<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-oauth-first-party-apps-04" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="OAuth for First-Party Apps">OAuth 2.0 for First-Party Applications</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-first-party-apps-04"/>
    <author fullname="Aaron Parecki">
      <organization>Okta</organization>
      <address>
        <email>aaron@parecki.com</email>
      </address>
    </author>
    <author fullname="George Fletcher">
      <organization>Practical Identity LLC</organization>
      <address>
        <email>george@practicalidentity.com</email>
      </address>
    </author>
    <author fullname="Pieter Kasselman">
      <organization>Defakto Security</organization>
      <address>
        <email>pieter@defakto.security</email>
      </address>
    </author>
    <date year="2026" month="July" day="01"/>
    <area>Security</area>
    <workgroup>Web Authorization Protocol</workgroup>
    <keyword>native apps</keyword>
    <keyword>first-party</keyword>
    <keyword>oauth</keyword>
    <abstract>
      <?line 90?>

<t>This document defines the Authorization Challenge Endpoint, which supports
clients that want to control the process of obtaining authorization from the user using a native experience.</t>
      <t>In many cases, this can provide an entirely browserless OAuth 2.0 experience suited for native
applications, only delegating to the browser in unexpected, high-risk, or error conditions.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://drafts.oauth.net/oauth-first-party-apps/draft-ietf-oauth-first-party-apps.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-oauth-first-party-apps/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Web Authorization Protocol Working Group mailing list (<eref target="mailto:oauth@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/oauth/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/oauth/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/oauth-wg/oauth-first-party-apps"/>.</t>
    </note>
  </front>
  <middle>
    <?line 99?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document, OAuth for First-Party Apps (FiPA),
extends the OAuth 2.0 Authorization Framework <xref target="RFC6749"/> with
a new endpoint to support
applications that want to control the process of obtaining authorization from
the user using a native experience, with browser redirection as described in
OAuth 2.0 for Native Apps <xref target="RFC8252"/> used only as a fallback when needed.</t>
      <t>The client collects any initial information from the user and POSTs that information
as well as information about the client's request to the Authorization Challenge Endpoint,
and receives either an authorization code, as defined in <xref section="1.3.1" sectionFormat="of" target="RFC6749"/>, or an
error code in response. The error code
may indicate that the client can continue to prompt the user for more information,
or can indicate that the client needs to launch a browser to have the user complete
the flow in a browser.</t>
      <t>The Authorization Challenge Endpoint is used to initiate the OAuth flow in place of redirecting
or launching a browser to the authorization endpoint.</t>
      <t>While a fully delegated approach using the redirect-based Authorization Code grant is generally
preferred, this draft provides a mechanism for the client to directly interact
with the user. This requires a high degree of trust between the authorization server
and the client, as there typically is for first-party applications.
It should be considered only when a redirect-based approach introduces usability issues, for example, when switching context between a native application and the browser disrupts the user journey and prevents task completion.</t>
      <t>This draft also extends the token response (typically for use in response to a refresh token request) and resource server response to allow the authorization server or resource server to indicate that the client should re-request authorization from the user. This can include requesting step-up authentication by including parameters defined in <xref target="RFC9470"/> as well.</t>
      <section anchor="usage-and-applicability">
        <name>Usage and Applicability</name>
        <t>This specification is designed for the security model of first-party applications. First-party applications are applications that are controlled by the same entity as the authorization server and that users understand as belonging to the same entity. This specification is designed to be used by first-party native applications, which includes both mobile and desktop applications.</t>
        <t>Profiles of this specification that extend the usage to non-first-party use cases <bcp14>MUST</bcp14> describe how their application of this specification avoids the risks associated with third-party apps directly interacting with the user. For example, an extension of this specification that enables federation between native apps does not ask any third-party app to collect credentials from the user, so avoids these risks.</t>
        <t>Using this specification in scenarios other than those described may lead to unintended security and privacy problems for users and service providers.</t>
        <t>If a service provides multiple apps, and expects users to use multiple apps on the same device, there may be better ways of sharing a user's login between the apps other than each app implementing this specification or using an SDK that implements this specification. For example, <xref target="OpenID.Native-SSO"/> provides a mechanism for one app to obtain new tokens by exchanging tokens from another app, without any user interaction. See <xref target="multiple-applications"/> for more details.</t>
        <t>Please review the entirety of <xref target="security-considerations"/>, and when more than one first-party application is supported, <xref target="multiple-applications"/>.</t>
      </section>
      <section anchor="limitations-of-this-specification">
        <name>Limitations of this specification</name>
        <t>This draft defines the overall framework for delivering a native OAuth user authentication experience. The precise client–server interactions used to authenticate the user (e.g., prompts, challenges, and step sequencing) are intentionally left to individual deployments and are out of scope for this specification.</t>
        <t>This specification is intended to be profiled to standardize specific interaction patterns enabling a complete interoperable solution.</t>
      </section>
      <section anchor="user-experience-considerations">
        <name>User Experience Considerations</name>
        <t>It is important to consider the user experience implications of different authentication challenges as well as the device with which the user is attempting to authorize.</t>
        <t>For example, requesting a user to enter a password on a limited-input device (e.g., a TV) creates a lot of user friction while also exposing the user's password to anyone else in the room. On the other hand, a challenge method that uses, for example, a fingerprint reader on the TV remote for FIDO2 passkey authentication would be a good experience.</t>
        <t>The Authorization Server <bcp14>SHOULD</bcp14> consider the user's device when presenting authentication challenges and developers <bcp14>SHOULD</bcp14> consider whether the device implementing this specification can provide a good experience for the user. If the combination of user device and authentication challenge methods creates a lot of friction or security risk, consider using a specification like OAuth 2.0 Device Authorization Grant <xref target="RFC8628"/>. If the OAuth 2.0 Device Authorization Grant <xref target="RFC8628"/> is selected, which uses a cross-device authorization mechanism, please incorporate the security best practices identified in Cross-Device Flows: Security Best Current Practice <xref target="I-D.ietf-oauth-cross-device-security"/>.</t>
        <t>This specification also allows for the Authorization Server (AS) to direct the user to a browser-based authorization
experience if the AS is not able to authorize the user via the requesting client app. This "redirect-to-web" experience
is necessary to allow the AS to manage the security and privacy risks associated with any specific authorization requested
by the user's client.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<section anchor="terminology">
        <name>Terminology</name>
        <t>This specification uses the terms "Access Token", "Authorization Code",
"Authorization Endpoint", "Authorization Server" (AS), "Client", "Client Authentication",
"Client Identifier", "Client Secret", "Grant Type", "Protected Resource",
"Redirection URI", "Refresh Token", "Resource Owner", "Resource Server" (RS)
and "Token Endpoint" defined by <xref target="RFC6749"/>.</t>
        <t>TODO: Replace RFC6749 references with OAuth 2.1</t>
      </section>
    </section>
    <section anchor="protocol-overview">
      <name>Protocol Overview</name>
      <t>There are three primary ways this specification extends various parts of an OAuth system.</t>
      <section anchor="initial-authorization-request">
        <name>Initial Authorization Request</name>
        <artwork type="ascii-art"><![CDATA[
                                                +-------------------+
                                                |   Authorization   |
                          (B)Authorization      |      Server       |
             +----------+    Challenge Request  |+-----------------+|
(A)Client+---|  First-  |---------------------->||  Authorization  ||
   Starts|   |  Party   |                       ||   Challenge     ||
   Flow  +-->|  Client  |<----------------------||    Endpoint     ||
             |          | (C)Authorization      ||                 ||
             |          |    Error Response     ||                 ||
             |          |         :             ||                 ||
             |          |         :             ||                 ||
             |          | (D)Authorization      ||                 ||
             |          |    Challenge Request  ||                 ||
             |          |---------------------->||                 ||
             |          |                       ||                 ||
             |          |<----------------------||                 ||
             |          | (E) Authorization     |+-----------------+|
             |          |     Code Response     |                   |
             |          |                       |                   |
             |          |                       |                   |
             |          |                       |                   |
             |          | (F) Token             |                   |
             |          |     Request           |+-----------------+|
             |          |---------------------->||      Token      ||
             |          |                       ||     Endpoint    ||
             |          |<----------------------||                 ||
             |          | (G) Access Token      |+-----------------+|
             |          |                       |                   |
             +----------+                       +-------------------+
]]></artwork>
        <t>Figure: First-Party Client Authorization Code Request</t>
        <ul spacing="normal">
          <li>
            <t>(A) The first-party client starts the flow by presenting the user with a "sign in" button or collecting information from the user, such as their email address or username (see <xref target="authorization-initiation"/>).</t>
          </li>
          <li>
            <t>(B) The client initiates the authorization request by making a POST request to the Authorization Challenge Endpoint (see <xref target="challenge-request"/>), optionally with information collected from the user (e.g., email or username).</t>
          </li>
          <li>
            <t>(C) The authorization server determines whether the information provided to the Authorization Challenge Endpoint is sufficient to grant authorization, and either responds with an authorization code or responds with an error (see <xref target="challenge-response"/>). In this example, it determines that additional information is needed and responds with an error. The error may contain additional information to guide the client on what information to collect next. This pattern of collecting information, submitting it to the Authorization Challenge Endpoint, and then receiving an error or authorization code may repeat several times.</t>
          </li>
          <li>
            <t>(D) The client gathers additional information (e.g., signed passkey challenge, or one-time code from email) and makes a POST request to the Authorization Challenge Endpoint.</t>
          </li>
          <li>
            <t>(E) The Authorization Challenge Endpoint returns an authorization code.</t>
          </li>
          <li>
            <t>(F) The client sends the authorization code received in step (E) to obtain a token from the Token Endpoint (see <xref target="token-request"/>).</t>
          </li>
          <li>
            <t>(G) The Authorization Server returns an Access Token from the Token Endpoint.</t>
          </li>
        </ul>
      </section>
      <section anchor="refresh-token-request">
        <name>Refresh Token Request</name>
        <t>When the client uses a refresh token to obtain a new access token, the authorization server <bcp14>MAY</bcp14> respond with an error to indicate that re-authentication of the user is required.</t>
      </section>
      <section anchor="resource-request">
        <name>Resource Request</name>
        <t>When making a resource request to a resource server, the resource server <bcp14>MAY</bcp14> respond with an error according to OAuth 2.0 Step-Up Authentication Challenge Protocol <xref target="RFC9470"/>, indicating that re-authentication of the user is required.</t>
        <t>The use of <xref target="RFC9470"/> in this specification is for interoperability with its defined error signaling and does not propose changes to <xref target="RFC9470"/> itself.</t>
      </section>
    </section>
    <section anchor="protocol-endpoints">
      <name>Protocol Endpoints</name>
      <section anchor="authorization-challenge-endpoint">
        <name>Authorization Challenge Endpoint</name>
        <t>The authorization challenge endpoint is a new endpoint defined by this specification that the first-party application uses to obtain an authorization code.</t>
        <t>The authorization challenge endpoint is an HTTP API at the authorization server that accepts HTTP POST requests with parameters in the HTTP request message body using the <tt>application/x-www-form-urlencoded</tt> format. This format has a character encoding of UTF-8, as described in <xref section="B" sectionFormat="of" target="RFC6749"/>. The authorization challenge endpoint URL <bcp14>MUST</bcp14> use the "https" scheme.</t>
        <t>If the authorization server requires client authentication for this client at the Token Endpoint, then the authorization server <bcp14>MUST</bcp14> also require client authentication for this client at the Authorization Challenge Endpoint. See <xref target="client-authentication"/> for more details.</t>
        <t>Authorization servers supporting this specification <bcp14>SHOULD</bcp14> include the URL of their authorization challenge endpoint in their authorization server metadata document <xref target="RFC8414"/> using the <tt>authorization_challenge_endpoint</tt> parameter as defined in <xref target="authorization-server-metadata"/>.</t>
        <t>The authorization challenge endpoint <bcp14>MUST</bcp14> accept the authorization request parameters as defined in <xref target="RFC6749"/> for the authorization endpoint as well as any authorization endpoint extensions supported by the authorization server. Examples of such extensions include Proof Key for Code Exchange (PKCE) <xref target="RFC7636"/>, Resource Indicators <xref target="RFC8707"/>, and OpenID Connect <xref target="OpenID"/>. Note that some extension parameters have meaning in a web context but do not have meaning in a native mechanism (e.g., <tt>response_mode=query</tt>). How the authorization server handles an extension parameter that has no meaning in this use case is out of scope.</t>
        <t>The client initiates the authorization flow with or without information collected from the user (e.g. a signed passkey challenge or MFA code).</t>
        <t>The authorization challenge endpoint response is either an authorization code or an error code, and may also contain an <tt>auth_session</tt> which the client uses on subsequent requests.</t>
        <t>Further communication between the client and authorization server <bcp14>MAY</bcp14> happen at the Authorization Challenge Endpoint or any other proprietary endpoints at the authorization server.</t>
      </section>
      <section anchor="token-endpoint">
        <name>Token endpoint</name>
        <t>The token endpoint is used by the client to obtain an access token by
presenting its authorization grant or refresh token, as described in
<xref section="3.2" sectionFormat="of" target="RFC6749"/>.</t>
        <t>This specification extends the token endpoint response to allow the authorization
server to indicate that further authentication of the user is required.</t>
      </section>
    </section>
    <section anchor="authorization-initiation">
      <name>Authorization Initiation</name>
      <t>A client may wish to initiate an authorization flow by first prompting the user for their user identifier or other account information. The authorization challenge endpoint is a new endpoint to collect this login hint and direct the client with the next steps, such as performing an MFA flow or an OAuth redirect-based flow. If the authorization server directs the client to complete the flow using a redirect-based authorization request in a browser, the client and authorization server <bcp14>SHOULD</bcp14> follow applicable best current practices for native apps (e.g., <xref target="RFC8252"/> and its successors) for redirect URI selection and external user-agent usage.</t>
      <t>To preserve the security of this specification, the Authorization Server <bcp14>MUST</bcp14> verify the "first-partyness" of the client before continuing with the authentication flow. Please see <xref target="first-party-applications"/> for additional considerations.</t>
      <section anchor="challenge-request">
        <name>Authorization Challenge Request</name>
        <t>The client makes a request to the authorization challenge endpoint by adding the
following parameters, as well as parameters from any extensions, using the <tt>application/x-www-form-urlencoded</tt>
format with a character encoding of UTF-8 in the HTTP request body:</t>
        <dl>
          <dt>"client_id":</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14>, unless the client is authenticating to the authorization server in a manner that unambiguously identifies the client, or the request includes an <tt>auth_session</tt> value associated with an existing session from which the authorization server can determine the client identity. The client <bcp14>MAY</bcp14> include the <tt>client_id</tt> even when one of these conditions applies. If it does, the authorization server <bcp14>MUST</bcp14> verify that the <tt>client_id</tt> identifies the same client as otherwise determined for the request, and <bcp14>MUST</bcp14> reject the request if it does not.</t>
          </dd>
          <dt>"scope":</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14>. The OAuth scope defined in <xref target="RFC6749"/>.</t>
          </dd>
          <dt>"auth_session":</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14>. If the client has previously obtained an auth session, described in <xref target="auth-session"/>.</t>
          </dd>
          <dt>"code_challenge":</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14>. The code challenge as defined by <xref target="RFC7636"/>.
See <xref target="redirect-to-web"/> for details.</t>
          </dd>
          <dt>"code_challenge_method":</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14>. The code challenge method as defined by <xref target="RFC7636"/>.
See <xref target="redirect-to-web"/> for details.</t>
          </dd>
          <dt>"response_type":</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14>. Per <xref section="3.1.1" sectionFormat="of" target="RFC6749"/>, <tt>response_type</tt> is required, and for this specification <bcp14>MUST</bcp14> contain the value of <tt>code</tt>.</t>
          </dd>
        </dl>
        <t>Specific implementations as well as extensions to this specification <bcp14>MAY</bcp14> define additional parameters to be used at this endpoint.</t>
        <t>For example, the client makes the following request to initiate a flow
given the user's phone number, line breaks shown for illustration purposes only:</t>
        <artwork><![CDATA[
POST /authorize-challenge HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

login_hint=%2B1-310-123-4567
&scope=profile
&client_id=bb16c14c73415
&response_type=code
]]></artwork>
      </section>
      <section anchor="challenge-response">
        <name>Authorization Challenge Response</name>
        <t>The authorization server determines whether the information provided up to this point is sufficient to issue an authorization code, and if so responds with an authorization code. If the information is not sufficient for issuing an authorization code, then the authorization server <bcp14>MUST</bcp14> respond with an error response.</t>
        <section anchor="authorization-code-response">
          <name>Authorization Code Response</name>
          <t>The authorization server issues an authorization code
by creating HTTP response content using the <tt>application/json</tt>
media type as defined by <xref target="RFC8259"/> with the following parameters
and an HTTP 200 (OK) status code:</t>
          <dl>
            <dt>"authorization_code":</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>. The authorization code issued by the authorization server.</t>
            </dd>
          </dl>
          <t>For example,</t>
          <artwork><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "authorization_code": "uY29tL2F1dGhlbnRpY"
}
]]></artwork>
        </section>
        <section anchor="challenge-error-response">
          <name>Error Response</name>
          <t>If the request contains invalid parameters or incorrect data,
or if the authorization server wishes to interact with the user directly,
the authorization server responds with an HTTP 400 (Bad Request)
status code (unless specified otherwise by a particular error code)
and includes the following parameters with the response.</t>
          <t>Response parameters <tt>error</tt>, <tt>error_description</tt>,
and <tt>error_uri</tt> are defined and used according to <xref target="RFC6749"/>. <tt>request_uri</tt> and
<tt>expires_in</tt> are defined and used according to <xref target="RFC9126"/>. This specification
defines the <tt>auth_session</tt> response parameter.</t>
          <dl>
            <dt>"error":</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14>.  A single ASCII <xref target="USASCII"/> error code as described in
<xref target="error-codes"/>.
