- Title
- Secure REST-based Request Response Profile
- Description
- The Secure REST-based Request Response profile supports consistent and compliant use of the uniform interface offered by HTTP for accessing a federated protected resource (REST-based Web Service). The Client makes a protected access request to the Resource Server (authority part referred to within the request URI) presenting the Access Token in the Header of the HTTP request. If the Access Token is successfully validated the Resource Server processes the authorised request and the result is returned to the Client.
Taxonomy
Standards
Guidance
The Access Token is encoded in the HTTP Authorization entity-header by the Client.
The auth-scheme parameter for the HTTP Authorization entity-header is specified to indicate the type of Access Token
As a minimum for complying with this profile, the auth-scheme parameter value for the HTTP Authorization Header is Bearer.
Note If supporting the OAuth 2.0 DPoP Profile the auth-scheme parameter value is DPoP).
Note If supporting the OAuth 2.0 HTTP Message Signatures Profile the auth-scheme parameter value is PoP).
In the cases where a Client receives a 401 status error code, that Client SHALL request an Access Token from the Authorization Server as specified in PRF-139 OAuth 2.0 Assertion Grant Profile.