<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-oauth-refresh-token-expiration-03" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="OAuth RT/Authorization Expiration">OAuth 2.0 Refresh Token and Authorization Expiration</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-refresh-token-expiration-03"/>
    <author fullname="Nicholas Watson">
      <organization>Google, LLC</organization>
      <address>
        <email>nwatson@google.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Web Authorization Protocol</workgroup>
    <keyword>oauth</keyword>
    <keyword>refresh token</keyword>
    <keyword>authorization</keyword>
    <keyword>token endpoint</keyword>
    <abstract>
      <?line 52?>

<t>This specification extends OAuth 2.0 <xref target="RFC6749"/> by adding new token endpoint
response parameters to specify refresh token expiration and user authorization
expiration.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://drafts.oauth.net/rt-expiration/draft-ietf-oauth-refresh-token-expiration.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-oauth-refresh-token-expiration/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Web Authorization Protocol Working Group mailing list (<eref target="mailto:oauth@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/oauth/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/oauth/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/oauth-wg/rt-expiration"/>.</t>
    </note>
  </front>
  <middle>
    <?line 58?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>RFC6749 defines the OAuth 2.0 protocol, part of which is the ability for a
client to receive a refresh token that may be repeatedly exchanged for more
access tokens. OAuth 2.0 does not contain any normative language around
expiration or lack thereof for refresh tokens, mentioning only that they are
"typically long-lasting".</t>
      <t>In the years since the publication of OAuth 2.0, in response to changing
security and privacy landscapes, many authorization servers have begun to issue
shorter-lived refresh tokens for two main reasons:</t>
      <ul spacing="normal">
        <li>
          <t>The authorization server or user may decide that the access being granted is
too sensitive to allow indefinite access (e.g. mail or health data).</t>
        </li>
        <li>
          <t>The authorization server enforces a maximum duration that refresh tokens may
be held without being exchanged on the token endpoint.</t>
        </li>
      </ul>
      <t>Clients may wish to implement special handling for expiring refresh tokens. For
example, if the user has granted expiring access, the client may notify the user
that they will need to reauthorize access before a certain date to avoid
interruption of service.</t>
    </section>
    <section anchor="requirements-notation-and-conventions">
      <name>Requirements Notation and Conventions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>This specification uses terminology defined in <xref target="RFC6749"/>. The following terms
are used throughout this document:</t>
      <dl>
        <dt>Resource owner and user</dt>
        <dd>
          <t>May be used interchangeably to refer to the entity capable of granting
access to a protected resource.</t>
        </dd>
        <dt>Client, application, and relying party</dt>
        <dd>
          <t>May be used interchangeably to refer to the application making protected
resource requests on behalf of the resource owner and with its
authorization.</t>
        </dd>
        <dt>Authorization</dt>
        <dd>
          <t>The resource owner's permission grant for a client to access protected
resources on their behalf, as described in <xref target="RFC6749"/> Sec 4.1.1.</t>
        </dd>
        <dt>Access token</dt>
        <dd>
          <t>A credential used by the client to access protected resources on behalf of
the resource owner, as referenced in <xref target="RFC6749"/> Sec 1.4. Access tokens
represent proof of authorization.</t>
        </dd>
        <dt>Refresh token</dt>
        <dd>
          <t>A credential used by the client to obtain new access tokens without
prompting the user, as referenced in <xref target="RFC6749"/> Sec 1.5. Refresh tokens do
not grant authorization or renew authorization, they only provide a
mechanism for obtaining new access tokens within the bounds of an existing
authorization.</t>
        </dd>
      </dl>
    </section>
    <section anchor="concepts">
      <name>Concepts</name>
      <t>There are two mechanisms that can affect refresh token expiration.</t>
      <section anchor="authorization-expiration">
        <name>Authorization expiration</name>
        <t>When granting authorization for an application to access their data as
referenced in <xref target="RFC6749"/> Sec 4.1.1, the user may opt to time-limit that
authorization, especially if the data is sensitive or they aren't sure how long
they'll continue using the application. The authorization server itself may also
impose mandatory limits on authorization duration.</t>
      </section>
      <section anchor="refresh-token-timeout">
        <name>Refresh token timeout</name>
        <t>Authorization servers may wish to define a maximum amount of time clients can
hold a refresh token without exchanging it. Beyond the security benefit provided
by expiring credentials, this also provides a convenient mechanism for
authorization servers to ensure there aren't ancient valid credentials out in
the wild, which could complicate tasks like refresh token key rotation.</t>
      </section>
    </section>
    <section anchor="refresh-token-expiration">
      <name>Refresh token expiration</name>
      <t>The refresh token <bcp14>MUST NOT</bcp14> expire later than the user authorization expires. It
<bcp14>MAY</bcp14> expire earlier if the authorization server also enforces a maximum duration
between refresh token exchanges.</t>
      <t>If the user renews their authorization, the authorization server <bcp14>SHOULD</bcp14> update
the expiration time of existing refresh tokens if their lifetime was truncated
due to user authorization expiration. (This is especially true if the
authorization was updated out of band as discussed in
<xref target="ux-considerations">User Experience Considerations</xref>.) The
authorization server <bcp14>MUST NOT</bcp14> accept expired refresh tokens for any purpose,
even if it has no way to update the expiration time of existing refresh tokens.</t>
      <t>Access tokens <bcp14>MUST NOT</bcp14> expire later than the user authorization expires. If the
user renews their authorization, the authorization server <bcp14>MAY</bcp14> update the
expiration time of existing access tokens if possible. Resource servers <bcp14>MUST NOT</bcp14>
accept expired access tokens for any purpose, even if the authorization server
has no way to update the expiration time of existing access tokens.</t>
    </section>
    <section anchor="token-endpoint">
      <name>Token endpoint response</name>
      <t>This specification introduces two new response parameters.</t>
      <section anchor="successful-response">
        <name>Successful response</name>
        <artwork><![CDATA[
refresh_token_timeout
      The time in seconds that the refresh token may be held by the client
      without exchanging. For example, the value 604800 denotes that the
      refresh token will expire in one week from the time the response was
      generated. This value SHALL NOT exceed the value in
      authorization_expires_in.