</t>
              <t>Values for the <tt>error</tt> parameter <bcp14>MUST NOT</bcp14> include characters
outside the set %x20-21 / %x23-5B / %x5D-7E.</t>
              <t>The authorization server <bcp14>MAY</bcp14> extend these error codes with custom
messages based on the requirements of the authorization server.</t>
            </dd>
            <dt>"error_description":</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>.  Human-readable ASCII <xref target="USASCII"/> text providing
additional information, used to assist the client developer in
understanding the error that occurred.
Values for the <tt>error_description</tt> parameter <bcp14>MUST NOT</bcp14> include
characters outside the set %x20-21 / %x23-5B / %x5D-7E.</t>
            </dd>
            <dt>"error_uri":</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>.  A URI identifying a human-readable web page with
information about the error, used to provide the client
developer with additional information about the error.
Values for the <tt>error_uri</tt> parameter <bcp14>MUST</bcp14> conform to the
URI-reference syntax and thus <bcp14>MUST NOT</bcp14> include characters
outside the set %x21 / %x23-5B / %x5D-7E.</t>
            </dd>
            <dt>"auth_session":</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>.  The auth session allows the authorization server to
associate subsequent requests by this client with an ongoing
authorization request sequence. The client <bcp14>MUST</bcp14> include
the <tt>auth_session</tt> in follow-up requests to the authorization challenge
endpoint if it receives one along with the error response.</t>
            </dd>
            <dt>"request_uri":</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>.  A request URI as described by <xref section="2.2" sectionFormat="of" target="RFC9126"/>.</t>
            </dd>
            <dt>"expires_in":</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14>.  The lifetime of the <tt>request_uri</tt> in seconds, as
described by <xref section="2.2" sectionFormat="of" target="RFC9126"/>.</t>
            </dd>
          </dl>
          <t>This specification requires the authorization server to define new
error codes that relate to the actions the client must take in order
to properly authenticate the user. These new error codes are specific
to the authorization server's implementation of this specification and are
intentionally left out of scope.</t>
          <t>The parameters are included in the content of the HTTP response
using the <tt>application/json</tt> media type as defined by <xref target="RFC8259"/>.  The
parameters are serialized into a JSON structure by adding each
parameter at the highest structure level.  Parameter names and string
values are included as JSON strings.  Numerical values are included
as JSON numbers.  The order of parameters does not matter and can
vary.</t>
          <t>The authorization server <bcp14>MAY</bcp14> define additional parameters in the response
depending on the implementation. The authorization server <bcp14>MAY</bcp14> also define
more specific content types for the error responses as long as the response
is JSON and conforms to <tt>application/&lt;AS-defined&gt;+json</tt>.</t>
          <section anchor="error-codes">
            <name>Error Codes</name>
            <t>This specification supports the use of error codes defined by <xref target="RFC6749"/>
and other error codes defined by OAuth extensions supported by the
authorization server.</t>
            <t>This specification defines the following error codes.</t>
            <t><tt>invalid_session</tt>:
     :     The provided <tt>auth_session</tt> is
           invalid, expired, revoked, or otherwise not acceptable.</t>
            <t><tt>insufficient_authorization</tt>:
     :     The presented authorization is insufficient, and the authorization
           server is requesting the client to take additional steps to
           complete the authorization. The authorization server <bcp14>MUST</bcp14> respond
           with the HTTP 403 (Forbidden) status code.</t>
            <t><tt>redirect_to_web</tt>:
     :     The request is not able to be fulfilled with any further
           direct interaction with the user. Instead, the client
           should initiate a new authorization code flow so that the
           user interacts with the authorization server in a web browser.
           See <xref target="redirect-to-web"/> for details. The authorization server <bcp14>MUST</bcp14>
           respond with the HTTP 403 (Forbidden) status code.</t>
            <section anchor="redirect-to-web">
              <name>Redirect to Web Error Response</name>
              <t>The authorization server may choose to interact directly with the user based on a risk
assessment, the introduction of a new authentication method not supported
in the application, or to handle an exception flow such as account recovery.
To indicate this error to the client, the authorization server returns an
error response as defined above with the <tt>redirect_to_web</tt> error code.</t>
              <t>The response <bcp14>MAY</bcp14> include a <tt>request_uri</tt>, in which case the client is expected
to use it to initiate an authorization request as described in <xref section="4" sectionFormat="of" target="RFC9126"/>.</t>
              <t>An example of the response including a <tt>request_uri</tt> is given below:</t>
              <artwork><![CDATA[
HTTP/1.1 403 Forbidden
Content-Type: application/json
Cache-Control: no-store

{
  "error": "redirect_to_web",
  "request_uri": "urn:ietf:params:oauth:request_uri:6esc_11ACC5bwc014ltc14eY22c"
}
]]></artwork>
              <t>If no <tt>request_uri</tt> is returned, the client is expected to initiate a new OAuth
Authorization Code flow with PKCE according to <xref target="RFC6749"/> and <xref target="RFC7636"/>.</t>
              <t>If the client expects the frequency of this error response to be high,
the client <bcp14>SHOULD</bcp14> include a PKCE <xref target="RFC7636"/> <tt>code_challenge</tt> in the initial authorization
challenge request.</t>
              <t>If the client does not include a PKCE <tt>code_challenge</tt> in the initial authorization
challenge request, the authorization server <bcp14>MUST NOT</bcp14> return a <tt>request_uri</tt> in the
<tt>redirect_to_web</tt> error response, as that would effectively be the same as a PAR request without PKCE.</t>
              <t>Clients and authorization servers using the <tt>redirect_to_web</tt> method <bcp14>SHOULD</bcp14> follow
current best practices of redirect-based OAuth flows, especially those defined in <xref target="RFC9700"/>,
including mechanisms such as the <tt>iss</tt> response parameter defined in <xref target="RFC9207"/>.</t>
            </section>
          </section>
        </section>
      </section>
      <section anchor="intermediate_requests">
        <name>Intermediate Requests</name>
        <t>If the authorization server returns an <tt>insufficient_authorization</tt> error as described
above, this is an indication that there is further information the client
should request from the user, and continue to make requests to the authorization
server until the authorization request is fulfilled and an authorization code returned.</t>
        <t>These intermediate requests are out of scope of this specification, and are expected
to be defined by the authorization server. The format of these requests is not required
to conform to the format of the initial authorization challenge requests
(e.g. the request format may be <tt>application/json</tt> rather than <tt>application/x-www-form-urlencoded</tt>).</t>
        <t>These intermediate requests <bcp14>MAY</bcp14> also be sent to proprietary endpoints at the authorization server
rather than the Authorization Challenge Endpoint.</t>
        <section anchor="auth-session">
          <name>Auth Session</name>
          <t>The <tt>auth_session</tt> is a value that the authorization server issues in order to be able to associate subsequent requests from the same client instance. It is intended to be analogous to how a browser cookie associates multiple requests by the same browser to the authorization server.</t>
          <t>The <tt>auth_session</tt> value is completely opaque to the client, and as such the authorization server <bcp14>MUST</bcp14> adequately protect the value from inspection by the client.</t>
          <t>If the client has an <tt>auth_session</tt>, the client <bcp14>MUST</bcp14> include it in future requests to the authorization challenge endpoint. The client <bcp14>MUST</bcp14> store the <tt>auth_session</tt> beyond the issuance of the authorization code to be able to use it in future requests.</t>
          <t>Every response defined by this specification may include a new <tt>auth_session</tt> value. Clients <bcp14>MUST NOT</bcp14> assume that <tt>auth_session</tt> values are static, and <bcp14>MUST</bcp14> be prepared to update the stored <tt>auth_session</tt> value if one is received in a response.</t>
          <t>Clients <bcp14>SHOULD</bcp14> discard the <tt>auth_session</tt> when the user logs out of the app.</t>
          <t>To mitigate the risk of session hijacking, the <tt>auth_session</tt> <bcp14>SHOULD</bcp14> be bound to the device, and the authorization server <bcp14>SHOULD</bcp14> reject an <tt>auth_session</tt> if it is presented from a different device than the one it was bound to. One method of binding the <tt>auth_session</tt> to the device is described in <xref target="auth-session-dpop"/>.</t>
          <t>The AS <bcp14>MUST</bcp14> ensure that the <tt>auth_session</tt> value is unique to the session and protected from accidental collisions.
For example, if the AS is using a random string for the <tt>auth_session</tt> value, the value <bcp14>SHOULD</bcp14> have a minimum of 256 bits of entropy.</t>
          <t>See <xref target="auth-session-security"/> for additional security considerations.</t>
        </section>
      </section>
    </section>
    <section anchor="token-request">
      <name>Token Request</name>
      <t>The client makes a request to the token endpoint using the authorization code it obtained from the authorization challenge endpoint.</t>
      <t>This specification does not define any additional parameters beyond the token request parameters defined in <xref section="4.1.3" sectionFormat="of" target="RFC6749"/>. However, notably, the <tt>redirect_uri</tt> parameter will not be included in this request, because no <tt>redirect_uri</tt> parameter was included in the authorization request.</t>
      <section anchor="token-endpoint-successful-response">
        <name>Token Endpoint Successful Response</name>
        <t>This specification extends the OAuth 2.0 <xref target="RFC6749"/> token response
defined in <xref section="5.1" sectionFormat="of" target="RFC6749"/> with the additional parameter <tt>auth_session</tt>, defined in <xref target="auth-session"/>.</t>
        <t>An example successful token response is below:</t>
        <artwork><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "auth_session": "uY29tL2F1dGhlbnRpY"
}
]]></artwork>
        <t>The response <bcp14>MAY</bcp14> include an <tt>auth_session</tt> parameter which the client is expected to include on any subsequent requests to the authorization challenge endpoint, as described in <xref target="auth-session"/>. The <tt>auth_session</tt> parameter <bcp14>MAY</bcp14> also be included even if the authorization code was obtained through a traditional OAuth authorization code flow rather than the flow defined by this specification.</t>
        <t>The <tt>auth_session</tt> mechanism described in <xref target="auth-session"/> is an optional feature the authorization server can leverage in order to enable flows such as step-up authentication <xref target="RFC9470"/>, so that the authorization server can restore the context of a previous session and prompt only for the needed step-up factors. See <xref target="step-up-sms-example"/> for an example application.</t>
      </section>
      <section anchor="token-endpoint-error-response">
        <name>Token Endpoint Error Response</name>
        <t>Upon any request to the token endpoint, including a request with a valid refresh token,
the authorization server can respond with an authorization challenge instead of a successful access token response.</t>
        <t>An authorization challenge error response is a particular type of
error response as defined in <xref section="5.2" sectionFormat="of" target="RFC6749"/> where
the error code is set to the following value:</t>
        <dl>
          <dt>"error": "insufficient_authorization":</dt>
          <dd>
            <t>The presented authorization is insufficient, and the authorization
server is requesting that the client take additional steps to
complete the authorization.</t>
          </dd>
        </dl>
        <t>The response <bcp14>MAY</bcp14> also contain an <tt>auth_session</tt> parameter which the client is expected to include on a subsequent request to the authorization challenge endpoint.</t>
        <dl>
          <dt>"auth_session":</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14>.  The optional auth session value allows the authorization server to
associate subsequent requests by this client with an ongoing
authorization request sequence. The client <bcp14>MUST</bcp14> include
the <tt>auth_session</tt> in follow-up requests to the challenge
endpoint if it receives one along with the error response.</t>
          </dd>
        </dl>
        <t>Additionally, the response <bcp14>MAY</bcp14> contain custom values that describe instructions for how the client should proceed to interact with the user.</t>
        <t>For example:</t>
        <artwork><![CDATA[
HTTP/1.1 403 Forbidden
Content-Type: application/json
Cache-Control: no-store

{
  "error": "insufficient_authorization",
  "auth_session": "uY29tL2F1dGhlbnRpY",
  "otp_required": true
}
]]></artwork>
      </section>
    </section>
    <section anchor="resource-server-error-response">
      <name>Resource Server Error Response</name>
      <t>Step-Up Authentication <xref target="RFC9470"/> defines error code values that a resource server can use to tell the client to start a new authorization request including <tt>acr_values</tt> and <tt>max_age</tt> from <xref target="OpenID"/>. This specification reuses the Step-Up Authentication <xref target="RFC9470"/> error response to initiate a first-party authorization flow to satisfy the step-up authentication request.</t>
