<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc2629 version  -->

<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY SELF "RFC nnnn">
]>

<?rfc tocindent="yes"?>
<?rfc strict="yes"?>
<?rfc compact="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>

<rfc ipr="trust200902" docName="draft-williams-http-bearer-extension-01" category="std" consensus="true" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title>HTTP Bearer Auth Method Extensions</title>

    <author initials="N." surname="Williams" fullname="Nico Williams">
      <organization></organization>
      <address>
        <postal>
          <postalLine>Austin</postalLine>
          <postalLine>United States</postalLine>
        </postal>
        <email>nico@cryptonector.com</email>
      </address>
    </author>

    <date />

    <area>Web and Internet Transport</area>
    <workgroup>HTTP</workgroup>
    <keyword>HTTP, Bearer, Authentication, OAuth</keyword>

    <abstract>


<t>This document specifies an improved HTTP 401 and 407 flow for Bearer
authentication where user-agents (or client applications) can
automatically fetch requested tokens from a Security Token Service
(STS).  A fallback to an OpenID Connect (OIDC) redirect flow is
included.</t>

<t>This improved 401/407 Bearer flow, when used, elides the need for Proof
Key for Code Exchange (PKCE) and does not impose on application
Universal Resource Identifier (URI) query parameter design.  As well
this extension allows for user-agent caching of tokens.</t>



    </abstract>

    <note title="About This Document" removeInRFC="true">
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-williams-http-bearer-extension/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        NETWORK Working Group mailing list (<eref target="mailto:ietf-http-wg@w3.org"/>),
        which is archived at <eref target="https://lists.w3.org/Archives/Public/ietf-http-wg/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/nicowilliams/http-bearer-ext"/>.</t>
    </note>


  </front>

  <middle>


<section anchor="introduction"><name>Introduction</name>

<t>HTTP <xref target="HTTP"/> has a number of authentication methods available,
including Bearer <xref target="BEARER"/> that uses OAuth 2.0 <xref target="OAUTH2"/>, which is the
subject of this document.  Some HTTP authentication methods, like
Negotiate <xref target="NEGOTIATE"/>, allow the user-agent to automatically respond
to a <spanx style="verb">401</spanx> or <spanx style="verb">407</spanx> status response when possible by creating a token
locally using the GSS-API <xref target="GSSAPI"/>, typically using Kerberos
<xref target="KERBEROS"/>.  However, the Bearer method effectively requires that the
client application respond to the <spanx style="verb">401</spanx>/<spanx style="verb">407</spanx> authentication request
rather than the HTTP user-agent, and it provides little metadata that
either can use to figure out how to obtain a Bearer token.  Today an
OAuth application just has to know how to obtain the Bearer token, and
has to be configured appropriately, and this greatly limits the
applicability of the <spanx style="verb">401</spanx>/<spanx style="verb">407</spanx> flows.</t>

<t>Note that we will mostly refer to <spanx style="verb">401</spanx> flows here, but everything that
applies to <spanx style="verb">401</spanx> flows also applies to <spanx style="verb">407</spanx> flows.</t>

<t>Here we specify extension auth-params to the <spanx style="verb">401</spanx> WWW-Authenticate:
Bearer HTTP response so that either the client application or the
user-agent can figure out how to obtain the requested token after
applying local policy.</t>

<t>As well we provide a way to improve the OIDC redirect flow to make use
of this extension where possible, and this provides a migration path to
a world where URI q-param camping and PKCE <xref target="PKCE"/> and code-to-token
conversions are no-longer needed just to use OAuth 2.x.</t>

<t>The extended Bearer <spanx style="verb">401</spanx> flow presented here is a glorified redirect
that avoids the need for camping on the application's URI q-params.</t>

<section anchor="motivation"><name>Motivation</name>

<section anchor="automation-of-bearer"><name>Automation of <spanx style="verb">Bearer</spanx></name>

<t>In general it would be better for user-agents to know how to execute
HTTP auth methods, and generally they do, except for <spanx style="verb">Bearer</spanx>, where
they often only know when the application has provided the user-agent
with a token ahead of it being needed.</t>

<t>Some user-agents, such as for example (at the time of this writing)
<spanx style="verb">curl</spanx>, do not support redirect flows quite well enough.  This causes
users to work around these limitations by, for example, scripting around
these user-agents' limitations.</t>

<t>In order to make such user-agents automatically fetch tokens we want
improve the <spanx style="verb">401</spanx> Bearer flow so that the user-agent can learn where and
how to acquire a token.  This necessitates <bcp14>OPTIONAL</bcp14> local policy, but
only because some such user-agents do not enable redirect following by
default, whereas browser-type user-agents chase redirects by default.</t>

</section>
<section anchor="making-oauth-oidc-and-saml-not-camp-on-uri-design"><name>Making OAuth, OIDC, and SAML not Camp on URI Design</name>

<t>Besides automatic Bearer token fetching in tools such as <spanx style="verb">curl</spanx> there is
also the desire to not impose on application URI design.</t>

</section>
<section anchor="reducing-load-on-token-issuers-by-facilitating-token-caching"><name>Reducing Load on Token Issuers by Facilitating Token Caching</name>

<t>By making auth requests a first-class operation (by using <spanx style="verb">401</spanx> where
possible instead of a redirect) and the user-agent responsible for
executing auth request we make it possible for the user-agent to cache
tokens during their remaining lifetime.  This allows for a significant
reduction in issuer load in some cases.</t>

<t>The token cache can be in-memory or stored in local storage (e.g., a
local filesystem) for sharing among the user's non-browser applications,
further reducing issuer load.</t>

</section>
<section anchor="enabling-the-use-of-bearer-for-proxy-auth"><name>Enabling the Use of <spanx style="verb">Bearer</spanx> for Proxy Auth</name>

<t>Currently <spanx style="verb">Bearer</spanx> cannot be used for proxy auth (<spanx style="verb">407</spanx>) in browsers as
browsers do not know how to fetch the required token.</t>

<t>For many users this means being stuck with the New Technology LAN
Manager (NTLM) mechanism via <spanx style="verb">Negotiate</spanx> <xref target="NEGOTIATE"/>, or Kerberos
<xref target="KERBEROS"/> via <spanx style="verb">Negotiate</spanx>, or SCRAM <xref target="SCRAM"/>.  But NTLM is weak and
dangerous, Kerberos is often seen as legacy that one should be able to
avoid, and SCRAM requires passwords and thus is not a single-sign-on
solution.</t>

<t>Maintaining infrastructure for many auth methods is a burden on
operators.  Operators would like to reduce that burden.  And many
operators want to be able to use OAuth as the primary or only auth
method.  But there is a long tail of work to do to make OAuth a
replacement for Kerberos.  Proxy auth is part of that long tail, thus by
eliminating that part of the long tail we make the tail shorter.</t>

</section>
</section>
<section anchor="notational-conventions"><name>Notational Conventions</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

</section>
</section>
<section anchor="Section-2"><name>Extended <spanx style="verb">401</spanx> <spanx style="verb">WWW-Authenticate: Bearer</spanx> Flow</name>

<t>Currently the following auth-params are supported in a <spanx style="verb">401</spanx> response with
<spanx style="verb">WWW-Authenticate=Bearer</spanx>:</t>

<t><list style="symbols">
  <t><spanx style="verb">realm</spanx></t>
  <t><spanx style="verb">scope</spanx></t>
  <t><spanx style="verb">error</spanx></t>
  <t><spanx style="verb">error_description</spanx></t>
  <t><spanx style="verb">error_uri</spanx></t>
</list></t>

<t>We add the following additional, <bcp14>OPTIONAL</bcp14> auth-params:</t>

<t><list style="symbols">
  <t><spanx style="verb">issuer</spanx> with a URI as a value</t>
  <t><spanx style="verb">server_token_type</spanx> with a token type Universal Resource Name (URN)
as a value</t>
  <t><spanx style="verb">server_token</spanx> with a token to be forwarded to the <spanx style="verb">issuer</spanx> by the
user-agent or client application</t>
  <t><spanx style="verb">state</spanx> with a "state" value -- this corresponds to the OIDC <spanx style="verb">state</spanx>
q-param in a redirect to the OpenID provider</t>
</list></t>