authorization_expires_in
      The lifetime in seconds of the user's authorization for the scopes
      contained in the issued or presented refresh token. For example, the
      value 2629800 denotes that the authorization will expire in one month
      from the time the response was generated. This value MAY exceed that
      of refresh_token_timeout.
]]></artwork>
        <t>An authorization server <bcp14>MAY</bcp14> return only one of these parameters. Providing
<tt>refresh_token_timeout</tt> without <tt>authorization_expires_in</tt> indicates that the
user's authorization is indefinite, but the refresh token must be used within
the specified timeout to remain valid. Providing <tt>authorization_expires_in</tt>
without <tt>refresh_token_timeout</tt> indicates that the authorization has a fixed
duration, but the refresh token has no maximum idle time and may remain valid if
the authorization is extended out of band.</t>
        <t>If finite, the authorization server <bcp14>MUST</bcp14> return these values whenever the token
endpoint response contains the <tt>refresh_token</tt> field. The authorization server
<bcp14>MAY</bcp14> return these values even if the response contains no <tt>refresh_token</tt> field,
in which case the values correspond to the presented <tt>refresh_token</tt>. This can
be useful in the following example cases:</t>
        <ul spacing="normal">
          <li>
            <t>For <tt>refresh_token_timeout</tt>, the authorization server could have
updated the existing refresh token lifetime in place.</t>
          </li>
          <li>
            <t>For <tt>authorization_expires_in</tt>, the user's authorization lifetime could have
been modified out of band.</t>
          </li>
          <li>
            <t>In all cases, it can be convenient for the client to receive these values
in each response.</t>
          </li>
        </ul>
        <section anchor="relationship-of-authorizationexpiresin-to-scopes">
          <name>Relationship of <tt>authorization_expires_in</tt> to scopes</name>
          <t>Though <tt>authorization_expires_in</tt> is returned from the token endpoint when
refresh tokens are used, it corresponds to the user's authorization for <em>scopes</em>
(or finer-grained access through RAR <xref target="RFC9396"/>) rather than individual tokens.
The authorization server <bcp14>SHOULD</bcp14> ensure consistent lifetimes across multiple
refresh tokens for the same scopes.</t>
          <t>Tying authorization lifetime to scopes means it's possible to have some access
valid for one duration and other access valid for a different duration. For
example, a user could grant indefinite access for the <tt>openid</tt> scope and
short-lived access for a calendar scope. In situations like this, it is
<bcp14>RECOMMENDED</bcp14> that the authorization server return the minimum time that any
access granted by the refresh token is valid. This does run some risk of the
client asking the user to reauthorize prematurely. In the previous example, the
client might ask the user to reauthorize the <tt>openid</tt> scope because it received
an <tt>authorization_expires_in</tt> value corresponding to the short-lived calendar
scope.</t>
          <t>If clients are requesting multiple scopes that can have different lifetimes,
they will ultimately need to make their own tradeoffs to decide how and when to
ask the user for reauthorization. This specification's goal is simply to provide
them with more information to make this decision.</t>
        </section>
        <section anchor="indefinite-expiration">
          <name>Indefinite Expiration</name>
          <t>Omitted values indicate that there is no fixed upper bound on the lifetime of
the credential or authorization. If the authorization server has not declared
its support for refresh token lifetime in the Authorization Server Metadata,
omitted response fields could indicate either indefinite validity or simply lack
of support for this specification. However, indefinite expiration and lack of
information about expiration should be handled by the client in the same way.
