]> OAuth Authorization Management URI
emelia@brandedcode.com https://thisismissem.social
Security Web Authorization Protocol oauth This specification defines a authorization_management_uri property for the OAuth Authorization Server Metadata (), which allows an authorization server to specify a URI through which the user may manage the authorized clients that have access to their account. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Web Authorization Protocol Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction An OAuth 2.0 client may wish to provide access to a web-based UI at which a user can manage the applications authorized to access their account with the Authorization Server. This is a feature many Authorization Servers already support, however, when you don't have a primary service for the Authorization Server, there may be no clear path for a user to access this management page. This is especially true for decentralized social web applications where the mapping between Authorization Servers and Clients is many to many. This specification defines the new property of authorization_management_uri for the OAuth Authorization Server Metadata, as defined in . This URI should point to a website at which the user can manage the authorizations that they have granted with their Authorization Server (for example, to revoke any client or active session, or review the security history of their account).
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Authorization Management UI An Authorization Server may provide a user interface through which users can manage the OAuth Clients that have access to their account, such that users can manage their account security with the Authorization Server. This user interface is typically at an URI specific to the Authorization Server implementation, and requires authentication to access. This specification does not define specifics of the user interface, however, recommends that the user interface allows a user to manage their account security and authorized clients with the Authorization Server, for example, allowing them to see all authorized clients that have access to their account. To allow OAuth Clients to discover the URI of this user interface, this specification defines the new property authorization_management_uri for the OAuth Authorization Server Metadata, as defined in .
Security Considerations This specification does not define how the Authorization Server should security the authorization management UI. Authorization Servers should take appropriate measures to ensure that the user is authenticated and authorized to view the authorization management UI. The OAuth Client MUST NOT open the authorization_management_uri in a webview or similar embedded browser, and instead delegate that to the users' default browser, such that the OAuth Client has no access to the account credentials or to other sensitive data.
IANA Considerations
OAuth Authorization Server Metadata Registry The following authorization server metadata value is defined by this specification and registered in the IANA "OAuth Authorization Server Metadata" registry established in OAuth 2.0 Authorization Server Metadata .
  • Metadata Name: authorization_management_uri
  • Metadata Description: URI of the authorization management user interface provided by the Authorization Server.
  • Change Controller: IETF
  • Specification Document: [draft-emelia-oauth-authorization-management-uri-00]
Normative References The OAuth 2.0 Authorization Framework The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK] OAuth 2.0 Authorization Server Metadata This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.