<t>The <spanx style="verb">issuer</spanx> parameter allows the user-agent or client application to
discover the URI of a Security Token Service (STS) to visit to get a
token.  Though of course a user-agent or client application could map a
<spanx style="verb">realm</spanx> auth-param value to an STS URI, or even the realm could consist
of an issuer URI, however by having an auth-param intended to carry an
issuer URI we avoid ambiguities about the meaning of "realm".</t>

<t>The <spanx style="verb">server_token</spanx> auth-param allows the server to pass a cryptographic
token to the issuer via the user-agent's or client application's
subsequent request to the issuer.  The user-agent or client application
will set a new requested header <spanx style="verb">Token-Request-Pref</spanx> to the value in the
<spanx style="verb">401</spanx> response's <spanx style="verb">server_token</spanx> auth-param.</t>

<t>Essentially this functions like a redirect response, but with a <spanx style="verb">401</spanx>
status code and with the <spanx style="verb">Server-Token</spanx> and <spanx style="verb">Server-Token-Type</spanx> carrying
the token and token type from the <spanx style="verb">server_token</spanx> and <spanx style="verb">server_token_type</spanx>
auth-params respectively, if present.</t>

<t>The user-agent and/or client application <bcp14>MUST</bcp14> apply local policy, where
any is set, as to whether to execute a token request against the
requrested issuer.</t>

<t>When making the token request to the issuer the user-agent or client
application <bcp14>MUST</bcp14> also set the following fields:</t>

<t><list style="symbols">
  <t><spanx style="verb">Referer</spanx>, as if the <spanx style="verb">401</spanx> response had been a redirect</t>
  <t>a new <spanx style="verb">Token-Request</spanx> header to indicate that the request is in
response to an extended Bearer token request by the server</t>
  <t><spanx style="verb">Token-Request-Token</spanx>, set to the token from the
<spanx style="verb">server_token</spanx> auth-param, if present</t>
</list></t>

<t>When making the token request to the issuer the user-agent or client
application <bcp14>SHOULD</bcp14> also set the following fields:</t>

<t><list style="symbols">
  <t><spanx style="verb">Token-Request-Auth-Params</spanx>, with all auth-params other than the
<spanx style="verb">issuer</spanx> and <spanx style="verb">server_token</spanx> parameters.</t>
</list></t>

<t>When the STS supports this feature then a successful response <bcp14>MUST</bcp14> be a
<spanx style="verb">200</spanx> status code response if successful rather than a <spanx style="verb">3xx</spanx> redirect
response, with a field <spanx style="verb">Location</spanx> field set to the value of the
<spanx style="verb">Token-Request-URI</spanx> field (if present) from the request to the STS and
with the issued token in the response body.</t>

<t>The value forms of these headers are specified <xref target="New-fields">below</xref>.</t>

<section anchor="example-flow"><name>Example flow</name>

<t>Request to <spanx style="verb">https://some.origin.example/some/resource</spanx>:</t>

<figure><sourcecode type="http-message"><![CDATA[
GET /some/resource HTTP/1.1
Host: some.origin.example
]]></sourcecode></figure>

<t>Here the user-agent or client <bcp14>MAY</bcp14> use a new field, <spanx style="verb">Token-Request-Pref</spanx>,
to indicate a preference for <spanx style="verb">401</spanx> or <spanx style="verb">3xx</spanx> flows.  Not specifying a
preference allows the server to honor that preference instead of having
to guess it from fingerprinting the user-agent.</t>

<t>The server may not support this feature, in which case it will either
use an unextended <spanx style="verb">401</spanx> <spanx style="verb">WWW-Authenticate: bearer</spanx> or a <spanx style="verb">3xx</spanx> OIDC
redirect flow.  Here we show the server responding with an extended
<spanx style="verb">401</spanx> <spanx style="verb">WWW-Authenticate: Bearer</spanx>:</t>

<figure><sourcecode type="http-message"><![CDATA[
HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate
WWW-Authenticate: Bearer issuer=https://iam.foo.example/v1/token
        scope=read:some/resource
        server_token=Bearer:<some-JWT>
]]></sourcecode></figure>

<t>Token request to STS:</t>

<figure><sourcecode type="http-message"><![CDATA[
POST /v1/token
Host: iam.foo.example
Token-Request-Auth-Params: scope=read:some/resource
Token-Request-Token: Bearer:<some-JWT>
Token-Request-URI: https://some.origin.example/some/resource

grant_type=urn:ietf:params:oauth:grant-type:token-exchange&
audience=some.origin.example&
scope=read:some/resource&
...
]]></sourcecode></figure>

<t>The token request to the STS may elicit a <spanx style="verb">401</spanx> response instructing the
user-agent or client application to authenticate in some manner.  For
example, an STS might use <spanx style="verb">Bearer</spanx> with a "token granting token" that
the user-agent just has to have a priori (how such a
token-granting-token is acquired and refreshed is out of scope for this
document), and/or it might use <spanx style="verb">Negotiate</spanx>, <spanx style="verb">Basic</spanx>, or other
authentication methods.  The user-agent or client application might also
be configured to know which authentication methods a given issuer might
require and thus "pre-flight" an <spanx style="verb">Authorization</spanx> field in the token
request to the STS.  We elide the <spanx style="verb">401</spanx> and retry here for brevity.</t>

<t>It is also possible that an STS might issue a redirect or extended <spanx style="verb">401</spanx>
flow to another STS.  This too is elided here, but the user-agent <bcp14>MUST</bcp14>
save the state from the first token request, process the second, return
to the first STS, and retry the first request with the newly acquired
credential.</t>

<t>Thus after any authentication exchanges, a successful response from the
STS if it supports this feature is a <spanx style="verb">200</spanx> <spanx style="verb">Ok</spanx> response with a
<spanx style="verb">Location</spanx> field to remind the user-agent or client its state (but the
user-agent or client <bcp14>MUST</bcp14> recall this metadata anyways):</t>

<figure><sourcecode type="http-message"><![CDATA[
HTTP/1.1 200 Ok
Location: https://some.origin.example/some/resource

<token>
]]></sourcecode></figure>

<t>XXX Well, perhaps we should dispense with the <spanx style="verb">Location</spanx> field here
given that we require the user-agent/client to know that anyways.</t>

<t>XXX It might be desirable to allow the STS to tell the user-agent to set
some select fields in its return request to the origin, perhaps headers
named <spanx style="verb">Token-Response*</spanx> or specifically <spanx style="verb">Authorization</spanx>.</t>

<t>Otherwise if the STS does not support this feature but it would issue
the token then it should issue a code and respond with a redirect as in
an OIDC redirect flow:</t>

<figure><sourcecode type="http-message"><![CDATA[
HTTP/1.1 302 Found
Location: https://some.origin.example/some/resource?code=..&state=..
]]></sourcecode></figure>

<t>The user-agent or client <bcp14>MUST</bcp14> remember the URI in case the STS responds
with <spanx style="verb">200</spanx> <spanx style="verb">Ok</spanx> with the token as the response body and without a
<spanx style="verb">Location</spanx> field.</t>

<t>Armed with the requisite token (if it was issued), the user-agent/client
<bcp14>SHOULD</bcp14> retry the original request with the <spanx style="verb">Authorization</spanx> field set to
<spanx style="verb">Bearer &lt;token&gt;</spanx> with the token returned by the STS.</t>

<t>Note that the extended <spanx style="verb">Bearer</spanx> <spanx style="verb">401</spanx> flow <bcp14>MUST NOT</bcp14> change the browser's
window location when the user-agent is a browser.  Instead the
user-agent <bcp14>MUST</bcp14> execute the STS request and then retry the original
request (if the STS response is successful) in the same sort of way that
it would perform any Kerberos KDC exchanges had the selected HTTP
authentication method been Negotiate <xref target="NEGOTIATE"/>, that is: the STS
interaction <bcp14>MUST NOT</bcp14> be visible to any scripts on the web page that
produced the <spanx style="verb">401</spanx> response.</t>

</section>
<section anchor="server-response-type-selection"><name>Server Response Type Selection</name>

<t>When a server needs the client to authenticate or obtain a new access
token (with different scopes), it can respond with a <spanx style="verb">3xx</spanx> redirect or a
<spanx style="verb">401</spanx>.  The server needs to be able to decide which to use.</t>