      <t>Upon receiving this error response, the client starts a new first-party authorization request at the authorization challenge endpoint, and includes the <tt>acr_values</tt>, <tt>max_age</tt> and <tt>scope</tt> that were returned in the error response.</t>
      <t>This specification does not update or alter <xref target="RFC9470"/> resource server error behavior and does not define any new parameters for the resource server error response beyond those defined in <xref target="RFC9470"/> and <xref target="RFC6750"/>. It only defines first-party client behavior for continuing authorization at the authorization challenge endpoint when such an error is received.</t>
    </section>
    <section anchor="authorization-server-metadata">
      <name>Authorization Server Metadata</name>
      <t>The following authorization server metadata parameters <xref target="RFC8414"/> are introduced to signal the server's capability and policy with respect to first-party applications.</t>
      <dl>
        <dt>"authorization_challenge_endpoint":</dt>
        <dd>
          <t>The URL of the authorization challenge endpoint at which a client can initiate
an authorization request and eventually obtain an authorization code.</t>
        </dd>
      </dl>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="first-party-applications">
        <name>First-Party Applications</name>
        <t>First-party applications are applications that are controlled by the same entity as the authorization server used by the application, and that users understand as belonging to the same entity.</t>
        <t>For first-party applications, it is important that the user recognizes the application and authorization server as belonging to the same brand. For example, a bank publishing their own mobile application.</t>
        <t>Because this specification enables a client application to interact directly with the end user, and the application handles sending any information collected from the user to the authorization server, it is expected to be used only for first-party applications when the authorization server also has a high degree of trust of the client.</t>
        <t>This specification is not prescriptive on how the Authorization Server establishes its trust in the first-partyness of the application. For mobile platforms, most support some mechanism for application attestation that can be used to identify the entity that created/signed/uploaded the app to the app store. App attestation can be combined with mechanisms such as Attestation-Based Client Authentication <xref target="I-D.ietf-oauth-attestation-based-client-auth"/> or Dynamic Client Registration <xref target="RFC7591"/> to enable strong client authentication in addition to client verification (first-partyness). The exact steps required are out of scope for this specification. Note that for applications running inside a browser context (e.g., Single Page Apps), it is much more difficult to verify the first-partyness of the client. Please see <xref target="single-page-apps"/> for additional details.</t>
      </section>
      <section anchor="phishing">
        <name>Phishing</name>
        <t>There are two ways using this specification increases the risk of phishing.</t>
        <ol spacing="normal" type="1"><li>
            <t>Malicious application: With this specification, the client interacts directly with the end user, collecting information provided by the user and sending it to the authorization server. If an attacker impersonates the client and successfully tricks a user into using it, they may not realize they are giving their credentials to the malicious application.</t>
          </li>
          <li>
            <t>User education: In a traditional OAuth deployment using the redirect-based authorization code flow, the user will only ever enter their credentials at the authorization server, and it is straightforward to explain to avoid entering credentials in other "fake" websites. By introducing a new place the user is expected to enter their credentials using this specification, it is more complicated to teach users how to recognize other fake login prompts that might be attempting to steal their credentials.</t>
          </li>
        </ol>
        <t>Because of these risks, the authorization server <bcp14>MAY</bcp14> decide to require that the user go through a redirect-based flow at any stage of the process based on its own risk assessment.</t>
      </section>
      <section anchor="credential-attacks">
        <name>Credential Stuffing Attacks</name>
        <t>The authorization challenge endpoint is capable of directly receiving user credentials and other authentication material like OTPs. This exposes a new vector to perform credential stuffing or brute force attacks if additional measures are not taken to ensure the authenticity of the application.</t>
        <t>An authorization server may already have a combination of built-in or third-party security tools in place to monitor and reduce this risk in browser-based authentication flows. Implementors <bcp14>SHOULD</bcp14> consider similar security measures to reduce this risk in the authorization challenge endpoint. Additionally, the attestation APIs <bcp14>SHOULD</bcp14> be used when possible to assert a level of confidence to the authorization server that the request is originating from an application owned by the same party.</t>
        <t>Implementors <bcp14>SHOULD</bcp14> rate-limit requests from the same <tt>auth_session</tt>.</t>
      </section>
      <section anchor="client-authentication">
        <name>Client Authentication</name>
        <t>Typically, mobile and desktop applications are considered "public clients" in OAuth, since they cannot be shipped with a statically configured set of client credentials <xref target="RFC8252"/>. Because of this, client impersonation should be a concern of anyone deploying this pattern. Without client authentication, a malicious user or attacker can mimic the requests the application makes to the authorization server, pretending to be the legitimate client.</t>
        <t>Implementers <bcp14>SHOULD</bcp14> consider additional measures to limit the risk of client impersonation, such as using attestation APIs available from the operating system.</t>
      </section>
      <section anchor="sender-constrained-tokens">
        <name>Sender-Constrained Tokens</name>
        <t>Tokens issued in response to an authorization challenge request <bcp14>SHOULD</bcp14> be sender-constrained to mitigate the risk of token theft and replay.</t>
        <t>Proof-of-Possession techniques constrain tokens by binding them to a cryptographic key. Whenever the token is presented, it <bcp14>MUST</bcp14> be accompanied by a proof that the client presenting the token also controls the cryptographic key bound to the token. If a proof-of-possession sender-constrained token is presented without valid proof of possession of the cryptographic key, it <bcp14>MUST</bcp14> be rejected.</t>
        <section anchor="dpop-demonstrating-proof-of-possession">
          <name>DPoP: Demonstrating Proof-of-Possession</name>
          <t>DPoP <xref target="RFC9449"/> is an application-level mechanism for sender-constraining OAuth <xref target="RFC6749"/> access and refresh tokens. If DPoP is used to sender constrain tokens, the client <bcp14>SHOULD</bcp14> use DPoP for every token request to the Authorization Server and interaction with the Resource Server.</t>
          <t>DPoP includes an optional capability to bind the authorization code to the DPoP key to enable end-to-end binding of the entire authorization flow. Given the back-channel nature of this specification, there are far fewer opportunities for an attacker to access the authorization code and PKCE code verifier compared to the redirect-based Authorization Code Flow. In this specification, the Authorization Code is obtained via a back-channel request. Despite this, omitting Authorization Code binding leaves a gap in the end-to-end protection that DPoP provides, so DPoP Authorization Code binding <bcp14>SHOULD</bcp14> be used.</t>
          <t>The mechanism for Authorization Code binding with DPoP is similar to that defined for Pushed Authorization Requests (PARs) in <xref section="10.1" sectionFormat="of" target="RFC9449"/>. In order to bind the Authorization Code with DPoP, the client <bcp14>MUST</bcp14> add the DPoP header to the Authorization Challenge Request. The authorization server <bcp14>MUST</bcp14> check the DPoP proof JWT that was included in the DPoP header as defined in <xref section="4.3" sectionFormat="of" target="RFC9449"/>. The authorization server <bcp14>MUST</bcp14> ensure that the same key is used in all subsequent Authorization Challenge Requests and in the eventual token request. The authorization server <bcp14>MUST</bcp14> reject subsequent Authorization Challenge Requests, or the eventual token request, unless a DPoP proof for the same key presented in the original Authorization Challenge Request is provided.</t>
          <t>The above mechanism simplifies the implementation of the client, as it can attach the DPoP header to all requests to the authorization server regardless of the type of request. This mechanism provides a stronger binding than using the <tt>dpop_jkt</tt> parameter, as the DPoP header contains a proof of possession of the private key.</t>
        </section>
        <section anchor="other-proof-of-possession-mechanisms">
          <name>Other Proof of Possession Mechanisms</name>
          <t>It may be possible to use other proof-of-possession mechanisms to sender-constrain access and refresh tokens. Defining these mechanisms is out of scope for this specification.</t>
        </section>
      </section>
      <section anchor="auth-session-security">
        <name>Auth Session</name>
        <t>Binding the <tt>auth_session</tt> to the device requesting authorization is important to prevent session hijacking and replay of the <tt>auth_session</tt> value. Without the device binding a captured <tt>auth_session</tt> could be replayed from another device. The following section describes one way to bind the <tt>auth_session</tt> to the requesting device. Other device binding methods are available and usable to prevent this potential security exposure.</t>
        <section anchor="auth-session-dpop">
          <name>Auth Session DPoP Binding</name>
          <t>If the client and authorization server are using DPoP binding of access tokens and/or authorization codes, then the <tt>auth_session</tt> value <bcp14>SHOULD</bcp14> be protected as well. The authorization server <bcp14>SHOULD</bcp14> associate the <tt>auth_session</tt> value with the DPoP public key. This removes the need for the authorization server to include additional claims in the DPoP proof, while still benefitting from the assurance that the client presenting the proof has control over the DPoP key. To associate the <tt>auth_session</tt> value with the DPoP public key, the authorization server:</t>
          <ul spacing="normal">
            <li>
              <t><bcp14>MUST</bcp14> check that the same DPoP public key is being used when the client presents the DPoP proof.</t>
            </li>
            <li>
              <t><bcp14>MUST</bcp14> verify the DPoP proof to ensure the client controls the corresponding private key whenever the client includes the <tt>auth_session</tt> in an Authorization Challenge Request as described in <xref target="challenge-request"/>.</t>
            </li>
          </ul>
          <t>DPoP binding of the <tt>auth_session</tt> value ensures that the context referenced by the <tt>auth_session</tt> cannot be stolen and reused by another device.</t>
        </section>
        <section anchor="auth-session-lifetime">
          <name>Auth Session Lifetime</name>
          <t>This specification makes no requirements or assumptions on the lifetime of the <tt>auth_session</tt> value. The lifetime and expiration is at the discretion of the authorization server, and the authorization server may choose to invalidate the value for any reason such as scheduled expiration, security events, or revocation events.</t>
          <t>Clients <bcp14>MUST NOT</bcp14> make any assumptions or depend on any particular lifetime of the <tt>auth_session</tt> value.</t>
        </section>
      </section>
      <section anchor="multiple-applications">
        <name>Multiple Applications</name>
        <t>When multiple first-party applications are supported by the AS, then it is important to consider a number of additional risks. These risks fall into two main categories: experience risk and technical risk, which are described below.</t>
        <section anchor="user-experience-risk">
          <name>User Experience Risk</name>
          <t>Any time a user is asked to provide the authentication credentials in user experiences that differ, it has the effect of increasing the likelihood that the user will fall prey to a phishing attack because they are used to entering credentials in different looking experiences. When multiple first-party applications are supported, the implementation <bcp14>MUST</bcp14> ensure the native experience is identical across all the first-party applications.</t>
          <t>Another experience risk is user confusion caused by different looking experiences and behaviors. This can increase the likelihood the user will not complete the authentication experience for the first-party application.</t>
        </section>
        <section anchor="technical-risk">
          <name>Technical Risk</name>
          <t>In addition to the experience risks, multiple implementations in first-party applications increase the risk of an incorrect implementation as well as increasing the attack surface as each implementation may expose its own weaknesses.</t>
        </section>
        <section anchor="mitigation">
          <name>Mitigation</name>
          <t>To address these risks, when multiple first-party applications must be supported, and other methods such as <xref target="OpenID.Native-SSO"/> are not applicable, it is <bcp14>RECOMMENDED</bcp14> that a client-side SDK be used to ensure the implementation is consistent across the different applications and to ensure the user experience is identical for all first-party apps.</t>
        </section>
      </section>
      <section anchor="single-page-apps">
        <name>Single Page Applications</name>
