Archive for the 'OAuth' Category

November 21, 2014
A JSON-Based Identity Protocol Suite

quillMy article A JSON-Based Identity Protocol Suite has been published in the Fall 2014 issue of Information Standards Quarterly, with this citation page. This issue on Identity Management was guest-edited by Andy Dale. The article’s abstract is:

Achieving interoperable digital identity systems requires agreement on data representations and protocols among the participants. While there are several suites of successful interoperable identity data representations and protocols, including Kerberos, X.509, SAML 2.0, WS-*, and OpenID 2.0, they have used data representations that have limited or no support in browsers, mobile devices, and modern Web development environments, such as ASN.1, XML, or custom data representations. A new set of open digital identity standards have emerged that utilize JSON data representations and simple REST-based communication patterns. These protocols and data formats are intentionally designed to be easy to use in browsers, mobile devices, and modern Web development environments, which typically include native JSON support. This paper surveys a number of these open JSON-based digital identity protocols and discusses how they are being used to provide practical interoperable digital identity solutions.

This article is actually a follow-on progress report to my April 2011 position paper The Emerging JSON-Based Identity Protocol Suite. While standards can seem to progress slowly at times, comparing the two makes clear just how much has been accomplished in this time and shows that what was a prediction in 2011 is now a reality in widespread use.

September 10, 2014
General Availability of Microsoft OpenID Connect Identity Provider

Microsoft has announced that the Azure Active Directory OpenID Connect Identity Provider has reached general availability. Read about it in Alex Simons’ release announcement. The OpenID Provider supports discovery of the provider configuration information as well as session management (logout). The team participated in public OpenID Connect interop testing prior to the release. Thanks to all of you who performed interop testing with us.

August 21, 2014
Working Group Draft for OAuth 2.0 Act-As and On-Behalf-Of

OAuth logoThere’s now an OAuth working group draft of the OAuth 2.0 Token Exchange specification, which provides Act-As and On-Behalf-Of functionality for OAuth 2.0. This functionality is deliberately modelled on the same functionality present in WS-Trust.

Here’s a summary of the two concepts in a nutshell: Act-As indicates that the requestor wants a token that contains claims about two distinct entities: the requestor and an external entity represented by the token in the act_as parameter. On-Behalf-Of indicates that the requestor wants a token that contains claims only about one entity: the external entity represented by the token in the on_behalf_of parameter.

This draft is identical to the previously announced token exchange draft, other than that is a working group document, rather than an individual submission.

This specification is available at:

An HTML formatted version is also available at:

August 20, 2014
Microsoft JWT and OpenID Connect RP libraries updated

This morning Microsoft released updated versions of its JSON Web Token (JWT) library and its OpenID Connect RP library as part of today’s Katana project release. See the Microsoft.Owin.Security.Jwt and Microsoft.Owin.Security.OpenIdConnect packages in the Katana project’s package list. These are .NET 4.5 code under an Apache 2.0 license.

For more background on Katana, you can see this post on Katana design principles and this post on using claims in Web applications. For more on the JWT code, see this post on the previous JWT handler release.

Thanks to Brian Campbell of Ping Identity for performing OpenID Connect interop testing with us prior to the release.

August 14, 2014
The Increasing Importance of Proof-of-Possession to the Web

W3C  logoMy submission to the W3C Workshop on Authentication, Hardware Tokens and Beyond was accepted for presentation. I’ll be discussing The Increasing Importance of Proof-of-Possession to the Web. The abstract of my position paper is:

A number of different initiatives and organizations are now defining new ways to use proof-of-possession in several kinds of Web protocols. These range from cookies that can’t be stolen and reused, identity assertions only usable by a particular party, password-less login, to proof of eligibility to participate. While each of these developments is important in isolation, the pattern of all of them concurrently emerging now demonstrates the increasing importance of proof-of-possession to the Web.

It should be a quick and hopefully worthwhile read. I’m looking forward to discussing it with many of you at the workshop!

August 5, 2014
OAuth Dynamic Client Registration specs addressing remaining WGLC comments

OAuth logoAn updated OAuth Dynamic Client Registration spec has been published that finished applying clarifications requested during working group last call (WGLC). The proposed changes were discussed during the OAuth working group meeting at IETF 90 in Toronto. See the History section for details on the changes made.

The OAuth Dynamic Client Registration Management was also updated to change it from being Standards Track to Experimental.

