I’m pleased to report that OAuth 2.0 has won the 2013 European Identity Award for Best Innovation/New Standard. I was honored to accept the award from Kuppinger Cole at the 2013 European Identity and Cloud Conference on behalf of all who contributed to creating the OAuth 2.0 standards [RFC 6749, RFC 6750] and who are building solutions with them.
1 Comment » Posted under Events & OAuth & Specifications
A fourth set of release candidates for the upcoming OpenID Connect Implementer’s Drafts has been released. Changes since the third release candidates mostly consist of editorial improvements. There were only two changes that will result in changes to implementations. The first was replacing the “updated_time” claim, which used a textual date format, with the “updated_at” claim, which uses the same numeric representation as the other OpenID Connect date/time claims. The second was replacing the “PKIX” JWK key type with the “x5c” JWK key member (a change actually made this week by the JOSE working group).
These are ready for discussion at Monday’s in-person OpenID Connect working group meeting. All issues filed have been addressed.
The updated specifications are:
These specifications did not change:
Thanks to all who continued reviewing and implementing the specifications, resulting in the improvements contained in this release. I’ll look forward to seeing many of you on Monday!
No Comments » Posted under Claims & Events & Federation & JSON & OAuth & OpenID & Specifications
New versions of the JSON Object Signing and Encryption (JOSE) specifications JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), and JSON Web Algorithms (JWA) and the JSON Web Token (JWT) specification have been released that incorporate the working group decisions made during and since IETF 86.
The primary new features in these working group drafts are:
More details on the changes made can be found in the Document History entries.
The specifications are available at:
HTML formatted versions are also available at:
No Comments » Posted under Claims & Cryptography & JSON & OAuth & Specifications
Tim Bray has written a post giving his take on what ID Tokens are and why they’re valuable, both for OpenID Connect and beyond. Full of geeky identity goodness…
No Comments » Posted under Claims & Documentation & OAuth & OpenID & People
Thanks to Justin Richer for publishing an updated version of the OAuth Dynamic Client Registration specification. This draft adds the internationalization support introduced in the recent OpenID Connect Dynamic Client Registration draft. Justin did the bulk of the editing and I did some editorial work at the end of the process.
The new specification is:
An HTML formatted version is also available at:
No Comments » Posted under OAuth & Specifications
Thanks to Brian Campbell for publishing updated versions of all three OAuth Assertions specifications. These drafts address comments and “discuss” issues from the IESG review of the Assertion Framework specification as well as issues that arose in subsequent discussions and decisions made during IETF 86 in Orlando. Brian did the bulk of the heavy lifting and I added some editorial work at the end of the process.
The documents now have new titles to make the scope of these specifications more explicit. The new titles and links to the documents are:
Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
See http://www.ietf.org/mail-archive/web/oauth/current/msg11213.html or the document History entries for more details on the changes made.
HTML formatted versions are also available at:
No Comments » Posted under Claims & OAuth & Specifications
A third set of Release Candidates for the pending OpenID Connect Implementer’s Drafts have been released. Like the first set, the second set of Release Candidates, which were published earlier this month, also received thorough review, resulting in a smaller set of additional refinements. The changes primarily made some the claim definitions more precise and provided more guidance on support for multiple languages and scripts.
Were it not for a set of pending changes about to be made to the JSON Object Signing and Encryption (JOSE) specifications, this set of specifications would likely actually be the Implementer’s Drafts. However, the OpenID Connect working group made the decision to have those (non-breaking) JOSE changes be applied before we declare that the Implementer’s Drafts are done. Expect announcements about both the JOSE updates and the OpenID Connect Implementer’s Drafts soon.
The new specifications are:
See the History entries in the specs for more details on the changes made.
Thanks again to all who reviewed and implemented the recent drafts!
1 Comment » Posted under Claims & Federation & JSON & OAuth & OpenID & Specifications
Last week at the Japan Identity and Cloud Symposium I gave a presentation on this topic: A new set of simple, open identity protocols is emerging that utilize JSON data representations and REST-based communication patterns, including OAuth, JSON Web Token (JWT), JSON Object Signing and Encryption (JOSE), and WebFinger. I’ve posted PowerPoint and PDF versions of the presentation.
Thanks again to the organizers of JICS 2013 for a great event!
No Comments » Posted under Claims & Cryptography & Events & Federation & JSON & OAuth & OpenID & Specifications
I’m pleased to announce that a second set of Release Candidates for the upcoming OpenID Connect Implementer’s Drafts have been released. The first set of Release Candidates received thorough review, resulting in quite a bit of detailed feedback. The current specs incorporate the feedback received, making them simpler, more consistent, and easier to understand.
Please review these this week – especially if you had submitted feedback. The working group plans to decide whether we’re ready to declare Implementer’s Drafts during the OpenID Meeting before IETF 86 on Sunday.
The new specifications are:
See the History entries in the specs for details on the changes made.
Thanks again to all who did so much to get us to this point, including the spec writers, working group members, and especially the implementers!
