OAuth is a standard, but like so many standards there are a lot of implementations to choose from, and a token minted by one server is not necessarily something another service will accept. That makes it hard to pass tokens around.

Ideally, to thin out the number of credentials a user (or a service) has to juggle, a client would authenticate once to one OAuth authorisation server and then trade the token it gets for ones that the other servers it talks to will accept.

A bunch of IETF 'net boffins have run up an Internet-Draft to deal with this, with a simple and standard token exchange mechanism that needs only HTTP and JSON on the client side (rather than the heavyweight, SOAP-based WS-Trust protocol).

The idea is that OAuth 2.0-style authorisation would be easier to extend beyond the world of Facebook, Twitter and the rest. It's an extension to what already exists, giving OAuth 2.0 authorisation servers the ability to act as fully-fledged security token services (STSs): take in a token, validate it, and hand back a new one cut for a different target.

The work-in-progress explains that the OAuth 2.0 Authorisation Framework and OAuth 2.0 Bearer Tokens (RFCs 6749 and 6750 respectively) “do not provide everything necessary to facilitate token exchange interactions”.

In keeping with the aim of keeping the protocol lightweight, the request is a plain form POST to the token endpoint and needs only a handful of fields: grant_type (set to the token-exchange URN), resource (the URI of the target service, which the authorisation server uses to apply its policy and pick the right sort of token to issue), audience (the logical name of the target, which can be used instead of the URI), scope, and the tokens themselves: subject_token and subject_token_type for the token being exchanged, optionally actor_token and actor_token_type for the party doing the exchanging on someone else's behalf, and requested_token_type for the kind of token wanted back.

Responses take the form of a standard OAuth 2.0 token endpoint response, with one addition: an issued_token_type field saying what sort of token came back, since it need not be an access token.
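To make the request and response described above concrete, here is an added example (not code from the draft or its authors) of both ends of the exchange: a client building the form fields, and a toy authorisation server that validates them and mints a short-lived JWT for the target. The grant_type and token_type URNs and the request/response field names are the spec's own; the invalid_target error code is the one the finished RFC 8693 version of this draft defines, and the act claim on the issued token follows that RFC too. The hostnames, the HS256 key, the token registry and the known-target table are made up for the example.

```python
"""Toy OAuth 2.0 token exchange: client request builder plus an
authorisation-server handler that validates the request and issues a JWT.
Standard library only; example data below is constructed, not real."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

# Identifiers defined by the token-exchange spec (draft, later RFC 8693).
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"
TOKEN_TYPE_ACCESS = "urn:ietf:params:oauth:token-type:access_token"

# Everything from here on is made up for the example.
ISSUER = "https://as.example.com"
SIGNING_KEY = b"example-hs256-key-not-for-production"
# Opaque access tokens this AS issued earlier: token -> subject and scopes.
ISSUED_TOKENS = {
    "opaque-alice-token": {"sub": "alice", "scope": {"read", "write"}},
    "opaque-gw-token": {"sub": "api-gateway", "scope": {"exchange"}},
}
# Targets (by resource URI or logical audience) this AS will mint tokens for.
KNOWN_TARGETS = {"https://backend.example.com/api": "backend",
                 "backend": "backend"}


def build_exchange_request(subject_token, *, resource=None, audience=None,
                           scope=None, actor_token=None,
                           requested_token_type=TOKEN_TYPE_JWT):
    """Client side: the form fields POSTed to the AS token endpoint."""
    form = {"grant_type": GRANT_TYPE,
            "subject_token": subject_token,
            "subject_token_type": TOKEN_TYPE_ACCESS,
            "requested_token_type": requested_token_type}
    if resource is not None:
        form["resource"] = resource
    if audience is not None:
        form["audience"] = audience
    if scope is not None:
        form["scope"] = scope
    if actor_token is not None:          # delegation: who is doing the asking
        form["actor_token"] = actor_token
        form["actor_token_type"] = TOKEN_TYPE_ACCESS
    return form


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_jwt(claims: dict) -> str:
    """HS256 compact JWT over the given claims (toy issuer, symmetric key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def _error(code, desc):
    return {"error": code, "error_description": desc}


def handle_token_exchange(form: dict, now=None) -> dict:
    """AS side: validate a token-exchange request and build the response."""
    now = int(time.time()) if now is None else now
    if form.get("grant_type") != GRANT_TYPE:
        return _error("unsupported_grant_type", "not a token-exchange request")
    for required in ("subject_token", "subject_token_type"):
        if not form.get(required):
            return _error("invalid_request", f"missing {required}")
    if form["subject_token_type"] != TOKEN_TYPE_ACCESS:
        return _error("invalid_request", "unsupported subject_token_type")
    if "actor_token" in form and not form.get("actor_token_type"):
        return _error("invalid_request", "actor_token_type required with actor_token")
    resource = form.get("resource")
    if resource is not None:  # must be an absolute URI with no fragment
        parts = urlsplit(resource)
        if not (parts.scheme and parts.netloc) or parts.fragment:
            return _error("invalid_target", "resource is not an absolute URI")
    target = KNOWN_TARGETS.get(resource) or KNOWN_TARGETS.get(form.get("audience"))
    if target is None:
        return _error("invalid_target", "unknown resource/audience")
    subject = ISSUED_TOKENS.get(form["subject_token"])
    if subject is None:
        return _error("invalid_grant", "subject_token not recognised")
    # Scope may only be narrowed relative to the subject token, never widened.
    requested = set(form["scope"].split()) if form.get("scope") else subject["scope"]
    if not requested <= subject["scope"]:
        return _error("invalid_scope", "requested scope exceeds subject token")
    claims = {"iss": ISSUER, "sub": subject["sub"], "aud": target,
              "iat": now, "exp": now + 300, "scope": " ".join(sorted(requested))}
    if "actor_token" in form:
        actor = ISSUED_TOKENS.get(form["actor_token"])
        if actor is None:
            return _error("invalid_grant", "actor_token not recognised")
        claims["act"] = {"sub": actor["sub"]}   # records who acts for the subject
    return {"access_token": mint_jwt(claims), "issued_token_type": TOKEN_TYPE_JWT,
            "token_type": "Bearer", "expires_in": 300, "scope": claims["scope"]}


def decode_claims(jwt: str) -> dict:
    """Verify the HMAC and return the claims, for inspecting issued tokens."""
    header, body, sig = jwt.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
```

The checks worth noting are the ones the prose glosses over: the server refuses to widen scope beyond what the subject token already carried, refuses a resource that is not an absolute URI (a fragment, for instance), insists on actor_token_type whenever an actor_token is supplied, and binds the issued token to the target it was asked for via aud, so the gateway cannot replay it against some other backend.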

There are also three JSON Web Token (JWT) claims defined in the document: one naming the actor holding the token, one carrying the token's scope, and (representing delegation of trust) an “acts_for” claim.

The co-authors on the document are M Jones and A Nadalin of Microsoft, J Bradley of Ping Identity, and C Mortimore of Salesforce. ®