OAuth Extensibility
Defining Access Token Types
- Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client.
- Types utilizing a URI name SHOULD be limited to vendor-specific implementations that are not commonly applicable, and are specific to the implementation details of the resource server where they are used.
- All other types MUST be registered. Type names MUST conform to the type-name ABNF.
- If the type definition includes a new HTTP authentication scheme, the type name SHOULD be identical to the HTTP authentication scheme name (as defined by [RFC2617]).
- The token type "example" is reserved for use in examples.
- There are two ways in which access token types can be defined:
  - By registering them in the access token types registry.
  - By using a unique absolute URI (Uniform Resource Identifier) as the name.
Defining New Endpoint Parameters
- Parameter names must obey the param-name ABNF, and the syntax of parameter values must be well-defined. (ABNF, Augmented Backus-Naur Form, is a metalanguage based on Backus-Naur Form with its own syntax and derivation rules.)
Defining New Authorization Grant Types
- New authorization grant types can be assigned a distinct absolute URI, which is then used as the value of the "grant_type" parameter.
- The extension grant type must be registered in the OAuth parameters registry if it requires additional token endpoint parameters.
Defining New Authorization Endpoint Response Types
- If a response type contains one or more space characters, it is compared as a space-delimited list of values in which the order of the values does not matter. Only one order of values can be registered.
Defining Additional Error Codes
- Extension error codes must be registered if the extension they are used with is either a registered access token type or a registered endpoint parameter.
- The error code must obey the error ABNF (Augmented Backus-Naur Form) and, when possible, should be prefixed by a name identifying it.
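The following is an added example, not part of the original tutorial, showing how an authorization server could apply the response-type comparison rule and the name and error ABNF rules described above. The registry contents, the disabled-value policy, the handling of repeated values and all function names are assumptions made for illustration; the ABNF character sets and the two error codes come from RFC 6749.

```python
import re

# ABNF from RFC 6749 sections 8.1-8.5, expressed as regular expressions.
NAME = re.compile(r"[A-Za-z0-9._-]+")          # type-name / param-name: 1*name-char
RESPONSE_NAME = re.compile(r"[A-Za-z0-9_]+")   # response-name: 1*response-char
ERROR = re.compile(r"[\x20-\x21\x23-\x5B\x5D-\x7E]+")  # error: excludes '"' and '\'

# Constructed registry for this example. Entries are frozensets, so only one
# ordering of a combination can ever be registered.
REGISTERED_RESPONSE_TYPES = {frozenset(["code"]), frozenset(["token"]),
                             frozenset(["code", "token"])}
# Hypothetical local policy: this server has switched off the implicit grant.
DISABLED_VALUES = {"token"}


def parse_response_type(raw):
    """Return the response_type as a frozenset of values, or None if malformed."""
    parts = raw.split(" ")
    # Exactly one SP separates values; an empty part means a stray space.
    if any(not RESPONSE_NAME.fullmatch(p) for p in parts):
        return None
    if len(set(parts)) != len(parts):  # repeated value: treated as malformed here
        return None
    return frozenset(parts)


def check_response_type(raw):
    """Map a request's response_type to an OAuth error code, or 'ok'."""
    values = parse_response_type(raw)
    if values is None:
        return "invalid_request"
    if values not in REGISTERED_RESPONSE_TYPES:
        return "unsupported_response_type"
    # Policy is checked on the set, so reordering the values cannot dodge it.
    if values & DISABLED_VALUES:
        return "unsupported_response_type"
    return "ok"


def valid_extension_name(name):
    """True if name fits the type-name / param-name ABNF."""
    return NAME.fullmatch(name) is not None


def valid_error_code(code):
    """True if code fits the error ABNF."""
    return ERROR.fullmatch(code) is not None
```

Comparing the raw string instead of the parsed set would let "token code" and "code token" take different paths through an allowlist or a policy check, which is the inconsistency the order-insensitive rule is meant to prevent.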