Web Authorization Protocol (oauth) Internet Drafts


      
 OAuth 2.0 for Browser-Based Applications
 
 draft-ietf-oauth-browser-based-apps-26.txt
 Date: 03/12/2025
 Authors: Aaron Parecki, Philippe De Ryck, David Waite
 Working Group: Web Authorization Protocol (oauth)
This specification details the threats, attack consequences, security considerations and best practices that must be taken into account when developing browser-based applications that use OAuth 2.0.

Discussion Venues (note to be removed before publishing as an RFC): Discussion of this document takes place on the Web Authorization Protocol Working Group mailing list (oauth@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/oauth/. Source for this draft and an issue tracker can be found at https://github.com/oauth-wg/oauth-browser-based-apps.
 The OAuth 2.1 Authorization Framework
 
 draft-ietf-oauth-v2-1-15.txt
 Date: 02/03/2026
 Authors: Dick Hardt, Aaron Parecki, Torsten Lodderstedt
 Working Group: Web Authorization Protocol (oauth)
The OAuth 2.1 authorization framework enables an application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and an authorization service, or by allowing the application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 2.0 Authorization Framework described in RFC 6749 and the Bearer Token Usage in RFC 6750.
 Cross-Device Flows: Security Best Current Practice
 
 draft-ietf-oauth-cross-device-security-16.txt
 Date: 02/03/2026
 Authors: Pieter Kasselman, Daniel Fett, Filip Skokan
 Working Group: Web Authorization Protocol (oauth)
This document describes threats against cross-device flows along with practical mitigations, protocol selection guidance, and a summary of formal analysis results identified as relevant to the security of cross-device flows. It serves as a security guide to system designers, architects, product managers, security specialists, fraud analysts and engineers implementing cross-device flows.
 SD-JWT-based Verifiable Digital Credentials (SD-JWT VC)
 
 draft-ietf-oauth-sd-jwt-vc-16.txt
 Date: 24/04/2026
 Authors: Oliver Terbu, Daniel Fett, Brian Campbell
 Working Group: Web Authorization Protocol (oauth)
This specification describes data formats as well as validation and processing rules to express Verifiable Digital Credentials with JSON payloads with and without selective disclosure based on the SD-JWT format.
 OAuth 2.0 Attestation-Based Client Authentication
 
 draft-ietf-oauth-attestation-based-client-auth-09.txt
 Date: 25/05/2026
 Authors: Tobias Looker, Paul Bastian, Christian Bormann
 Working Group: Web Authorization Protocol (oauth)
This specification defines an extension to the OAuth 2.0 protocol [RFC6749] that enables a client instance to include a key-bound attestation when interacting with an Authorization Server or Resource Server. This mechanism allows a client instance to prove its authenticity verified by a client attester without revealing its target audience to that attester. It may also serve as a mechanism for client authentication as per OAuth 2.0.
 Token Status List (TSL)
 
 draft-ietf-oauth-status-list-20.txt
 Date: 20/04/2026
 Authors: Tobias Looker, Paul Bastian, Christian Bormann
 Working Group: Web Authorization Protocol (oauth)
This specification defines a status mechanism called Token Status List (TSL), data structures and processing rules for representing the status of tokens secured by JSON Object Signing and Encryption (JOSE) or CBOR Object Signing and Encryption (COSE), such as JWT, SD-JWT, CBOR Web Token, and ISO mdoc. It also defines an extension point and a registry for future status mechanisms.
 Transaction Tokens
 
 draft-ietf-oauth-transaction-tokens-08.txt
 Date: 02/03/2026
 Authors: Atul Tulshibagwale, George Fletcher, Pieter Kasselman
 Working Group: Web Authorization Protocol (oauth)
Transaction Tokens (Txn-Tokens) are designed to maintain and propagate user identity, workload identity and authorization context throughout the Call Chain within a trusted domain during the processing of external requests (such as API calls) or requests initiated internally within the trust domain. Txn-Tokens ensure that this context is preserved throughout the Call Chain, thereby enhancing security and consistency in complex, multi-service architectures.
 OAuth Identity and Authorization Chaining Across Domains
 
