Web Authorization Protocol                                      O. Chalk
Internet-Draft                            Government Digital Service, UK
Intended status: Standards Track                        15 November 2025
Expires: 19 May 2026


                      OAuth Tokens in HTTP Header
               draft-chalk-oauth-tokens-in-header-latest

Abstract

   This specification extends OAuth 2.0 [RFC6749] by defining a
   mechanism for resource servers or authorisation servers to convey
   inline token updates and related metadata to clients using the
   Authentication-Info HTTP header.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://OllieJC.github.io/draft-chalk-oauth-tokens-in-header/draft-
   chalk-oauth-tokens-in-header.html.  Status information for this
   document may be found at https://datatracker.ietf.org/doc/draft-
   chalk-oauth-tokens-in-header/.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (mailto:oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.
   Subscribe at https://www.ietf.org/mailman/listinfo/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/OllieJC/draft-chalk-oauth-tokens-in-header.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 19 May 2026.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions and Definitions
   3.  Security Considerations
   4.  IANA Considerations
   5.  Normative References
   Acknowledgments
   Author's Address

1.  Introduction

   OAuth deployments range from simple bearer-only configurations to
   complex ecosystems with distinct authorisation and resource servers.
   In some scenarios a resource server holds enough contextual
   information to advise the client of a refreshed or more suitable
   token for future use.  Existing OAuth flows, however, obligate the
   client to perform a separate interaction with the authorisation
   server to obtain such updates, and certain deployments may lack an
   authorisation server altogether.

   This document defines a lightweight mechanism that leverages the
   Authentication-Info header (originally specified in [RFC7615] and
   incorporated into [RFC9110]) to convey inline token updates and
   associated metadata within a normal HTTP response.  The header can be
   processed transparently by HTTP implementations, potentially even at
   a proxy or edge service, and does not alter the client's request
   semantics.  Recipients treat the conveyed values as hints - they may
   adopt the suggested token but are not required to do so - thereby
   preserving compatibility with existing OAuth behaviour while offering
   an optional optimisation for efficiency and flexibility.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Security Considerations

   TODO Security

4.  IANA Considerations

   This document has no IANA actions.

5.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, DOI 10.17487/RFC6749, October 2012,
              <https://www.rfc-editor.org/rfc/rfc6749>.

   [RFC7615]  Reschke, J., "HTTP Authentication-Info and Proxy-
              Authentication-Info Response Header Fields", RFC 7615,
              DOI 10.17487/RFC7615, September 2015,
              <https://www.rfc-editor.org/rfc/rfc7615>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [RFC9110]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "HTTP Semantics", STD 97, RFC 9110,
              DOI 10.17487/RFC9110, June 2022,
              <https://www.rfc-editor.org/rfc/rfc9110>.

Acknowledgments

   TODO acknowledge.

Author's Address

   Ollie Chalk
   Government Digital Service, UK
   Email: ollie.chalk@dsit.gov.uk