<t>When the client includes a <spanx style="verb">Token-Request-Pref</spanx> field in its request,
the server that supports extended <spanx style="verb">401</spanx> flows <bcp14>SHOULD</bcp14> use the client's
preference.</t>

<t>Otherwise the server should use local configuration, possibly including
user-agent fingerprinting (such as by user-agent substring matching), to
pick a response type.  When the user-agent is interactive the server can
return a <spanx style="verb">401</spanx> with a body with a script that will load a page that will
trigger an OIDC redirect flow, possibly after a few seconds, or with a
link that the user can click on.  Or the server can expose a way for the
user to choose the flow to use, though this presumably will not usually
be done except for debugging or demonstration purposes.</t>

</section>
<section anchor="user-agent-use"><name>User-Agent Use</name>

<t>Ideally user-agents will implement the <spanx style="verb">401</spanx> flow, but typically they
will not include the <spanx style="verb">Token-Request-Pref</spanx> field in their requests,
either at all or unless configured to do so (possibly only for some
sites).</t>

<t>Reasons for not including the <spanx style="verb">Token-Request-Pref</spanx> field include:</t>

<t><list style="symbols">
  <t>avoiding request bloat</t>
  <t>avoiding fingerprinting</t>
</list></t>

<t>User-agents <bcp14>SHOULD</bcp14> be configurable, possibly using a list of sites and
domainname stems for selecting when to include this header.</t>

</section>
<section anchor="client-application-use"><name>Client Application Use</name>

<t>Client applications can also implement the extended <spanx style="verb">401</spanx> flow as they
would a regular unextended <spanx style="verb">401</spanx> flow.</t>

<t>As with user-agents, when it is the client application that implements
the extended <spanx style="verb">401</spanx> flow the application <bcp14>SHOULD</bcp14> have local policy and
configuration.</t>

</section>
<section anchor="mapping-realm-to-issuer"><name>Mapping <spanx style="verb">realm</spanx> to <spanx style="verb">issuer</spanx></name>

<t>For the non-extended <spanx style="verb">401</spanx> case, user-agents and clients can be
configured to map the <spanx style="verb">realm</spanx> auth-param to an <spanx style="verb">issuer</spanx>, and engage in
the extended <spanx style="verb">401</spanx> flow anyways.</t>

</section>
<section anchor="token-caching"><name>Token Caching</name>

<t>Where a user-agent or client application implements this extended Bearer
<spanx style="verb">401</spanx> flow it can and <bcp14>SHOULD</bcp14> also implement some sort of token cache to
alleviate load on STSes and to improve availability.  Proxies, however,
should never cache token request responses, and the STS <bcp14>SHOULD</bcp14> set the
<spanx style="verb">Cache-Control</spanx> field accordingly to include the the following
directives:</t>

<t><list style="symbols">
  <t><spanx style="verb">no-cache</spanx>, unqualified</t>
  <t><spanx style="verb">max-age</spanx> set to the number of seconds after which the token should
not be used due to impending expiration</t>
  <t><spanx style="verb">s-maxage=0</spanx> so as to reinforce that shared caches must not cache
this token</t>
</list></t>

<t>If the <spanx style="verb">Cache-Control</spanx> is absent then the user-agent or client <bcp14>MAY</bcp14>
infer:</t>

<t><list style="symbols">
  <t><spanx style="verb">no-cache</spanx>, unqualified</t>
  <t><spanx style="verb">max-age</spanx> with any lifetime it can glean from the token if that
metadata is unencrypted in the token</t>
</list></t>

<t>Similarly, if <spanx style="verb">Cache-Control</spanx> but <spanx style="verb">no-cache</spanx> is absent then the
user-agent or client <bcp14>MAY</bcp14> infer it, and if <spanx style="verb">max-age</spanx> is absent then the
user-agent or client <bcp14>MAY</bcp14> infer it as well.</t>

</section>
</section>
<section anchor="extended-redirect-flow"><name>Extended Redirect Flow</name>

<t>The extended redirect flow has a normal <spanx style="verb">3xx</spanx> response from the server
but with the <spanx style="verb">WWW-Authenticate</spanx> field present, possibly including new
auth-params.</t>

<t>Note well that some user-agents terminate <spanx style="verb">3xx</spanx> response processing as
soon as they see the expected <spanx style="verb">Location</spanx> field, and thus may not see a
<spanx style="verb">WWW-Authenticate</spanx> field if it comes after, and note that proxies are
allowed to reorder fields (but not field values for multi-valued
fields), therefore it is not possible for a server to reliably count on
the <spanx style="verb">WWW-Authenticate</spanx> field being seen by the client.</t>

<t>Still, when a client sees the <spanx style="verb">WWW-Authenticate</spanx> field then it <bcp14>SHOULD</bcp14>
act as though the response was a <spanx style="verb">401</spanx> response engaging in an extended
OAuth <spanx style="verb">401</spanx> flow.</t>

</section>
<section anchor="negotiation-of-401-vs-redirect-flows"><name>Negotiation of 401 vs Redirect Flows</name>

<t>A server may only support redirect flows, only <spanx style="verb">401</spanx> flows, or it may
support negotiation as described here.  Ideally all servers will
eventually support negotiation, and/or all user-agents will support the
extended Bearer <spanx style="verb">401</spanx> flow.</t>

<t>The <spanx style="verb">Token-Request-Pref</spanx> field has two values: <spanx style="verb">401</spanx> and <spanx style="verb">redirect</spanx>.
When present the server <bcp14>SHOULD</bcp14> use the expressed preference if it needs
a new token.</t>

<t>When this field is absent the server must choose a response type using
configuration and user-agent fingerprinting.</t>

</section>
<section anchor="local-policy"><name>Local Policy</name>

<t>Local policy is <bcp14>OPTIONAL</bcp14>.  When present, local policy expresses:</t>

<t><list style="symbols">
  <t>whether to enable automatic token request handling when using the
extended Bearer <spanx style="verb">401</spanx> flow</t>
  <t>allow lists for issuers and/or realms</t>
  <t>mappings of realms to issuers</t>
  <t>authentication methods to allow at each issuer, if any</t>
  <t>global and site-specific flow type preferences, and whether to
express those flow type preferences via the <spanx style="verb">Token-Request-Pref</spanx>
field</t>
  <t>for each allowed issuer optionally record its authentication method
preferences so that the user-agent or client application may
pre-flight an <spanx style="verb">Authorization</spanx> field in the token requests to that
issuer</t>
</list></t>

</section>
<section anchor="New-fields"><name>New fields</name>

<t><list style="symbols">
  <t><spanx style="verb">Token-Request-Pref</spanx> is a structured field of kind Item with a value
of "401" or "redirect"</t>
  <t><spanx style="verb">Token-Request</spanx> is a structured field of kind Item with a value of
"true" if present</t>
  <t><spanx style="verb">Token-Request-Token</spanx> is a structured field of kind Item with a token
as its value</t>
  <t><spanx style="verb">Token-Request-Auth-Params</spanx> is a structured field of kind List with
the <spanx style="verb">401</spanx> response's auth-params from the <spanx style="verb">WWW-Authenticate: Bearer</spanx>
field</t>
  <t><spanx style="verb">Token-Request-URI</spanx> is a field of kind Item containing the URI that
requested the token</t>
</list></t>

</section>
<section anchor="new-auth-params"><name>New auth-params</name>

<t><list style="symbols">
  <t><spanx style="verb">issuer</spanx></t>
  <t><spanx style="verb">server_token_type</spanx></t>
  <t><spanx style="verb">server_token</spanx></t>
  <t><spanx style="verb">state</spanx></t>
</list></t>

<t>See <xref target="Section-2">section 2</xref> for details.</t>

</section>
<section anchor="wider-applicability-negotiate-auth-wo-gss-or-kerberos-implementations"><name>Wider Applicability: Negotiate Auth w/o GSS or Kerberos Implementations!</name>

<t>This section is INFORMATIONAL.</t>

<t>A similar extension design can be applied to the <spanx style="verb">Negotiate</spanx> HTTP auth
method that would allow user-agents to support <spanx style="verb">Negotiate</spanx> without
having a local implementation of the GSS-API <xref target="GSSAPI"/>, Kerberos
<xref target="KERBEROS"/>, or other GSS mechanisms.  All that would be needed is an
STS-like service that itself can issue Kerberos tickets or can
impersonate users to a Kerberos Key Distribution Center (KDC) and thus
obtain tickets on their behalf, then the STS can mint GSS-API tokens for
the Kerberos mechanism <xref target="GSSKRB5"/>.  The rest of the flow would be
remarkably similar to the extended Bearer <spanx style="verb">401</spanx> flow.</t>

