OAuth Working Group Specifications

Current active drafts in the OAuth working group

Active Drafts

OAuth Identity and Authorization Chaining Across Domains
draft-ietf-oauth-identity-chaining
RFC Ed Queue
2026-06-26
Updates to OAuth 2.0 Security Best Current Practice
draft-ietf-oauth-security-topics-update
2026-06-25
Token Status List (TSL)
draft-ietf-oauth-status-list
RFC Ed Queue
2026-06-21
JSON Web Token Best Current Practices
draft-ietf-oauth-rfc8725bis
In Last Call (ends 2026-07-06)
2026-06-19
OAuth SPIFFE Client Authentication
draft-ietf-oauth-spiffe-client-auth
2026-06-15
OAuth 2.0 Attestation-Based Client Authentication
draft-ietf-oauth-attestation-based-client-auth
2026-05-26
Identity Assertion JWT Authorization Grant
draft-ietf-oauth-identity-assertion-authz-grant
2026-05-21
OAuth 2.0 Refresh Token and Authorization Expiration
draft-ietf-oauth-refresh-token-expiration
2026-05-08
Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants
draft-ietf-oauth-rfc7523bis
RFC Ed Queue
2026-04-28
SD-JWT-based Verifiable Digital Credentials (SD-JWT VC)
draft-ietf-oauth-sd-jwt-vc
Publication Requested
2026-04-24
The OAuth 2.1 Authorization Framework
draft-ietf-oauth-v2-1
2026-03-02
Cross-Device Flows: Security Best Current Practice
draft-ietf-oauth-cross-device-security
RFC Ed Queue
2026-03-02
Transaction Tokens
draft-ietf-oauth-transaction-tokens
2026-03-02
OAuth Client ID Metadata Document
draft-ietf-oauth-client-id-metadata-document
2026-03-02
OAuth 2.0 for First-Party Applications
draft-ietf-oauth-first-party-apps
2026-02-28
OAuth 2.0 for Browser-Based Applications
draft-ietf-oauth-browser-based-apps
RFC Ed Queue
2025-12-04


Active Individual Drafts

OAuth2.0 Extension for Multi-AI Agent Collaboration
draft-song-oauth-ai-agent-collaborate-authz
2026-07-01
Authorization Posture Mechanism (APM): Per-Transaction Consistency for OAuth 2.0
draft-vicente-oauth-apm
2026-06-28
Placeholder for typoed email alias
draft-rosomakho-oauth-txn-challange
2026-06-25
OAuth Transaction Authorization Challenge
draft-rosomakho-oauth-txn-challenge
2026-06-25
AAuth Protocol
draft-hardt-oauth-aauth-protocol
2026-06-25
OAuth 2.0 Client Instance Assertion
draft-mcguinness-oauth-client-instance-assertion
2026-06-24
Deferred Token Response
draft-gerber-oauth-deferred-token-response
2026-06-23
Intent Admission Assertions for Agentic Systems
draft-jiang-oauth-intent-admission
2026-06-23
Implementation Status of OAuth Identity Chaining and Transaction Tokens
draft-agnihotri-oauth-agent-impl-status
2026-06-23
Authorization Evidence and Audit Trail for OAuth 2.0 Access Tokens
draft-liu-oauth-authorization-evidence
2026-06-22
TLS-Session-Bound Access Tokens for OAuth 2.0
draft-mw-oauth-tls-session-bound-tokens
2026-06-21
Cryptographically Verifiable Actor Chains for OAuth 2.0 Token Exchange
draft-mw-oauth-actor-chain
2026-06-16
Sovereign Policy Token Transactions (SPT-Txn)
draft-coetzee-oauth-spt-txn-tokens
2026-06-15
Attenuating Authorization Tokens for Agentic Delegation Chains
draft-niyikiza-oauth-attenuating-agent-tokens
2026-06-15
OAuth 2.0 RAR Metadata and Error Signaling
draft-zehavi-oauth-rar-metadata
2026-06-14
Rego Policy Language for OAuth 2.0 Authorization
draft-liu-oauth-rego-policy
2026-06-12
OAuth 2.0 Attestation Based Authorization for Native Applications
draft-ekahraman-oauth-attestation-authz-native-app
2026-06-09
Delegation Chain for OAuth 2.0
draft-liu-oauth-chain-delegation
2026-06-08
OAuth 2.0 Insufficient Claims Challenge
draft-mcguinness-oauth-insufficient-claims
2026-05-27
Sender-Constrained Delegation Handle for Asynchronous OAuth 2.0 Identity Chaining
draft-zhu-oauth-async-delegation
2026-05-22
Transaction Tokens For Agents
draft-araut-oauth-transaction-tokens-for-agents
2026-05-22
OAuth Client Challenge Protocol
draft-kahrer-oauth-client-challenge-protocol
2026-05-19
JSON Web Token (JWT) Profile for OAuth 2.0 Enveloped Proof of Possession (EPOP)
draft-ambekar-oauth-epop
2026-05-19
A Comprehensive Roadmap for OAuth 2.0 Standards and Drafts
draft-chen-oauth-roadmap
2026-05-06
OAuth Actor Profile for Delegation
draft-mcguinness-oauth-actor-profile
2026-04-30
OAuth 2.0 Agent Authorization Explicit Revocation
draft-chen-oauth-agent-revocation
2026-04-27
Policy, Lifecycle, and Intent Extensions for OAuth Rich Authorization Requests
draft-chen-oauth-rar-agent-extensions
2026-04-22
Delegate SD-JWT
draft-gco-oauth-delegate-sd-jwt
2026-04-22
VEIL: Verified Ephemeral Identity Layer for OAuth 2.1
draft-valverde-oauth-veil
2026-04-18
PACT: Private Agent Consent and Trust Profile for OAuth 2.1 and CIBA
draft-valverde-oauth-pact
2026-04-18
Browser Session Establishment Using OAuth 2.0 Token Exchange and Short-Lived Authorization Codes
draft-moros-oauth-browser-session-handoff
2026-04-17
OAuth 2.0 Entity Profiles
draft-mora-oauth-entity-profiles
2026-04-15
OAuth 2.0 Agents Native Authorization via Structured Elicitation
draft-embesozzi-oauth-agent-native-authorization
2026-04-03
Agent Credential Attestation Protocol (ACAP)
draft-yakung-oauth-agent-attestation
2026-03-26
JWT Authorization Grant Interaction Response
draft-parecki-oauth-jwt-grant-interaction-response
2026-03-25
OAuth 2.0 Resource Parameter in Access Token Response
draft-mcguinness-oauth-resource-token-resp
2026-03-23
OAuth 2.0 Delegated Authorization
draft-li-oauth-delegated-authorization
2026-03-02
OAuth 2.0 Rich Authorization Requests for AS-Attested User Certificates
draft-chu-oauth-as-attested-user-cert
2026-03-02
Delegated Agent Authorization Protocol (DAAP)
draft-mishra-oauth-agent-grants
2026-03-02
Resource Indicator Response Parameter for OAuth 2.0
draft-skokan-oauth-resource-response
2026-03-02
Structured and Constraint Extensions for OAuth Scopes
draft-chen-oauth-scope-agent-extensions
2026-03-01
Additional Hash Algorithms for OAuth 2.0 PKCE and Proof-of-Possession
draft-skokan-oauth-additional-hashes
2026-02-28
Global Token Revocation
draft-parecki-oauth-global-token-revocation
2026-02-25
Update to OAuth 2.0 Protected Resource Metadata Resource Identifier Validation
draft-mcguinness-oauth-rfc9728bis
2026-02-24
OAuth 2.0 direct interaction for native clients using federation
draft-zehavi-oauth-native-clients-federation
2026-02-17
OAuth 2.0 Scope Aggregation for Multi-Step AI Agent Workflows
draft-jia-oauth-scope-aggregation
2026-02-10
Agent Authorization Profile (AAP) for OAuth 2.0
draft-aap-oauth-profile
2026-02-07
OAuth 2.0 JWT Authorization Grant with DPoP Binding
draft-parecki-oauth-jwt-dpop-grant
2026-01-30
OAuth 2.1 Government Content Access Control
draft-fx-oauth-government-content-access-control
2026-01-25
OAuth 2.0 Extension for AI Model Access
draft-hemanth-oauth-ai-scopes
2026-01-06


