Symmetric Proof of Possession for the OAuth Authorization Code Grant

The information below is for an old version of the document
Document type: Internet-Draft (oauth WG)
Last updated: 2014-11-12
Replaces: draft-sakimura-oauth-tcse
Stream: IETF
Intended RFC status: Proposed Standard
Status: Expired & archived
Stream WG state: (None)
Document shepherd: Hannes Tschofenig
IESG state: Unknown state
Consensus boilerplate: Unknown
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


An OAuth 2.0 public client using the Authorization Code Grant (RFC 6749, Section 4.1) is susceptible to the authorization code interception attack. This specification describes a mechanism that acts as a control against this threat.


Authors:
- Nat Sakimura
- John Bradley
- Naveen Agarwal

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)