<t>An implementation of such an Negotiate token issuer could have a
certification authority credential to mint user certificates for use
with PKINIT <xref target="PKINIT"/> to impersonate users to a Kerberos KDC.  Thus
such a service would not need intimate access to the KDC's key database,
and can be interoperate with any KDC implementation that supports
PKINIT.  In all cases such a service would be as security-sensitive as a
KDC, and would best be seen as part of the KDC, and for discovery
purposes should probably be co-located with the KDC.</t>

<t>As in the case of <spanx style="verb">Bearer</spanx> an <spanx style="verb">issuer</spanx> URI auth-param for <spanx style="verb">Negotiate</spanx>
might be useful, though perhaps the user will have to have selected an
issuer from a server-provided list of choices.  In the case of Kerberos,
for example, the choice of token issuer will be dependent on the user's
credentials' issuer, thus local configuration at the user-agent will be
the best source of an <spanx style="verb">issuer</spanx> value for a <spanx style="verb">Negotiate</spanx> <spanx style="verb">401</spanx> flow that
resembles the extended <spanx style="verb">Bearer</spanx> <spanx style="verb">401</spanx> flow.  But even in the case of
Kerberos if the user-agent can help the server include the correct
<spanx style="verb">issuer</spanx> auth-param value then the flow can work in spite of the lack of
local configuration.</t>

</section>
<section anchor="single-sign-on"><name>Single Sign-On</name>

<t>This section is INFORMATIVE.</t>

<t>When engaging in an OIDC or SAML redirect flow, or an extended
<spanx style="verb">401</spanx>/<spanx style="verb">407</spanx> flow as in this document, ultimately the user-agent, the
client, and/or the user will have to authenticate the user to an issuer.
How that is done initially (e.g., with passwords, smartcards and PINs,
etc.) is out of scope here, but for Single Sign-On (SSO) one will want
to distinguish between "initial authentication" and non-initial
authentication (i.e., <em>not</em> passwords, smartcards, PINs, etc.), much
like Kerberos <xref target="KERBEROS"/> does.  A user-agent could use cookies, or a
"token-granting token" (similar to a Kerbero ticket-granting ticket,
both sharing the same acronym of 'TGT') to repeatedly authenticate to an
issuer for a limited time after which the user has to once again engage
in "initial authentication".</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>As there is no registry of HTTP auth method auth-params, we do not
register any of the new auth-params created here.  However, it might be
desirable to create such a registry before this document's publication
as an RFC.</t>

<t>This document registers several new HTTP fields listed below.</t>

<section anchor="http-field-registrations"><name>HTTP Field Registrations</name>

<t><list style="symbols">
  <t>Field Name: <spanx style="verb">Token-Request-Pref</spanx>  <vspace blankLines='1'/>
Status: permanent  <vspace blankLines='1'/>
Structured Type: Item  <vspace blankLines='1'/>
Reference: this document</t>
  <t>Field Name: <spanx style="verb">Token-Request</spanx>  <vspace blankLines='1'/>
Status: permanent  <vspace blankLines='1'/>
Structured Type: Item  <vspace blankLines='1'/>
Reference: this document</t>
  <t>Field Name: <spanx style="verb">Token-Request-Token</spanx>  <vspace blankLines='1'/>
Status: permanent  <vspace blankLines='1'/>
Structured Type: Item  <vspace blankLines='1'/>
Reference: this document</t>
  <t>Field Name: <spanx style="verb">Token-Request-Auth-Params</spanx>  <vspace blankLines='1'/>
Status: permanent  <vspace blankLines='1'/>
Structured Type: Item  <vspace blankLines='1'/>
Reference: this document</t>
  <t>Field Name: <spanx style="verb">Token-Request-URI</spanx>  <vspace blankLines='1'/>
Status: permanent  <vspace blankLines='1'/>
Structured Type: Item  <vspace blankLines='1'/>
Reference: this document</t>
</list></t>

</section>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>Existing user-agents that support redirect flows usually trust all
redirects.  As a result we make local policy <bcp14>OPTIONAL</bcp14> for use in the
automatic the extended Bearer <spanx style="verb">401</spanx> flow.  The specification of an
"abstract schema" for local policy is an improvement.</t>

<t>User-agents such as browsers <bcp14>MUST NOT</bcp14> allow scripts embedded or injected
into web pages to access to the STS responses from extended Bearer <spanx style="verb">401</spanx>
flow.  This is already the case, thus this requirement is not a new
requirement and does not impose on other working groups or standards
development organizations.</t>

<t>Apart from the above this document does not add new security
considerations beyond those of OAuth and OIDC, but it does remove the
need for "codes" and PKCE <xref target="PKCE"/> by not abusing URI q-params to carry
tokens or token-like "codes", instead carrying tokens only in the
<spanx style="verb">Authorization</spanx> field and in the STS response body invisible to scripts
on web pages.  As well by not abusing URI q-params no sensitive
cryptographic material such as "codes" and tokens can end up in
user-agent history nor in client- or server-side logs.</t>

<t>Thus this extended <spanx style="verb">Bearer</spanx> <spanx style="verb">401</spanx> flow is strictly an improvement in
security for OAuth.</t>

<t>But note that when the server does not implement the extended Bearer
<spanx style="verb">401</spanx> flow then a fallback to a redirect flow may happen, thus
user-agents and/or clients still need to implement PKCE <xref target="PKCE"/>.</t>

</section>


  </middle>

  <back>

    <references title='Normative References'>



<reference anchor='BEARER' target='https://www.rfc-editor.org/info/rfc6750'>
  <front>
    <title>The OAuth 2.0 Authorization Framework: Bearer Token Usage</title>
    <author fullname='M. Jones' initials='M.' surname='Jones'/>
    <author fullname='D. Hardt' initials='D.' surname='Hardt'/>
    <date month='October' year='2012'/>
    <abstract>
      <t>This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='6750'/>
  <seriesInfo name='DOI' value='10.17487/RFC6750'/>
</reference>

<reference anchor='OAUTH2' target='https://www.rfc-editor.org/info/rfc6749'>
  <front>
    <title>The OAuth 2.0 Authorization Framework</title>
    <author fullname='D. Hardt' initials='D.' role='editor' surname='Hardt'/>
    <date month='October' year='2012'/>
    <abstract>
      <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='6749'/>
  <seriesInfo name='DOI' value='10.17487/RFC6749'/>
</reference>

<reference anchor='HTTP' target='https://www.rfc-editor.org/info/rfc9110'>
  <front>
    <title>HTTP Semantics</title>
    <author fullname='R. Fielding' initials='R.' role='editor' surname='Fielding'/>
    <author fullname='M. Nottingham' initials='M.' role='editor' surname='Nottingham'/>
    <author fullname='J. Reschke' initials='J.' role='editor' surname='Reschke'/>
    <date month='June' year='2022'/>
    <abstract>
      <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
      <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
    </abstract>
  </front>
  <seriesInfo name='STD' value='97'/>
  <seriesInfo name='RFC' value='9110'/>
  <seriesInfo name='DOI' value='10.17487/RFC9110'/>
</reference>

<reference anchor='RFC2119' target='https://www.rfc-editor.org/info/rfc2119'>
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname='S. Bradner' initials='S.' surname='Bradner'/>
    <date month='March' year='1997'/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name='BCP' value='14'/>
  <seriesInfo name='RFC' value='2119'/>
  <seriesInfo name='DOI' value='10.17487/RFC2119'/>
</reference>

<reference anchor='RFC8174' target='https://www.rfc-editor.org/info/rfc8174'>
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname='B. Leiba' initials='B.' surname='Leiba'/>
    <date month='May' year='2017'/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name='BCP' value='14'/>
  <seriesInfo name='RFC' value='8174'/>
  <seriesInfo name='DOI' value='10.17487/RFC8174'/>
</reference>