That is to say, the client must always handle refresh token invalidation not
caused by expiration, such as by explicit user revocation. Clients <bcp14>MUST NOT</bcp14>
make any assumptions that omitted response fields in one response imply their
omission in later responses too.</t>
          <t>Rather than omitting a response value, an authorization server may choose to
return a large arbitrary value, e.g. 315569520 for 10 years. This avoids any
ambiguity around support for indefinite values while achieving a similar
practical effect. Clients <bcp14>MUST</bcp14> treat all large values as literals and <bcp14>MUST NOT</bcp14>
make any assumptions about which may be considered indefinite.</t>
        </section>
      </section>
      <section anchor="error-response">
        <name>Error response</name>
        <t>The existing <tt>invalid_grant</tt> error code already explicitly covers token
expiration and should be sufficient. Upon receiving this error code the client
<bcp14>SHOULD</bcp14> start a new authorization grant flow.</t>
      </section>
      <section anchor="example">
        <name>Example</name>
        <t>Suppose an authorization server enforces that refresh tokens must be exchanged
at least once every 7 days, and a user has granted authorization to an
application for access for 10 days. The initial authorization code grant (Day 0)
will result in the following response values:</t>
        <artwork><![CDATA[
refresh_token_timeout: 604800  // 7 days
authorization_expires_in: 864000  // 10 days
]]></artwork>
        <t>A refresh token grant on Day 2 will result in the following response values:</t>
        <artwork><![CDATA[
refresh_token_timeout: 604800  // 7 days
authorization_expires_in: 691200  // 8 days
]]></artwork>
        <t>A refresh token grant on Day 7 will result in the following response values:</t>
        <artwork><![CDATA[
refresh_token_timeout: 259200  // 3 days
authorization_expires_in: 259200  // 3 days
]]></artwork>
        <t>If instead, the client held the initial refresh token for 8 days (i.e. exceeding
<tt>refresh_token_timeout</tt> but not <tt>authorization_expires_in</tt>), the refresh token
grant will fail:</t>
        <artwork><![CDATA[
error: invalid_grant
error_description: "expired refresh token"
]]></artwork>
        <t>Note that the error description text is non-normative and for illustrative
purposes only.</t>
      </section>
    </section>
    <section anchor="update-to-token-introspection">
      <name>Update to Token Introspection</name>
      <t>While Token Introspection <xref target="RFC7662"/> is primarily intended for resource servers
seeking information about received access tokens, the specification does permit
refresh token introspection as well. Authorization servers supporting refresh
token introspection <bcp14>SHOULD</bcp14> support the <tt>refresh_token_timeout</tt> and
<tt>authorization_expires_in</tt> parameters on the endpoint with the same semantics as
defined in <xref target="token-endpoint">Token endpoint response</xref>. These parameters <bcp14>SHOULD</bcp14>
be returned only when the presented <tt>token</tt> is a refresh token.</t>
      <t>Use of a refresh token on token introspection <bcp14>MUST NOT</bcp14> reset any
<tt>refresh_token_timeout</tt> duration.</t>
    </section>
    <section anchor="update-to-authorization-server-metadata">
      <name>Update to Authorization Server Metadata</name>
      <t>Support for the expiring refresh tokens <bcp14>SHOULD</bcp14> be declared in the
OAuth 2.0 Authorization Server Metadata <xref target="RFC8414"/> with the following
metadata:</t>
      <artwork><![CDATA[
refresh_token_expiration_types_supported