        <t>Single Page Applications (SPAs) run in a scripting language inside the context of a browser instance. This environment poses several unique challenges compared to native applications, in particular:</t>
        <ul spacing="normal">
          <li>
            <t>Significant attack vectors due to the possibility of Cross-Site Scripting (XSS) attacks</t>
          </li>
          <li>
            <t>Fewer options to securely attest to the first-partyness of a browser-based application</t>
          </li>
        </ul>
        <t>See <xref target="I-D.ietf-oauth-browser-based-apps"/> for a detailed discussion of the risks of XSS attacks in browsers.</t>
        <t>Additionally, the nature of a Single-Page App means the user is already in a browser context, so the user experience cost of doing a full-page redirect or a popup window for the traditional OAuth Authorization Code Flow is much less than the cost of doing so in a native application. The complexity and risk of implementing this specification in a browser likely does not outweigh the user experience benefits that would be gained in that context.</t>
        <t>For these reasons, it is <bcp14>NOT RECOMMENDED</bcp14> to use this specification in browser-based applications.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="oauth-parameters-registration">
        <name>OAuth Parameters Registration</name>
        <t>IANA has (TBD) registered the following values in the IANA "OAuth Parameters" registry of <xref target="IANA.oauth-parameters"/> established by <xref target="RFC6749"/>.</t>
        <t><strong>Parameter name</strong>: <tt>auth_session</tt></t>
        <t><strong>Parameter usage location</strong>: token response</t>
        <t><strong>Change Controller</strong>: IETF</t>
        <t><strong>Specification Document</strong>: <xref target="auth-session"/> of this document</t>
      </section>
      <section anchor="oauth-server-metadata-registration">
        <name>OAuth Server Metadata Registration</name>
        <t>IANA has (TBD) registered the following values in the IANA "OAuth Authorization Server Metadata" registry of <xref target="IANA.oauth-parameters"/> established by <xref target="RFC8414"/>.</t>
        <t><strong>Metadata Name</strong>: <tt>authorization_challenge_endpoint</tt></t>
        <t><strong>Metadata Description</strong>: URL of the authorization server's authorization challenge endpoint.</t>
        <t><strong>Change Controller</strong>: IESG</t>
        <t><strong>Specification Document</strong>: <xref target="authorization-server-metadata"/> of this document</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC7515">
          <front>
            <title>JSON Web Signature (JWS)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7515"/>
          <seriesInfo name="DOI" value="10.17487/RFC7515"/>
        </reference>
        <reference anchor="RFC7519">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="RFC7591">
          <front>
            <title>OAuth 2.0 Dynamic Client Registration Protocol</title>
            <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="M. Machulak" initials="M." surname="Machulak"/>
            <author fullname="P. Hunt" initials="P." surname="Hunt"/>
            <date month="July" year="2015"/>
            <abstract>
              <t>This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7591"/>
          <seriesInfo name="DOI" value="10.17487/RFC7591"/>
        </reference>
        <reference anchor="RFC7636">
          <front>
            <title>Proof Key for Code Exchange by OAuth Public Clients</title>
            <author fullname="N. Sakimura" initials="N." role="editor" surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Agarwal" initials="N." surname="Agarwal"/>
            <date month="September" year="2015"/>
            <abstract>
              <t>OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy").</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7636"/>
          <seriesInfo name="DOI" value="10.17487/RFC7636"/>
        </reference>
        <reference anchor="RFC8259">
          <front>
            <title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
            <author fullname="T. Bray" initials="T." role="editor" surname="Bray"/>
            <date month="December" year="2017"/>
            <abstract>
              <t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data.</t>
              <t>This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="90"/>
          <seriesInfo name="RFC" value="8259"/>
          <seriesInfo name="DOI" value="10.17487/RFC8259"/>
        </reference>
        <reference anchor="RFC8414">
          <front>
            <title>OAuth 2.0 Authorization Server Metadata</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8414"/>
          <seriesInfo name="DOI" value="10.17487/RFC8414"/>
        </reference>
        <reference anchor="RFC8628">
          <front>
            <title>OAuth 2.0 Device Authorization Grant</title>
            <author fullname="W. Denniss" initials="W." surname="Denniss"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="August" year="2019"/>
            <abstract>
              <t>The OAuth 2.0 device authorization grant is designed for Internet- connected devices that either lack a browser to perform a user-agent- based authorization or are input constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical. It enables OAuth clients on such devices (like smart TVs, media consoles, digital picture frames, and printers) to obtain user authorization to access protected resources by using a user agent on a separate device.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8628"/>
          <seriesInfo name="DOI" value="10.17487/RFC8628"/>
        </reference>
        <reference anchor="RFC8707">
          <front>
            <title>Resource Indicators for OAuth 2.0</title>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>This document specifies an extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client to explicitly signal to an authorization server about the identity of the protected resource(s) to which it is requesting access.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8707"/>
          <seriesInfo name="DOI" value="10.17487/RFC8707"/>
        </reference>
        <reference anchor="RFC9126">
          <front>
            <title>OAuth 2.0 Pushed Authorization Requests</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="D. Tonge" initials="D." surname="Tonge"/>
            <author fullname="F. Skokan" initials="F." surname="Skokan"/>
            <date month="September" year="2021"/>
            <abstract>
              <t>This document defines the pushed authorization request (PAR) endpoint, which allows clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent call to the authorization endpoint.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9126"/>
          <seriesInfo name="DOI" value="10.17487/RFC9126"/>
        </reference>
        <reference anchor="RFC9449">
          <front>
            <title>OAuth 2.0 Demonstrating Proof of Possession (DPoP)</title>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="D. Waite" initials="D." surname="Waite"/>
            <date month="September" year="2023"/>
            <abstract>
              <t>This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9449"/>
          <seriesInfo name="DOI" value="10.17487/RFC9449"/>
        </reference>
        <reference anchor="RFC9470">
          <front>
            <title>OAuth 2.0 Step Up Authentication Challenge Protocol</title>
            <author fullname="V. Bertocci" initials="V." surname="Bertocci"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <date month="September" year="2023"/>
            <abstract>
              <t>It is not uncommon for resource servers to require different authentication strengths or recentness according to the characteristics of a request. This document introduces a mechanism that resource servers can use to signal to a client that the authentication event associated with the access token of the current request does not meet its authentication requirements and, further, how to meet them. This document also codifies a mechanism for a client to request that an authorization server achieve a specific authentication strength or recentness when processing an authorization request.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9470"/>
          <seriesInfo name="DOI" value="10.17487/RFC9470"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-cross-device-security">
          <front>
            <title>Cross-Device Flows: Security Best Current Practice</title>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Daniel Fett" initials="D." surname="Fett">
              <organization>Authlete</organization>
            </author>
            <author fullname="Filip Skokan" initials="F." surname="Skokan">
              <organization>Okta</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This document describes threats against cross-device flows along with
   practical mitigations, protocol selection guidance, and a summary of
   formal analysis results identified as relevant to the security of
   cross-device flows.  It serves as a security guide to system
   designers, architects, product managers, security specialists, fraud
   analysts and engineers implementing cross-device flows.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-cross-device-security-16"/>
        </reference>
        <reference anchor="OpenID.Native-SSO" target="https://openid.net/specs/openid-connect-native-sso-1_0.html">
          <front>
            <title>OpenID Connect Native SSO for Mobile Apps</title>
            <author initials="G." surname="Fletcher">
              <organization/>
            </author>
            <date year="2022" month="November"/>
          </front>
        </reference>
        <reference anchor="OpenID" target="https://openid.net/specs/openid-connect-core-1_0.html">
          <front>
            <title>OpenID Connect Core 1.0</title>
            <author initials="N." surname="Sakimura">
              <organization/>
            </author>
            <author initials="J." surname="Bradley">
              <organization/>
            </author>
            <author initials="M." surname="Jones">
              <organization/>
            </author>
            <author initials="B." surname="de Medeiros">
              <organization/>
            </author>
            <author initials="C." surname="Mortimore">
              <organization/>
            </author>
            <date year="2014" month="November"/>
          </front>
        </reference>
        <reference anchor="IANA.oauth-parameters" target="https://www.iana.org/assignments/oauth-parameters">
          <front>
            <title>OAuth Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="IANA.JWT">
          <front>
            <title>*** BROKEN REFERENCE ***</title>
            <author>
              <organization/>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="USASCII">
          <front>
            <title>Coded Character Set -- 7-bit American Standard Code for Information Interchange, ANSI X3.4</title>
            <author initials="A. N. S." surname="Institute" fullname="American National Standards Institute">
              <organization/>
            </author>
            <date year="1986"/>
          </front>
        </reference>
        <reference anchor="SHS" target="http://dx.doi.org/10.6028/NIST.FIPS.180-4">
          <front>
            <title>"Secure Hash Standard (SHS)", FIPS PUB 180-4, DOI 10.6028/NIST.FIPS.180-4</title>
            <author initials="N. I. of S. and" surname="Technology" fullname="National Institute of Standards and Technology">
              <organization/>
            </author>
            <date year="2015" month="August"/>
          </front>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC6750">
          <front>
            <title>The OAuth 2.0 Authorization Framework: Bearer Token Usage</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="D. Hardt" initials="D." surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6750"/>
          <seriesInfo name="DOI" value="10.17487/RFC6750"/>
        </reference>
        <reference anchor="RFC8252">
          <front>
            <title>OAuth 2.0 for Native Apps</title>
            <author fullname="W. Denniss" initials="W." surname="Denniss"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <date month="October" year="2017"/>
            <abstract>
              <t>OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser. This specification details the security and usability reasons why this is the case and how native apps and authorization servers can implement this best practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="212"/>
          <seriesInfo name="RFC" value="8252"/>
          <seriesInfo name="DOI" value="10.17487/RFC8252"/>
        </reference>
        <reference anchor="RFC9700">
          <front>
            <title>Best Current Practice for OAuth 2.0 Security</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="A. Labunets" initials="A." surname="Labunets"/>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <date month="January" year="2025"/>
            <abstract>
              <t>This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0. Further, it deprecates some modes of operation that are deemed less secure or even insecure.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="240"/>
          <seriesInfo name="RFC" value="9700"/>
          <seriesInfo name="DOI" value="10.17487/RFC9700"/>
        </reference>
        <reference anchor="RFC9207">
          <front>
            <title>OAuth 2.0 Authorization Server Issuer Identification</title>
            <author fullname="K. Meyer zu Selhausen" initials="K." surname="Meyer zu Selhausen"/>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <date month="March" year="2022"/>
            <abstract>
              <t>This document specifies a new parameter called iss. This parameter is used to explicitly include the issuer identifier of the authorization server in the authorization response of an OAuth authorization flow. The iss parameter serves as an effective countermeasure to "mix-up attacks".</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9207"/>
          <seriesInfo name="DOI" value="10.17487/RFC9207"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-browser-based-apps">
          <front>
            <title>OAuth 2.0 for Browser-Based Applications</title>
