UNLIMITED FREE
ACCESS TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Select Your Free Newsletters

Industry Newsletters

Select Your Free Product Alerts

Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

IETF - RFC 9470

OAuth 2.0 Step Up Authentication Challenge Protocol

active, Most Current
Organization: IETF
Publication Date: 1 September 2023
Status: active
Page Count: 14
scope:

It is not uncommon for resource servers to require different authentication strengths or recentness according to the characteristics of a request. This document introduces a mechanism that resource servers can use to signal to a client that the authentication event associated with the access token of the current request does not meet its authentication requirements and, further, how to meet them. This document also codifies a mechanism for a client to request that an authorization server achieve a specific authentication strength or recentness when processing an authorization request.

Document History

RFC 9470
September 1, 2023
OAuth 2.0 Step Up Authentication Challenge Protocol
It is not uncommon for resource servers to require different authentication strengths or recentness according to the characteristics of a request. This document introduces a mechanism that resource...

References

This document references:
IETF RFC 6749 - The OAuth 2.0 Authorization Framework
Published by IETF on October 1, 2012
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction...
This document references:
IETF RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
Published by IETF on October 1, 2012
This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the...
This document references:
IETF RFC 7662 - OAuth 2.0 Token Introspection
Published by IETF on October 1, 2015
This specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about...
This document references:
IETF RFC 8414 - OAuth 2.0 Authorization Server Metadata
Published by IETF on June 1, 2018
This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and...
This document references:
RFC 9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
Published by IETF on October 1, 2021
Abstract This specification defines a profile for issuing OAuth 2.0 access tokens in JSON Web Token (JWT) format. Authorization servers and resource servers from different vendors can leverage this...
This document references:
RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)
Published by IETF on September 1, 2023
This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks...
View Less
View All
Advertisement