    </references>

    <references title='Informative References'>



<reference anchor='GSSAPI' target='https://www.rfc-editor.org/info/rfc2743'>
  <front>
    <title>Generic Security Service Application Program Interface Version 2, Update 1</title>
    <author fullname='J. Linn' initials='J.' surname='Linn'/>
    <date month='January' year='2000'/>
    <abstract>
      <t>This memo obsoletes [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='2743'/>
  <seriesInfo name='DOI' value='10.17487/RFC2743'/>
</reference>

<reference anchor='NEGOTIATE' target='https://www.rfc-editor.org/info/rfc4559'>
  <front>
    <title>SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows</title>
    <author fullname='K. Jaganathan' initials='K.' surname='Jaganathan'/>
    <author fullname='L. Zhu' initials='L.' surname='Zhu'/>
    <author fullname='J. Brezak' initials='J.' surname='Brezak'/>
    <date month='June' year='2006'/>
    <abstract>
      <t>This document describes how the Microsoft Internet Explorer (MSIE) and Internet Information Services (IIS) incorporated in Microsoft Windows 2000 use Kerberos for security enhancements of web transactions. The Hypertext Transport Protocol (HTTP) auth-scheme of "negotiate" is defined here; when the negotiation results in the selection of Kerberos, the security services of authentication and, optionally, impersonation (the IIS server assumes the windows identity of the principal that has been authenticated) are performed. This document explains how HTTP authentication utilizes the Simple and Protected GSS-API Negotiation mechanism. Details of Simple And Protected Negotiate (SPNEGO) implementation are not provided in this document. This memo provides information for the Internet community.</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='4559'/>
  <seriesInfo name='DOI' value='10.17487/RFC4559'/>
</reference>

<reference anchor='KERBEROS' target='https://www.rfc-editor.org/info/rfc4120'>
  <front>
    <title>The Kerberos Network Authentication Service (V5)</title>
    <author fullname='C. Neuman' initials='C.' surname='Neuman'/>
    <author fullname='T. Yu' initials='T.' surname='Yu'/>
    <author fullname='S. Hartman' initials='S.' surname='Hartman'/>
    <author fullname='K. Raeburn' initials='K.' surname='Raeburn'/>
    <date month='July' year='2005'/>
    <abstract>
      <t>This document provides an overview and specification of Version 5 of the Kerberos protocol, and it obsoletes RFC 1510 to clarify aspects of the protocol and its intended use that require more detailed or clearer explanation than was provided in RFC 1510. This document is intended to provide a detailed description of the protocol, suitable for implementation, together with descriptions of the appropriate use of protocol messages and fields within those messages. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='4120'/>
  <seriesInfo name='DOI' value='10.17487/RFC4120'/>
</reference>

<reference anchor='GSSKRB5' target='https://www.rfc-editor.org/info/rfc4121'>
  <front>
    <title>The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2</title>
    <author fullname='L. Zhu' initials='L.' surname='Zhu'/>
    <author fullname='K. Jaganathan' initials='K.' surname='Jaganathan'/>
    <author fullname='S. Hartman' initials='S.' surname='Hartman'/>
    <date month='July' year='2005'/>
    <abstract>
      <t>This document defines protocols, procedures, and conventions to be employed by peers implementing the Generic Security Service Application Program Interface (GSS-API) when using the Kerberos Version 5 mechanism.</t>
      <t>RFC 1964 is updated and incremental changes are proposed in response to recent developments such as the introduction of Kerberos cryptosystem framework. These changes support the inclusion of new cryptosystems, by defining new per-message tokens along with their encryption and checksum algorithms based on the cryptosystem profiles. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='4121'/>
  <seriesInfo name='DOI' value='10.17487/RFC4121'/>
</reference>

<reference anchor='SCRAM' target='https://www.rfc-editor.org/info/rfc7804'>
  <front>
    <title>Salted Challenge Response HTTP Authentication Mechanism</title>
    <author fullname='A. Melnikov' initials='A.' surname='Melnikov'/>
    <date month='March' year='2016'/>
    <abstract>
      <t>This specification describes a family of HTTP authentication mechanisms called the Salted Challenge Response Authentication Mechanism (SCRAM), which provides a more robust authentication mechanism than a plaintext password protected by Transport Layer Security (TLS) and avoids the deployment obstacles presented by earlier TLS-protected challenge response authentication mechanisms.</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='7804'/>
  <seriesInfo name='DOI' value='10.17487/RFC7804'/>
</reference>

<reference anchor='PKCE' target='https://www.rfc-editor.org/info/rfc7636'>
  <front>
    <title>Proof Key for Code Exchange by OAuth Public Clients</title>
    <author fullname='N. Sakimura' initials='N.' role='editor' surname='Sakimura'/>
    <author fullname='J. Bradley' initials='J.' surname='Bradley'/>
    <author fullname='N. Agarwal' initials='N.' surname='Agarwal'/>
    <date month='September' year='2015'/>
    <abstract>
      <t>OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy").</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='7636'/>
  <seriesInfo name='DOI' value='10.17487/RFC7636'/>
</reference>

<reference anchor='PKINIT' target='https://www.rfc-editor.org/info/rfc4556'>
  <front>
    <title>Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)</title>
    <author fullname='L. Zhu' initials='L.' surname='Zhu'/>
    <author fullname='B. Tung' initials='B.' surname='Tung'/>
    <date month='June' year='2006'/>
    <abstract>
      <t>This document describes protocol extensions (hereafter called PKINIT) to the Kerberos protocol specification. These extensions provide a method for integrating public key cryptography into the initial authentication exchange, by using asymmetric-key signature and/or encryption algorithms in pre-authentication data fields. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='4556'/>
  <seriesInfo name='DOI' value='10.17487/RFC4556'/>
</reference>




