Specifications (RFC) involved in the process of accessing the protected resource
The OAuth 2.0 framework is extensive and spread over several specifications. This section lists the RFCs involved in obtaining an access token from the Social Security authorization server and in presenting that token to a Social Security protected resource.
The client authenticates itself to the Social Security authorization server to obtain an access token
Currently, Social Security APIs are protected with the following OAuth 2.0 profile: the Client Credentials Grant, with the client authenticating to the token endpoint by means of a Client Assertion in the form of a signed JSON Web Token (JWT).
- The Client Credentials Grant protocol is described in section 4.4 of RFC 6749.
- The Client Assertion authentication method is described in section 4.2 of RFC 7521.
- The use of a JSON Web Token as a Client Assertion is described in section 2.2 of RFC 7523.
- The JSON Web Token message format is described in RFC 7519.
- The JSON Web Token is signed as a JSON Web Signature (JWS) according to RFC 7515.
If the client is successfully authenticated and authorized, the authorization server issues an access token as described in section 5.1 of RFC 6749; otherwise it returns an error response as described in section 5.2 of RFC 6749.
The Social Security authorization server always issues a 'Bearer' access token; the use of this token type is described in RFC 6750. Since a bearer token grants access to whoever presents it, the client must only transmit it over TLS and must protect it in storage (RFC 6750, section 5).
The client accesses the protected resource by presenting the access token to the resource server
The client sends the bearer access token to the resource server in the HTTP Authorization header, using the 'Authorization Request Header Field' method described in section 2.1 of RFC 6750, i.e. Authorization: Bearer <access_token>.
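The two steps described above (signed JWT client assertion in a client credentials token request, then the bearer token in the Authorization header) carried through end to end, as an added example that is not code from the Social Security documentation. It runs offline with the Python standard library only and models both sides: the client builds the assertion and the token request, the authorization server performs the checks that gate token issuance. The client id, token endpoint URL, shared secret and the opaque access token value are constructed placeholders. The assertion is signed with HS256 purely so the script needs no third-party library; a real private_key_jwt client signs with its private key (RS256 or ES256) and the server verifies with the registered public key, but the structure of the assertion, the request and the checks is the same.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import uuid
from urllib.parse import parse_qs, urlencode

# Constructed placeholders (assumptions, not values from the documentation).
CLIENT_ID = "example-client"
TOKEN_ENDPOINT = "https://as.example.test/oauth/token"
SHARED_SECRET = b"constructed-demo-secret-do-not-use"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
SEEN_JTI = set()  # authorization server's replay cache for assertion ids


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(signing_input: bytes) -> bytes:
    # HMAC stand-in for the asymmetric signature of a real private_key_jwt client.
    return hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest()


def build_client_assertion(now=None, lifetime=60) -> str:
    """Client side: JWS compact serialization (RFC 7515) carrying the claims
    RFC 7523 section 3 requires of a client-authentication JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": CLIENT_ID,          # issuer and subject are both the client id
        "sub": CLIENT_ID,
        "aud": TOKEN_ENDPOINT,     # audience: the authorization server's token endpoint
        "iat": now,
        "exp": now + lifetime,     # short lifetime keeps the replay window small
        "jti": str(uuid.uuid4()),  # unique id so the server can detect replay
    }
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(sign_hs256(signing_input.encode()))


def build_token_request(assertion: str) -> str:
    """Client side: form body of the client credentials grant (RFC 6749 section 4.4.2),
    authenticated with the RFC 7523 section 2.2 parameters instead of a client_secret."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
    })


def as_verify_token_request(body: str, now=None) -> dict:
    """Authorization server side: checks that gate token issuance.
    Raises ValueError carrying the RFC 6749 section 5.2 error code on failure."""
    now = int(time.time()) if now is None else now
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("grant_type") != "client_credentials":
        raise ValueError("unsupported_grant_type")
    if params.get("client_assertion_type") != ASSERTION_TYPE:
        raise ValueError("invalid_client: unexpected client_assertion_type")
    try:
        h, p, s = params["client_assertion"].split(".")
    except (KeyError, ValueError):
        raise ValueError("invalid_client: malformed assertion")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: never let the token choose it (alg=none, HS/RS confusion).
    if header.get("alg") != "HS256":
        raise ValueError("invalid_client: unexpected alg")
    if not hmac.compare_digest(sign_hs256(f"{h}.{p}".encode()), b64url_decode(s)):
        raise ValueError("invalid_client: bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != CLIENT_ID or claims.get("sub") != CLIENT_ID:
        raise ValueError("invalid_client: iss/sub mismatch")
    if claims.get("aud") != TOKEN_ENDPOINT:
        raise ValueError("invalid_client: aud mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("invalid_client: assertion expired")
    if claims.get("jti") in SEEN_JTI:
        raise ValueError("invalid_client: assertion replayed")
    SEEN_JTI.add(claims["jti"])
    return claims


def as_token_response(claims: dict) -> dict:
    """Authorization server side: successful response of RFC 6749 section 5.1.
    The token value is an opaque constructed string; token_type is always Bearer."""
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}


def authorization_header(token_response: dict) -> dict:
    """Client side: present the token to the resource server with the
    Authorization Request Header Field of RFC 6750 section 2.1."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type %r" % token_response.get("token_type"))
    return {"Authorization": "Bearer " + token_response["access_token"]}


if __name__ == "__main__":
    body = build_token_request(build_client_assertion())
    claims = as_verify_token_request(body)
    print(authorization_header(as_token_response(claims)))
```

The server-side order matters: the signature is verified before any claim is read, the algorithm is pinned rather than taken from the header, the audience check stops an assertion minted for another server from being accepted, and the jti cache stops a captured assertion from being replayed within its lifetime.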