HTTP APIs

The IANA registry for well-known URIs - iana.org/assignments/we…

"To address this, this memo defines a path prefix in HTTP(S) URIs for these "well-known locations", "/.well-known/"." In tools.ietf.org/html/rfc5785 (2/2)

"It is increasingly common for Web-based protocols to require the discovery of policy or other information about a host ("site-wide metadata") before making a request." (1/2)

"The immutable HTTP response Cache-Control extension allows servers to identify resources that will not be updated during their freshness lifetime. This ensures that a client never needs to revalidate a cached fresh resource (...)" In tools.ietf.org/html/rfc8246

The OWASP "API Security Top 10 2019" owasp.org/www-project-ap…

"PKCE vs. Nonce: Equivalent or Not?" In danielfett.de/2020/05/16/pkc… by @dfett42

"The Link header field provides a means for serialising one or more links into HTTP headers." In #section-3" target="_blank" rel="nofollow noopener">tools.ietf.org/html/rfc8288#s…

Early hints example from tools.ietf.org/html/rfc8297 HTTP/1.1 103 Early Hints Link: </style.css>; rel=preload; as=style Link: </script.js>; rel=preload; as=script HTTP/1.1 200 OK Date: Fri, 26 May 2017 10:02:11 GMT (...)

"This memo introduces an informational HTTP status code that can be used to convey hints that help a client make preparations for processing the final response." In tools.ietf.org/html/rfc8297

"acr - Authentication Context Class Reference - String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied" In #IDToken" target="_blank" rel="nofollow noopener">openid.net/specs/openid-c…

"azp - Authorized Party - the party to which the ID Token was issued. (...) This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party" In #IDToken" target="_blank" rel="nofollow noopener">openid.net/specs/openid-c…

"The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim." In #section-4.1.3" target="_blank" rel="nofollow noopener">tools.ietf.org/html/rfc7519#s…

"The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject." in #section-4.1.2" target="_blank" rel="nofollow noopener">tools.ietf.org/html/rfc7519#s…

"The "iss" (issuer) claim identifies the principal that issued the JWT." In #section-4.1.1" target="_blank" rel="nofollow noopener">tools.ietf.org/html/rfc7519#s…

"What makes HTTP significantly different from RPC is that the requests are directed to resources using a generic interface with standard semantics that can be interpreted by intermediaries (..) " In "HTTP is not RPC" by @fielding #sec_6_5_2" target="_blank" rel="nofollow noopener">ics.uci.edu/~fielding/pubs…

"The Web is based on numerous standards that together make up the surface of the Web: By knowing and supporting those standards, problems can be solved in well-known ways." By @dret, in dret.net/netdret/docs/w…

"If the same issuer can issue JWTs that are intended for use by more than one relying party or application, the JWT MUST contain an "aud" (audience) claim that can be used to determine whether the JWT is being used by an intended party (...)" In #name-use-and-validate-audience" target="_blank" rel="nofollow noopener">rfc-editor.org/rfc/rfc8725.ht…

"Sometimes, one kind of JWT can be confused for another. If a particular kind of JWT is subject to such confusion, that JWT can include an explicit JWT type value, and the validation rules can specify checking the type." In #name-use-explicit-typing" target="_blank" rel="nofollow noopener">rfc-editor.org/rfc/rfc8725.ht…

"JSON Web Tokens (...) are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted.This (...) document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs." In rfc-editor.org/rfc/rfc8725.ht…

"The OAuth 2.0 device authorization grant is designed for Internet-connected devices that either lack a browser to perform a user-agent-based authorization or are input constrained" In "OAuth 2.0 Device Authorization Grant" tools.ietf.org/html/rfc8628