 draft-ietf-oauth-identity-chaining-14.txt
 Date: 02/06/2026
 Authors: Arndt Schwenkschuster, Pieter Kasselman, Kelley Burgin, Michael Jenkins, Brian Campbell, Aaron Parecki
 Working Group: Web Authorization Protocol (oauth)
This specification describes a mechanism for preserving identity and authorization information across trust domains that use the OAuth 2.0 Framework. A JSON Web Token (JWT) authorization grant, obtained through an intra-domain OAuth 2.0 Token Exchange, facilitates the cross-domain acquisition of an access token. The relevant identity and authorization information is chained throughout the flow by being conveyed in the respective artifacts exchanged at each step of the process. Chaining across multiple domains is achieved by using the same protocol every time a trust domain boundary is crossed.
 OAuth 2.0 for First-Party Applications
 
 draft-ietf-oauth-first-party-apps-03.txt
 Date: 27/02/2026
 Authors: Aaron Parecki, George Fletcher, Pieter Kasselman
 Working Group: Web Authorization Protocol (oauth)
This document defines the Authorization Challenge Endpoint, which supports clients that want to control the process of obtaining authorization from the user using a native experience. In many cases, this can provide an entirely browserless OAuth 2.0 experience suited for native applications, only delegating to the browser in unexpected, high risk, or error conditions.
 Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants
 
 draft-ietf-oauth-rfc7523bis-11.txt
 Date: 28/04/2026
 Authors: Michael Jones, Brian Campbell, Chuck Mortimore, Filip Skokan
 Working Group: Web Authorization Protocol (oauth)
This document updates RFC7521, RFC7522, RFC7523 and RFC9126 with respect to the treatment of audience values in OAuth 2.0 Client Assertion Authentication and Assertion-based Authorization Grants to address a security vulnerability identified in the previous requirements for those audience values in multiple OAuth 2.0 specifications.
 JSON Web Token Best Current Practices
 
 draft-ietf-oauth-rfc8725bis-04.txt
 Date: 02/03/2026
 Authors: Yaron Sheffer, Dick Hardt, Michael Jones
 Working Group: Web Authorization Protocol (oauth)
JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices (BCP) specification updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs. This BCP specification furthermore replaces the existing JWT BCP specification RFC 8725 to provide additional actionable guidance covering threats and attacks that have been discovered since RFC 8725 was published.
 Identity Assertion JWT Authorization Grant
 
 draft-ietf-oauth-identity-assertion-authz-grant-04.txt
 Date: 21/05/2026
 Authors: Aaron Parecki, Karl McGuinness, Brian Campbell
 Working Group: Web Authorization Protocol (oauth)
This specification provides a mechanism for an application to use an identity assertion to obtain an access token for a third-party API by coordinating through an identity provider that the downstream Resource Authorization Server already trusts for single sign-on (SSO), using Token Exchange [RFC8693] and JWT Profile for OAuth 2.0 Authorization Grants [RFC7523]. This pattern is informally referred to as Cross-App Access (XAA).
 OAuth Client ID Metadata Document
 
 draft-ietf-oauth-client-id-metadata-document-01.txt
 Date: 01/03/2026
 Authors: Aaron Parecki, Emelia Smith
 Working Group: Web Authorization Protocol (oauth)
This specification defines a mechanism through which an OAuth client can identify itself to authorization servers, without prior dynamic client registration or other existing registration. This is through the usage of a URL as a client_id in an OAuth flow, where the URL refers to a document containing the necessary client metadata, enabling the authorization server to fetch the metadata about the client as needed.
 Updates to OAuth 2.0 Security Best Current Practice
 
 draft-ietf-oauth-security-topics-update-01.txt
 Date: 02/03/2026
 Authors: Tim Wuertele, Pedram Hosseyni, Kaixuan Luo, Adonis Fung
 Working Group: Web Authorization Protocol (oauth)
This document updates the set of best current security practices for OAuth 2.0 by extending the security advice given in RFC 6749, RFC 6750, and RFC 9700 to cover new threats that have been discovered since those documents were published.
 OAuth SPIFFE Client Authentication
 
 draft-ietf-oauth-spiffe-client-auth-01.txt
 Date: 02/03/2026
 Authors: Arndt Schwenkschuster, Pieter Kasselman, Scott Rose, Stian Thorgersen
 Working Group: Web Authorization Protocol (oauth)
This specification profiles the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [RFC7521], the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants [RFC7523], and OAuth 2.0 Attestation-Based Client Authentication [I-D.draft-ietf-oauth-attestation-based-client-auth] to enable the use of SPIFFE Verifiable Identity Documents (SVIDs) as client credentials in OAuth 2.0. It defines how OAuth clients with SPIFFE credentials can authenticate to OAuth authorization servers using their JWT-SVIDs, WIT-SVIDs, or X.509-SVIDs without the need for client secrets. This approach enhances security by enabling seamless integration between SPIFFE-enabled workloads and OAuth authorization servers while eliminating the need to distribute and manage shared secrets such as static client secrets.
 OAuth 2.0 Refresh Token and Authorization Expiration
 
