RFC6749

The OAuth 2.0 Authorization Framework

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This document is the base specification of OAuth 2.0. This document is an officially published standard.

Full text: https://tools.ietf.org/html/rfc6749

Deprecated Features

This document deprecates a number of OAuth features. The OAuch tests related to these deprecated features are:

• Features.IsDeprecatedTlsSupportedTest

Countermeasures

This document introduces a number of security countermeasures for OAuth. The OAuch tests related to these countermeasures are:

• AuthEndpoint.HasValidCertificateTest
• AuthEndpoint.IsModernTlsSupportedTest
• AuthEndpoint.HasFragmentTest
• AuthEndpoint.IsHttpsRequiredTest
• AuthEndpoint.SupportsPostAuthorizationRequestsTest
• AuthEndpoint.UnrecognizedParameterAllowedTest
• AuthEndpoint.SameParameterTwiceDisallowedTest
• AuthEndpoint.IsResponseTypeCheckedTest
• AuthEndpoint.RedirectUriFullyMatchedTest
• AuthEndpoint.CodePollutionTest
• AuthEndpoint.RedirectUriPathMatchedTest
• AuthEndpoint.RedirectUriConfusionTest
• AuthEndpoint.InvalidRedirectTest
• AuthEndpoint.StatePresentTest
• AuthEndpoint.RefreshTokenPresentTest
• AuthEndpoint.HasFrameOptionsTest
• TokenEndpoint.HasValidCertificateTest
• TokenEndpoint.IsModernTlsSupportedTest
• TokenEndpoint.IsBasicAuthenticationSupportedTest
• TokenEndpoint.IsAuthInUriAllowedTest
• TokenEndpoint.IsClientAuthenticationRequiredTest
• TokenEndpoint.IsHttpsRequiredTest
• TokenEndpoint.IsGetSupportedTest
• TokenEndpoint.UnrecognizedParameterAllowedTest
• TokenEndpoint.SameParameterTwiceDisallowedTest
• TokenEndpoint.IsClientIdRequiredTest
• TokenEndpoint.MultipleCodeExchangesTest
• TokenEndpoint.TokenValidAfterMultiExchangeTest
• TokenEndpoint.RefreshTokenValidAfterMultiExchangeTest
• TokenEndpoint.AuthorizationCodeTimeoutTest
• TokenEndpoint.IsCodeBoundToClientTest
• TokenEndpoint.RedirectUriCheckedTest
• TokenEndpoint.RefreshTokenPresentTest
• TokenEndpoint.HasCacheControlHeaderTest
• TokenEndpoint.HasPragmaHeaderTest
• TokenEndpoint.IsRefreshAuthenticationRequiredTest
• TokenEndpoint.RefreshTokenRevokedAfterUseTest
• TokenEndpoint.IsRefreshBoundToClientTest
• TokenEndpoint.ClientSecretEntropyMinReqTest
• TokenEndpoint.ClientSecretEntropySugReqTest
• Tokens.AuthorizationCodeEntropyMinReqTest
• Tokens.AuthorizationCodeEntropySugReqTest
• Tokens.AccessTokenEntropyMinReqTest
• Tokens.AccessTokenEntropySugReqTest
• Tokens.RefreshTokenEntropyMinReqTest
• Tokens.RefreshTokenEntropySugReqTest
• AuthEndpoint.RequireUserConsentTest

Back to the documents overview