            <author fullname="Aaron Parecki" initials="A." surname="Parecki">
              <organization>Okta</organization>
            </author>
            <author fullname="Philippe De Ryck" initials="P." surname="De Ryck">
              <organization>Pragmatic Web Security</organization>
            </author>
            <author fullname="David Waite" initials="D." surname="Waite">
              <organization>Ping Identity</organization>
            </author>
            <date day="3" month="December" year="2025"/>
            <abstract>
              <t>   This specification details the threats, attack consequences, security
   considerations and best practices that must be taken into account
   when developing browser-based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-browser-based-apps-26"/>
        </reference>
        <reference anchor="I-D.ietf-oauth-attestation-based-client-auth">
          <front>
            <title>OAuth 2.0 Attestation-Based Client Authentication</title>
            <author fullname="Tobias Looker" initials="T." surname="Looker">
              <organization>MATTR</organization>
            </author>
            <author fullname="Paul Bastian" initials="P." surname="Bastian">
              <organization>Bundesdruckerei</organization>
            </author>
            <author fullname="Christian Bormann" initials="C." surname="Bormann">
              <organization>SPRIND</organization>
            </author>
            <date day="25" month="May" year="2026"/>
            <abstract>
              <t>   This specification defines an extension to the OAuth 2.0 protocol
   [RFC6749] that enables a client instance to include a key-bound
   attestation when interacting with an Authorization Server or Resource
   Server.  This mechanism allows a client instance to prove its
   authenticity verified by a client attester without revealing its
   target audience to that attester.  It may also serve as a mechanism
   for client authentication as per OAuth 2.0.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-attestation-based-client-auth-09"/>
        </reference>
      </references>
    </references>
    <?line 742?>

<section anchor="example-user-experiences">
      <name>Example User Experiences</name>
      <t>This section provides non-normative examples of how this specification may be used to support specific use cases.</t>
      <section anchor="passkey">
        <name>Passkey</name>
        <t>A user may log in with a passkey (without a password).</t>
        <ol spacing="normal" type="1"><li>
            <t>The Client collects the username from the user.</t>
          </li>
          <li>
            <t>The Client sends an Authorization Challenge Request (<xref target="challenge-request"/>) to the Authorization Challenge Endpoint (<xref target="authorization-challenge-endpoint"/>) including the username.</t>
          </li>
          <li>
            <t>The Authorization Server verifies the username and returns a challenge.</t>
          </li>
          <li>
            <t>The user is prompted for verification with biometrics or a PIN, enabling the Client to sign the challenge using the passkey.</t>
          </li>
          <li>
            <t>The Client sends the signed challenge, username, and credential ID to the Authorization Challenge Endpoint (<xref target="authorization-challenge-endpoint"/>).</t>
          </li>
          <li>
            <t>The Authorization Server verifies the signed challenge and returns an Authorization Code.</t>
          </li>
          <li>
            <t>The Client requests an Access Token and Refresh Token by issuing a Token Request (<xref target="token-request"/>) to the Token Endpoint.</t>
          </li>
          <li>
            <t>The Authorization Server verifies the Authorization Code and issues the requested tokens.</t>
          </li>
        </ol>
      </section>
      <section anchor="redirect-to-authorization-server">
        <name>Redirect to Authorization Server</name>
        <t>A user may be redirected to the Authorization Server to perform an account reset.</t>
        <ol spacing="normal" type="1"><li>
            <t>The Client collects a username from the user.</t>
          </li>
          <li>
            <t>The Client sends an Authorization Challenge Request (<xref target="challenge-request"/>) to the Authorization Challenge Endpoint (<xref target="authorization-challenge-endpoint"/>) including the username.</t>
          </li>
          <li>
            <t>The Authorization Server verifies the username and determines that the account is locked and returns a Redirect error response.</t>
          </li>
          <li>
            <t>The Client parses the redirect message, opens a browser, and redirects the user to the Authorization Server to perform an OAuth 2.0 flow with PKCE.</t>
          </li>
          <li>
            <t>The user resets their account by performing a multi-step authentication flow with the Authorization Server.</t>
          </li>
          <li>
            <t>The Authorization Server issues an Authorization Code in a redirect back to the client, which then exchanges it for an access and refresh token.</t>
          </li>
        </ol>
      </section>
      <section anchor="passwordless-one-time-password-otp">
        <name>Passwordless One-Time Password (OTP)</name>
        <t>In a passwordless One-Time Password (OTP) scheme, the user is in possession of a one-time password generator. This generator may be a hardware device, or implemented as an app on a mobile phone. The user provides a user identifier and one-time password, which is verified by the Authorization Server before it issues an Authorization Code, which can be exchanged for an Access and Refresh Token.</t>
        <ol spacing="normal" type="1"><li>
            <t>The Client collects a username and OTP from the user.</t>
          </li>
          <li>
            <t>The Client sends an Authorization Challenge Request (<xref target="challenge-request"/>) to the Authorization Challenge Endpoint (<xref target="authorization-challenge-endpoint"/>) including the username and OTP.</t>
          </li>
          <li>
            <t>The Authorization Server verifies the username and OTP and returns an Authorization Code.</t>
          </li>
          <li>
            <t>The Client requests an Access Token and Refresh Token by issuing a Token Request (<xref target="token-request"/>) to the Token Endpoint.</t>
          </li>
          <li>
            <t>The Authorization Server verifies the Authorization Code and issues the requested tokens.</t>
          </li>
        </ol>
      </section>
      <section anchor="email-confirmation-code">
        <name>Email Confirmation Code</name>
        <t>A user may be required to provide an email confirmation code as part of an authentication ceremony to prove they control an email address. The user provides an email address and is then required to enter a verification code sent to the email address. If the correct verification code is returned to the Authorization Server, it issues Access and Refresh Tokens.</t>
        <ol spacing="normal" type="1"><li>
            <t>The Client collects an email address from the user.</t>
          </li>
          <li>
            <t>The Client sends the email address in an Authorization Challenge Request (<xref target="challenge-request"/>) to the Authorization Challenge Endpoint (<xref target="authorization-challenge-endpoint"/>).</t>
          </li>
          <li>
            <t>The Authorization Server sends a verification code to the email address and returns an Error Response (<xref target="challenge-error-response"/>) including <tt>"error": "insufficient_authorization"</tt>, <tt>"auth_session"</tt> and a custom property indicating that an email verification code must be entered.</t>
          </li>
          <li>
            <t>The Client presents a user experience guiding the user to copy the email verification code to the Client. Once the email verification code is entered, the Client sends an Authorization Challenge Request to the Authorization Challenge Endpoint, including the email verification code as well as the <tt>auth_session</tt> parameter returned in the previous Error Response.</t>
          </li>
          <li>
            <t>The Authorization Server uses the <tt>auth_session</tt> to maintain the session and verifies the email verification code before issuing an Authorization Code to the Client.</t>
          </li>
          <li>
            <t>The Client sends the Authorization Code in a Token Request (<xref target="token-request"/>) to the Token Endpoint.</t>
          </li>
          <li>
            <t>The Authorization Server verifies the Authorization Code and issues the Access Token and Refresh Token.</t>
          </li>
        </ol>
        <t>An alternative version of this verification involves the user clicking a link in an email rather than manually entering a verification code. This is typically done for email verification flows rather than inline in a login flow. The protocol-level details remain the same for the alternative flow despite the different user experience. All steps except step 4 above remain the same, but the client presents an alternative user experience for step 4 described below:</t>
        <ul spacing="normal">
          <li>
            <t>The Client presents a message to the user instructing them to click the link sent to their email address. The user clicks the link in the email, which contains the verification code in the URL. The URL launches the app providing the verification code to the Client. The Client sends the verification code and <tt>auth_session</tt> to the Authorization Challenge Endpoint.</t>
          </li>
        </ul>
      </section>
      <section anchor="mobile-confirmation-code">
        <name>Mobile Confirmation Code</name>
        <t>A user may be required to provide a confirmation code as part of an authentication ceremony to prove they control a mobile phone number. The user provides a phone number and is then required to enter a confirmation code sent to the phone. If the correct confirmation code is returned to the Authorization Server, it issues Access and Refresh Tokens.</t>
        <ol spacing="normal" type="1"><li>
            <t>The Client collects a mobile phone number from the user.</t>
          </li>
          <li>
            <t>The Client sends the phone number in an Authorization Challenge Request (<xref target="challenge-request"/>) to the Authorization Challenge Endpoint (<xref target="authorization-challenge-endpoint"/>).</t>
          </li>
          <li>
            <t>The Authorization Server sends a confirmation code to the phone number and returns an Error Response (<xref target="challenge-error-response"/>) including <tt>"error": "insufficient_authorization"</tt>, <tt>"auth_session"</tt> and a custom property indicating that a confirmation code must be entered.</t>
          </li>
          <li>
            <t>The Client presents a user experience guiding the user to enter the confirmation code. Once the code is entered, the Client sends an Authorization Challenge Request to the Authorization Challenge Endpoint, including the confirmation code as well as the <tt>auth_session</tt> parameter returned in the previous Error Response.</t>
          </li>
          <li>
            <t>The Authorization Server uses the <tt>auth_session</tt> to maintain the session context and verifies the code before issuing an Authorization Code to the Client.</t>
          </li>
          <li>
            <t>The Client sends the Authorization Code in a Token Request (<xref target="token-request"/>) to the Token Endpoint.</t>
          </li>
          <li>
            <t>The Authorization Server verifies the Authorization Code and issues the Access Token and Refresh Token.</t>
          </li>
        </ol>
      </section>
      <section anchor="refresh-token-example">
        <name>Re-authenticating to an app a week later using OTP</name>
        <t>A client may be in possession of an Access and Refresh Token as the result of a previous successful user authentication. The user returns to the app a week later and accesses the app. The Client presents the Access Token, but receives an error indicating the Access Token is no longer valid. The Client presents a Refresh Token to the Authorization Server to obtain a new Access Token. If the Authorization Server requires user interaction for reasons based on its own policies, it rejects the Refresh Token and the Client re-starts the user authentication flow to obtain new Access and Refresh Tokens.</t>
        <ol spacing="normal" type="1"><li>
            <t>The Client has a short-lived access token and long-lived refresh token following a previous completion of an Authorization Grant Flow which included user authentication.</t>
          </li>
          <li>
            <t>A week later, the user launches the app and tries to access a protected resource at the Resource Server.</t>
          </li>
          <li>
            <t>The Resource Server responds with an error code indicating an invalid access token since it has expired.</t>
          </li>
          <li>
            <t>The Client presents the refresh token to the Authorization Server to obtain a new access token (<xref section="6" sectionFormat="of" target="RFC6749"/>).</t>
          </li>
          <li>
            <t>The Authorization Server responds with an error code indicating that an OTP from the user is required, as well as an <tt>auth_session</tt>.</t>
          </li>
          <li>
            <t>The Client prompts the user to enter an OTP.</t>
          </li>
          <li>
            <t>The Client sends the OTP and <tt>auth_session</tt> in an Authorization Challenge Request (<xref target="challenge-request"/>) to the Authorization Challenge Endpoint (<xref target="authorization-challenge-endpoint"/>).</t>
          </li>
          <li>
            <t>The Authorization Server verifies the <tt>auth_session</tt> and OTP, and returns an Authorization Code.</t>
          </li>
          <li>
            <t>The Client sends the Authorization Code in a Token Request (<xref target="token-request"/>) to the Token Endpoint.</t>
          </li>
          <li>
            <t>The Authorization Server verifies the Authorization Code and issues the requested tokens.</t>
          </li>
          <li>
            <t>The Client presents the new Access Token to the Resource Server in order to access the protected resource.</t>
