oauth2.dev

resource

IESG

Registry Context

The `resource` parameter lets a client identify the protected API or service for which it is requesting access. Its value must be an absolute URI without a fragment, and the client should generally use the most specific applicable API base URI.

Technical Summary

RFC 8707 defines `resource` for authorization requests and access token requests. Each value is an absolute URI without a fragment; a query component is discouraged but may be useful for application scoping. Multiple parameter instances can identify multiple target resources.

When Used

Authorization requests to the authorization endpoint and access token requests to the token endpoint.

Normative Requirements

Clients

SHOULD
2
  1. RFC 8707 - Section 2

    provide the most specific URI it can for the complete API or set of resources it intends to access.

    Condition: When selecting a `resource` value.

    The client SHOULD provide the most specific URI

  2. RFC 8707 - Section 2

    use the base URI of the API as the `resource` parameter value.

    Condition: Unless specific knowledge of the resource dictates otherwise.

    The client SHOULD use the base URI of the API

MAY
2
  1. RFC 8707 - Section 2

    indicate the protected resource by including the `resource` parameter in a request to the authorization server.

    Condition: When requesting access from the authorization server.

    a client MAY indicate the protected resource

  2. RFC 8707 - Section 2

    use multiple `resource` parameters to indicate that the requested token is intended for multiple resources.

    Condition: When requesting a token usable at multiple resources.

    Multiple resource parameters MAY be used

Authorization servers

SHOULD
1
  1. RFC 8707 - Section 2

    audience-restrict issued access tokens to the resources indicated by the `resource` parameter.

    Condition: When issuing access tokens for indicated resources.

    The authorization server SHOULD audience-restrict issued access tokens

MAY
3
  1. RFC 8707 - Section 2.1

    process an authorization request with no specific resource or with a predefined default resource value.

    Condition: If the client omits the `resource` parameter.

    the authorization server MAY process the request

  2. RFC 8707 - Section 2.1

    require clients to specify the resources they intend to access.

    Condition: As an alternative to processing omitted `resource` parameters with no resource or a default.

    the authorization server MAY require clients to specify the resource(s)

  3. RFC 8707 - Section 2.1

    fail an authorization request with an `invalid_target` error.

    Condition: If the client omits a required `resource` parameter.

    MAY fail requests that omit the parameter with an invalid_target error

resource parameter URI value

MAY
1
  1. RFC 8707 - Section 2

    be a locator corresponding to a network-addressable location where the target resource is hosted.

    MAY be a locator

resource parameter value

MUST
1
  1. RFC 8707 - Section 2

    be an absolute URI.

    Condition: When the `resource` parameter is present.

    Its value MUST be an absolute URI

resource URI

MUST NOT
1
  1. RFC 8707 - Section 2

    include a fragment component.

    Condition: When used as a `resource` parameter value.

    The URI MUST NOT include a fragment component

SHOULD NOT
1
  1. RFC 8707 - Section 2

    include a query component.

    Condition: Unless a query component is useful and necessary, such as for scoping requests to an application.

    It SHOULD NOT include a query component

Validation Guidance

error

Reject `resource` values that are not absolute URIs or that contain a fragment component.

warning

Warn when a `resource` URI includes a query component unless the query is useful and necessary for application scoping.

info

Support repeated `resource` parameters for requests targeting multiple resources.

info

Prefer the most specific applicable API base URI when generating a `resource` value, unless specific resource knowledge dictates otherwise.

warning

Audience-restrict issued access tokens to the indicated resources.

info

Apply documented authorization-server policy when `resource` is omitted: process without a specific resource, use a default, or require the parameter and return `invalid_target`.

Security Notes

RFC 8707 - Section 2

The authorization server should audience-restrict issued access tokens to the resources indicated by the `resource` parameter. It may use the exact value or map it to a more general URI or abstract resource identifier.

Reference

Details

Entry Id
resource
Name
resource
Parameter Usage Location
authorization request, token request
Change Controller
IESG
Reference
RFC8707