    </references>


<section anchor="acknowledgements"><name>Acknowledgements</name>

</section>


  </back>

<!-- ##markdown-source:
H4sIAHPKS2oAA71c/XLbRpL/f55iVq6KpS1Ssh0n3qjWeyvLcqyzLfkk+bxb
qZQFgkMSEQgwGFA0z+V9lnuWe7LrX3cPMAApO9m62/wRUwBmpqe/v2aGw6Gp
szp3h/bl1dVb+8wllavs0bKe2TeunpVje/KxdoXPysKbZDSq3O2hGZdpkcxp
zLhKJvVwleV5lsz9cFbXi+GIpxi6MGz44KEZJzV9/en50dXJZ5PSH9OyWh9a
X4+NyRbVoa2rpa8fPXjww4NH5satV2U1FogGCtKAYXJFndFwmnVgz/HA0Jc3
06pcLuRzQ98mh/a9G9mkGNvTonZV4Wp7VSWFX5RVbYyv6c2HJC8LAmntvPHz
pKo//Losa+cPbVGaRXZof6rLdGDpf1kxplUH1tPgyk08/VrP9UddZSm9Ssv5
ItEfc/qYXmVFnhXuZ2NuXbF0h8ZaBfLs5Or9+cUrelCvFwTAe4I/K6b2R7ym
p/Mkyw9t5uqJYHM1/evq2/2ymtK7pEpnhxaP/eHBQZ752u/Ly4MjepXdOn/w
djnKs/QgnuCAhlZuUbZDp1k9W472CdyDIkvLQL+DHv2MSQjFZUXgD2kOS7si
BJ3t2/c6gB8KJ5zRPN3nBFZSZP/F1DrkJ4uScJ/Lb2uHRFFfZwX/mZbLogZL
vCuy2o3tZU1MIvM4QQkA/WtarRc1ES6tywrgG1OU1ZyWuGUcPzs5uji5OLQX
L46/f/LdA3pyfvTu6uUjffL4B3oCLuG/f3j48AFxXzFpZ6DXP15eHr095Q8e
PXn8LT05O/nx/OqUOJcfPv7uO8zy6uTi2cnF+aU8e/jogQx9dfHsu/DoIT26
PL44esMPnvzpwWN68PbVsczz5Ptvv+e/T89Or8LM3xsDDq/X2MzlyesXh3aH
3tiC/tsxZjgc2mREXEfMZszVLPOWJHEJlrN+4dJskjlPfG+z+aIqbwmNLNOP
HzxkYXj84Imd5OXK0o5VqpjArVDZ1cxVzi490T+ZgpPtLn2b5hmWSBaLXD/0
ezZNCowugbs0yfO1nbg6nRGn/bp0HjSsyxvSAHZSlXOb2EuXLivamr3CY/qz
us1SZ3Yvry739q09shOaZJSkNzQOezhfuOL0uT0uC5Db7p6fPj/eo9nHWYW/
eSOZJ/ql+XLsxvuKkGbrtOsD7Fg1Gr4fYH8FtjceWJdnY8IWbd8Wjr4HUt5W
ZTkxr9ya/zoux460XzpLiqmzuyDdHiNyXNLAoqyxWOmdJcRFuDHEwreu8klu
L5wvl1Xq7Cl0CMhT2d13F6d7lnBUre0iqUh4SEVZAiWbFsCDtyuX56bGZhod
agk35cozWC11iAYk9aQ8yokie1+YZJ6Nx7kzxtyDBqzK8TJlyAzzw6dP+Ofz
ZztLiFtssZyPCAKao8cMc9b/9MktCWAyyt1AsY0lFa2fPonM0Wz1LKkBnBfN
bB/tP6DXIoCfPwP3GbFHxig3fjn6BWQE5DEfEwYuy7kTxt0Oz8Dm2Y0zZ2RD
6oy0BC3SiCjWYVQxXSNMgac6zFo5MgfF2OCFvSZmuSaFhR9PrkmvJ/XS6ydE
X+YaorTPCAl2tLYpGZkaWEgE7yYvZdalx1OsTcpgSIqEgBONAshI42fxd69c
RZgvvfn0KeiTz58JAy/LlbuFycNEimjZvHWTCaGN+Iu38OuShMEL5oHVTUEN
+wQCMBvv9EC22UOvCq6pEnpcYdKChzApWlQOWASy2kLOWITyrCYHAhAmZOcT
Bse4jGchLYGxWH6STZekXMplbWcgUGnLUZ1kxNthj4xL2v9VOU7WtIwRRoq3
8wuZDOZbGn5T0DTdqSKE8WQMrNHvR47MTCFgjDFrVS4qcFC+lk0xJ05BW8Ju
ns2zWphVARhlOfQXs2wXk1AukL0zciGEGiviGjKGdk4mj0k1YZCU0/h7C107
sCPCB6i9rmfCO4Q8XtD5/oAk96XtvosWfwnVTeuKJVjHyoOwOGRd4zt8YN+/
fz+M3CqygIo8pnnD/76UTSlNMX4Lp5X8xnTUU3E31TFLz1ZYciZhk2jSNXDB
UkWCR0usaYOqGrFH5T1inRVxCk2qap9nhaXoGQr6Yp7csEYwQeW0+BGrFwQ8
4oWGxRNSqdNK9rkg+aAJDa1dVvlYR5NWt78Kkmnf8wVrB5oHVoOUAP4hHYkn
KZmVYV0ORXMQR8JYwKaSf0e2qBySZzolNMMqEWaY4wl+SFFQrB/Z2jnZAj5S
srXMQqA7TzSgdwxehj1M87KCERo32DFM1+S2zMY9Uxj2UAqlIkLf9/FmwXn3
7tk3pItvxfzRn/fgrLOyBV9M7LXAd23MaWGJNVxFdCUVsiqXhECSy5GrYQW7
5m1DyN1H8iFqZxrj0JoEIFYnJnEjiNdkUsjIf0zdouZ5AwwDIZjhb0piOIKw
oDG8EGv63n5Z3SgnjHt2xawyKKjAvjOXjLFf2trIAXtCQ0IRG7VoaxQ8LMka
JmLS3UfCNqnQXdHjts7o68CnK/KaaK49c00OVE7wj0t2PvxygYCmy+mePAty
oEVQXFEupzMoVMyTJjDOLJ+MWUROxHLkePOuiL1Y5Yl/R1ZuEING8KZVthCj
x2OMjIn2dD+eYJ9pTWGc6D2WPt5yTN9t/qN6jVCgCSE4Fmxh78ihazRTz9pD
8eT0WRBtNgLCQ0nKRjPQLCCHfExH4s9Rhz1/e3V6fnb0uqOAWFMbZpWRY1zS
6vMtm1LyuAIuU0SdEn4J8Ddam7GbJMu8Vl4kLhhVRDuaA0FhZzbyPn07C+hi
dfC+SNqbhONHVg0D1n0iDZdHb14zIMdEQIgxhPY5u5mG1LwXvRYI0LGaQgnM
Cj1dlrlvuFV4EPhmpWLYJAH7cGArtvN3OsYMgTq6AvuFI88U67wuITiFxgan
3i/BpLTXF0kKqyvelrw9FqeXNrEGWzFHQheoMYGim2SVr4dpnnhvy4VTxb07
Co6XMJLogcavo+C2VvlNGoTvqTHosJcaRh5FMmJEL/UBAQsz28NXCotMxEr2
XFP48aSRhPPHFCaJE5lVNBdFvwUbw4yoQnohcGwUESQWOCXNnkJiKqfuPqiX
MSqJkWlj9CdzbEoc5dWCCL15fZaaEfAwnLt5SeEJTe0p0HY8VGQBfyeIhtz+
dJ8YTTxfQnju/JrwN99jiPws4U0k81L9YWz4PqKmYqi83oknB2ayrNi7qAJP
RKAru5xApIKD/c672LSE+O3jmhNFxhwvq4rQS+LafEIbBHOOGBoxcwsewWTb
ZXdqD3tVCAnJ3jS/Va5jg6QaSz2ZrAqODMH7giafJ8Xaqr4FyeYugWZly+Dr
JYW6bD4w/syt7JVLZ0WZl9O1fX10Zt4kRQI/YPfs6vWbPRqMQDTzc3ubUcTS
hD/X/fiHFt4aWPTH8ZecoKAZ+F8OPp6Rp4YV4TKsXHLDynOMEJjUPtmtMDfe
i/n0DraP4gA3TdK1KOSyIM04C+adNSFcJjgaqp544SaEWZCoIunnVd6WPD/w
DeYuprkbgseH5F/4Ml+CZwjJb0g2apWPrJhUia8r4n04nJOA/9hPEDdotCSr
BKtvRDeUlad9n4ff6pUgyASNmR/Vq5eRiNIJSMzezsDWSqMM3W7ksiXiXVG4
MU9EsNiQADYjsCnm69Zby1l0KPQGm7OxpimJCYM11ZlJ3hd5kjrOAk0i4tOM
b1vuhjebVBpw01aa2QeCbTJKDua7EFXL37QDXARNUGvsqOAB0bki700cQQqB