    OPTIONAL. JSON array of supported expiration types. The possible values
    are "authorization" and "token_timeout".
]]></artwork>
      <t>If the authorization server omits expiration time response fields to indicate
indefinite validity, it <bcp14>MUST</bcp14> declare <tt>refresh_token_expiration_types_supported</tt>
in its metadata to indicate to the client that it's aware of this spec.</t>
    </section>
    <section anchor="ux-considerations">
      <name>User Experience Considerations</name>
      <t>While clients must be able to gracefully handle tokens' expiring at any time,
the user experience may suffer if there's an unintended interruption of service.
This degradation of experience would most likely be felt by users of clients
running in the background, such as task or travel management apps that rely on
access to a user's calendar or inbox.</t>
      <t>If an application recognizes that its access is nearing expiration, it can
proactively prompt the user for reauthorization next time they're "in the loop"
(e.g. using a parameter like <tt>prompt=consent</tt> from <xref target="OpenID"/>), or even
communicate to the user out of band that their granted access is expiring.</t>
      <t>Another option an authorization server could provide to the user is a management
surface where the user can go proactively extend the lifetime of their own
grant, which would update the lifetime of the client's refresh token(s) in
place. The client would discover the extended expiration on its next refresh
token grant request.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>While it is possible to allow refresh token expiration to exceed that of user
authorization expiration if the authorization server checks both timestamps when
validating a refresh token, this is a potentially dangerous source of bugs in
systems with complicated user authorization models. By requiring refresh tokens
to expire no later than user authorization expires, there is less risk of bugs
that accidentally provide data access to the client beyond the term of the
user's authorization.</t>
      <t>Authorization servers implementing token rotation on every refresh [RFC 9700]
Sec 4.14 may wish to enforce a maximum duration that a refresh token may be held
without rotation, and this specification allows that duration to be communicated
as part of the API rather than relying on documentation.</t>
      <t>Clients may wish to maintain multiple refresh tokens with different access in
order to separate different lifetimes across different scopes. For example, a
short-lived token to access financial data and a long-lived token to access
basic user info. There is a tradeoff here, both in complexity of token
management and also in increased friction for the user to authorize multiple
tokens.</t>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>Allowing users to time-limit their authorization is a privacy improvement. While
this was already doable in regular OAuth implementations, the potential
interruption of service for the user may have discouraged implementation of the
feature. This specification provides a standardized way to mitigate that concern
and should lead to greater adoption of time-limited authorization.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="oauth-parameters-registration">
        <name>OAuth Parameters Registration</name>
        <t>This specification registers the following OAuth parameter definitions in the
IANA OAuth Parameters registry.</t>
        <section anchor="registry-contents">
          <name>Registry Contents</name>
          <ul spacing="normal">
            <li>
              <t>Name: refresh_token_timeout
              </t>
              <ul spacing="normal">