The updated specifications are available at:

HTML formatted versions are also available at:

July 23, 2014
OAuth Assertions specs describing Privacy Considerations

OAuth logoBrian Campbell updated the OAuth Assertions specifications to add Privacy Considerations sections, responding to area director feedback. Thanks, Brian!

The specifications are available at:

HTML formatted versions are also available at:

July 4, 2014
JWT Proof-of-Possession draft updated for IETF 90

OAuth logoIn preparation for IETF 90 in Toronto, I’ve updated the JWT Proof-of-Possession specification. The changes are mostly editorial in nature, plus a few changes that hadn’t received adequate review prior to inclusion in the -01 draft were reverted.

This specification is available at:

An HTML formatted version is also available at:

July 4, 2014
Act-As and On-Behalf-Of for OAuth 2.0

OAuth logoIn preparation for IETF 90 in Toronto, I’ve updated the OAuth Token Exchange draft to allow JWTs to be unsigned in cases where the trust model permits it. This draft also incorporates some of the review feedback received on the -00 draft. (Because I believe it deserves more working group discussion to determine the right resolutions, John Bradley’s terminology feedback was not yet addressed. This would be a good topic to discuss in Toronto.)

This specification is available at:

An HTML formatted version is also available at:

July 3, 2014
OAuth Dynamic Client Registration specs clarifying usage of registration parameters

OAuth logoAn updated OAuth Dynamic Client Registration spec has been published that clarifies the usage of the Initial Access Token and Software Statement constructs and addresses other review feedback received since the last version. See the History section for more details on the changes made.

The OAuth Dynamic Client Registration Management has also been updated in the manner discussed at IETF 89 in London to be clear that not every server implementing Dynamic Client Registration will also implement this set of related management functions.

The updated specifications are available at:

HTML formatted versions are also available at:

May 22, 2014
Merged OAuth Dynamic Client Registration Spec

OAuth logoA new version of the OAuth Dynamic Client Registration specification has been published that folds the client metadata definitions back into the core registration specification, as requested by the working group. The updated spec is clear that the use of each of the defined client metadata fields is optional. The related registration management specification remains separate.

The updated specifications are available at:

HTML formatted versions are also available at:

May 14, 2014
JWT and JOSE have won a Special European Identity Award

IETF logoToday the JSON Web Token (JWT) and JSON Object Signing and Encryption (JOSE) specifications were granted a Special European Identity Award for Best Innovation for Security in the API Economy. I was honored to accept the award, along with Nat Sakimura and John Bradley, on behalf of the contributors to and implementers of these specifications at the European Identity and Cloud Conference.

It’s great to see this recognition for the impact that these specs are having by making it easy to use simple JSON-based security tokens and other Web-friendly cryptographically protected data structures. Special thanks are due to all of you have built and deployed implementations and provided feedback on the specs throughout their development; they significantly benefitted from your active involvement!

These specifications are:

The authors are:

Dirk Balfanz, Yaron Goland, John Panzer, and Eric Rescorla also deserve thanks for their significant contributions to creating these specifications.

May 8, 2014
Publication requested for JSON Web Token (JWT), OAuth Assertions, and JOSE specifications

IETF logoToday, the OAuth Working Group requested publication of four specifications as proposed standards:

This follows on the JOSE Working Group likewise requesting publication of the JSON Object Signing and Encryption specifications last month:

This means that the working groups have sent the specifications to the IESG for review, which is the next step towards them becoming IETF Standards – RFCs.

April 1, 2014
Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)

OAuth logoI’ve written a concise Internet-Draft on proof-of-possession for JWTs with John Bradley and Hannes Tschofenig. Quoting from the abstract:

This specification defines how to express a declaration in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter. This property is also sometimes described as the presenter being a holder-of-key.

This specification intentionally does not specify the means of communicating the proof-of-possession JWT, nor the messages used to exercise the proof key, as these are necessarily application-specific. Rather, this specification defines a proof-of-possession JWT data structure to be used by other specifications that do define those things.

The specification is available at:

An HTML formatted version is available at:

March 19, 2014
OAuth Assertions drafts updating spec references

OAuth logoI’ve released updated versions of the OAuth Assertions, OAuth SAML Assertion Profile, and OAuth JWT Assertion Profile specs that use current citations for the other specs they reference, including the JSON, JWT, OAuth Dynamic Registration, and OpenID Connect specs. I also improved the formatting of hanging lists. There were no content changes.

