| Internet-Draft | OAuth Groupware Auth | July 2025 |
| Bunch | Expires 21 January 2026 | [Page] |
The OAuth 2.0 authorization framework is widely used to provide clients with delegated access to user data. However, the core specification leaves the definition of access scopes to individual service providers. This has led to a fragmented ecosystem for common groupware services (Mail, Calendaring, Contacts), where each provider uses proprietary, non-interoperable scope identifiers. Client applications, such as desktop mail clients, are forced to hardcode configurations for a small number of large providers, stifling innovation and harming open ecosystems.¶
This document proposes a framework that combines a minimal set of standardized OAuth 2.0
scopes with a detailed structure for use with OAuth 2.0 Rich Authorization Requests (RAR).
This hybrid approach provides a simple baseline for legacy clients while enabling powerful,
granular, and privacy-preserving authorization for modern clients. It defines RAR type
values, actions, datatypes, and custom fields for specifying fine-grained permissions
for groupware resources.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 21 January 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
While OAuth 2.0 [RFC6749] is ubiquitous, its reliance on provider-defined scopes has created a fragmented ecosystem for groupware. A client application cannot automatically configure itself for a new mail or calendar provider, as it has no standard way to request specific permissions like "read-only access to the 'Work' calendar."¶
This document specifies a solution that leverages the recent OAuth 2.0 Rich Authorization Requests (RAR) [RFC9396] standard to define structured, granular permissions. To maintain backward compatibility and provide a simple path for basic clients, this detailed RAR structure is paired with a minimal set of three high-level scopes.¶
This allows a client to request simple access (e.g., scope=mail) or to make a much more
specific request, such as asking for permission to read and delete messages only from the
"INBOX" folder and send email as a specific alias. This improves both security and user
privacy by adhering to the principle of least privilege.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This specification proposes three aggregate scope values to represent high-level access to a user's groupware data. These scopes are intended as a baseline for simple clients or as a companion to more detailed Rich Authorization Requests.¶
urn:ietf:params:oauth:auth-type:mail. If RAR is not used, this scope implies full
access.¶
urn:ietf:params:oauth:auth-type:calendar.¶
urn:ietf:params:oauth:auth-type:contacts.¶
This document defines a set of type values and associated fields for use within the
authorization_details array of an OAuth 2.0 Rich Authorization Request.¶
This specification defines the following new fields for use within the
authorization_details object to provide granular control over groupware resources.¶
collections (array of strings):"*"
indicates all collections of the specified datatypes. To solve the initial client
bootstrapping problem, the special string value "__default" (two underscores)
may be used. If provided, the Authorization Server SHOULD grant access to
the user's primary or default collection for the given type (e.g., the INBOX
for mail, the default calendar for CalDAV). If this field is omitted entirely, access SHOULD be treated as if no collections were granted. To prevent ambiguity,
Resource Servers SHOULD NOT allow users to create collections with names
that begin with two underscores.¶
type_specific_details (object):type
and do not fit into the other standard fields.¶
This type is used to request granular access to a user's email.¶
urn:ietf:params:oauth:auth-type:mail¶
urn:ietf:params:oauth:scope:mail¶
datatypes:folder, message, flag¶
actions:list, create, read, update, delete¶
type_specific_details:send_as_aliases (array of strings):From: header
when performing a send action. The value "*" indicates any of the user's
available sending addresses.¶
This type is used to request granular access to a user's calendars.¶
This type is used to request granular access to a user's address books.¶
The principle of least privilege SHOULD be followed. A client application SHOULD use Rich Authorization Requests to request the narrowest set of permissions
required for their functionality. For example, a scheduling assistant application that only
needs to find open time slots should request only the freebusy datatype and the list and
read actions for the calendar type, limited to specific calendars if possible.¶
Authorization servers MUST ensure that a user has explicitly consented to the scopes and rich authorization details requested by a client. Resource Servers are responsible for parsing the access token and correctly enforcing the authorized permissions.¶
This document requests the registration of new values in several IANA-managed registries.¶
This document requests registration of the following three values in the "OAuth Scope Registry".¶
This document requests registration of the following three values in the "OAuth Authorization Details Types Registry".¶
This appendix provides non-normative JSON Schema definitions for the
authorization_details objects defined in this document.¶
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "Mail Authorization Details",
"type": "object",
"properties": {
"type": {
"const": "urn:ietf:params:oauth:auth-type:mail"
},
"locations": {
"type": "array",
"items": {
"type": "string",
"format": "uri"
}
},
"actions": {
"type": "array",
"items": {
"type": "string",
"enum": [
"list",
"create",
"read",
"update",
"delete"
]
}
},
"datatypes": {
"type": "array",
"items": {
"type": "string",
"enum": [
"folder",
"message",
"flag"
]
}
},
"collections": {
"type": "array",
"items": {
"type": "string"
}
},
"type_specific_details": {
"type": "object",
"properties": {
"send_as_aliases": {
"type": "array",
"items": {
"type": "string"
}
}
}
}
},
"required": [
"type",
"actions",
"datatypes"
]
}¶
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "Calendar Authorization Details",
"type": "object",
"properties": {
"type": {
"const": "urn:ietf:params:oauth:auth-type:calendar"
},
"locations": {
"type": "array",
"items": {
"type": "string",
"format": "uri"
}
},
"actions": {
"type": "array",
"items": {
"type": "string",
"enum": [
"list",
"create",
"read",
"update",
"delete"
]
}
},
"datatypes": {
"type": "array",
"items": {
"type": "string",
"enum": [
"calendar",
"event",
"freebusy"
]
}
},
"collections": {
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"type",
"actions",
"datatypes"
]
}¶
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "Contacts Authorization Details",
"type": "object",
"properties": {
"type": {
"const": "urn:ietf:params:oauth:auth-type:contacts"
},
"locations": {
"type": "array",
"items": {
"type": "string",
"format": "uri"
}
},
"actions": {
"type": "array",
"items": {
"type": "string",
"enum": [
"list",
"create",
"read",
"update",
"delete"
]
}
},
"datatypes": {
"type": "array",
"items": {
"type": "string",
"enum": [
"addressbook",
"contact"
]
}
},
"collections": {
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"type",
"actions",
"datatypes"
]
}¶
This version represents a significant revision based on initial community feedback. The core focus has shifted from defining a large set of granular scopes to a more flexible and modern framework that combines a minimal set of aggregate scopes with the structured data model of OAuth 2.0 Rich Authorization Requests (RAR) [RFC9396].¶
Major changes include:¶
mail, calendar, contacts) to provide a simple baseline for all
clients.¶
type values, actions,
datatypes, and custom fields (collections, type_specific_details)
that allow for fine-grained permission requests.¶
locations field.¶
authorization_details objects.¶