                <li>
                  <t>Parameter Usage Location: token response</t>
                </li>
                <li>
                  <t>Change Controller: IETF</t>
                </li>
                <li>
                  <t>Reference: This document</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Name: authorization_expires_in
              </t>
              <ul spacing="normal">
                <li>
                  <t>Parameter Usage Location: token response</t>
                </li>
                <li>
                  <t>Change Controller: IETF</t>
                </li>
                <li>
                  <t>Reference: This document</t>
                </li>
              </ul>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="oauth-authorization-server-metadata-registration">
        <name>OAuth Authorization Server Metadata Registration</name>
        <t>This specification registers the following Authorization Server Metadata
definitions in the IANA OAuth Authorization Server Metadata registry.</t>
        <section anchor="registry-contents-1">
          <name>Registry Contents</name>
          <ul spacing="normal">
            <li>
              <t>Metadata Name: refresh_token_expiration_types_supported
              </t>
              <ul spacing="normal">
                <li>
                  <t>Metadata Description: What types of refresh token expiration are
supported by the authorization server</t>
                </li>
                <li>
                  <t>Change Controller: IETF</t>
                </li>
                <li>
                  <t>Reference: This document</t>
                </li>
              </ul>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="change-history">
        <name>Change History</name>
        <t>Delete this section before publication.</t>
        <ul spacing="normal">
          <li>
            <t>May 8, 2026:
            </t>
            <ul spacing="normal">
              <li>
                <t>Incorporate Vanshaj's review:
                </t>
                <ul spacing="normal">
                  <li>
                    <t>Add language on backwards compatibility for definite duration
becoming finite.</t>
                  </li>
                  <li>
                    <t><tt>refresh_token_expiration_types_supported</tt> <tt>"credential"</tt> value
renamed to <tt>"token_timeout"</tt>.</t>
                  </li>
                  <li>
                    <t>Simplified example</t>
                  </li>
                  <li>
                    <t>Linking UX considerations from RT expiration section</t>
                  </li>
                </ul>
              </li>
            </ul>
          </li>
          <li>
            <t>Feb 27, 2026:
            </t>
            <ul spacing="normal">
              <li>
                <t>Address Issues 4, 5, 6 from George to discuss tradeoffs around managing
multiple tokens or scopes with different expirations, as well as out of
band reauthorization by the user.</t>
              </li>
              <li>
                <t>Rewording and clarification based on Dan's suggestions on the list.</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC7662">
          <front>
            <title>OAuth 2.0 Token Introspection</title>
            <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
            <date month="October" year="2015"/>
            <abstract>
              <t>This specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7662"/>
          <seriesInfo name="DOI" value="10.17487/RFC7662"/>
        </reference>
        <reference anchor="RFC8414">
          <front>
