Enterprise Mission Tailored OAuth 2.1 and OpenID Connect Profiles 

The OAuth 2.0 and OpenID Connect standards are used ubiquitously across the Internet for delegated authorization and federated authentication. However, the base specifications alone are insufficient for enterprise adoption due to numerous optional requirements, undefined behaviors, and issues that have been identified since their publication, hindering security and interoperability. The OAuth profile has been updated to reflect the current draft OAuth 2.1 specification.

These profiles detail how to use the standards in a more secure and interoperable manner to address enterprise environment use cases by levying requirements upon OAuth clients (also known as OpenID Connect relying parties), OAuth authorization servers (also known as OpenID Connect identity providers), and OAuth protected resources.

Use cases include:

• user authorization delegation to a web application.
• user authorization delegation to a native application.
• user authentication to a web application.

The profiles assume the presence of an available Public Key Infrastructure (PKI) and make use of the PKI to bolster cyber assurance by enabling strong user authentication, strong OAuth client authentication, and protection against use of lost or stolen OAuth access tokens.

The profiles leverage protocol extensions, profiles, and other work by the Internet Engineering Task Force (IETF)'s OAuth Working Group and the OpenID Foundation's International Government Assurance Profile (iGov) Working Group and Financial-grade API (FAPI) Working Group.

Please note, we have been working with the standards bodies to move these concepts forward. These current profiles should be considered as informational as we seek additional feedback from subject matter experts throughout the community. We welcome your comments and suggestions at OAuthOIDCProfiles@groups.mitre.org.