WKJJKRzDtS1YvEXZ3JDHJUTeefPu8mpnIP/as3P+fXHyH+9OL06e4/fly6PX
r5sfRr+4fHn+7vXz9lc78vj8zZuTs+cymJ7aziOz8+bo7zvCeDvBuu+wdesk
0RKxYKwEaUfkQ8OBJiVAVovcn5FowmfHb//nvx8+Jqn5A7KEDx/+QMIlf/zp
4ZPH9AfcSFmNySx/wuFEbEPKCLOQ/iaFtCDblsN/9UDjqmBvnTD5x5+AmZ8P
7Z9H6eLh47/oA2y48zDgrPOQcbb5ZGOwIHHLoy3LNNjsPO9hugvv0d87fwe8
Rw+RoDoJMYwY5euNmNQG9f0CHt+ne5eOrdvw0edYyYMbWxcrjnhBVPWVhX4h
39Pmd0gLm42Fn+q6SAsP7TW5afn8mn/6lMRefrqqKqvo5wfhlAUgjB+TTafo
5z3phvG4D+t4nInEDFrPM9qAri/m8NpqxAFfitN3t0m+dAKWqyiU/MAW6AMc
yeZjsfLsW25JTp4l5BTsvrs420O+/QuT9udjSSGVs0oqDo00tRAgHTFVMGfk
7WxNJ8tKNVszXWKH/9wRSOxwKJKalpUmtJpMBkf7OhhrhSCcCd143+FjSSpr
NFeJWmoAbtOx6lz1PLWtsMOujTNiiVtNjYAy7ENuz3hbzngDoNuMAg78mDqa
0bTxCKI2TJESfTxCla/CkLLJmicLmkc5NWIhRaLk1Wl1gMjW3926kIihITpL
CtfW18iTJI0DySNmkpcEYWfJrWQ44mWgNAvlhDSpKs7htRPAcrAHQG7hKJtS
nMrlilEpdo/dI81m7zBAO+qk9pgwWjGik3yDpeFLENKkVjStksUsS03DsvhW
YYJD1CUxeahbEXzfI2Pt4diz/y8Ofmc2ptzX2cVwWtCD4hR0rqIUGJIHyOEw
twwv5PnwbeUm12EloaMkz0xXiRHkd6KJ0HjikQ3KNDtCkjRZFqlE+uzoRKIS
ZpTUpIojL2Y0MY4MFlu3xn29vuSlh1e6NL3rPBpesTpipkDsVjehB7t7rXri
YlG9heaYcVPBmVjRA/CQHB/YbBJyYMpFEWVotoPtgsRGlhOQveBfgkU4lIQ8
Ih+bbGRRZk6Sok16qtGPgU2SaYLYkomGZ5XQW9mGrAKSThrJtojZymR3aiSz
uQlE5uCzrrWZZC4fB5tygbQ058RoM1mU125t4yyBB+9iZYqhwrxdXr0OLIx8
bDFmI9qmZ8J+UKPjmm+zhOilfi6ziwWxJSrkDHtXTITxBrLhMkJjYCiseKeA
xNzy/0APdap+C0W6u4I7MnzL3I28JYsiaY+Y6ctOsYZ3GczZhsxEFs4HvgMs
MAnqIWmkOnEJR1HwhhCBLVOkxybLvKUaMxmCHXP96MGDpmjGuqH5iNAaj40q
S6RSvv348bplqlbtqMphvNjr16Vg8VofRBQWdSgBiumhjuxNGLHbEnevVTA9
egIHiHQblcZYDLqpqVfovkbleK1qRYBAE4FXUCA1LAjqe2plfmx/Gjmi+c+7
9yjaHwrZ9yRqOtEEMJKaxly0oF2Hlg1kbvbLKptmxb7mZPnZQaVuHPzUf/zj
H9zjMZwTxokjzY8nV7b7GZd2Dh7uPzQvS18f2i3zYhotJ93pAJFzz+Gt6AHe
y2Cr6RqYWBskIAR0TpFKiN5WXpkbpJZlEUWGOha7GSYattXmz8qCM2uIWttP
o5SeOCwAZkrAeSTlmBUmGTIbFJgXdRalqmTDSmJdZp6sO4n3WFLQ8aMVbqTX
uLgBQy8lM8OoKuyycF+NdkYa7XBeT7ACF9d00vwoEody30yr3Qql+sfYjAhS
q1rN10KsbSwU+IXbSI42S8bIepnNGZs805Z3quFFTz0NHJ6RozIpy4a7bx8e
SInM6n8cdj0lz3B82GHp9oNI12n0dvhnfDr89/dXfxG2vuorcxL8bdt+e07q
rYVBhKUHorlTWx/eDewWuxUwEgO7oc3a7q2vqgJjyOstanaRni6r4hDdYIca
TZawHof8AVcbDnmDQ6d9Lt+QSzXOID1Pt6zzjblrX9+Y/f19RfFdNhM6FkLk
yDJm9WYcDnFF/k4F0fyG0CtuYnBNhnueFAV75C84O68VLA1+5tl0xo0qbWI4
xJwCNeOGYcCfO1KS72nCuA+BVItotoyQZXchj1IukaBjGOYbqi3xoQg1ZhNN
6oowMGOPkOvkpK0Yy1osyLwJCaq9QXBdCX3RPuKk7vWzxGepZHfZOej3eGku
9DfGK7oMfBfTbaAIxVnRenf1DtlpduuaMJInM6o22lTvDuns4STHyx2Q6fqI
+w61eTDYcTXCIpCbrEUbeu+krStyZAXDNcWinFkFStHDSmE5KpTsjrJf1lRo
pCIeswrDHkdIXBaN9bgJTQZJIf6YgMN1mrossQjDNY56PnoMBXfK+EQrnZzO
aH0Vrmd1ZWqAJAYcK9X9RBiywLRTknejSJFhBMsgQkP7oqlTBZeHTDmS0sqc
JqX/SdDIdpDoxP0ZNmTVI3IH7YFM5lZvsXHDgdaMK+TbPU5OfYtHeX1+00vS
wdns+4Ocop9nm1W6lp3RxyMY3VXMb1ct7NISheFja8FGW5poy6tk7fe+aCAJ
aHt+YwKAv0th/5mJqzbqb3/7G7FynhONXTVLFl7tPLIz44z8ogYfzOd9jHCk
KmIXepGCxHVRdKD7DpKsrM9b3RcwToOeGWmJN9Q22i47UBQM5xhr/dImuetG
6uQuZ++F3V4uTdZe+bVvJwRV7e7VmzboNB63XqYwxh/ZVVInWxoJeuqDtnIO
qVxlEpEEoJs2zm0OHcto06LCKiDKWnBcBB6eta+RcgqJkdB1p4al0RwJB7/o
bt3oUfoia3374BHZMnRd/BPc9W8A6+n+/jcsA09jM/0lMZg77gsNKc2sEM82
YC/kYSViiiS2YUxN8PjN0KlJHsHcbco0er0qkLqZivnXo7FFJt0VFbICPjlO
2xts522jsXer+wRTSb6p/rZbHYk3jfoKVgV1Y5vCyQSzZipgAeKGwDpu12oc
j6hhK5R3rPYbY4DWnu8DycWYPsrLtlG76EubFDdlCFmfUw1+euqO1wmpqpaY
mqoSNVpswVdjcXcjEWpdNx+p/b1gqj0qCzg4wSXMRGrDppEqkm/EzWxQmrLy
KxKMxpxw+kkMHLSHdrRv92gkTXVnWzBTISPPXGE3XOJL0jZjBuSTmkNaPig5
AkzKOT40wq3cyC6SqVCVwlL0VmtbWNeblcBekqA2KCuLPCg9zJ02ZL/XBIt8
hnYxEZdWM3ccXPh0oWkWgXfCKNfk9i6z5DibcPhbixPpSTIy6YjqKaVu/oXj
TQkQ1TPswtQpbI9J2Y6den5S6I7zScHsSms+G/RtSe3GqxNLIG6NieN6kKxx
E3qhs3S7qXgvVTHJyiQvbRKgo/2jyVV1Y6RkeoNrq8eL1CFc26bnPZaiXtpg
N/RHjdaxRKJmUHMjzDyRjiroKRwwSm/YLIQMKHEF3NftQt0w6m1nAziAofYz
RFJKWVax+lvYVx0BZCS4FShpeZifGoJyOmXfbotpipChHiBZyZU6nZ4jDfXO
8qy4sZ2OPOY8IgttuER167zq7YHoyr1i0so7ibqIuYw0K0ulW/Cxl8gR1lIk
0y5d55fzBODxDmHSl34JVwAhyxi9KFEj6NiNltMpF5rwx7xE1KmtvcsKsGhP
6ztQ4YipQD8pWhg7bd5v2/N4wQw2lxsIWjUgeGN3s+n6r9EB0ICo4iFjvigf
tbaCSX/bIPTWw1mjudAzW+SIBLrB2bhEe+RuQzpuReDmLHIODIwpZx8vXOJR
BsKbFqyQC/siYAy/JK65rodBTcKe+KzuvOmKjDHvIjSqGEcBJp83aflO+vYS