          </li>
        </ol>
      </section>
      <section anchor="step-up-sms-example">
        <name>Step-up Authentication using Confirmation SMS</name>
        <t>A Client previously obtained an Access and Refresh Token after the user authenticated with an OTP. When the user attempts to access a protected resource, the Resource Server determines that it needs an additional level of authentication and triggers a step-up authentication, indicating the desired level of authentication using <tt>acr_values</tt> and <tt>max_age</tt> as defined in the Step-Up Authentication specification. The Client initiates an authorization request with the Authorization Server indicating the <tt>acr_values</tt> and <tt>max_age</tt> parameters. The Authorization Server responds with error messages prompting for additional authentication until the <tt>acr_values</tt> and <tt>max_age</tt> values are satisfied before issuing fresh Access and Refresh Tokens.</t>
        <ol spacing="normal" type="1"><li>
            <t>The Client has a short-lived access token and long-lived refresh token following the completion of an Authorization Code Grant Flow which included user authentication.</t>
          </li>
          <li>
            <t>When the Client presents the Access Token to the Resource Server, the Resource Server determines that the <tt>acr</tt> claim in the Access Token is insufficient given the resource the user wants to access and responds with an <tt>insufficient_user_authentication</tt> error code, along with the desired <tt>acr_values</tt> and <tt>max_age</tt>.</t>
          </li>
          <li>
            <t>The Client sends an Authorization Challenge Request (<xref target="challenge-request"/>) to the Authorization Challenge Endpoint (<xref target="authorization-challenge-endpoint"/>) including the <tt>auth_session</tt>, <tt>acr_values</tt> and <tt>max_age</tt> parameters.</t>
          </li>
          <li>
            <t>The Authorization Server verifies the <tt>auth_session</tt> and determines which authentication methods must be satisfied based on the <tt>acr_values</tt>, and responds with an Error Response (<xref target="challenge-error-response"/>) including <tt>"error": "insufficient_authorization"</tt> and a custom property indicating that an OTP must be entered.</t>
          </li>
          <li>
            <t>The Client prompts the user for an OTP, which the user obtains and enters.</t>
          </li>
          <li>
            <t>The Client sends an Authorization Challenge Request to the Authorization Challenge Endpoint including the <tt>auth_session</tt> and OTP.</t>
          </li>
          <li>
            <t>The Authorization Server verifies the OTP and returns an Authorization Code.</t>
          </li>
          <li>
            <t>The Client sends the Authorization Code in a Token Request (<xref target="token-request"/>) to the Token Endpoint.</t>
          </li>
          <li>
            <t>The Authorization Server verifies the Authorization Code and issues an Access Token with the updated <tt>acr</tt> value along with the Refresh Token.</t>
          </li>
          <li>
            <t>The Client presents the Access Token to the Resource Server, which verifies that the <tt>acr</tt> value meets its requirements before granting access to the protected resource.</t>
          </li>
        </ol>
      </section>
      <section anchor="registration">
        <name>Registration</name>
        <t>This example describes how to use the mechanisms defined in this draft to create a complete user registration flow starting with an email address. In this example, it is the Authorization Server's policy to allow these challenges to be sent to email addresses and phone numbers that were previously unrecognized, creating the user account on the fly.</t>
        <ol spacing="normal" type="1"><li>
            <t>The Client collects a username from the user.</t>
          </li>
          <li>
            <t>The Client sends an Authorization Challenge Request (<xref target="challenge-request"/>) to the Authorization Challenge Endpoint (<xref target="authorization-challenge-endpoint"/>) including the username.</t>
          </li>
          <li>
            <t>The Authorization Server returns an Error Response (<xref target="challenge-error-response"/>) including <tt>"error": "insufficient_authorization"</tt>, <tt>"auth_session"</tt>, and a custom property indicating that an email address must be collected.</t>
          </li>
          <li>
            <t>The Client collects an email address from the user.</t>
          </li>
          <li>
            <t>The Client sends the email address as part of a second Authorization Challenge Request to the Authorization Challenge Endpoint, along with the <tt>auth_session</tt> parameter.</t>
          </li>
          <li>
            <t>The Authorization Server sends a verification code to the email address and returns an Error Response including <tt>"error": "insufficient_authorization"</tt>, <tt>"auth_session"</tt> and a custom property indicating that an email verification code must be entered.</t>
          </li>
          <li>
            <t>The Client presents a user experience guiding the user to copy the email verification code to the Client. Once the email verification code is entered, the Client sends an Authorization Challenge Request to the Authorization Challenge Endpoint, including the email verification code as well as the <tt>auth_session</tt> parameter returned in the previous Error Response.</t>
          </li>
          <li>
            <t>The Authorization Server uses the <tt>auth_session</tt> to maintain the session context, and verifies the email verification code. It determines that it also needs a phone number for account recovery purposes and returns an Error Response including <tt>"error": "insufficient_authorization"</tt>, <tt>"auth_session"</tt> and a custom property indicating that a phone number must be collected.</t>
          </li>
          <li>
            <t>The Client collects a mobile phone number from the user.</t>
          </li>
          <li>
            <t>The Client sends the phone number in an Authorization Challenge Request to the Authorization Challenge Endpoint, along with the <tt>auth_session</tt>.</t>
          </li>
          <li>
            <t>The Authorization Server uses the <tt>auth_session</tt> parameter to link the previous requests. It sends a confirmation code to the phone number and returns an Error Response including <tt>"error": "insufficient_authorization"</tt>, <tt>"auth_session"</tt> and a custom property indicating that an SMS confirmation code must be entered.</t>
          </li>
          <li>
            <t>The Client presents a user experience guiding the user to enter the SMS confirmation code. Once the SMS verification code is entered, the Client sends an Authorization Challenge Request to the Authorization Challenge Endpoint, including the confirmation code as well as the <tt>auth_session</tt> parameter returned in the previous Error Response.</t>
          </li>
          <li>
            <t>The Authorization Server uses the <tt>auth_session</tt> to maintain the session context, and verifies the SMS verification code before issuing an Authorization Code to the Client.</t>
          </li>
          <li>
            <t>The Client sends the Authorization Code in a Token Request (<xref target="token-request"/>) to the Token Endpoint.</t>
          </li>
          <li>
            <t>The Authorization Server verifies the Authorization Code and issues the requested tokens.</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="example-implementations">
      <name>Example Implementations</name>
      <t>To successfully implement this specification, the Authorization Server will need to define its own specific profile for what values clients are expected to send in the Authorization Challenge Request (<xref target="challenge-request"/>), as well as AS-defined specific error codes in the Authorization Challenge Response (<xref target="challenge-response"/>).</t>
      <t>It is expected that service providers will wrap the implementation of this specification in an SDK that will be used by application developers, removing the need for application developers to implement the specification themselves.</t>
      <t>Below is an example profile that allows for a successful implementation that enables the user to log in with a
username and OTP. This example is included for illustration purposes only to help AS developers define the profile
for their deployment and ecosystem.</t>
      <section anchor="authorization-challenge-request-parameters">
        <name>Authorization Challenge Request Parameters</name>
        <t>In addition to the request parameters defined in <xref target="challenge-request"/>, the authorization server defines the additional parameters below.</t>
        <dl>
          <dt>"username":</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> for the initial Authorization Challenge Request.</t>
          </dd>
          <dt>"otp":</dt>
          <dd>
            <t>The OTP collected from the user. <bcp14>REQUIRED</bcp14> when retrying an Authorization Challenge Request in response to the <tt>otp_required</tt> error defined below.</t>
          </dd>
        </dl>
      </section>
      <section anchor="authorization-challenge-response-parameters">
        <name>Authorization Challenge Response Parameters</name>
        <t>In addition to the response parameters defined in <xref target="challenge-response"/>, the authorization server defines the additional parameter below.</t>
        <dl>
          <dt>"otp_required":</dt>
          <dd>
            <t>The client should collect an OTP from the user and send the OTP in
a second request to the Authorization Challenge Endpoint.</t>
          </dd>
        </dl>
      </section>
      <section anchor="example-sequence-initial-authorization">
        <name>Example Sequence - Initial Authorization</name>
        <t>The client prompts the user to enter their username, and sends the username in an initial Authorization Challenge Request.</t>
        <artwork><![CDATA[
POST /authorize-challenge HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

username=alice
&scope=photos
&client_id=bb16c14c73415
]]></artwork>
        <t>The Authorization Server sends an error response indicating that an OTP is required.</t>
        <artwork><![CDATA[
HTTP/1.1 403 Forbidden
Content-Type: application/json
Cache-Control: no-store

{
  "error": "insufficient_authorization",
  "auth_session": "ce6772f5e07bc8361572f",
  "otp_required": true
}
]]></artwork>
        <t>The client prompts the user for an OTP, and sends a new Authorization Challenge Request.</t>
        <artwork><![CDATA[
POST /authorize-challenge HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

auth_session=ce6772f5e07bc8361572f
&otp=555121
]]></artwork>
        <t>The Authorization Server validates the <tt>auth_session</tt> to find the expected user, then validates the OTP for that user, and responds with an authorization code.</t>
        <artwork><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "authorization_code": "uY29tL2F1dGhlbnRpY"
}
]]></artwork>
        <t>The client sends the authorization code to the token endpoint.</t>
        <artwork><![CDATA[
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id=bb16c14c73415
&code=uY29tL2F1dGhlbnRpY
]]></artwork>
        <t>The Authorization Server responds with an access token and refresh token.</t>
        <artwork><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "d41c0692f1187fd9b326c63d",
  "refresh_token": "e090366ac1c448b8aed84cbc07"
}
]]></artwork>
      </section>
      <section anchor="example-sequence-refresh-token-request-triggering-additional-authorization">
        <name>Example Sequence - Refresh Token Request Triggering Additional Authorization</name>
        <t>This example illustrates the use case described in <xref target="refresh-token-example"/>.</t>
        <t>The client sends a refresh token request to obtain a new access token.</t>
        <artwork><![CDATA[
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&client_id=bb16c14c73415
&refresh_token=e090366ac1c448b8aed84cbc07
]]></artwork>
        <t>The Authorization Server determines that additional authorization is required (for example, step-up or re-verification) before the refresh token can be used, and returns an authorization challenge error response.</t>
        <artwork><![CDATA[
HTTP/1.1 403 Forbidden
Content-Type: application/json
Cache-Control: no-store

{
  "error": "insufficient_authorization",
  "auth_session": "ce6772f5e07bc8361572f",
  "otp_required": true
}
]]></artwork>
        <t>The client prompts the user for an OTP, and sends an Authorization Challenge Request to continue the authorization session identified by <tt>auth_session</tt>.</t>
        <artwork><![CDATA[
POST /authorize-challenge HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

auth_session=ce6772f5e07bc8361572f
&otp=555121
]]></artwork>
        <t>The Authorization Server validates the <tt>auth_session</tt> to find the expected user, then validates the OTP for that user, and responds with an authorization code.</t>
        <artwork><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "authorization_code": "uY29tL2F1dGhlbnRpY"
}
]]></artwork>
        <t>The client sends the authorization code to the token endpoint.</t>
        <artwork><![CDATA[
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id=bb16c14c73415
&code=uY29tL2F1dGhlbnRpY
]]></artwork>
        <t>The Authorization Server responds with an access token and new refresh token.</t>
        <artwork><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "d41c0692f1187fd9b326c63d",
  "refresh_token": "f2b0f7d9a41f4d59a8c1e9b3ab"
}
]]></artwork>
      </section>
    </section>
    <section anchor="design-goals">
      <name>Design Goals</name>
      <t>This specification defines a new authorization flow the client can use to obtain an authorization grant. There are two primary reasons for designing the specification this way.</t>
      <t>This enables existing OAuth implementations to make fewer modifications to existing code by not needing to extend the token endpoint with new logic. Instead, the new logic can be encapsulated in an entirely new endpoint, the output of which is an authorization code which can be redeemed for an access token at the existing token endpoint.</t>