 draft-ietf-oauth-refresh-token-expiration-02.txt
 Date: 08/05/2026
 Authors: Nick Watson
 Working Group: Web Authorization Protocol (oauth)
This specification extends OAuth 2.0 [RFC6749] by adding new token endpoint response parameters to specify refresh token expiration and user authorization expiration.



Web Authorization Protocol (oauth)

WG Name: Web Authorization Protocol
Acronym: oauth
Area: Security Area (sec)
State: Active
Charter: charter-ietf-oauth-06 (Approved)
Document dependencies
Additional resources: Issue tracker, Wiki, Zulip stream
Personnel
Chairs: Hannes Tschofenig, Rifaat Shekh-Yusef
Area Director: Deb Cooley
Delegate: Michael B. Jones
Mailing list
Address: oauth@ietf.org
To subscribe: https://www.ietf.org/mailman/listinfo/oauth
Archive: https://mailarchive.ietf.org/arch/browse/oauth/
Chat Room address: https://zulip.ietf.org/#narrow/stream/oauth

Charter for Working Group

The Web Authorization (OAuth) protocol is a delegation protocol that allows users to grant third-party applications limited access to their resources without sharing their long-term credentials, or even their identity. For example, a photo-sharing site that supports OAuth could allow its users to use a third-party printing website to print their private pictures, without allowing the printing site to gain full control of the user's account and without requiring the user to share their long-term credentials with the printing site.

As automated agents increasingly act on behalf of users, organizations, or both, these delegation patterns become increasingly involved and complex.

The OAuth 2.0 protocol framework already includes:

  • A procedure for enabling a client to register with an authorization server.
  • A protocol for obtaining authorization tokens from an authorization server with the resource owner's consent.
  • Protocols for presenting these authorization tokens to protected resources for access.

This framework has been enhanced with functionality for interworking with legacy identity infrastructure, token revocation, token exchange, dynamic client registration, token introspection, and standardized formats like JSON Web Token (JWT). It also includes specifications to mitigate security attacks, such as Proof Key for Code Exchange (PKCE), native app support, step-up authentication, and Demonstrating Proof of Possession (DPoP).

Work Program

The working group is now tackling the following topics, the results of which will be published primarily as Standards Track documents or BCPs:

  • Consolidation: Finalizing OAuth 2.1 to consolidate the core framework and incorporate established security best practices into a single baseline.
  • Digital Credentials: Completing Selective Disclosure for JSON Web Tokens (SD-JWT), SD-JWT-based Verifiable Credentials (SD-JWT VC), and Token Status List (TSL) to support privacy-preserving attribute disclosure.
  • Complex Delegation: Developing new mechanisms and/or extensions for authorization of automated agents working on behalf of users, including scenarios where automated agents act across multiple administrative domains.
  • First-Party Integration: Standardizing patterns for first-party applications to provide a secure, interoperable alternative to proprietary extensions.
  • Security Maintenance: Maintaining and updating Best Current Practices (BCPs) for browser-based and native applications to address evolving web security models.

Coordination

To ensure interoperability and avoid duplication of effort, the working group will coordinate with:

  • WIMSE (Workload Identity in Multi-System Environments): On the application of OAuth-based tokens (e.g., Token Exchange and DPoP) for service-to-service and multi-hop workload identities.
  • Secure Patterns for Internet CrEdentials (SPICE): On the application of SD-CWT and other CBOR-related work.
  • EU Digital Identity Wallet: To ensure that SD-JWT and related credential formats remain compatible with broader architectural requirements for digital wallets and verifiable presentations.

Milestones

Date | Milestone | Associated documents
Dec 2026 | Submit "Transaction Tokens" to the IESG | draft-ietf-oauth-transaction-tokens
Dec 2026 | Submit "OAuth 2.1 Authorization Framework" to the IESG | draft-ietf-oauth-v2-1
Jul 2026 | Submit "SD-JWT-based Verifiable Digital Credentials (SD-JWT VC)" to the IESG | draft-ietf-oauth-sd-jwt-vc