No Comments » Posted under Claims & Federation & JSON & OAuth & OpenID & Specifications
I’m pleased to announce that release candidate versions of the soon-to-come OpenID Connect Implementer’s Drafts have been released. All the anticipated breaking changes to the protocol are now in place, including switching Discovery over from using Simple Web Discovery to WebFinger and aligning Registration with the OAuth Dynamic Client Registration draft. While several names changed for consistency reasons, the changes to Discovery and Registration were the only architectural changes.
Please thoroughly review these drafts this week and report any issues that you believe need to be addressed before we release the Implementer’s Draft versions.
Normative changes since the December 27th, 2012 release were:
acct: scheme when passed to WebFinger.c_hash” and “at_hash” be computed using SHA-2 algorithms (for crypto agility reasons).display_values_supported”, “claim_types_supported”, “claims_supported”, and “service_documentation” discovery elements.javascript_origin_uris”, which is no longer present in Session Management.session_state” parameter to the authorization response for Session Management.post_logout_redirect_url” registration parameter for Session Management.Also, renamed these identifiers for naming consistency reasons:
user_jwk -> sub_jwk (used in self-issued ID Tokens)token_endpoint_auth_type -> token_endpoint_auth_methodtoken_endpoint_auth_types_supported -> token_endpoint_auth_methods_supportedcheck_session_iframe_url -> check_session_iframeend_session_endpoint_url -> end_session_endpointtype -> operation (in Registration)associate -> register (in Registration)application_name -> client_namecheck_session_endpoint -> check_session_iframeSee the History entries in the specifications for more details.
The new specification versions are at:
Thanks to all who did so much to get us to this point, including the spec writers, working group members, and implementers!
1 Comment » Posted under Claims & Federation & JSON & OAuth & OpenID & Specifications
Draft 10 of the Assertion Framework for OAuth 2.0 has been published. It contains non-normative changes that add the “Interoperability Considerations” section, rename “Principal” to “Subject” to use the same terminology as the SAML Assertion Profile and JWT Assertion Profile specs, and apply Shawn Emery’s comments from the security directorate review.
The draft is available at:
An HTML formatted version is available at:
No Comments » Posted under Claims & OAuth & Specifications
I highly recommend a piece that my friend Vittorio Bertocci wrote on the relationship between OAuth 2.0 and sign-in/federation protocols. While OAuth 2.0 can be used to sign in users and the term “OAuth” is often bandied about in identity contexts, as he points out, there’s a lot of details to fill in to make that possible. That’s because OAuth 2.0 is a resource authorization protocol – not an authentication protocol.
Read his post for a better understanding of how OAuth 2.0 relates to sign-in protocols, including a useful discussion of how OpenID Connect fills in the gaps to enable people to sign in with OAuth 2.0 in an interoperable manner.
No Comments » Posted under Federation & OAuth & OpenID
New versions of the OpenID Connect specifications have been released resolving numerous open issues raised by the working group. The most significant change is changing the name of the “user_id” claim to “sub” (subject) so that ID Tokens conform to the OAuth JWT Bearer Profile specification, and so they can be used as OAuth assertions. (Also, see the related coordinated change to the OAuth JWT specifications.) A related enhancement was extending our use of the “aud” (audience) claim to allow ID Tokens to have multiple audiences. Also, a related addition was defining the “azp” (authorized party) claim to allow implementers to experiment with this proposed functionality. (This is a slightly more general form of the “cid” claim that Google and Nat Sakimura had proposed.)
Other updates were:
offline_access” scope value was defined to request that a refresh token be returned when using the code flow that can be used to obtain an access token granting access to the user’s UserInfo endpoint even when the user is not present.tos_url” registration parameter was added so that the terms of service can be specified separately from the usage policy.jwk_url” and “jwk_encryption_url” refer to documents containing JWK Sets – not single JWK keys.Implementers need to apply these name changes to their code:
user_id -> subprn -> subuser_id_types_supported -> subject_types_supporteduser_id_type -> subject_typeacrs_supported -> acr_values_supportedalg -> kty (in JWKs)See the Document History section of each specification for more details about the changes made.
This release is part of a coordinated release of JOSE, OAuth, and OpenID Connect specifications. You can read about the other releases here: JOSE Release Notes, OAuth Release Notes.
The new specification versions are:
3 Comments » Posted under Claims & JSON & OAuth & OpenID & Specifications
New versions of the OAuth JWT, JWT Bearer Profile, and Assertions specs have been released incorporating feedback since IETF 85 in Atlanta. The primary change is changing the name of the “prn” claim to “sub” (subject) both to more closely align with SAML name usage and to use a more intuitive name for this concept. (Also, see the related coordinated change to the OpenID Connect specifications.) The definition of the “aud” (audience) claim was also extended to allow JWTs to have multiple audiences (a feature also in SAML assertions).
An explanation was added to the JWT spec about why should be signed and then encrypted.
The audience definition in the Assertions specification was relaxed so that audience values can be OAuth “client_id” values. Informative references to the SAML Bearer Profile and JWT Bearer Profile specs were also added.
