rich Authorization Requests |
2023-05 | Proposed Standard RFC |
Roman Danyliw
|
||
| 39 pages | 2023-09 | Proposed Standard RFC |
Roman Danyliw
|
||
| 14 pages | 2023-09 | Proposed Standard RFC |
Roman Danyliw
|
||
|
46 pages
RFC 9700
Best Current Practice for OAuth 2.0 Security |
2025-01 |
Best Current Practice RFC
Also known as BCP 240 |
Roman Danyliw
|
||
|
13 pages
RFC 9701
JSON Web Token (JWT) Response for OAuth Token Introspection |
2025-01 | Proposed Standard RFC |
Roman Danyliw
|
||
|
25 pages
RFC 9728
OAuth 2.0 Protected Resource Metadata |
2025-04 | Proposed Standard RFC |
Deb Cooley
|
||
|
88 pages
RFC 9901
Selective Disclosure for JSON Web Tokens |
2025-11 | Proposed Standard RFC |
Deb Cooley
|
||
| Related Internet-Drafts and RFCs (34 hits) | |||||
|
83 pages
draft-aap-oauth-profile-01
Agent Authorization Profile (AAP) for OAuth 2.0 |
2026-02-07 | I-D Exists |
|
||
|
19 pages
draft-araut-oauth-transaction-tokens-for-agents-00
Transaction Tokens For Agents |
2026-04-16
New
|
I-D Exists |
|
||
|
11 pages
draft-chen-oauth-rar-agent-extensions-01
Policy, Lifecycle, and Intent Extensions for OAuth Rich Authorization Requests |
2026-04-21
New
|
I-D Exists |
|
||
|
12 pages
draft-chen-oauth-scope-agent-extensions-00
Structured and Constraint Extensions for OAuth Scopes |
2026-03-01 | I-D Exists |
|
||
|
9 pages
draft-chu-oauth-as-attested-user-cert-00
OAuth 2.0 Rich Authorization Requests for AS-Attested User Certificates |
2026-03-02 | I-D Exists |
|
||
|
20 pages
draft-coetzee-oauth-spt-txn-tokens-00
Sovereign Policy Token Transactions (SPT-Txn) |
2026-03-14 | I-D Exists |
|
||
|
17 pages
draft-embesozzi-oauth-agent-native-authorization-00
OAuth 2.0 Agents Native Authorization via Structured Elicitation |
2026-04-03 | I-D Exists |
|
||
|
4 pages
draft-emelia-oauth-authorization-management-uri-00
OAuth Authorization Management URI |
2025-11-17 | I-D Exists |
|
||
|
6 pages
draft-fulz-oauth-trust-binding-00
OAuth Trust Binding Extension (OTBE) |
2025-11-26 | I-D Exists |
|
||
|
9 pages
draft-fx-oauth-government-content-access-control-02
OAuth 2.1 Government Content Access Control |
2026-01-25 | I-D Exists |
|
||
|
15 pages
draft-gco-oauth-delegate-sd-jwt-00
Delegate SD-JWT |
2026-04-21
New
|
I-D Exists |
|
||
|
9 pages
draft-hemanth-oauth-ai-scopes-00
OAuth 2.0 Extension for AI Model Access |
2026-01-05 | I-D Exists |
|
||
|
15 pages
draft-jia-oauth-scope-aggregation-00
OAuth 2.0 Scope Aggregation for Multi-Step AI Agent Workflows |
2026-02-10 | I-D Exists |
|
||
|
27 pages
draft-li-oauth-delegated-authorization-01
OAuth 2.0 Delegated Authorization |
2026-03-02 | I-D Exists |
|
||
|
5 pages
draft-liu-oauth-a2a-profile-00
Agent-to-Agent (A2A) Profile for OAuth Transaction Tokens |
2025-10-20
Expires soon |
I-D Exists |
|
||
|
34 pages
draft-mcguinness-oauth-resource-token-resp-03
OAuth 2.0 Resource Parameter in Access Token Response |
2026-03-23 | I-D Exists |
|
||
|
16 pages
draft-mcguinness-oauth-rfc9728bis-01
Update to OAuth 2.0 Protected Resource Metadata Resource Identifier Validation |
2026-02-24 | I-D Exists |
|
||
|
16 pages
draft-meyerzuselha-oauth-web-message-response-mode-01
OAuth 2.0 Web Message Response Mode for Popup- and Iframe-based Authorization Flows |
2025-11-05 | I-D Exists |
|
||
|
40 pages
draft-mishra-oauth-agent-grants-01
Delegated Agent Authorization Protocol (DAAP) |
2026-03-02 | I-D Exists |
|
||
|
36 pages
draft-mora-oauth-entity-profiles-01
OAuth 2.0 Entity Profiles |
2026-04-15
New
|
I-D Exists |
|
||
|
16 pages
draft-moros-oauth-browser-session-handoff-00
Browser Session Establishment Using OAuth 2.0 Token Exchange and Short-Lived Authorization Codes |
2026-04-16
New
|
I-D Exists |
|
||
|
27 pages
draft-mw-oauth-tls-session-bound-tokens-04
TLS-Session-Bound Access Tokens for OAuth 2.0 |
2026-04-09
New
|
I-D Exists |
|
||
|
72 pages
draft-niyikiza-oauth-attenuating-agent-tokens-00
Attenuating Authorization Tokens for Agentic Delegation Chains |
2026-03-16 | I-D Exists |
|
||
|
17 pages
draft-parecki-oauth-global-token-revocation-06
Global Token Revocation |
2026-02-24 | I-D Exists |
|
||
|
7 pages
draft-parecki-oauth-jwt-dpop-grant-01
OAuth 2.0 JWT Authorization Grant with DPoP Binding |
2026-01-30 | I-D Exists |
|
||
|
11 pages
draft-parecki-oauth-jwt-grant-interaction-response-00
JWT Authorization Grant Interaction Response |
2026-03-24 | I-D Exists |
|
||
|
15 pages
draft-skokan-oauth-additional-hashes-04
Additional Hash Algorithms for OAuth 2.0 PKCE and Proof-of-Possession |
2026-02-28 | I-D Exists |
|
||
|
7 pages
draft-skokan-oauth-resource-response-02
Resource Indicator Response Parameter for OAuth 2.0 |
2026-03-02 | I-D Exists |
|
||
|
13 pages
draft-song-oauth-ai-agent-collaborate-authz-01
OAuth2.0 Extension for Multi-AI Agent Collaboration |
2026-03-01 | I-D Exists |
|
||
|
44 pages
draft-valverde-oauth-pact-00
PACT: Private Agent Consent and Trust Profile for OAuth 2.1 and CIBA |
2026-04-18
New
|
I-D Exists |
|
||
|
24 pages
draft-valverde-oauth-veil-00
VEIL: Verified Ephemeral Identity Layer for OAuth 2.1 |
2026-04-18
New
|
I-D Exists |
|
||
|
27 pages
draft-yakung-oauth-agent-attestation-00
Agent Credential Attestation Protocol (ACAP) |
2026-03-26 | I-D Exists |
|
||
|
21 pages
draft-zehavi-oauth-native-clients-federation-01
OAuth 2.0 direct interaction for native clients using federation |
2026-02-17 | I-D Exists |
|
||
|
29 pages
draft-zehavi-oauth-rar-metadata-02
OAuth 2.0 RAR Metadata and Error Signaling |
2026-02-22 | I-D Exists |
|
||