      <t>This also mirrors more closely the existing architecture of the redirect-based authorization code flow. In the authorization code flow, the client first initiates a request by redirecting a browser to the authorization endpoint, at which point the authorization server takes over with its own custom logic to authenticate the user in whatever way appropriate, possibly including interacting with other endpoints for the actual user authentication process. Afterwards, the authorization server redirects the user back to the client application with an authorization code in the query string. This specification mirrors the existing approach by having the client first make a POST request to the Authorization Challenge Endpoint, at which point the authorization server provides its own custom logic to authenticate the user, eventually returning an authorization code.</t>
      <t>An alternative design would be to define new custom grant types for the different authentication factors such as WebAuthn, OTP, etc. The drawback to this design is that conceptually, these authentication methods do not map to an OAuth grant. In other words, the OAuth authorization grant captures the user's intent to authorize access to some data, and that authorization is represented by an authorization code, not by different methods of authenticating the user.</t>
      <t>Another alternative option would be to have the Authorization Challenge Endpoint return an access token upon successful authentication of the user. This was deliberately not chosen, as this adds a new endpoint that tokens would be returned from. In most deployments, the Token Endpoint is the only endpoint that actually issues tokens, and includes all the implementation logic around token binding, rate limiting, etc. Instead of defining a new endpoint that issues tokens which would have to have similar logic and protections, instead the new endpoint only issues authorization codes, which can be exchanged for tokens at the existing Token Endpoint just like in the redirect-based Authorization Code flow.</t>
      <t>These design decisions should enable authorization server implementations to isolate and encapsulate the changes needed to support this specification.</t>
    </section>
    <section anchor="document-history">
      <name>Document History</name>
      <t>-04</t>
      <ul spacing="normal">
        <li>
          <t>Editorial clarifications and improvements</t>
        </li>
        <li>
          <t>Updated HTTP response codes for consistency</t>
        </li>
      </ul>
      <t>-03</t>
      <ul spacing="normal">
        <li>
          <t>Editorial clarifications and improvements</t>
        </li>
        <li>
          <t>Pointed definition of authorization code to section 1.3.1 of RFC 6749</t>
        </li>
        <li>
          <t>Updated <tt>auth_session</tt> binding requirements to <bcp14>SHOULD</bcp14>, and added a reference to DPoP</t>
        </li>
        <li>
          <t>Revised introduction and context to clarify this draft is intended for first-party applications but can be extended for third-party in some situations</t>
        </li>
        <li>
          <t>Added <tt>response_type=code</tt> as a required parameter to match RFC 6749</t>
        </li>
      </ul>
      <t>-02</t>
      <ul spacing="normal">
        <li>
          <t>Updated affiliations and acks</t>
        </li>
        <li>
          <t>Editorial clarifications</t>
        </li>
        <li>
          <t>Added reference to Attestation-Based Client Authentication</t>
        </li>
      </ul>
      <t>-01</t>
      <ul spacing="normal">
        <li>
          <t>Corrected "re-authorization of the user" to "re-authentication of the user"</t>
        </li>
      </ul>
      <t>-00</t>
      <ul spacing="normal">
        <li>
          <t>Adopted into the OAuth WG, no changes from previous individual draft</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors would like to thank the attendees of the OAuth Security Workshop 2023 session in which this was discussed, as well as the following individuals who contributed ideas, feedback, and wording that shaped and formed the final specification:</t>
      <t>Alejo Fernandez, Brian Campbell, Dean Saxe, Dick Hardt, Dmitry Telegin, Evert Pot, Filip Skokan, Janak Amarasena, Jeff Corrigan, John Bradley, Joseph Heenan, Justin Richer, Kristina Yasuda, Martin Besozzi, Matt MacAdam, Mike Jones, Orie Steele, Tim Cappalli, Tobias Looker, Yaron Sheffer, Yaron Zehavi.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+196XbbVprgfz4FRjndZaVIWpLlTadcU7JkO0piS23JnU5P
z7FB8FJERAJsAJTMOOkz7zAvMM8yjzJPMt92V1xQtONKpbrj052iSOAu3/3u
ty+DwaDX5M1MHSRbp4fLZprsDXeSSVklz/OqbgZnadWsksPFYpZnaZOXRb3V
S0ejSl2bFyIPw0PwtLosq9VBUjfjXm9cZkU6h1nGVTppBrlqJoMyhdcHE3p1
ga8OUnh1sLPfq5ejeV7XMF2zWsBLJ88unveK5XykqoPeGEY+6GWwFFXUy/og
aaql6sF67vXSSqWwrnOVLau8WW31bsrq6rIqlwv49js1SnDBZZX/SFtJzqqy
KbNyttW7Uit4dHzQSwZJAT9eqwTXgn8668M/adG9a1UsYRFJssngScK72PoO
VpMXl8kLfAm/n6f5DL6nMf+CMBmW1SX+kFbZFH6YNs2iPrh7F5/Dr2BdQ/3Y
Xfzi7qgqb2p1l0a4i29e5s10OdKDDm4u78bBjM/OAJJ148xDh1MP6Y1hoZqO
d+/eeojDaTOHnfdSAgmCFaZLkslyNmM0OEwrhBEcWHaV02+wpbQQ4B0kp1dN
Sl8rhlGKz/9lwc8Ps3KOZ+GM90LB+yp5PlNNNlVVZMSzKs0aQOJZcjJWBeD8
Kvn22yN3jksa4y8L/WAuz0WmO4O9qyr5Jq1rNZunRWS+YzVJr5oy0cjozrSg
1/8y5keGtX6kV5TVnNAPcev186MHD/cfy8eH93fv24/228e7+uODew/k46O9
+/qBR/u7+/rjg71H+uPDnYfy8fHunn7t8b6Z7fH+wx38eDI4HjrnnFVlXQ/G
6jrP1EAvG587Xaji5Hj4ihY/OD8/PaD9CmnhX5OjsihU1iT8VAJPEfF4WY7y
mSK6wS+lcAyAlhorS3g7HxM+1guV1fLFIOPhBnxhB3VdDnbf7hDq0TgG+ejf
IMkLIBYvhj6SEDVJXpXXCqlLsrezt2e2s24PR2Wlkt3hzietOIOX/bUGy3jU
h5Xs7ndv49UwOU+v8vmySv0fvh4mT6t0PFMr//uXw+TrslC1/+3TYTJWyUs1
VjmcrP/b0RBOpmryOSwWMeHw1SFTBrzncAsAg+sD/cPX313g5zfnh+dHJyce
4LaOyrEaJ0fTFC8WbO5cNclgkDwcjPImOZyrCi5bkZw3aTFOK3gQHie8OCkm
fB2AUpwU8GY2TYtL1U8OX52fJP9yb7i/FQEQX9AtM+4rGgCuvZ6ghsFqWNuy
UVsO7HcfP3oAf55/de6v/t+Ynajkq7Se2lXegQe3/22rnzw/OTtPzt48TXYf
7Qz2+8nx6UmyuzN8sLP36O6rk/OLIT4wpB/XLNes0qwtKSfOkuF/kwuVTYty
Vl6u3HUfLi+XdYPocr+Fi0jS3w/HZU4Mo2NVvV6uAe3Qnfs7lpbsaaLwcEd/
+3iPCUhAH5gdVYNRWqsxcYLIQ2mDbIc2LA9msxxI7QB/Pej1BoAc6ahuEF16
vYtpXicgPizn8Ahg6yQHLE6aqQr4LeDXbKYAP5JnxXhR5kXTT26meTZN6uVi
AYhc93gafDltkpsUhgP6DHeyqcoZjbioykzVNYK+HDVpXiC3Tr1pJlU5p2eX
sE/4Dz2hZQb1fgFYp4pMDXu9kwL4e7FKMthi3Yd3YB+IkDDJNbAWONIE+Uul
ZqtE4DbDya0YZoeDPeQNXCK8FjxXL3Vksn5SFjDKWM3UJXwDS4KN4SJlXLjQ
ybLA4eACjvvJNL+cDqq8voIXq0RVFfwX4DDOaTRYO53BPB8DHen1vsDbV5Xj
ZYY/ByfST7qlwOTO8/zscLvfU+8bVYz51Oz2/PN7jjQF5bXkwwfhfD//nNyA
ONMD+KobABYfK+5NjtQDwi8+1t7tx9qnBRmwVmoM50dgSVKAiaqzKh/BOeVF
z5emheURVGh/eK1gfzDdmA8P3k+TCeDwKM2uAHNVAbsGwjweIsRVwsgL+wIs
zxqkCCuYBk4MiEbuUEofQZFunJ2eXwh0nAd7MOGNms1wYvf9dFQuGxqAZ/xD
Ddv89yXcWI1Ut967Hs4KcFGw5TpRADFaSQDyDOh8n8GGdxqBBqA5F3DuDu8N
d/HEDC4QroKopdEVrhC8Ual6garAMEEg2d968xThM0bsULz5xoFiWhCG5CDG
47YAQ+aLxoINjwz5nguZfg+Hhhc7R8XzqnG4WbosgPCkBlHgu2l6rewEIFIu
QAxRhHOTWXmDezHPy5HfBugE7iEhEAzPqNAo547pYRezNCN2YtC1uMS98CoZ
052F4gD+SembB8v6boqiWkqisCE4sAK4iFWZwp756uAYejam8eFm8Pguq5Q3
cakKVcHuVr1FpSZwiEikiGCSpqFJJt6QuUIpIK/ndEYO8GHlPN8Mzx2kBeQe
dFs10BFFcsZmeBAHQzoIm7isFMEHFEnA8pFqbhTcvjYcYIxrEBsRu+3EhMKI
4QrVPNQbcAE1Lc9RixKXVA17J01ST8vlbAzTISbWsL1KkwK6/GkIQAPiXKix
wtNPQXZGXQbU5SWyGZxWvU8Ru/o8UA1A4GNGjAdSbHaYOrquXluid6cxYpzX
1XLR1BZ3fyiXVaFW9CSc1zXz1LS+0lgNwww1m6DzS2d1mbhMoCmvlL27yR0L
OVw/zOJebTxahMYEvpiaV4kkbSdMampYEnJJOiD/xRnegq6zRJISvk2XqeOG
y5mB9K5p4hrpQPCNSUY2W46VXjYeRt2oxWC5oAFQDhDwj1byMD5jBW2fSIqC
BvxDiDiA+4svkjd1eqkIImKwYdyQo0BNJJ/oeXJiV/llIVIFLlordED64Gbj
jehEYOH17V8SUNGTNlvGb4Ulz2BG2CVNCLtLRBnnWxQ/JcZJGAbBClhfwGWp
UTbGt0ZqVhaXjtDjjCpH0L11eGWkmIjCmtzttq9GrQVKOU2YugTyMmf1FVcD
34E+vwjueu+sKifwCAkgTXs9tDO+HYI7eIywsgIEZHdJeC9Imkxevjm/MOJG
MmUMzyvvIscnS6/LXC4hCoBwXqA3ZzkRcaGWeTW2B1u3qSqCOiCsz12qg4It
7qbuXgVvuUhHCJUJSDmVYL9QJscGB5ImPFOUgENAYVDqCVbI0h5JRUkGNBNP
HgiOfxf7CVAgu/dadg+H80YYVhtNAP0yWGOVl3ByJMPAsnHtJbxuZT0UNGYq
JVxaFgikAvVdc5mYTObXabZCRgZbnteazFWs2SGa55nSfK7CdZ1MgOgFP9TJ
fDlr8sWMQdOnl1msr2U4XAQsz3suKQt7Mdh40xeWhYsHDAK4o2Z+k64ISWvQ
1VkuwEFBAgSlMy98zkjjWqgo5Ex4GjkiAWoGHWAtjXgNOv/xNyKX6pfqyCsB
en340DI2ASHsFBHKQmksYeGflAniIjXeefWezApMP+hLQpy04M3Bqyz0o1SM
2LdkfUquAq7uHKSHDx80xAfu5YeFGVFyrGD2GdEDQBfEQDgJxbyJFUFAFgD+
hw8adQZaMNCD8YETV6chCfK4wQ46jaROVCWUqDoXyezj23yeN0K0o9fW4+mu
Jl5ek/gGkNM6HO4aeAicT+WpUiyZsmriMz5HdyZRHiSLLK815/1//+t/Cy9w
QG+lX2csR8i+o4aXw74I93BbMi1By81BFgxXDFhykcEqt4lL0QVmY8wML/ak
0RIB4NcSlK2xWszKFSMrsSB4CZED701WLpSw0xYWd7FhQzGYFy2YWdCftdh/
8h+Vec8FAAgIeG8BEERLGdJateAHYUEVklmgf7OlrINEBYDPM2tfOPIwrYfy
KS5tjqhjNWp6xMLXsU/gBTYcHyAxzicgx6PIFByzPYPEUUBxSCZMzFmYz5qJ
YCm4UThFYfNaSkA7i0ccHAGLiRc+rRAQ8PcCeB26eZAepskM0V2NB3mxWDZ6
dkGZNLn4523kJughwWdLOl/WDaucgX/DuhDLtovSKD5CM81suN5ihddUzViy
Je5blvNhcsp/MK2B2zzGuQ2MgJTBPq3sE8r3oIfBpKoC9gKQhtXi8Qixv/hn
+GJeNoyPz0+OT/doSVcouftncqMVkTS5LMuxb8ZqK6LnfBHPvzp98+1xGy3+
UJujREIF97gWbrAGFUh4ugZJboFMLBwaBhJOY9DkNjbjWdrCbRmJl6WXkwnL
+OV8lBdGeKLDltnonnesXg6pbqOLwRSYzYgDbHYzW9OmJn/1s/zKtZQd8yr8
Y3hB2jMbkx7sPQIqrjfysS8Sm1AzMQ7y3UNsQ1R0HD6BbG7YLFBYZmggF5cV
UAxNhM2eR6gpiV8NhmXH2iRndeaIppCVPgdtrT4wTrPkKb55tKyIlIgLD7nt
Jn4p4msRmks3lvTC2iBCFMPvHJ5vW7uCJUekj3qmbh80PZcw8pEcniOQSYpF
YuySMDvudZ6K5cQQMdE7gV2LKrNlrAJNObhRoy0HrXs4hUJTZ1qtfOUX5oe/
52lBqoV7Nq54GtcIUOox3MfHAVmpGvdEoxMCwMtGVoOc5ZoZKl/zY5QbcmEz
SFyQICGdhL2hWrPV5/9NXp3S59fP/unNyetnx/j5/KvDb781H3ryBFML+8m+
eXT68uWzV8f8MnybeF/1tl4efr/FosDW6dnFyemrw2+3mD67Pgdk8MybiaMC
QSOLV91z7b3J06Oz//t/dvcBN/8bXKy93V00X/Mfj3Yf7qMtG8gHz2asPCSG
r9CMrVKy0qMUlaULkMNmNVmWalDuigRldYDml/8DIfM/D5I/jbLF7v6f5Qvc
sPelhpn3JcGs/U3rZQZi5KvINAaa3vcBpP31Hn7v/a3h7nz5p/8OkoxKBruP
/vufeyStXKhqnrPrK3qjiViRXQkeBDw6zMjef4HyPB592/aIp+9/q42q7eeZ
GmwROYAfjwi3t8wnoh2WMeDI8sOJpnOV8zSQNkAg/ILp8MVqofAvjBchCpy8
FoMUjvTa8TC8eX1CaC2GMLM7/XxyelPwVOYbs/TX59tkt9yit+xmjV0J7q/j
d0HCeXp8egBrYeux/JKQeRZpTc20QbOaXbzqOuQlOb1GvVXd0AVHexDpKmhl
BUozR+JEmmaEbWsj4TWq3UsUoqqGBEpg5zxXvQJ6M2cp9kT8H/55vWai1Ov9
x3/8B1yhLM8HMIr4Wzf/98dB+98fP3qUn+D//eXBd2tGufN0O3xcRoF/wpfk
O38UZ7l/xL+tu0DgAW+0t/THn3p3DrcZNfFXmIgte/B0ZP/w788//dTa0U+0
lvMGD+snXi57Ac3K23D5yVsjf4WjoARAu/kzPCF3JvnpT/HF0CjWH2JH8Q/A
fLxzFIVue5FrR8EpydH0WhuaP3EU+nfQhsuvPsqd488ElxjWfdwoa7DuI9cS
+feRo6zFus3XcufZdosGdN3G9Tsit5mPdbFdfjxc/o5HufN8m3nhL16LQVn7
/ced0S2466zy03HXJXa/Bu6+ANx1xCn5/hNwN7Kj2HfruVrkX5xPA+/vPc8v
l5U68OJSHJkt8EYbsWEAkt422SBds6r2ABKTS4zbfrRyLRxGlWPFKdlCNxPI
9VvJaNk0bAkQXwU+3hm30U/qJdrTa/HrUNxoko7HFcWxsO8AQ8eSOzVZnz21
bCDBAPDx55+3h7ihp7wh2YQOFoi53LRjEzY2T6/YOIERJB8bBaJXZuwk2mUK
S+on5cKYWAlULiQEQOiY9GJZxDbHsHBgwDs84h1G/Ydj9KHOyVztmpLcScVW
NN54e2Ran4DgqqMPOJrBm18cNBwAw17pca2V6kg4jLij/cc4piUCTeYCeMIg
CLMwbSyDeeNuml2wY47vCuKFyGaAcUbalR6Z3Q2uQY8RenLRk9IxJAJjiYY3
x3NO9lI/Asl13BUg+IuFQ2zaKPTHrwpejtE8b/j7zcOSdGhDIbFJ4oTibZVV
7Dxws5UC5RwuviInR9Lkc1UTxh17d+oyxVOuu2AiyCtuZ22INcdJwU1loQY4
PM9NyE/IzlEOcBvJJPcpl5HW+4zXeytmg3q6rMhaEwEJjfTc23ltwjoiEJQw
MDKRkL8Fl2F9canEc5ib7uunGu3pIYeA0CpexPZzrkNAzB487tUxD6uTnmZt
+cF3U/F5yn7FNOoHpLhbQgdjyrPSj/3uyIaXh9/rOxdc+FYYSqUGgQm6nHgu
EglsGuvNiA3A34eh6SbsxUGlNAyG6Ys90o+Q6V407LqsxuKksWboc4x1ebMI
LCUO7hnLgRPb0tf7Z8b6kRC44K/ZoWrjZbRxr+WFQ0Ow4zDjoCpmTY2NvuFd
4iVO2duGfgsdnwAsZIGhARymTq54b+qmVrPJ0DOUaPyr6chuvZkfvvD5vOUG
OkTvZ955cBHNSMrhXkFUrWMI6grYaKbdnmY2wdlLEKcdmy+uSL66uDhLDs9O
Epk5en+Ys8Fdwwg1esMlj8LGnDAqcb7Rkxrx52gwh/lH5XjlxC++c7Z39/3g
5uZmgOR8sKxgubid8buE6bswLv4jmVIkb2bSHehhHBRQ8c3F88GjfhgrDGhy
uFjA9vP3yVMv5nUYkWkiAHvz+lsOCUKMx7VzRtdWUmdTNVccTdIJQxMQqZ0N
/h0z7mz9cxMhoH1mrN10DldHjheZ7eMmu5W/SRCGk0hgB40HYRxGlmmiJTqc
imIH19F8uDIEPVOhvCVBRDC7iD4pQAIcTcdpk1rXAzvp9nf3KVTcYqb79lsz
z1s9zzuL8q0Aa5+C8MwDPbO4zDZAOT5QunhrlAjn5oXrsDH+2gcXDzp2wwTQ
E9XxlIk4cyJedJhhDNjD5BnLyhzwhNqWM4Q+YSDU8Os3iuNSSU18xvFCoHmd
fXMEsgztBHPvkGMZpnvCrKusdLj/w52HOn4nyCTT8Ux421+VmtvXJQYxmjA6
B5AUSD5XacFiMdCaGzWysb0Yy1ASP2o/KEE4NkBKpNJ3Wpl4i5GfT+DsqtU7
UCu+Whc6i9EKM/Ldx9bJu0BaWJTuIuhW6UBGpPRu6Iyf6rBOSyXdm4h7WZnw
rI2VSPS3dwjiON7L54fEr7Y3vQwm4Dhfn+7AGQxOlkJfJPsV00ajVxV8x98C
U0WwvnMCYlwhFA9jOeIIpsYwPYyJWVa0iqycz5eFiS124vc0fS3G3YLpFP2S
xaY0mDe3klgWFIaqHMhKtTJwqtex8qG4+oit6DcY/o33ncl6kNtt4/8d2cOR
vuG5nmOiQXHOn58Vd1K9HYm+xaV7Njnl3nDPZ9NRr2Q74L2NMN0R6r2ucPSJ
nO3GonAvlCxPjHmoJVE6liNgkRq2iKA3OUHGJpq0MFzbw0hElKg7zygmhD6v
ZJXGPUrKL28KFIhl4V3lDWWgtkTrmBeI6nAQ6zQXtHeiOmSbJqgZrRGkrdbW
EAdqAS5JjAZIImi/fKNZ1QkSNvB3E5MTt0vR43WAxiaAzxgZdZBQmBES5blu
IlF/o7suYs2kJEwUsRfDVChuJ5PoGxu/Y7MQOQxYuIib14Zz4U0D6OFNBD64
Ta/pHaAzW2KOckk6wetSodkEkWMAAjlROfhfvF0lW1mr6yB6JRqn2u8O6SGx
BYNSJ0w8thx9poCFbul7JDAbqUkpqQt5sfQi30PJlU5bQnvZahFURQijgh1L
kR/oO1yrDWovxYcv2qZVj39qg1FgK7r1JsEVxqXxze0xVvjZKH1XKHNEE4mc
XjmiVP/jNKqeKFFiP1+jRUVVOVThDnq9LYbA23y8ddA7SHQ4DKyloBRb54Dz
2jtIm0USvSl0t+YpCG4i4CyLdD7KL5flssYMCU3R3CnItOeEddn0kTabv05n
SxUJwAKA5pI2xI8yqK1UEF0txkAaK7C3aV3ZwjXjIcd3NZt3BojvEkzy4nBO
DGPlK1IrJ2eYqYaqid6h8bnknOd16qC5hiIVuBMGkKTMBU3GJO/gJqc0DNme
zWISMLNoRRNV6gdN6c0ZmFWiqAwXbosEUEIXHZLE0JGoE4rsjisw+LZ7jMEg
Jx5BQYkYk+ZyxhgWWcj4TpDS59sPDQQU5ig/8pR4YazuF1k5SZz2fjsKmA72
YbVliGUPiGAFsYVCp6zOHMz5liNfb59awpg/xwqMpoI1dbzbDcQXMMsV0nZb
GcTvvNffuYIS40s8dp/RSEvneJp8UWHwd7jVd7CycxOfryOTJRreIZWOhklU
pj0P3EEGkcsdHArr5KulItY42bleKHwTcgISJww1d7iCFemIi/Uu82vREnQo
+xSvPRdg6icUnTeqVHqlwxPJeDqbLbFmA3vTlhWaQmuKdASCjH5aMszdNWGv
1nhJJPwuHBY99lWJJYlEJ5DNcAWeBOMfKDtjcEEFlW5lJzwxyX1vUe578g97
T3cH93Z3Brt79wb79x88pAf+kW73E8m84K8MLXoyGu0+yHb3s4f39qXExj96
WPSE0s3Xc2yR9n2WLf67mI75CX7L5cLgVIeDklKEO/PwUWCbJGSgu9VPaYha
6EgsG3dOQguYVGTm2LQbWA3jngaT94+Qb4HeDZNZA19Omo6vDSOaKaIfVy9C
hhxjxljYJdn8UAMr782BkqVU+StG97BCk5S3CO6lvewUsKkN4Xs7O8md02+2
MQChWda0xANhPI4pEENbkSgmDlmMqE9UPAE3v95G5lMUvk36stKKTr+55Voi
LPiRNJuqwRGnAB8ApgzqBgsL0Y8fJOgjuptka/n93uPm273nu+MX09moeL34
ngvg/MxnH8TiuZeMcMW9aoK3mvgJSUeD3zUW/HJJLTmEsrIidQWNo1QAIl+j
zqGKzF4QnaPl58maVNp+b40xPrh9dPr7ePpP07EW/rd7Dhokd0SsFV6CZQSM
gITCPEXR5tlyllaO7YkDgo0w2oWFdgvOlTPAdp57R0O/68uHtyzAUJzHOy4J
Ij+A5vaOQoL1pcDfmKW57kNXwkLGTRuXl4tx7516v0Cvxdu82Hg0rHXGTpVW
aqObzhgI5VVrsyiI0F7krjmXLTlMkCpgPTOshAXzSk0suO1O5ZLQtkTo/+ED
4ys+wVmZ9PU/o6xhU1UEzo6pVecAGPHdqE1S0qtcNrWOx6hVk/zD+72dwd5u
chc/3Rvcf0qf7h8PHj7Tk3bSTBRRbLJ67dZcEVzJQA4Qfq19a3XCFouyMNcP
zo5zKMvuG2Xg7CKThrmVOJOvlqCTDTD/jcwWbciTaZxZJRY/oaXFAzX6NqcU
jr/27EMmQ82cmK1EoDmBOO9RpykzMp2Mh2uO0bsla46Uh7Dn+pFHumVuXgR6
h2SMEY1rxZamqQ9R9DAs0EdK9ZhoLfGaQTSPhaHOwLNA5JctJJnMxWNmgmHX
wpHoQgA/oO44mGj0/DZsdWCSGJJ6BfT/vQQGLetPukmdMG/phD7Y9Q0zKr2k
pHX7uktBXG0eiBn/jf/etWlSlvhlaVE/ajiUTGjlWwUQIh4SRihkXgjrwIIm
ZiXr7U08mDXfkkJuikZR1j7W9bDspyX3bTk8IYrWemOI3h7BJSlM64l7xpgv
7AGvi+EtHQc3yyeKQrWEevn8CWOdFBpHyFKmUX7T2SOuBOOiX4McWnEs1E3P
pckSOjMjB4IciaTPuyoilj5qQE/ExQPbVFWP7y9c0pmXMWwTFglRasVWd2dG
5MZ6/b015rQ/1IGy3FWzhLPse5HU/Ij30PU5Uz4/4e5Y2wu18C4H50n2vXUS
fbKJRM/o0QvWANvNQbz8kVZBcVZfn5++AlG+WmYN1pa0Jleso9FzvPdM/7BQ
FV1R88YMKeiQ8mzkUQyFlXIiDRZd6F0zofSAAAvXU8MjNQzwasmVMmdJ5Pme
fp51/1qwn/ADIegWKNJhUHOK36SFZGkBq6hWUT+qI0+sNXnofHl9RmNFoTJo
CuZffByK6TvOVORn5fl6FBFiMls1YuABW/biUx2y5hBZkqIFZlW5AIq2zXyH
KKCHR386PB8I3vz5j4RUrL5qHeaIrs+HL1wxMEoPdElLfRXxLNwbGM/qIyGc
