
RFC 6749

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Title: RFC 6749
Status: Informational
Published: October 2012
Authors: D. Hardt
Category: Internet Standards


RFC 6749 is the IETF specification that defines the OAuth 2.0 Authorization Framework, a protocol for delegated authorization used in web, mobile, and application ecosystems. The document formalizes grant types, client roles, and token mechanics that enable third-party access to protected resources without sharing user credentials. It influenced widespread deployments across major technology platforms and spurred related work in security, privacy, and interoperability.

Introduction

The introduction situates RFC 6749 within the Internet Engineering Task Force process and frames OAuth 2.0 as a successor to earlier authorization mechanisms, alongside documents such as HTTP/1.1, TLS 1.2, OpenID, SAML 2.0, X.509 and other standards produced by the IETF. It identifies the core actors (resource owners, clients, authorization servers, and resource servers), referencing implementation contexts encountered at organizations such as Google, Facebook, Microsoft, Amazon, and Twitter. The section outlines goals such as simplicity for developers, support for web and native applications, and extensibility for future work led by groups including the OAuth Working Group and contributors from companies like Yahoo! and LinkedIn.

Background and Purpose

This section recounts the lineage and rationale that motivated RFC 6749, tracing prior art including the work on delegation used in projects at the Mozilla Foundation and the Apache Software Foundation, and research from MIT and Stanford University. It contrasts OAuth 2.0 with predecessor protocols adopted by institutions like PayPal, GitHub, and Salesforce, and explains interoperability aims shared with efforts such as the IETF ACE Working Group and identity initiatives like the OpenID Foundation. The purpose emphasizes pragmatic adoption by developers at entities such as Dropbox, Box, and Slack Technologies, and the need to balance security recommendations from bodies like NIST with ease of integration championed by commercial platforms such as Heroku.

OAuth 2.0 Grants and Flows

RFC 6749 specifies multiple grant types and authorization flows designed for diverse environments, including browser-based apps used at Mozilla, native mobile clients distributed via Apple Inc. and Google LLC, and server-side applications hosted on platforms like Amazon Web Services and Microsoft Azure. The "Authorization Code" grant addresses scenarios patterned after implementations by Facebook and Google, while the "Implicit" grant targets single-page applications similar to deployments at Netflix and Spotify. The "Resource Owner Password Credentials" grant reflects legacy models employed in services by organizations such as Atlassian and GitLab, and the "Client Credentials" grant is suited to machine-to-machine interactions in infrastructures like Docker and Kubernetes. The specification defines request parameters, token endpoint behavior, scope negotiation comparable to the scopes used by Google APIs, and error response formats that influenced API design at companies such as Stripe and Square.

Security Considerations

RFC 6749 contains extensive security guidance shaped by threat analyses from contributors associated with CERT Coordination Center, OWASP, ENISA, and recommendations influenced by CISPR and IETF TLS Working Group discussions. It warns about risks such as token interception reminiscent of attacks documented against web platforms like MySpace and stresses the importance of transport-layer protections exemplified by TLS 1.3. The document also discusses client authentication patterns used by enterprises such as Cisco Systems, IBM, and Oracle Corporation, and references mitigation techniques aligned with guidance from NIST Special Publication 800-63 and practices adopted by providers like Okta and Ping Identity.
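The authorization code grant and the security guidance above (state as CSRF protection, client authentication, and the token endpoint's success and error formats) as a small added example, not code from the page or from RFC 6749 itself. The endpoint and redirect URLs are placeholders, and the JSON bodies are constructed samples.

```python
"""Minimal client-side helpers for the RFC 6749 authorization code grant (added example)."""
import base64
import json
import secrets
from urllib.parse import parse_qs, quote_plus, urlencode, urlparse

AUTHZ_ENDPOINT = "https://as.example/authorize"   # placeholder authorization server
REDIRECT_URI = "https://client.example/cb"        # placeholder registered redirect URI


def new_state() -> str:
    """Unguessable per-request state (Section 10.12: CSRF protection for the redirect)."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id: str, scope: str, state: str) -> str:
    """Section 4.1.1 authorization request: response_type=code plus client_id, redirect_uri, scope, state."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Section 4.1.2: accept the code only if state matches what this client sent; surface 4.1.2.1 errors."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not initiated by this session")
    if "error" in q:
        raise ValueError(f"authorization error: {q['error'][0]}")
    return q["code"][0]


def client_basic_auth_header(client_id: str, client_secret: str) -> str:
    """Section 2.3.1: HTTP Basic with client_id and client_secret form-urlencoded before base64."""
    cred = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(cred.encode()).decode()


def parse_token_response(status: int, body: str) -> dict:
    """Section 5.1 success body on 200; Section 5.2 error body ('error', 'error_description') otherwise."""
    data = json.loads(body)
    if status != 200:
        return {"ok": False, "error": data.get("error", "unknown"),
                "description": data.get("error_description")}
    if data.get("token_type", "").lower() != "bearer":   # only Bearer tokens are handled here
        raise ValueError("unsupported token_type")
    return {"ok": True, "access_token": data["access_token"], "expires_in": data.get("expires_in"),
            "refresh_token": data.get("refresh_token"), "scope": data.get("scope")}
```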

Implementation and Adoption

After publication, RFC 6749 saw adoption and implementation in SDKs and services from major vendors including Google, Facebook, Microsoft, Apple Inc., and Amazon, and from identity providers like Auth0. Open-source libraries in ecosystems maintained by communities such as GitHub and organizations like the Apache Software Foundation and Eclipse Foundation embedded the flows into frameworks used by projects such as Spring Framework, Express, Django, and Ruby on Rails. Large-scale deployments at companies like Spotify, Slack Technologies, and Salesforce illustrated practical integration patterns, while standardization work at the IETF OAuth Working Group and interaction with the OpenID Foundation produced profiles and best practices.

Criticism and Extensions

RFC 6749 attracted critique and spawned extensions addressing security and interoperability gaps noted by researchers at the University of Cambridge, ETH Zurich, and labs at Google. Critics from communities including OWASP and engineers at the Mozilla Foundation argued that certain grant types encouraged insecure implementations in contexts like single-page applications, as noted by teams at Twitter and GitHub. This prompted subsequent work such as RFC 8252 for native apps, token binding proposals influenced by research at Microsoft Research and Google Research, and the development of the OAuth 2.0 for Native Apps and Proof Key for Code Exchange profiles adopted by providers like Okta and Auth0. Extensions and companion specifications from organizations such as the IETF and the OpenID Foundation continue to refine deployment guidance and address concerns raised by academic studies at Stanford University and security assessments by Kaspersky Lab.