The specifications are available at:

HTML formatted versions are also available at:

March 18, 2014
JOSE -24 and JWT -19 drafts fixing errors found in examples

IETF logoJOSE -24 drafts have been released that fix two errors found in example values. The JWT -19 draft clarifies that support for Nested JWTs is optional. The JSON reference was also updated to RFC 7159 in all drafts.

The specifications are available at:

HTML formatted versions are also available at:

Thanks to Edmund Jay and Hideki Nara for finding the bugs in the examples.

March 3, 2014
JWT -18 addressing remaining WGLC comments

IETF logoDraft -18 of the JSON Web Token (JWT) spec has been released, which addresses the few remaining outstanding comments from Working Group Last Call (WGLC). All edits were clarifications, rather than normative changes. See the Document History appendix for a description of the changes made.

New -23 versions of the JSON Object Signing and Encryption (JOSE) specs were also released since one clarification made to JWT also applied to JWS.

The specifications are available at:

HTML formatted versions are also available at:

March 2, 2014
JOSE -22 drafts fixing requirements language nits

IETF logoUpdated JOSE and JWT drafts have been published that fix a few instances of incorrect uses of RFC 2119 requirements language, such as changing an occurrence of “MUST not” to “MUST NOT”. These drafts also reference the newly completed JSON specification – RFC 7158.

The specifications are available at:

HTML formatted versions are also available at:

February 26, 2014
OpenID Connect Specifications are Final!

OpenID logoThe OpenID Connect Core, OpenID Connect Discovery, OpenID Connect Dynamic Registration, and OAuth 2.0 Multiple Response Types specifications are now final! These are the result of almost four years of intensive work, both by specification writers including myself, and importantly, by developers who built, deployed, and interop tested these specifications throughout their development, significantly improving the quality of both the specs and their implementations as a result.

Throughout the development of OpenID Connect, we applied the design philosophy “keep simple things simple”. While being simple, OpenID Connect is also flexible enough to enable more complex things to be done, when necessary, such as encrypting claims, but this flexibility doesn’t come at the cost of keeping simple things simple. Its simplicity is intended to make it much easier for deployers to adopt than previous identity protocols. For instance, it uses straightforward JSON/REST data structures and messages, rather than XML/SOAP or ASN.1.

I want to take this opportunity to thank several key individuals without whose enthusiastic participation and expertise OpenID Connect wouldn’t have come into being. Nat Sakimura and John Bradley were there every step of the way, both motivating the features included and providing their insights into how to make the result both highly secure and very usable. Breno de Medeiros and Chuck Mortimore were also key contributors, bringing their practical insights informed by their implementation and deployment experiences throughout the process. I want to acknowledge Don Thibeau’s leadership, foresight, wisdom, and perseverance in leading the OpenID Foundation throughout this effort, bringing us to the point where today’s completed specifications are a reality. Numerous people at Microsoft deserve credit for believing in and supporting my work on OpenID Connect. And finally, I’d like to thank all the developers who built OpenID Connect code, told us what they liked and didn’t, and verified that what was specified would actually work well for them in practice.

Of course, final specifications are really just the beginning of the next journey. I look forward to seeing how people will use them to provide the Internet’s missing identity layer, making people’s online experiences, both on the Web and on their devices, easier, safer, and more satisfying!

February 14, 2014
JOSE -21 drafts incorporating WGLC feedback

IETF logoJSON Object Signing and Encryption (JOSE) drafts have been published that address the feedback received during Working Group Last Call (WGLC) on the specifications, which ran from January 22 to February 13, 2014. Two breaking (but very local) changes were made as a result of working group discussions:

  • Replaced the JWK key_ops values wrap and unwrap with wrapKey and unwrapKey to match the KeyUsage values defined in the current Web Cryptography API editor’s draft.
  • Compute the PBES2 salt parameter as (UTF8(Alg) || 0x00 || Salt Input), where the p2s Header Parameter encodes the Salt Input value and Alg is the alg Header Parameter value.

A few editorial changes were also made to improve readability. See the Document History sections for the issues addressed by these changes. One parallel editorial change was also made to the JSON Web Token (JWT) specification.

The specifications are available at:

HTML formatted versions are also available at:

Thanks to those of you who provided feedback on the specs during Working Group Last Call.

Next »