Enterprise Mission Tailored OAuth 2.0 Profile
Abstract
This document profiles the OAuth 2.0 web authorization framework [RFC6749] for use in the context of securing web-facing application programming interfaces (APIs), particularly Representational State Transfer (RESTful) APIs. The OAuth 2.0 specifications accommodate a wide range of implementations with varying security and usability considerations, across different types of software clients. The OAuth 2.0 client, authorization server, and protected resource profiles defined in this document serve two purposes:
1. Define a mandatory baseline set of security controls, while maintaining reasonable ease of implementation and functionality.
2. Define objective requirements for use of features that provide stronger security properties but are not yet widely available in OAuth implementations.
This OAuth profile is derived from the International Government Assurance Profile (iGov) for OAuth 2.0 [OpenID-iGov] produced by the OpenID Foundation and has been tailored for use in enterprise environments, as further described in section 1.4. This profile incorporates many recommendations found in the IETF Internet-Draft "OAuth 2.0 Security Best Current Practice" [Lodderstedt].
Document Details
- Document Type: Technical Report
- Publication Date: Feb 01, 2020
- Accession Number: AD1108120
Entities
People
- Beth Abramowitz
- Kelley Burgin
- Mark Russell
- Michael Peck
- Neil Mcnab
- Roger Westman
- Tommy Farinelli
Organizations
- MITRE Corporation