            <title>OAuth 2.0 Authorization Server Metadata</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8414"/>
          <seriesInfo name="DOI" value="10.17487/RFC8414"/>
        </reference>
        <reference anchor="RFC9700">
          <front>
            <title>Best Current Practice for OAuth 2.0 Security</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="A. Labunets" initials="A." surname="Labunets"/>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <date month="January" year="2025"/>
            <abstract>
              <t>This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0. Further, it deprecates some modes of operation that are deemed less secure or even insecure.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="240"/>
          <seriesInfo name="RFC" value="9700"/>
          <seriesInfo name="DOI" value="10.17487/RFC9700"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9396">
          <front>
            <title>OAuth 2.0 Rich Authorization Requests</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Richer" initials="J." surname="Richer"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <date month="May" year="2023"/>
            <abstract>
              <t>This document specifies a new parameter authorization_details that is used to carry fine-grained authorization data in OAuth messages.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9396"/>
          <seriesInfo name="DOI" value="10.17487/RFC9396"/>
        </reference>
        <reference anchor="OpenID" target="https://openid.net/specs/openid-connect-core-1_0.html">
          <front>
            <title>OpenID Connect Core 1.0</title>
            <author initials="N." surname="Sakimura">
              <organization/>
            </author>
            <author initials="J." surname="Bradley">
              <organization/>
            </author>
            <author initials="M." surname="Jones">
              <organization/>
            </author>
            <author initials="B." surname="de Medeiros">
              <organization/>
            </author>
            <author initials="C." surname="Mortimore">
              <organization/>
            </author>
            <date year="2014" month="November"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 419?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>A special thanks to Aaron Parecki for his continuous feedback and invaluable
assistance in guiding the author through the IETF draft process.</t>
      <t>The author would also like to thank Andrii Deinega, George Fletcher, Dan Moore,
and Vanshaj Singhania for their reviews and technical suggestions on the repo
and mailing list.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8Vc63LcNpb+j6fAtn/YTrVal8iyrZqbYjuJUr6tLG92KuWy
0CS6Gys20QOQkntSeZd9ln2yPRcABNmX9WSndjVTUYtNAgfn+p0LfXBwIBrT
VPpcjt5dtM1CnkyO5JWeOe0X8tre6lqqupT4lXXm76oxtpavvqyMo48joaZT
p+/S41fXh7vvLVSj59atz6WpZ1aI0ha1WsLepVOz5sDoZnZgFTx+4JiCgwYp
ONBpjYOjb4Vvp0vjPfzVrFfw8OWr6++lfCBV5S3QYepSrzT8p25GYznSpWmA
GlXhH5cX38Ev6+DT1fX3I1G3y6l256IEws5FYWuva9/6c9m4Vgs41bdCOa1g
1Q+6aJ1p1iNxb93t3Nl2BVd/1tMBa94729jCViNxq9dwa3ku5IGkQ+GHcC5J
58ILKn8aL9A3EuhfWVM34k7XLZAm5ddsKSVzZPQz0GjqufwBH8LrS2UquE50
/AX5PLFujl8oVyzgi0XTrPz54SHeh5fMnZ7E2w7xwuHU2XuvD2mFQ3xybppF
O42LHtzPD12TSQpvqYCtvsmWJzn7CT0xqXXTf+Twq9VgsmiWcF7B3EMWw25S
ztqqYoV6a4qFrZSXP6vGI2PhB46i6sC0c/mDtfNKj+Xr1y/oW80squ/pgb/M
6etJYZdC1NYt4ak7ksPV9y/Onp4+Dx+fnp2dhI/PTo9Pw8fnT4+OzoVAJe8/
+fzb52f48R0o6OXLc9o4mB9fki9sXeuigd9Oy+PJEd+i3FwDHyMbLdxrSmKg
X+nChwsHBT8Mv50+OP58RGyiFUjB5Vt7p1Hh5bOxPDk6PqWvEg/p5wBME/T/
7UR+ULdm2TrV/+KnifzOqbLS6/71NxP5k62171/9biJLLd/oUhtnB9+9mMg3
1jVmCcQKcXAAtjD1jVNFI8T1wniJRzMzU7CW6y8NGIWXnZf6JYjik5yupSpL