This release incorporates editorial improvements suggested by Jeff Hodges, Hannes Tschofenig, and Prateek Mishra in their reviews of the JWT specification. Many of these simplified the terminology usage. See the Document History section of each specification for more details about the changes made.
This release is part of a coordinated release of JOSE, OAuth, and OpenID Connect specifications. You can read about the other releases here: JOSE Release Notes, OpenID Connect Release Notes.
The new specification versions are:
HTML formatted versions are available at:
3 Comments » Posted under Claims & JSON & OAuth & Specifications
OAuth 2.0 (a.k.a. RFC 6749) has an extension point for defining additional response_type values beyond the code and token values defined within the specification. The OAuth 2.0 Multiple Response Type Encoding Practices specification uses this extension point to define the additional response_type values id_token and none, as well as values for the combinations of code, token, and id_token. These response_type values are used by OpenID Connect, as well as other systems using OAuth 2.0.
I’m writing this now because I just updated the Multiple Response Types spec to add an IANA Considerations section to make IANA’s job easier when registering these additional response_type values. No normative changes were made.
The specification is available at:
No Comments » Posted under OAuth & OpenID & Specifications
I’ve made a small set of updates to the JSON Object Signing and Encryption (JOSE) and JSON Web Token (JWT) specs in preparation for the JOSE and OAuth working group meetings at IETF 85. These updates incorporate resolutions to issues that have been discussed by the working groups since publication of the previous drafts.
Normative changes to the working group specs were to add length fields for PartyUInfo and PartyVInfo values for key derivation calculations and to change the JWK field identifiers for RSA keys from (mod, xpo) to (n, e). Fields for representing the RSA private key values needed for Chinese Remainder Theorem (CRT) calculations were added to the JSON Private Key specification.
The updated specs are available at:
HTML formatted versions are available at:
See the history entries in the specs for detailed change descriptions.
No Comments » Posted under Claims & Cryptography & JSON & OAuth & Specifications
The OAuth 2.0 Core and Bearer specifications are now RFC 6749 and RFC 6750. This completes the journey to standardize a pair of simple identity specifications that are already in very widespread use for Web, enterprise, cloud, and mobile applications. They make things better by enabling access to resources to be granted without giving the password for the resource to the party being granted access (a pattern that used to be all too common).
I believe that the completion of these RFCs will only accelerate the momentum behind the adoption of simple REST/JSON based identity solutions. Some of the related standards that are already well under way and in use include the OAuth Assertion Framework, the OAuth SAML 2.0 Assertion Profile and OAuth JWT Assertion Profile, JSON Web Token (JWT), the JSON Object Signing and Encryption (JOSE) specs – JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), and JSON Web Algorithms (JWA), and OpenID Connect. Watch this space for future developments. Like OAuth 2.0, all of these are the product of collaboration by numerous people around the world and in many industries to build and deploy simple, usable identity solutions that solve real-world problems.
The goal of all these specs is to standardize functionality that is not only useful, but is simple enough that it will actually be used. OAuth 2.0 is an early success story in this regard. While the number of words in the spec has increased since early drafts, most of that is due to doing a more complete job of describing things not to do (adding security considerations), rather than adding bells and whistles. It doesn’t get much simpler than a couple of HTTP GETs and replies with simple request parameters and responses.
Dick Hardt deserves special thanks for his role both in starting what became OAuth 2.0 and seeing it through to completion. I recommend his post on the process that brought us the OAuth 2.0 RFCs.
3 Comments » Posted under JSON & OAuth & Specifications
Updated drafts of all three OAuth Assertion specifications have been published. These specs define how to use assertions/security tokens as OAuth 2.0 authorization grants and for client authentication. They are: Assertion Framework for OAuth 2.0, SAML 2.0 Bearer Assertion Profiles for OAuth 2.0, and JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0.
Language was added to all three explicitly clarifying that an assertion grant type can be used with or without client authentication via an assertion and that client authentication using an assertion is nothing more than an alternative way for a client to authenticate to the token endpoint. Two new examples were added to the SAML and JWT profile drafts to illustrate the use of assertions/security tokens in both cases. Thanks to Brian Campbell for making these updates.
The authors believe that draft-ietf-oauth-assertions and draft-ietf-oauth-saml2-bearer are now ready for Working Group Last Call.
The drafts are available at:
HTML-formatted versions are available at:
No Comments » Posted under Claims & JSON & OAuth & Specifications
Draft 05 of the Assertion Framework for OAuth 2.0 has been published. It contains non-normative editorial changes to improve readability.
The draft is available at:
An HTML-formatted version is available at:
No Comments » Posted under Claims & OAuth & Specifications
Hopefully final versions of the OAuth Core and Bearer specs have been published. These versions correct an editorial issue with the security clarification made in Core -30 and remove David Recordon from the author lists, at his request.
The specifications are available at:
Changes in http://tools.ietf.org/html/draft-ietf-oauth-v2-31 are:
Changes in http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-23 are:
HTML-formatted versions are available at:
No Comments » Posted under OAuth & Specifications