/WwdD7Oxc00sRa9DTIus0ZWorWLhTAyvvRO9y7ASKYt6YGRQY98IWY6uVivC
CA3TT5hwj7EQxHV5hR+0a5G0IUrApqAVFGt4AdZg8dbbXGwt5EVued6oiIcd
xgQaBw5dZ73G/uDmevteQKLFzo0gd6SRAfif5yn0Jlt3CxyjijuYYbSicd5L
7oD2P8rHIBh6ZgcEm7bTvm3KtyActmFlDO1+1vtIYenASU5VwEx2ubi03dWI
m9AtdhLUnMJKuSCfuoZOD8Rcqs2xbVJYbtsOQh7WujR+CHcQr9hP7fv+4s4h
lJRNFUdnpE3M2+vPzB3Ns4lteGZEaDAuWDu+ywSr1resJ+Ea19BuygWYliUH
Mhijh6kY5ls/jAqYUqGBHhZPr2suIsvGRFtlllJ+zYk5blZxJbClUWhTLzc1
qWbGBVxK1U0MUmIPGl57E6eg3fo64ABWjFWMgFVdeAEXaGDX8diuT2+NAUdH
nvd83uEKDaDZXCsLntZ1csik8E4ziuumS325EyOmxSdI0VW+m1OX/+1JibC8
WR/OYSoctoJVtey6H0quh4U2FmrxykZGmaKGaSgs1wk7HLCQ381BYGVEnDYo
/XmNjWLBsSU1BPpbff2Ep2AkW3CuB1h05ICkk/qAao8cOA8dPABAvd3dPTw6
uj+6yXZ292dNtruvvt/by4zJ8mSCIXEtGDDeKI+euccWOGrwahC3DgJZjwxJ
I+zCGMVOsxrxKc8N1/Odlbq0HLHwitVDG3MRoDdTd5RU2bwpYwQxsykvyZmV
XWjWq/hOS3y6urHPRa3bSCDYWrWRRIM5f+E8t7mz0WzAh9hGcZqozTUDEEop
WQx/IN6lJhO8addUIVxZRzgFmJ8dvjZXVAdA4jYBHEdS57wr4Kd2PRetNQmF
9YKCejoIKKjk4xQVlpgkW3oYdF9FEiFpa41UTQyqmD7cwUyPnqUOJja1dlMg
k3d5Xccsse0R9zDQVoIJqWsAqW2NiZtB+Tp3vn+r7RU/3xYlbzKK1gmNOhHG
IZo9ovZS0JhzG3Rmi5NZUVH0qA7u89LkrHxj6s/yuQc5o6J7mKrW6PZdb47R
QYbAAfNZZO+OFGfFNnFLRZO9mIYxz6qlYI4+ALOSVsW8jiguXV3P5VwjlXiZ
Kl3R3RekdVAskQlXMQsQoVS7/ntc3c6xFfqvxilE0qIQdY+ji10PkwwkdTYj
VoUqbUwRzQ0CpLZvga3RcUdodmBV4qNjcXvuovCh2/MLrRsWRF22Z3JsqQla
YTmmpcYBKeNgChMHtM5Vq41Twm1MMa21JlFzTdwwIrjDTUrWTql16JdhTEHn
Ki+xBA1KkRgWaSpiZ2V5lTtRWk5VVt8KKxOura3uaNAt4DBc0JYreh4GDC3S
f1+qUBqVUshEMddzqXQMS0xpqAVXHHLiWQhQAJiFCHhehHWLz1KiUxjC5okv
rvEY5U20Ey/JfLWhkdgGt7Rs0iTRxYzRI7UqRf9GpMEzjvuYiGT5eCRycXud
sPlnqB5YFrQ+X467D2jxA4W12NkOE82qjQQBWLWcy2WIvSIGRbR1ZU6IGxUO
Vdgfi+sQL8amCB/CqWU+EdSakKGdpE+bppu6Rna9QBEHxnmdYfubCNxvpk7Q
EAbdmNwO0c04jncOpPRSLw71QGIDQjKm+Q9phgmq/dgMsgasVww6m0nV1xWN
o1aXIMZZQgHbkZfsf8hrx8jD0axOKVMpg2ioIsEOW47UZkFY0dPEu8HGRrl1
DQYzequXouRdEX8DuAULk5x1eM6Hjv3vKodwdpGPZZE7NMO4m6jwny46xpvN
MnIDUkTybJaTDXDoh5V5BQ1NYDoMBu+zVdm65iLr6TvkRs6E8pRSQIwiny/n
CLW9+w8AcuwbVqjELdCEfG4qXRiw2FKPYUS1iRBvh1b7+d3Apvzs8k1iqIN0
DitOx+JsGhvlaTjRrfQublLVmo02mBerDqO5QwS9hgmdLQWMTj/cHd4LclC/
Km8UJYPD1EApV/1Acwh8rzcgJtIqR6H3xdo7+/Bjli7JJLtmpLROQv9NVEAd
OrlDJh/pnHMPQHD1YsHW5unYnHVXT/bbVfSigLsfBJs6xsLICbW4ZitH0wv2
dQwrtd1V0EUjr+MmlL9KoBYt4i2tAE0je9+XTfH8X58/+6Ha/fGozrOX3y0O
D60lhR6UmN1k66kCRlXZX113a3Lvwc6OY4GhlCw7UfPix+t7X59ePd/5lxf3
/+n93sXsm+9OnIl8p/va2LFus1qLOzgoGSbitUw0PAYR2FVUHN1Q5ImliQeI
kUSERicGwlEFzC2iSP5oEBsRK7xxhlo106pcXmIeRlOlBof5inQZ0kPNgb5c
KyvFZV+bo7oWBKJP63JCyUSlzbKKOETcnIgZlXK5VJ42wd0o2HJhTA8dTVq8
KhWO66B7SsAzI6/qVF0ycetcgJAtYzsqKhOrmakU6dErmqQZZhfrxHf5elDP
64FQCs0TLelw7ruXbWkopu8L6PXeLASN17K/vmfcdW1SrNvl4yCzsjv6UUDl
xft23ZOc/T8MRocqermfjiR72D1UYMkkpdSJmSSXfzlZY88POMFewAnQutOz
3mQJv6UAImNv0A5SEo0ObIBhstVtbaLglM/imexwSPrdj9a4JNd4IiOE9pZk
50+jthFau7F2uVm0lqEyXtiW5Gz95wze+ozhWocGcbQE6eGERgeOHtXKLqGg
aXSEV75aSvASEjfpfBS056J+jxpBYoHYfmD738LltOZOf4woY54tm8Vbbc7c
kpboIub0nFpQkgUb0vmO+kxu9SIdzeFQMPeIWpWjiJQv2S3UYPqTS0dKLqMY
9cn7WZJIht6lWfWWJ6PQ7+TdPH3/NkUPDulTbgGNaOycKQ++wT7bTi03O8ot
fuStmsQc3Bf8WUtucYfwYFUWYq+2Fl3EqeZZ06T0JAOteynGbxsTSaJiZpgG
4AK870CbYE8W+3fiplKVNfprBa118dcpsmKoQjll1lD6nj2KEKN44JGapiAx
VX7tLUchRui4OckmLTQ2mjloozBH3VTSbE+7S7E9MvXbaHTjXb4ckXqhZrkT
7rGr08j9Y9nwrKShIwmnOhHKMd4N26UedNq7riwU1nsI6/8ws7bSSDzsQ4/m
gNmtVCRtlLhJJTcyooppYn6S0M8sXeg6ayTzlkBUJWSkIschEYruFpqt3KdW
GSQjHtkiTbeDGNGapI7UbRariQAQ1e5AiYLVq2ZJHs9bKqHBUZkuJ373JTik
rg5gJLQHbZZt36UPX3RWHACG92s2bHTrs3hROZ/eyZFZdhc69MV663Ss0sIr
maMxvOeyyH/UIdRBw9PoJjpXNEJzZ9j0MBmlxVWyWI5meT0Vc2BeJZgeqztE
eurXU7F/xZogSGNEg4HuctcHWilOfqocSd95V5dsqiWAlntI3140aY3nSgPe
lcp1hrLRX7tOzfoM4geAagKX04t26vVKdXT2V+PSjDrN5pqUBS03RoklNqen
U0R/I4rCNJlwt6BeiOPeMGdLiCFnvpilDcUC9+Gb2sSscXkvv1Ghh5NNo+rG
CRBAGqTBihggyTpy5nQf+TnqQTW+y+Wt7i4XszIlpyav0ZwkfCT5dIgUxJtO
ZuJmWDpIMxKVcWjfGTyl0I9oO5R2ryZnMo4ZGThV+4B7ACiOV0U6zzM94mt1
mZvUco4cuv94l+yy2mwDP5dOuyR/CU6lYqqvww9R+Qn9yJ3gXLel5PF7vGas
52rxeuOGf041t+B8YbBlIRXRau5QZp3LbBySmjrnnEt4htYqbB6/re/bHI+B
SxrmqEgsZ8QundI2HZgqt8WvVMMpiwNM8UK+EalQY0swAAc6mwqN+/DFQj7+
7PV6uSm5w8uyu7kqYqqWy7UbUA8Gs+wOk5cpwItsYw7oDpLvpEtttOiPce7r
kN11JLKjErsJOXd6WkmbViabeYdhQceenFC7GsDzNLtCo8ocm9oBFHUpO6ce
k7VbYYxUlWfYf8uEHZcCwJyDz1bkVubIFUon4S8R4pdahUCe43bBlYXOY7Ac
9vaG3AlSgaQm4D0povZe2/Wyu8V7h024b6FIriFiC4oobcGVAsNFr7GmirrC
5Q1gmcAXkMDepNxoEdjQjGp0SLdfnoI6qTnjo92XzNRbk/RKbWHQdp03WL3m
6cpIrtK3FLUJaoFkNhFwu65NdOG+ucFcWEoaZ0rleWqjy7LRlDVKI7nIknHF
UspMGpsyiZkjJCiWweuUiTbSWXt1jgBiw6Ow+9sttarHKss5akLXcfXlrMvS
8RpE6qHh0ZJfpEGKJiSJ7DW1kyNMrl8QnIgu2DBxJj5HZhegz6MRBTZ6SHcN
JWC7xwFfwPojSiKTSsLBy4ZuWP2cNuihqUmnCYPU04YyvqSP48VZLZYJ6hOq
tA5/rdCGTxFaXFzOGR0gJHtDnbdach/PTAlZqdEC55DnORDTZSXRIUgh0FZb
MHrWrkOEVmkqp4VCactG7gT6pzNMB15pd33QLXO0zGfNgBwqidug2/jhm7Lk
mye3qYQLAEqVKPIVUiARhunUsd10q8NiUG4Nq03p3K8y0ja0zuc52u9tX3sN
JcLf9owb2YqTtiHTlZ8Oz05qJ1KFJDZuhFrWdW7j1RTZvyiNj1sdFBOU6jK1
jrfY2+ZEZsJDl3QSGHrBFdj8RvA3RaDB0dFgPFcEeti9c0C9cbsC6Hz7sVzK
uOz3RbwgM9zI1QJzDhGAWjuiFrD1VVMu2vqpPlLYxxapWJkw0Zr6NRKLwuYK
RSY8EaRYiUAAgWKxMMlGEjlFCjqBHDvEjMkTg4cgCr9zx52ihsAdXJKZY0dp
ETcMh6ejmtp+ujBHJs0spAcwM1LDGqTbxZDEGpQqoyJsn8rOaRZOhAgvjpYw
UGaf5ygxO6jR1nSlDNQ6ZY6aWxY6V0CCzmcgfzc5EjUnFFCjTqxfb4wwwXCM
Va7AF4OfLbkp0UXh5UqvQRJlZ63GSyraz/XxdHtAxMpzjOis0CpPogJeA/J4
YudR7vUuRXDywjP5rvE66ntnb3jNk2TOJE1HmJu0iphi5jJTPSCGeBGpzvQA
/u+srLVfqQGdiwK36sSMndi+9U5k2Zx7N2TVatGUl1UKYnSGbVUBqQCH1LWU
jeLZ3RA3EkV0/CBmicwXoOUxsUDXdEmI7jsBg25HPKhx6FVI5OnpcDF+zB69
xpIyz4ObX9jNR4EaLt/kPUjtHlovqhF2HK30hKvxds5BgdI444vk+Kw8O0iO
1Zwnp61GDqjXwwe1gZgcvRyM4Fy5AdN3X9EP94bjs5Dt5eawG5vRxPGec4lF
mloXQkYxj8ZsIYqnFAnKIgGj16mVOAW1+iFi0Z4yYhthX0EkJzNwMQ0FOm6t
S+M+dSy/SGTyaNymjs7FX2goxCGr8MN+MUERlTl9E+SsETmrcDSuzvrCFLYb
AeHECnRFAcdTcMxIdy1ZUWsnIEtM1A0SX7LiLNEoLLnirsKHt1GCEOLbQihS
ShL70cgQwdW6TQRvRL2KJHo95xLDsaYmsSK4RxJ4YCJ8sON06gNDu6fgAtSL
XHIg+0mpGy5FRtQHMFPpNQm3l+nCeIPsOUmwqbFp0amKsl1THA19s2YCX6yS
yAL/cq15m3BVXxwtGzal9jFPTBXRs2U9bcHbpA/dOTt8XW/7IR+7Oyb6j0kB
HYrNVNAoHlmdWVU7ch7YqEX/KQjf1hTblZDxWp9eW+VxswCyqcqu7NhMOb/+
7kLcepGwS3cNXYEv+yZyVANh/SrC+GWSLvGaa8ImDbGdSIlb9l0LgWLUE1+M
T95uz4ynCPGPmNMU+I1PaKoOpy6wtVvS7NlyNVm+iPVhd+N2IWhiiWyy0oU2
KL3YXowaS2TYarqxoitOLglavUmkJII2jaEgnsr6eEaTNXeZVuOZY3+UYCr3
ONAYYtaqCQLJ6mjUxcxxI+tQUIEJqMeo+Lc/XLn9TvraL+Wu2JT5S9cJCYsq
v0aJDSUnlgROSbk/0684wtlLYxAHUdikd7kqHukJjbRCaMk3jkHdcG8rEaxj
/sd48wQCtXIHCpppdJmlTanSjkQtG1QPQvTTTfMXnLCxdgiadcpRHfdrimYI
Uz4cidhUVYrmzGhNyZldI0iKskWzjCS8ZFon4xlMxkPBZ8Tj6LRB7f2uhbDp
ACQOdLpJfbklDhcHIHrwU2cqs2TOFRE3rNFsuIihTkvSMJPqro02EWm7BpmV
YNfDSBYe3QN9jMFJU1ZJL8zr6naIVkpuHw3qyF1uzCWh7d1oP8XaKfgaTVax
DN5mpkj95DV0W96yoXWd4xtxlSkxWxJIU7rg5IR5eS1EEuNtO1oTuZ05JGLc
KeU/S/N57bFNIgB9DCsgTxXawEegl01EorJJIaCMVinbMNYqXUzE0DMqOldS
aiVPi8qwo/KXQKTbDozhcgNfjHD5dzAOZyWI+XRsHb7+xuoAWEMzhePQcrin
b9fUZhtP/8TCrRRITOVMLWmnJRid2PiLvPCnMD4Su0jewoTbsfqRxrdaKwo0
lujB8P5qBxXEM2iqFxqbXkjqrO2rKWeqEMKqYzICkhchGd9KcbuoR52NSIVx
AEgRz4ozFxdssyv5kFtV8qL0/MJ9kjuBLPLKcA/ZPmYeVsoVWLrdQ51XNixY
Q4YDfT8kB1baGKF7sixsJgDg+niJoTB2dX2HAiN9ZkkQK0/pQA761smiNGme
lJpP6Vsu1PBQsLiZzh5xYtA3AiVbvV7qbOQgOEhnKYeRQdwXVL/UGatBeadh
a7XDcyHprfCb0jEHSvk44hSWUpK/SdcQpD9Aw57N2PGJLuQ5xQPD8VzCQar6
gNxu8AkpJLuG8KzJTJbJeH0dvEUFgU3FRUyLEkwnf+czO9BrLEXUOwRoM/4Z
H19aX7WLmAZeiMCpSK/aRerwZUogJYvTVIRTruyB8BBHuKbs6DCa5YCh48Cx
Rp5TAg+QzBUb/LS7XCwPJqWu0V5hbR3qcoLa1NYZ5rRjeTa7eLYefixi9GMa
hq/tKd08yDlOxJ0xAxYzOKoSpV+JGl4TAngotCxEjFyM5GjiX9Yc1qLp39pN
E0rpmE3tteMAQA5YaJ+Se0BId1upEA6+OOvUokXH7gRbLwx2M56e+KEshEv+
3jHSSB9Z2IoCQ/27TtHboDZY88alBnpwqE5fiwCJBR3huCfo6sPGF6hHBu8j
LWZ/qPH33qj0CmNVVC3bf8lWdLK2ojwzHldiVrP+6pvNsJQKnI48TLX+Wy2E
a2qvQ8qHrwhTB+fnpxLXSsXsTIcs7ct//ezo9OXLZ6+Onx0nEg8vni8K7zk/
/saN3nJuQgCTnG39eU2VKOUeMPfTSOtfvSIcMCBB/sUi3oZ0xAeSRPUEsUYu
62jFB/V6nU/fOT87rLcxwomLCUjgHdoH0+JyyXl3poiylwyng6BsbQ72mhfX
eVUWFHzC/nPdjF0y242oVXs2VNujzI0TLRy2CrLsl7Dvy4LkG4r+JdRlzzyI
dDZtnnV7tlrDYo/waAbnaCA9Nxu88y/n59vaQw8jPxdjMQOGFH2QF7D2Bju1
TPZXO1QrDd3fdhM6Ez6Iq/Oe96K4JHhLjUmIWnpGD+a78Acs3cYWGOd7HU3c
sQbzVLBmoPGAen3WFhWRkUrggNuYTp+7pE+28TYrOcBzXLJejxFShH/GKk4y
JxzLYrkA4luMyxtDU9vhSx22cxNJJ23BUl0j2J28LhO3e6oX6nkxlRge9V4H
smvaaa52ZwicAw7iKCubz1AumxuFMa8x2Ijy6NUKA/JymeYmDSNtNIQlcFpI
Jgm1JloaJVGPdJVJR0hyOxzDZ8S9L5KTw1eHQSQ7kRU+gDObKuCGcwJHw9dQ
Lrpz8fR4Gw2GSP0qiVkN8iKNXk1vbYVDb8nr1Yr7vuNTQ74dNlUBk3xMhG9Y
Ihe28uWXfk3lL788CKRt/xnqUQiyBAMDnw7KBcDTR9wy+EgH1Ff42Mmzi+f4
47kH6WPp/YxPtLKdtYtKN4h2ABxmenxuKK/NK/klgOekEQK8WfwrF+7rUjze
ea8d22YK+HZn2ofJQdkgMbTz8M5fbHJ43ak2sdMcDAbkjcP7JP2pQ4Wl1lq5
2CaNvbyAOQoOYiXZ2na35mj3aI0iRyoxoem6ILbu0qyDfrlVMraFJYKEr89K
auossTW6mfId7Zfnr27KarzNIb1ILo+0tYaCby2rwLvm5x0Mg1dqKtOxgTHm
TtT6sn2b88zkwd8Jz87pKCTP4HA2RdHdg1l19MaIszfYNltopMCgxUMzlGal
HPEphkkvgJ2OYJSXgF5VnrFBJjk7edVnh7le5JHNwASph5md2b/1rMhJxg+A
TH3cPtu82zd7kTKENpDx5Pgzw/0jABwu0wd0C5EoM8vfsi1aCE+zlZuLJuBI
r8U3cyF9pm23s6DGEGzMLzJkkdEvwfARe4uINOT85EJ5jgtCx87IPXYLQMdm
8S74yMpbNi4hujYnipUbcEtZ5Vo13Xc//f3mU9ijafNnK4noRtjYbyC7krKb
lkaYUwzTbX3AAfc1SRb6DenJ1MeoORrLNIuWSFynK7Wb/rXBsdvySX4JYp+Q
EVLQ+Lnt+A23x22xzRr9AFNvYqG/1m8RW9X6g7Bd/2LRMYUTuE68OKy1aGpS
UE1xkg3IY66jgDpct2KcPROGSArHaaEGF2h11N8md04vzrbZzGN457pHyS49
V06KRc5B1p53O0W/5YDsm3rQ5BKUCJAOy0qUbPO3vvcpyIvV+IYtqVxhr6ys
VsOeOQ534/obOuUNm4U6p+049MO272SACVemIQxrkitjrc2x45QW3aTRdB9s
3xRGp/Q2fXJjfWyH9tg8qr4R7cK34DT+M9AwvZdPpWUIht+ZbPJsnuYzVBkm
uU4rO6I2sSFvlZxCx82Amf30dua+rbsGopFILLOhL0Kh+7pY6bF0JLx4iM2w
YkSN3tDgGdkrEzt3rZzzlPoiKC1R1xwmy7Q/n44yEHNy+12nCv46ntN37nrX
ta3X3Ntwk8Gt3esQef2XNvMK/zpXedi7twafhe5E4B07pvDyBu1BvA0F3VU9
mvJuo1o3WF7Er3PDVUZSXQaIG5A1K1MxXZelMqfY3pa29BOSYkzcvi8S6ZCD
tGVYu1zmHkFkL+Zi5YCpE4pHkld7Kjkonc+TQZtW1ndVso3Zw4a40w8IfNdy
HDdOxK9sS3GFZV5M4TofQ4a9+2tw0VTiacdMobPXtFd3i+F59LhrF1oIsN2m
I5TbP6neg46L3iUVfjK3efj5uM167igZfFhJR4zV2O3BWPuNRGWMutfl7Nrh
4ijjSiwednm/EirHQHcrO87TgoucGM9yhL6IYIn8Q2d7JWMMoKPEg/ZBculF
d5q8oF7zBH1OeeU4/ospB4iVQNQlxULy0zGEyyARqZU6gssBitSk1OHtrnct
oAjD5HCm69xxAyH6I9mXENtgtn4yWsbitlhOdlYQEh5KC+GBg6gF8lDFqZfo
cRrrltpzRhXSnMwgOlTxW8OZOhw6rzplAnqptm/pmGp83MjSOqwWf4kQOn7l
zetvh6YKzyxdFtnUVmGxTXk7Bgmoa/TCRoha0QoA3ZBssvj2klWZT5PfPrfg
5ilWEkoT16/cJ26V3dqrdGU30eICma39zq8ks8VgsIm6Zbai3/ltyW3r9BAt
t7Vh7h6Re9p/D2JbZDsteW33l8hrphxDeyZHOPtbSmJR8vB5ZbB1ePWxMpiO
0GjJYp8seHVd1M8ueH1GNf9WwYss616iO+dQi4UMO0OqqwS7MFfiaEFTCbZb
pHEGvCdduxkZjWlBsOIK3qFRr9to5XSnxbpAQaFpWyqZK9t43Mgz0zI5cWpG
ebugG09jWX4ev7khAFlOMtVjbS1Dl1oEMKdKXtR7Fw8P43a7qIQPiluM17pK
HxXkcCc0vC/6pmnI7XUIJSmWrPEUZtEuaEJFDnPFARicacbQCY5PYpiNeWwg
tT8NoYuZxO1unL1swGW5wloNm2wGM2oC45XQxhEQ7PKbZ9R2K0VaDJMISAdP
PRC+qDDSisJvxNKrcw1j+IiLPXTQzjF1t4RJgluVc7UBbYh3UklMDVBxsrSS
lgUwYb1cySSoTUFmt463xVnSWDgX3YMg16WQ8F/pUNzJ5fjeujD+GAz25r1j
UzMfeBXJb5E8NtyutsO0LN+6jDh3YnaYW6vUdxsKuqJRyNB5nm7eoe3On5S8
8VsQ9zx+FOxCDOv9UMq73bL+98Fc2zb0NZcjJNR6feGldZs7OOn4bWog0a9S
rfnQp6zMqj1F8PzlOYbERjouINe2SyZiaArBkgd3DceeaLE1JIK2UTbdAI7K
tw9yta/bKF4/CqLQ8QwkCtPe2FxhEzVMkaKA6wi5vbzEqL60o951P+TqoKqS
Kto1KkN8TdFvP/0ch+yo6x2UY3QQSpfzrdulXrz+FZ10N9jTmtXa+LeNKS6T
WzHv6KAf3VjLOZcQcKaJ55rluE3kUqxVTu5VX4hnvPy1BQhWKdZKDkQ7Pl58
MDfmNrm0g5Rsdnk04N9xCqjGzVCIddVqaXwtojqPbm72TVr415pof8CZ33la
Or731geA20q8H/Zo0FexG1/+vpzYYVOtza7lL2LLDhZI5pl/KXVmiUk/sZdO
Kwfhje3Hj/qvbNLZ3O+GotatNptAjpMoCxJibFMXLmQ2ktoMhVTrbLH/z22Q
WYs1nxAA8UkxD799ySwMxrAtVKhpw1ione5/41GWwDqyRpzbiP4yyjhr9+gt
r2CuMKgMNW0vM1l42yVyDVLSNGtaKw360fNSu5PjsW0xCKnQKimXbikOTz7B
CO8K5DvyxVB9bi6fyVmCYmpxKlyTMk8Kv6la1A7e0DWfbF/ORqz90XP/Q60b
LHD1Fq5/XnupU43XNNqbTxIjXYuzzj7B4liOsLssTMFa0P1ou56FVof7lbo9
3Or36NBrVf1Nbff9j4250LEimguYvgHhyWwcdNNFG4PYFMeNhgkQ2LHlsxnp
AwrWZYTfzGnzWYJtfpvRNL/IO/N7NM3f3pPT3zishjocRYwEVO5TLAWBS7as
nNj/rKTykotlJWWvfyvo7i/6I8jYr+yH/jzE69OwyCIrle4trnxE1TG7hCOf
01f9q1I9tOX9eh7p6GwOkcPffzMk7u/TTR0hbnGo/ldxXMfi001u6YlfIISK
bHgtSUy6R7JZhVlZIxdDkR6c0ptP+0BNfincywnSUuQZN3gfxTYpld3JRuk2
2kB4G6vap0n6njfq8Hyg9TSzJmssq2+fKiagO6L5kEpDet1CcJeYB4wFACVu
q6oZWjdVuqD5YtU5o8UDCqorwloY15Qzfdfcqu9jtLMjBaz7XOBOX3BT4S7+
NFXIco5fBUuAb+a1wvhRaiYi1RScdtP6fJnWcn9crkfhhCAEu6Vndf8zl4h6
mca9VrZK4qnouVO/FmcE6CyNem2kEepDA0NP1WwByOBuXVBWLAS4i54EkuaV
2wqHbFZZaYrOfxH2X2xjpq1WEK3mo90PTmtFr9ZuBKvXtGzRjSnpAes4cAbX
pbG2NEipaeLrZ//05uT1s2MTPssOk1tr0eJAZbMwjRfRMtbRVG5oJ7nhEMWm
WsUpcbvirV+un7iE2wFXG71N33nZ5PrzkQFvPSB5bpMT0rTgFxyRPSG/xy93
qHa7PUvfCYF33DOv21gZu2VeSAtho1CvLQPfFTCrGcq5tKFOBslJDGW4PnF2
m7efL5qfUm7Zrbn9TAU3x03c59np+UVyVx+FsiYc0wCau0GXdXOgO3oJXRlm
5fyWftDvBzc3NwPMYh0sKxgWOcmYJ9arfoJ9PLg78z9Sod4nIBw3Zc3fMGje
5uMno9Hug2x3P3t4b3/3PsNtncmhaHWxj1vundiM4d9J4+tMPXj4cG9yX+08
HGWP7j3YvQ9/bdT7eh2yuS4Ji18SCPbbRiUXQE+i0GFkAsg8uX///u7e7hr8
0TUwu6Ttia5zbMQY7p6Hbq7gZaI3pXQpsm1IW64snxBKQ1wPFfd2dpLTbz4v
DnqzvsVZO7qqR7DHEp/22jWlZIe2UzrG4gj/9FfGCnJxvMX66k/aW11PXfhH
eOxJGxxrUKd9sKHfP0yB/6sfMk1EQMDDfapAiagsqeDgu/ptjnTl3oOdHUtz
aOVv6XV8c7y/m+08eLw32d199HAyfjy6t/cge3BvbMeSrdlX1M7jnXsPHqTZ
bra//2j0KFXjR/vZKNt5aDAqzin9SCAt5FxwZA313LByQYubumKvFnOt7EwF
fMLKxPGQ45+HEYxPg3ANRzjojDv8m2K+dyobIL33/JPuI1xzC0IDaRChY593
WG9yZ+J2j9ahU8S/B66xYlsbKlj2dM/C6QncigwMqJQtbBVUC/ldAGgJABsZ
1NDalBdLFZXr2SBl6lyQRt5qmve7APG7APG7AHGrAIHM5b+SEDHZG+1MHo4f
p/u7k/3x/cfpo2xXwYvpyAoRWOcQq7e9KNNZHS3Sr40Kwpw90E8k+MO0TaCe
Ospl6eEFI8Qgk7TT4HtR5fO00oXy2bQ3poVpA2NoL4Rl3lC7Q6nqy1Y+9T7n
NilcPCqsWU32/isljdfm5diMSL+Zt9moz+2x0bIp6VfqfaPNHf71YpRD8GBm
eYYRNdgrWXws5ntTMKjI0kW9nKXSoQn1bWo0N1vRw8p4UfD1ctksuBWPqWUU
pVp+USKsmQdbHwelpOQyNEJDZb8tYkFAJc/sPEdmqztMz8oaF+m9nFbZNMfA
J9P3btNm3hJ5FCVjttm3oBbVNXaDrY38OFqZ+Th5SBfC1clm3ugWuGjrJpDx
GXZa1RrqUlGyLwKxSpwP4hLko8VQKCfO3koGaGgGDkRdQrDbD5CSqgR8h6/6
usnTynGXmfwv7YOVqvSy7NpWIcioP1gshUuaYA+TQ8wEwH7m63pxR6q0tWuV
eYb9btapHR1wMhV25kaVQwzqQcFQwSsflRA2WN59RK2hjffQxQDudsGs7CPN
i5sfucmD/6iz7puubdTrGwVoMUJHZYygvAbTO1uC2Xq7kCbIAoh6Ut8ziwhO
PXcfDSYpVx7Xlei/UyMEUdFnOVU1GbsGx1V6Y088r/VSclFCqPHwgvdFeFS3
mhHo0ORxSURzjv4nyldlQixEH/sYEjZjbTZBSX4gwiN0+y2Lln+o6XZwTKGR
dJ0ozLqcw27SJtWtW9ImpjbZ9njUwiZyOn3ahdfgQe8wSDJx/PNODwn3XLlk
u3eu1PZ8E4wVLGoR8OWiLFzPV3AaQoXZNXLBvBJPdQZ6O6r0M2Zt2RTIeSFd
7pDgj43R0nA2Do/lXlw3tu+ZOOXRIUDHOscq59aZJWfru6J1TCn5yvwJmJbN
VsbZLB1nuQOjbvsqPTwCNx/fybSSlsBU2I17IvWpATm3iqY/CeOFN1NNdt3/
LrZpbylCNhgCfHxyjLr5pyzD601KLQJ4Ni0ImDkICjo6uoWA9doag7o3WsDG
A3D/gJEnWAxeE+Xbe8BO2D10QVdcqMAYyHZNIpI4haRrbpRwRiSuvC5nFKdM
MflG8mHKLiUvUcjyK0dHmw2iuCr1rZOvcpS2V73eYGcf69o8G+fwd85d0ypH
sCMcmlMxFEJNePaNBJ2j4G+dHOypn5SV7ZuR0fj3Pnb8M4Q/tkgg/NJXMq6s
6drbu8N7pu9rgqm1zjoDPVi3/PJi02Eo7l0nEbhjBGhqO3zhA9gwDIZ9ra5z
bokKmst4yfNTpWUpz0CFflJplmZCznMhv9oT3tkeBRPyDd46L8BY1VheAJQk
al3ncPM5YORLtE3ibvWJsPqIgKJEvdRavLx4snnawEUxYIMD2+s5wEsnk3yW
O4clDTW6DtSswwPdoe0cP3hK10cidw490ouz7+LsR1zlBp4DvWzgH71Dnrdw
bP1EnIJv4Zg7PVpWuWCVQQQe5p3fvUB2Ze4SOWlNmBSiCogyKCnSKdIlOsyu
ivJmpsaXjLEfDjiaTo2fbE1A7FdbYnDgdWvKT7SEpk4lgg8zRuF4lenIqvsH
SCuz78rqCqjGAjTrvXvWmlWYvB3NmriXSJDijQPanD67E6TG0iI+B1xDiIxB
ceyDXqfGKMjwFUAhw3gs62m6kMLHaK/QzQqoKa5HZg6Ai8/UD2XyHDk4bO7H
fvIU0AQoZDpfjGBpfdCZMWAmfQ9ywjHWw/oKJGyQLo+Bz4DUe6Fm6jIHvvoM
KGIDxAB+eg4ouEjOr8qrFH74Oi3Sq+QQVF7ApAKkla/VZEIok1/S7+W0gEnT
8QybJ34NXHoxTb5S8Cj+uERqn7wGAKLI+U1F1D9Nvk/r5RjGeknJHslTVZc/
/pjj300D/8kOx+kc/sIz/LoskMOcVjnluyo0G1/kc9jhYgFcFl66KEc5nMC3
JbAUmOR7YK+w46ni7mP8579Sa6th7/8DwTNMTvgVAQA=

-->

</rfc>