VPha3w8tCBRohYYtV8qBbjTaebglrL7uW6TsVIzcXuuBWX0TzZSQqV6aEtgh
xAN5WTfOlm1B94lAHTBgZoAxslnojPhVMNoxktVIO5P3C9BZafhGNTUVeBsJ
CiSVKCoD3gypdrrQoE5SDehuFqoBI1/LqYZvVhrEXVZrOE6xUPVcl7QQcVoV
hfaeH/OTjKLSApG1bSRoUaMMMmAtk+qDLdfzVs1ha/ApdZnxAf1ppYpbJNxp
OAnu1SPPj+USDgD3ooxsDZQRwfAASA6IGoHfAkFX8EVl6/kBWG4Dt46AxZc1
MWStFcjNm7rQ9PeqnVZRNWDLdIwxKJdMIgeOEQNgLeGDByfBrpy5U8UaT1X6
Qq00kogH7glbgvjvUF8WCjgw1fO2xiUh+EB08HAfKNNBBdwpB+clFjT3Fv0u
kqPApXjwCN+A+l+jeLfsgmwkfUMxlqCcpU5ckkFqU40MnDtVg3yBDvYOFrQZ
NjUkJ6AP+GjvJcZB0DzTpKcf6cl8QqEA91poVQHPwDOox5P9lGl0ZLAEqN1S
fQGvsJRlG4RPJA5ODycgykAZF7oq5T2ECts2gfxOKS3Ltm+wIPMXpO+0DjxL
60qzXFUatYgtV1UglLqscEFkNqkj/tEnZSK/tw50VeHToBsz2pDYvIDoEDmZ
nmZOjemuYHVIBJgF+or4rOi0995UFXgdWIOsM7Ivk9gMPbmShXZkVeiJSUh3
1pQQIkCFXLuKeowMN4WeoDu50n9rjaMze3DdTeeWIEjcsT159JVa3iIlADa8
HL35+OEaoQ7+lm/f0eerV//68fLq1Uv8/OHHi9ev0wcR7vjw47uPr192n7on
X7x78+bV25f8MFyVvUti9Obir/ANUjV69/768t3bi9cjtMEGXTgAvJZkBkaO
hwaFoBOvnEa2Ky9K7QtnpqjNtfzuxfv/+s/jU/nrr/8C3vPk+Pj5b7+FP54d
Pz2FP+4XuubdyIvwnygIoVbg9RyuAuovwaRNA4AQ7gWvsbD3tUTnBHz95hfk
zKdz+YdpsTo+/VO4gAfuXYw8610knm1e2XiYmbjl0pZtEjd71wec7tN78dfe
35Hv2cU//BksQ8uD42d//pNAZbrWbmlqW9n5emt4BbWGoNDdFMIWiSUF2gm5
iJlF/4LWgvd7RMj4OFjAAkLDnCy9J31wfFfa2xZciARJYEgNsVWcg5d4w2GL
liDtYPegphgm0Khm8AR8QOtDrQcXDuKFrzVaDJkw+nfCMjG4gcFhhAUwRL6Z
N0+eBbRitYrhg9XJ6WqNR8JovP6HycqWA39B0DttT4RFEuDD31rAxB5931Qv
VDXDQ+AabpNF6DelaXyG04JnhqP0kgCi+HpjlYderlCmlC0xqxhSyA5SBJ5t
p9cHH21coJYMqme0HQyDHEmeTo7hf0BdBjOIuAtZOI1JGbpuYup0nbvZLZT0
qUjc4qC3cVaijKSiASRsIe14cjqROV0+HBW8kUcSYGNL4hiy+qqXtX3laeyU
/D0i0h7mitGQNoctl6uGbCnElq84xpOJvOoH3NLSaojeWMj9ME54jAjJL7Pj
ZEcKdNwh4GC0v9So68YvSVn4IBFdb57FcBSfIiz0xD7E0cZ3Vjlg5wMMYIVe
NRy9MDxieEC4FDf2jCsKWErNZpgQ7cLpuN6DQUbcfSvEzxAikpMY8IVMoe5Z
b6eGrPUIjzBO7ZMI6fy4QxaIGOyKlADSGw0IcWkaOpAYCEAHLAMSCNCE9kPv
nAAdIsmAk+uHgH5a4BUENALKAr95iPHO4vlaJCAqU3aqyW5oB95Fg1UhyVg/
EQCzLABnwMJAiXWAkJF4MsD+8xEAMv+v+tkInBo1vO+jEprOYR2HmQxYqiXo
ESVEuEqwJ4+aICCjLzcyn4gtA6rE05sGklS9tnVJjEjAfwo2MDNNVPZSTNcd
8uvsmeAfiAD5Ee9F6FsQ6mJMmBuI2J4zwOGwmOQ050VRfqouaIk7VZky31Xi
KUyNIkVUWY5DRljYFo5dgJ8gccJyyt96kMutHrACUaALODEgyO02w6Cx/3AE
QXybptoNap6qO8VWm1amAWJfNgIgSXwQUBjIzEWF3qp1xNo9WYWY6uZe63rD
6jkGe8wLMyhPzi1a7KaP205DAGTtChE5cT1LaUn3QAejHxtmOHw42K0yM003
34Pbblxbo4hKUbaEd3dxLVjlIwJi8P/MD2DlMSw/UCzcgaktSVeAvCmiBAzI
xhetZ6QifvmIu776ApHfoMdCb+tBh3lX/+nRg/YLloqya48nj9FFbNXkTjPQ
Ma6aIOetKS9m0KvWoQsZCw3WgicBi8Ncq7ZwAoJOfAj5j7F8gCn8/0phmb2/
X3dQ3btTiH2n6MdLYAcwxxsArxjEA36JLiMeSQw43V9jyGgZGb2LXPG72N8v
FFEO0cvTuyrLrw9CfTZ889vWDMOE6hjmGRDqEUtsKc1xOPnQ0uaztkr3iADW
SCc+04afY5yR6Qf9Gp3E4OFByUvfFVH6ziRUy6hA0QNv2XKbwYUKCjIVFPAp
8ORgsmdHp8+OjiCeAQjT3abZYsO4BWE7qC4QayEIgse7lTNAhFwVwWMEmMtc
AgeQLTcHxXXoDDC6A7eZjJSPIs1UlkgUmjp7uqcnn4NlfDYYN/Z9PWB18n4Z
u23nmCH92ARcFJILu9L5YULNkdEV3kE1thLBT0DnQ4ezKYhsOT7wydnJ820y
GRC1RRJLIGeRrbdfKDtEwTExCEHlagUs2qrI6OOGOCvzOE43rasZsCOVzOm+
+WA3CAALQu+brXvcJKW+2SXkG6wdEtbI9HirPDF6pTLjWE7brYbW+iZl0pww
ULgN7gHZw6RxWk0lU0JH2WH2ECvSeXacd/Mwg1Oge1RyZr5Q4HbB+W8/THCl
EbCYsgpKgZEYXUp+AHDKYnM7jPfUzOjHccY0kZW7Qw/GiKAJLH3SNk+1MH2n
XVdSFZuuOtgZNxn6DLuBvcEX7s4VRKaDvZ3z+LO5E3Br60ZjAWwKEFd53Tkq
APvW8TplLLB0TmCwVrA4TA9YxTBmBB/SFaqCm6CNYh0e3ccOldnDfkbj2A8g
e454jIPpNuDS85GrSmEZKm2/U6nHu31oWm9AyhTx8tKWbFI9xcL9LmNh1GOv
w3BuPdV5VhO982a7KRc3bQZn0QokF8VNYRsTjooB5cKscPs9LgZbcBwFACxg
2XCvP/JB8bCTlXxxH46g/osBJo2lST5w0iof1WpnkPqGaftGPII/MEN1B3PH
ASqVB6jYKa8urqgcgK3dT48leI9FhKHoeMB9tapKKGpnHh6ykZAxEjr3DUoh
ihuoLBxAR3CnVWNAmYdnTbEVQkFgLUjler1Z9kgalGQACa1CdNpgwTDgU/yW
+l7eLmM7Q7Bbo6oQBKDUBKKCPB08cKe7T0FyMqPaSdPVDPpdGcVgnfWZ61eb
zat4vBvudd8w5bgzd+JCHy67GzJ2VYF6KMf3TtAGvGlaVlHOoDHTJ+0wXmT1
9l2hIkir84JyCVRiJAjIQGGGv45d1thfCviy7xiMj2HumqvlIAdIIJnfzvjb
EOBj+xfS/rxQOGw4rTDyAFm6WtNJg9u8M7b1fZwUG1tmvqBVdy65hd9TXSi4
FTkWnEMpQNX32C6Doc746AxsfrngoqwEy4qCYSz+oBmHwjk+HS0gKm8qFZK6