RFCs

Selective Disclosure for JSON Web Tokens
RFC 9901
OAuth 2.0 Protected Resource Metadata
RFC 9728
JSON Web Token (JWT) Response for OAuth Token Introspection
RFC 9701
Best Current Practice for OAuth 2.0 Security
RFC 9700
Best Current Practice
OAuth 2.0 Step Up Authentication Challenge Protocol
RFC 9470
OAuth 2.0 Demonstrating Proof of Possession (DPoP)
RFC 9449
OAuth 2.0 Rich Authorization Requests
RFC 9396
JWK Thumbprint URI
RFC 9278
OAuth 2.0 Authorization Server Issuer Identification
RFC 9207
OAuth 2.0 Pushed Authorization Requests
RFC 9126
The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
RFC 9101
JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
RFC 9068
JSON Web Token Best Current Practices
RFC 8725
Best Current Practice
Resource Indicators for OAuth 2.0
RFC 8707
OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
RFC 8705
OAuth 2.0 Token Exchange
RFC 8693
OAuth 2.0 Device Authorization Grant
RFC 8628
OAuth 2.0 Authorization Server Metadata
RFC 8414
OAuth 2.0 for Native Apps
RFC 8252
Best Current Practice
Authentication Method Reference Values
RFC 8176
Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
RFC 7800
OAuth 2.0 Token Introspection
RFC 7662
Proof Key for Code Exchange by OAuth Public Clients
RFC 7636
OAuth 2.0 Dynamic Client Registration Management Protocol
RFC 7592
Experimental
OAuth 2.0 Dynamic Client Registration Protocol
RFC 7591
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
RFC 7523
Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
RFC 7522
Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
RFC 7521
JSON Web Token (JWT)
RFC 7519
OAuth 2.0 Token Revocation
RFC 7009
OAuth 2.0 Threat Model and Security Considerations
RFC 6819
Informational
An IETF URN Sub-Namespace for OAuth
RFC 6755
Informational
The OAuth 2.0 Authorization Framework: Bearer Token Usage
RFC 6750
The OAuth 2.0 Authorization Framework
RFC 6749