Archive for the 'JSON' Category

July 8, 2016
“amr” Values specification distinguishing between iris and retina scan biometrics

OAuth logoThis draft distinguishes between iris and retina scan biometrics, as requested by NIST, and adds a paragraph providing readers more context at the end of the introduction, which was requested by the chairs during the call for adoption. The OpenID Connect MODRNA Authentication Profile 1.0 specification, which uses “amr” values defined by this specification, is now also referenced.

The specification is available at:

An HTML formatted version is also available at:

July 4, 2016
Token Binding for Access Tokens, Refresh Tokens, and ID Tokens

IETF logoTwo new related specifications define syntax and semantics for applying Token Binding to OAuth Access Tokens and Refresh Tokens and to OpenID Connect ID Tokens. draft-jones-oauth-token-binding contains the OAuth portions. openid-connect-token-bound-authentication-1_0 contains the OpenID Connect portions.

These are being submitted now to hopefully enable end-to-end implementations and interop testing of Token Bound Access Tokens, Refresh Tokens, and ID Tokens across multiple platforms before the Token Binding specifications are finalized.

The OAuth specification is available at:

The OpenID Connect specification is available at:

Thanks to Andrei Popov, Yordan Rouskov, John Bradley, and Brian Campbell for reviews of earlier versions of these specifications and to Dirk Balfanz and William Denniss for some earlier discussions providing input to these specifications.

April 6, 2016
Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) is now RFC 7800

IETF logoThe Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) specification is now RFC 7800 – an IETF standard. The abstract describes the specification as:

This specification describes how to declare in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular proof-of-possession key and how the recipient can cryptographically confirm proof of possession of the key by the presenter. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key.

Thanks to John Bradley, Hannes Tschofenig, and the OAuth working group for their work on this specification.

March 4, 2016
OAuth 2.0 Token Exchange draft -04

OAuth logoA new draft of “OAuth 2.0 Token Exchange” has been published addressing review comments on the prior draft. The changes from -03 are listed here:

The specification is available at:

An HTML-formatted version is also available at:

Thanks to Brian Campbell for doing most of the edits for this release.

February 25, 2016
JWS Unencoded Payload Option is now RFC 7797

IETF logoThe JWS Unencoded Payload Option specification is now RFC 7797 – an IETF standard. The abstract describes the specification as:

JSON Web Signature (JWS) represents the payload of a JWS as a base64url-encoded value and uses this value in the JWS Signature computation. While this enables arbitrary payloads to be integrity protected, some have described use cases in which the base64url encoding is unnecessary and/or an impediment to adoption, especially when the payload is large and/or detached. This specification defines a means of accommodating these use cases by defining an option to change the JWS Signing Input computation to not base64url-encode the payload. This option is intended to broaden the set of use cases for which the use of JWS is a good fit.

This specification updates RFC 7519 by stating that JSON Web Tokens (JWTs) MUST NOT use the unencoded payload option defined by this specification.

This option is used by including the header parameters "b64":false and "crit":["b64"]. JWTs never use this option.

February 17, 2016
OAuth Discovery spec pared down to its essence

OAuth logoIn response to working group input, this version of the OAuth Discovery specification has been pared down to its essence – leaving only the features that are already widely deployed. Specifically, all that remains is the definition of the authorization server discovery metadata document and the metadata values used in it. The WebFinger discovery logic has been removed. The relationship between the issuer identifier URL and the well-known URI path relative to it at which the discovery metadata document is located has also been clarified.

Given that this now describes only features that are in widespread deployment, the editors believe that this version is ready for working group last call.

The specification is available at:

An HTML-formatted version is also available at:

February 11, 2016
Authentication Method Reference Values spec incorporating adoption feedback

OAuth logoThis draft of the Authentication Method Reference Values specification incorporates OAuth working group feedback from the call for adoption. The primary change was to remove the “amr_values” request parameter, so that “amr” values can still be returned as part of an authentication result, but cannot be explicitly requested. Also, noted that OAuth 2.0 is inadequate for authentication without employing appropriate extensions and changed the IANA registration procedure to no longer require a specification.

The specification is available at:

An HTML-formatted version is also available at:

February 9, 2016
Initial OAuth working group Discovery specification

OAuth logoWe have created the initial working group version of OAuth Discovery based on draft-jones-oauth-discovery-01, with no normative changes.

The specification is available at:

An HTML-formatted version is also available at:

January 28, 2016
OAuth Discovery metadata values added for revocation, introspection, and PKCE

OAuth logoThe OAuth Discovery specification has been updated to add metadata values for revocation, introspection, and PKCE. Changes were:

  • Added “revocation_endpoint_auth_methods_supported” and “revocation_endpoint_auth_signing_alg_values_supported” for the revocation endpoint.
  • Added “introspection_endpoint_auth_methods_supported” and “introspection_endpoint_auth_signing_alg_values_supported” for the introspection endpoint.
  • Added “code_challenge_methods_supported” for PKCE.

The specification is available at:

An HTML-formatted version is also available at:

December 23, 2015
JWS Unencoded Payload Option spec addressing Stephen Farrell’s review

IETF logoJWS Unencoded Payload Option draft -09 addresses Stephen Farrell’s IESG review. In particular, the use of “crit” is now required with “b64”. This should be the version that is sent to the RFC Editor.