i0NvHCADfGlNKtEhV7Clqd1cNiLmgnNgMyn7tdjOgkMpVD4WZXUU9ymC2seb
h56YXTla7FJ8i2ZSt4fIzVoGsj5d5km1mQLkdJ40t0OGOj3CK3Uzs45R6GRA
2KoFaLy5C5y619OsCOfURVzoYpR2NKH2d9Ng7pzU4jJS01pnkF43jh/LYthb
HC7joNvzixZ43ojXjkPT5VtUsZn1NuvYUikKC0tU64opVBm51XeSooloaCO9
HtL30h/89TRIi2Pbnh5oy1UmWk/NLXe5RZWflmckHlK3KO7ARItcnrtb9l9y
7YklX8VpW1x7zkHPZPGJFG30yhB9a4l+YNS8FU7UbLqRkwvGx4fzDuLRKcRa
pjLXwJQbHpc4RpYH0Se3o6wg1Pm6K1uuW9syYkRwMFXrW0U5ZGCIeMviV9LR
XBnhV/PkIyhwHVd42rNpamzUAKnn0WxKdotEcNzgOZamB8KZk4Q4mZqsijpO
hrQmLfkU5atSC7qV4yOhoeUPnaw0FQPt7RxpPywhHbu0Xi05HqSkzKlWUHs4
g18+8qosNgx8p6aC46iu+h240hT/umkPDtw3zV3SVj9DGUua/wB3k9og6Egn
Fdwt4XpJNnOZzYnNKq2n9zcG69ZCuWWfd6RZjv5ueZ8Eq54mm0Rb+memAe1w
5GG/01F2EZyYF1xWu4r1Q/d8kJ6ExEngvHGMe6mrUHxuuiKY1v3qRhARLThu
8yPhuceNCyFOXEkGJVEF0TkI4ypuzXR94DQJyMbRG1+WIeBeoy1XrdNCQqd+
mD1oE7BNactxQfeuTUnUnRJ0KogyRdFEuQvRQ6h7Gs4QOU3QyUEQTf5wFg7L
yaxcQRW7PV/mdTbkB2OjFVKO7MnvKCunthBDOx31SVQJrFyesS/IR8rR5ftF
Omk3NkJHjdyFvXBmp86Qg1tJiKZcR1/6L1M+5IZEk5pE0j6NwxqlQlbMdb0i
CNszPXsR1+6k3bfjM9xrol09Z4US3a3v8r0n3yKuYLIbuP3s0EBeRvEV+/ao
NSRrE8YU0Zq0gbY1lltXrQ1ucsJ9TlhX3GSDbrOa3XK7Za6mtIFxGy52m6Jz
5u5Tb6Ff7G6nlUs2q1J57jAqElwHXFzvSySrEhyHK71okySLvoGliWvOLCMc
NRsJ0sORAA3vkGMUaYoVXUMiWBiNenoRojjBXe+MQb8zLmUeec3u3Vt274x5
HTt7WXvWKYSfjd7qeIVhp2rG46YnOebUHiTqehkzgi9v/PDmeDQs0N1klIiC
E8x8yQXLeKaHgpRL2Dn0/OVcfFNuv5DHbPXle5lre3GqSWPjbGvCh9Mxhm0d
mvsxdJqXI8ID0IyYYxgSzepWgywt8dWXatEj+2TcQQN4t31Y04m4jXMxBzMM
w8Nn8gBrUK9aWSsX0kPMh43hnXFWZevGMWG8+B2H6O4oB5ImkPFasPtt9br2
dFZdNj6IgC56bBWMw6eoO+bztqYoEWdOdjbHPca6JHHADUpBpxQJhgyI9jJb
7islHtvBznaCtO9srvC7J6c3mH+HBriduJXsrj6137FA0wKBVDehr+3MvrtV
7CvTv8406y3+az9xed93Gszajsw720ZaDt2Ei/uwMt/0c3X2SKosHN8JZYbA
G9HR8NYdFUaJoOu0xt/RBL/Zxh61m5OVJ5fnJy/5WPvo5932fMGepotwyIWj
R/seTeMhVSDBV9TpIrcmrQ5KXP4QH8OypyH0kzzCH/SukrAq/Tw9e3F+8eZI
dTGbbHG9o2PqcnQyHNOTewDarvvoQFhzPlrPFmmeTzIRrPB6h6yDdY0n0fKM
CZ3eahCyzlbC6aBtt11sPYTWtiUwkppDbWhHOArub3MsXI/Ag30KVI6H3Kvs
tZFech+1d/mEkSJVuAbpxKQ3rpaGbvShUxRY+ZKd6OYMdBLVHchlfp4hXTvi
42X22CHvandf4d6Z4CmbcHtBmDxk50ZuluSTQRviIZgGVOS31w1+wpU4ZcVe
abN4e7iPMYhrhPgw3pW4i80pLLYeAT0Gh0OrG3Z2A7coN3zRRToqtlBREthx
/SR0q7B5kaMB0uliUlfVXGytw+0SJZ9zaBsGOI+DjUsKuPneNVfYSNlQrj/i
+xHwA7fISLz+RUo9P2bULNGUn87U+wdHCGYQHvA9BnCC5tx2mEqnhCCHxpOO
w2E0BMAjZKgMZ6XC+Vciu5zrc218jbJUD2ud8oSRHXDdTc924SqcrQBCeln6
+XjI0EO+ObuPeMC8Cie4w8eeMxrhlGV8KK/5lBWVHkJZm5DGDjUOispGzCWc
Xx1yETGurgKhnIFUi8113vhsbZR0k4NHbUqOmzhbtWGabgGi3GSZN5n6UMtv
6gLs1jNDhRaqpsbXnhrRu6NEew+bSxhCFpj8ZMKqF6THkAdeGZjOHQb8CY9p
M2+6EoPDTQ5IFrH/06Zq7vuoGcbfb/xEjp23VI/spjel87PYM0m1HVdO2TTY
bbqJbfeMbyeVm3C3tJuT4+2/WljWg6V81KdLX9Me5Z30wYUszFy+iEOTOM3H
B7HS2rTN5hunjYIiZKAxH59hRYveAoX8cK4UN34RLFuwyCb3kg//0j/TYnhe
fMFw/udJCLF6ETTXs3DUGRci9OpaZbXZHxvd6SP9GrZzSHRgkaOY87VBPawx
g+klTE04u53hO1Xd5hPJb4eDIS9DSw6vXkAzZXqER4/fswQ3R6cHlm8yTJNw
jPrt6RmqRXW6v7fRW9g2ooHZuli2u5eX53t8hpuB5os4UFHKcF/fdJn5GW5s
WUEj7ShQvVBjRxNDxVDf92v2u9m+ox18IGX9YfsWBgK/ZfgHFBinM8P2v2Hb
zul2dPPwPXIxFzcl3rQsbzhBzmXunW5jZmj03I2saGNv1NRHH/PfAzMiN6a5
6KDpdkjSqizWcyD6/tWPV/f3JCe1cFC5+bpH+DLWdSz0fIUK3DrkcvvJbmYS
7TotuRceR4u0BGKyu6nBonR6dHaEQ9m4+kMkzLPWr8OZ8wKQTuED8S1X/Wt2
Ysd7gK4yuRHByBhtDFSxLrp+utyY1uaImhvOsra/zHT6y2RAsJ8NWCPJA3Yk
koz5gm+9lMx+wlcgXrw43u/fkRgAhQK55TuIACZvU4NPGBb08DhNsN2Tty84
dLkQIALmKIiQ52d8AebW0B2RzCUfjDmEBZwnBZ8w4qdNdHbFF4EiIOI3FyEy
P+xu8ysr/ksX0zj2X7pkHOH+SxdGCPt/vOC99nBwXyBPPoqW7cZokavZv/BJ
Wx3kCl24ns1RES/3SXIakYxWc3NDJ7XXHDlXxzwcL40yel8OKLRbKDRghoCC
FNtOuKyUbM6MYpUdXiPvZSDb+0rnknePGwOavppwC0vTqSWBbOjOQq/iGPAh
U1j8wn4kOrzKpmFLoohOIBB3sGmiY+s+TbPPTK4QyXH+Yd34UuoIMo2103au
vTtygwkKPvGLOy4Rlbh4pTcC84XBXi7hoQEwiaQib0k1LeaSn2vv10V64ogj
gyZdk4zk2qxYATZr4haCQlp4mAtN2uFCUoBrvjSSU5ZETL1rhB7JBVPaHMvz
0Z70gi7T3B63g5ZTv7PlBryRFJqSkeSC45vkmmPj4SakUk+BStivcw6aU13h
NHGIqrl4EQ5Hb81Icq2x2KC9NExlRdT5p3xl0GoZGKi9nfWLuyjQ9KwRnekc
QkcXmKtgngNbx3jSXXBLFJL6C/Q0RM4MUbLGrUwFs7jmZofMHxIegYAkXVMf
2vW7jQrbmk7hS/Ml1vBMOnKIxQN3MEmZBWjmZ1K7C81jwcvXGCHm6m0dMpvd
ErWU1zq3//aqsyhbzXBzSiGSZnr9JO1ZbmyH+6ucC+0SCkWHC/WaXKwHXXyU
ov09d+OpdtGY/wVycuXRF10AAA==

-->

</rfc>