duqWTGcsul4dPgt8Ai6ltt1SkSJgAoiNosapUtvZzHN9ihqxWHCjijxWExsr
elzjfne/yik3MyCwrbkFX4DXsZtJyVioLyGBS673Y5deptERLkkGClFLYEEf
y244cpDs5FVW3nm3NA3qXYinEQElrcYdKDIT6IEotoJjUAE39mSTj7AMYbJy
tx3kyTGf3m4qDJgaJLwCOZYCq4kedgTRb04K9KIlrtmvIH4IGEg3CgulY2HD
QRPsIGjhgy9J59aGnFPmVcjysCgIFARp4AyDwB5sRlyzIcWJ/NHeI84a58sN
5kZoHAI4l4tRTTmTTDeC9iORmINiJ3ujhxA4QP4cUncMHqqhARFw22rdb1Ij
xlYV3ObDakNnU9OJeWeQhyAzpi07ksZwdgjqIDG+XJkC7DyUSe5sZEBsz6dy
BaknTU9A1rZcsXslXdsln5BnpcvBHtAGUabcr4KbuKgTb8OjW+zHZEGWdqAY
161Gaj+m0v42lUSYXiyspQEREXy5gr0cjbdMDXgAt46r0NDEt8dPnpw9f3Jy
RFpxfMTzKMHKqZXv2e8vp2be0pQJjcn0lKmvfozZTYURbmHAT9MZQBdxAk+s
cBAKR2Kkpv7HgOsN+JuGAB1THdZTGNWAY1hORj3cLyHWSIbgoRoSy4KUiEdq
uSbzyjnbiYJLyAny3gT9+kwR70Zqurmw2FKqgNay0yeQc2FDhZySlL7pdFbh
2xkYHR56Ij/CpiHgcAzEJKrbIyveBCDlGxyrUnKj6xW7oJAZhHNxaBTiA4rK
651qk+rVW0deQpKbhlsE3FNpBVex14U5EqjUU1mChXLHWW2OofS3xVZULfLm
FKGaDuCAGuJynLGhpNA799cg7vCJH70EER89FhQFgXQIhJuJUt+EMFXaWXU7
jyUveXgYDra3dHQun52dHoX7A+lCXAz8FNMKlCO1J/L/j9iz58cn4f5nX0Pr
038irSdPnse9v/0aWjfvR/QEyXcDlteLE1TtbDJ16Z8ItYpPKx+ZCSBmrl/t
qyZhmQTj+24E+Hi8CX4F845YNsPBW+YHmfS57DmT7ovPPHew4gHe0dY+xEiI
tzZDOsFLZE/KRn9pGP7UB918I5okOemqanEMFS+KUGL3VHOjGvjHVRzg4mo4
zXwiQIjdZnToW76iHBGnhT/h1isHGNQZbPvWoRLEUKjfEBBea8L8mzgigu9+
mZ453a+7U15BUyCNGGKCnEDwQ/e6qiYDyBV7EyGQZfUNsW2V6H5D2NssM3Wa
g6nbnrwhG9cNmLRL9REnd7ku5D2ATAvP82Td2NKOfsWnR4N+xWPyoP0JYT6H
oHHaUHhIE2fDilSoaiESGNSohfjoqU477FqTe9/kXupp4eKcSe7iXt5/z7Ry
L14OMc51pZ4dY5NRjHD8iNuDSxPdwPDerUjfcST+Uyet5A3FMty11Q12gOAz
vs7gPwdlCqNJ+BMn3ibypw/v3gLWcjhykaB7nOgMcRQX4SCZahtZKYtcKyRE
o54qjnikscf0Udd23j7AS5MSw57aEPriLGvIS8SWhISKEaQHgfND+9nNnhus
qCIJkb35XjHnjsU9yiWw3qPucRMqNYRch1VqbxNZ/rrZRP4tur+YtkdMpEI1
Cdx5gfVZMKOQo7C2Pczmb0npiXGUtDNG0h0ZiFMRGKYBA6fxDLVs6+RKdw7V
cp1FAx1lmhzP1r4n5Lm0vqHaUEWIeKYhnEM6hIRQcyucTri2rtk38/gTpHxz
wvxdFoWTGjS/49SdrnCoRs15hhlQXcKR1M0R+ehiKEum8hXlDlP7hfVvMLEE
kcDOa/P3CExRAcJiGOQgT+EKeJfkcfEXUgyLOcad5vmv5arZW9KApSBuxgbY
+iGaTDh7Ze1qJHi8nAeQVOdLuc52wzv8kd+xAv9FZdxf+K2XT4/ppSzsI4jC
Lpcgy1xliaJ84iEGd+M66JxOHHWJmmlclLSrkF7sq+nHEbh8U8PDKVFswrdu
plBTqISSbsPa05xqOYmh3OEZllK6KhMDoDjjw5qXNeYHzwSle+j7fvqRf4xd
Xe4qkIML1s3r4VSIjR2h1HLKX9xgd0GC7Qd1hmeh5kb+IL4AN3AE0eapgtqr
HfNbCDtfr8HxqK45iuekgeBdwzJ7x4mKhS5uvZxaDDRY8GsgpeOOmIhlj1Ah
yKgJY14k45VtuLoFoisxf3NYNY3jpaB27RyLFsKvAVMvee4xm8na9qYQ9mJ0
BYHnuzUxclucFcQF6jzXNp9g2T29Mu7qdxVqfCwUI4X8XgKYgsFaHR0majXP
MSYfk0WCaTcph/Pcsei8rTUynDpO4DC9nMHFXRR1HERDJePkNx4dkYHEV+Q+
iTA9edobCQx59s6XTYZYKhvkSL3guDun2ptVPNbO4DG75S3XQJIHgizepxe0
qBz5/rLX4olj44Szedo9cmrbSyzYGqap4FTCHuAu0quugh29Wi2sK7k+7zV6
1mZrnTu2iLqvQh+oPyuheh2TMLKZ5l4Bj+CMIuSGrDNUquC3srbdL6bKmyK4
S5Ac+SHWT5VK6fTyxZgN1NRsOPoLlV9nISHMgyNuiROCCGfqAl+for6fKXpD
JLFj0fUrUmssG1p6H970Grqti5iZc2AfzupuTIMFPxFWA4V3+DIlFafIAwpS
MpwGiQWv0hLwoRfA5i1AufCWWjIWJoVztuSAdr0S1D82KlXodoCIQX/xdar+
wtGQZ5q6Qts6Evl0K/hMxBol8LGMk2LACjNPfYMCC1kOkEpXpavgoIzsNPku
VdpEd8fOYWWL5HJ58fZiQygPHgQeve8ysSs9N5yQ8+DqxiEc3UBC7JVceKUO
hwSoTfA1JDNExMaOvKBbp6Y2/4nUNgT9qKH+ll403j2QhvekRQFO47uTr0MN
/Tw6yVhNjQ+8oOIh7eTgINrx6+3p+6s4hn4em4bsdDKK9o5u/d8S1clzf674
u0W8P9vdFLjMBL6fpK/TgXT7NmX4H/LY3vMv88rWzwRv8ZFsUmwTQeGLszGB
7RLf0EPaOsDzTxFoePhH4Id1ayFe6ko3oTvpQx0jvPWYvaQ7CQwDx0Ivn5+c
naftLuvCOiAfPc2/qdov1H8Q0r0z+v48HRHvvCjL7kVk3AeSLkhfqeG3XMFG
2WvTKbNOQ+Uy+5lC1rSkl0dDiyPf5uszbnkz6jqjo9Ds7m0EfATdIC95Mygn
3PR3/YD+m6d3Qqjuff3a1FQL/Pjvsp93cyp1dd3rLYaCJE0a6ak8eTpkOrDS
Ybi/xEFLL0/H8slYnvFaP2iLTSVsf/NgedYTD30tCtfxBR/8SYgmIBnrYnt+
gGk6KvntTCw64m9O8NJ6U34rr6/H0+4d3EmmrfjqKwF8eARrJp3jmBJ0oBI9
9t99O5/jEAFyLTW6KcHBN/lRmzA0XRS3tb2vdDmnd2/Fr+f874To8o+jGQAT
PfoNmwHxPWQEgreEIC6AOTX6V0hHDCkhzabxuzmYUMwg38FdiFKqcreIEQBl
4riPwiIEOKp5yzOPnR2naSPyYfjvndA/lYHxGzHYRGSDRSH5IwDFIy6WSZQX
demMAV9jaj1X4yjm78F+IYNyY2SSfGPBcscU5IMtgmLWc3zdRUUMYlywTu4y
NrpY1NSr3MJfp1dW8HCkobe1meH/DRUFreB5RgAA

-->

</rfc>