The specification is available at:

An HTML-formatted version is also available at:

December 18, 2015
Proof-of-Possession Key Semantics for JWTs spec addressing remaining comments

OAuth logoProof-of-Possession Key Semantics for JWTs draft -11 addresses Sec-Dir review comments by Chris Lonvick and ballot comments by Stephen Farrell. This should enable clearing the “point raised” status from yesterday’s IESG telechat and progressing the document to the RFC Editor.

The specification is available at:

An HTML-formatted version is also available at:

December 17, 2015
JWS Unencoded Payload Option spec for IESG telechat

IETF logoJWS Unencoded Payload Option draft -08 was published for consideration on the IESG telechat later today. The changes addressed Gen-Art review comments by Robert Sparks, Ops-Dir review comments by Stefan Winter, and ballot comments by Benoit Claise and Ben Campbell. Normative text was added describing the use of “crit” with “b64”.

The specification is available at:

An HTML-formatted version is also available at:

December 17, 2015
Proof-of-Possession Key Semantics for JWTs spec for IESG telechat

OAuth logoProof-of-Possession Key Semantics for JWTs draft -10 was published for consideration on the IESG telechat later today. All changes were editorial and addressed ballot comments by Barry Leiba.

The specification is available at:

An HTML-formatted version is also available at:

December 15, 2015
Authentication Method Reference Values coordination with OpenID MODRNA

OAuth logoAuthentication Method Reference Values draft -04 added the values “face” (facial recognition), “geo” (geolocation), “hwk” (proof-of-possession of a hardware-secured key), “pin” (Personal Identification Number or pattern), and “swk” (proof-of-possession of a software-secured key), and removed the value “pop” (proof-of-possession), based on input from members of the OpenID Foundation MODRNA working group.

The specification is available at:

An HTML formatted version is also available at:

December 14, 2015
OAuth 2.0 Token Exchange: An STS for the REST of Us

OAuth logoI’m happy to report that a substantially revised OAuth 2.0 Token Exchange draft has been published that enables a broad range of use cases, while still remaining as simple as possible. This draft unifies the approaches taken in the previous working group draft and draft-campbell-oauth-sts, incorporating working group input from the in-person discussions in Prague and mailing list discussions. Thanks to all for your interest in and contributions to OAuth Token Exchange! Brian Campbell deserves special recognition for doing much of the editing heavy lifting for this draft.

The core functionality remains token type independent. That said, new claims are also defined to enable representation of delegation actors in JSON Web Tokens (JWTs). Equivalent claims could be defined for other token types by other specifications.

See the Document History section for a summary of the changes made. Please check it out!

The specification is available at:

An HTML-formatted version is also available at:

December 13, 2015
JWS Unencoded Payload Option spec addressing Gen-Art and Sec-Dir comments

IETF logoDraft -07 of the JWS Unencoded Payload Option specification addresses Gen-Art review comments by Robert Sparks and Sec-Dir review comments by Benjamin Kaduk. Thanks to both of you for your useful reviews!

The specification is available at:

An HTML-formatted version is also available at:

December 4, 2015
Authentication Method Reference Values Registration Instructions

OAuth logoAuthentication Method Reference Values draft -03 adds the criterion to the IANA registration instructions that the value being registered be in actual use.

The specification is available at:

An HTML formatted version is also available at:

November 30, 2015
Proof-of-Possession Key Semantics for JWTs spec addressing additional AD comments

OAuth logoProof-of-Possession Key Semantics for JWTs draft -08 addresses additional Area Director review comments. A security consideration about utilizing audience restriction in combination with proof-of-possession was added. Thanks to John Bradley for working on the additional wording with me.

The specification is available at:

An HTML formatted version is also available at:

November 25, 2015
OAuth Discovery

OAuth logoI’m pleased to announce that Nat Sakimura, John Bradley, and I have created an OAuth 2.0 Discovery specification. This fills a hole in the current OAuth specification set that is necessary to achieve interoperability. Indeed, the Interoperability section of OAuth 2.0 states:

In addition, this specification leaves a few required components partially or fully undefined (e.g., client registration, authorization server capabilities, endpoint discovery). Without these components, clients must be manually and specifically configured against a specific authorization server and resource server in order to interoperate.

This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.

This specification enables discovery of both endpoint locations and authorization server capabilities.

This specification is based upon the already widely deployed OpenID Connect Discovery 1.0 specification and is compatible with it, by design. The OAuth Discovery spec removes the portions of OpenID Connect Discovery that are OpenID specific and adds metadata values for Revocation and Introspection endpoints. It also maps OpenID concepts, such as OpenID Provider, Relying Party, End-User, and Issuer to their OAuth underpinnings, respectively Authorization Server, Client, Resource Owner, and the newly introduced Configuration Information Location. Some identifiers with names that appear to be OpenID specific were retained for compatibility purposes; despite the reuse of these identifiers that appear to be OpenID specific, their usage in this specification is actually referring to general OAuth 2.0 features that are not specific to OpenID Connect.

The specification is available at:

An HTML-formatted version is also available at:

November 24, 2015
Proof-of-Possession Key Semantics for JWTs spec addressing Area Director comments

OAuth logoProof-of-Possession Key Semantics for JWTs draft -07 addresses review comments by our Area Director, Kathleen Moriarty, as well as comments by Hannes Tschofenig and Justin Richer. This should hopefully enable IETF last call.

The specification is available at:

An HTML formatted version is also available at:

Next »