Archive for the 'JSON' Category

July 24, 2019
OAuth 2.0 Token Exchange specification sent to the RFC Editor

OAuth logoI’m very pleased to report that the OAuth 2.0 Token Exchange specification is now technically stable and will shortly be an RFC – an Internet standard. Specifically, it has now progressed to the RFC Editor queue, meaning that the only remaining step before finalization is editorial due diligence. Thus, implementations can now utilize the draft specification with confidence that that breaking changes will not occur as it is finalized.

The abstract of the specification is:

This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.

Thanks to the OAuth working group for completing this important specification. And thanks to Brian Campbell for taking point in making the recent updates to get us here.

The specification is available at:

An HTML-formatted version is also available at:

July 8, 2019
Refinements to COSE and JOSE Registrations for WebAuthn Algorithms

IETF logoThe “COSE and JOSE Registrations for WebAuthn Algorithms” specification has been updated to address feedback received since working group adoption. The one breaking change is changing the secp256k1 curve identifier for JOSE from “P-256K” to “secp256k1”, for reasons described by John Mattsson. The draft now also specifies that the SHA-256 hash function is to be used with “ES256K” signatures – a clarification due to Matt Palmer.

The specification is available at:

An HTML-formatted version is also available at:

March 27, 2019
Working group adoption of “COSE and JOSE Registrations for WebAuthn Algorithms”

IETF logoI’m pleased to report that the IETF COSE Working Group has adopted the specification “COSE and JOSE Registrations for WebAuthn Algorithms”. An abstract of what it does is:

This specification defines how to use several algorithms with COSE [RFC8152] that are used by implementations of the W3C Web Authentication (WebAuthn) [WebAuthn] and FIDO2 Client to Authenticator Protocol (CTAP) [CTAP] specifications. These algorithms are to be registered in the IANA “COSE Algorithms” registry [IANA.COSE.Algorithms] and also in the IANA “JSON Web Signature and Encryption Algorithms” registry [IANA.JOSE.Algorithms], when not already registered there.

The algorithms registered are RSASSA-PKCS1-v1_5 with four different hash functions and signing with the secp256k1 curve. Note that there was consensus in the working group meeting not to work on registrations for the Elliptic Curve Direct Anonymous Attestation (ECDAA) algorithms “ED256” and “ED512”, both because of issues that have been raised with them and because they are not in widespread use.

The -01 version will address the review comments received on the mailing list from Jim Schaad and John Mattsson.

The specification is available at:

An HTML-formatted version is also available at:

March 11, 2019
Additional COSE algorithms used by W3C Web Authentication (WebAuthn)

IETF logoThe new COSE working group charter includes this deliverable:

4. Define the algorithms needed for W3C Web Authentication for COSE using draft-jones-webauthn-cose-algorithms and draft-jones-webauthn-secp256k1 as a starting point (Informational).

I have written draft-jones-cose-additional-algorithms, which combines these starting points into a single draft, which registers these algorithms in the IANA COSE registries. When not already registered, this draft also registers these algorithms for use with JOSE in the IANA JOSE registries. I believe that this draft is ready for working group adoption to satisfy this deliverable.

The specification is available at:

An HTML-formatted version is also available at:

November 8, 2018
JWT BCP updates addressing Area Director review comments

OAuth logoThe JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to address the review comments from Security Area Director (AD) Eric Rescorla. Thanks to Eric for the review and to Yaron Sheffer for working on the responses with me.

Note that IETF publication has already been requested. The next step is for the shepherd review to be submitted and responded to.

The specification is available at:

An HTML-formatted version is also available at:

July 10, 2018
Security Event Token (SET) is now RFC 8417

IETF logoThe Security Event Token (SET) specification is now RFC 8417. The abstract describes the specification as:

This specification defines the Security Event Token (SET) data structure. A SET describes statements of fact from the perspective of an issuer about a subject. These statements of fact represent an event that occurred directly to or about a security subject, for example, a statement about the issuance or revocation of a token on behalf of a subject. This specification is intended to enable representing security- and identity-related events. A SET is a JSON Web Token (JWT), which can be optionally signed and/or encrypted. SETs can be distributed via protocols such as HTTP.

SETs are already in use to represent OpenID Connect Back-Channel Logout tokens and to represent Risk and Incident Sharing and Coordination (RISC) events. Thanks to my co-editors, members of the IETF ID Events mailing list, and members of the IETF Security Events working group for making this standard a reality!

June 28, 2018
OAuth 2.0 Authorization Server Metadata is now RFC 8414

OAuth logoThe OAuth 2.0 Authorization Server Metadata specification is now RFC 8414. The abstract describes the specification as:

This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.

The specification defines a JSON metadata representation for OAuth 2.0 authorization servers that is compatible with OpenID Connect Discovery 1.0. This specification is a true instance of standardizing existing practice. OAuth 2.0 deployments have been using the OpenID Connect metadata format to describe their endpoints and capabilities for years. This RFC makes this existing practice a standard.

Having a standard OAuth metadata format makes it easier for OAuth clients to configure connections to OAuth authorization servers. See https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata for the initial set of registered metadata values.

Thanks to all of you who helped make this standard a reality!

May 9, 2018
Security Event Token (SET) updates addressing IESG feedback

IETF logoWe’ve updated the Security Event Token (SET) specification to address feedback received from Internet Engineering Steering Group (IESG) members. We’ve actually published three versions in quick succession in preparation for tomorrow’s evaluation by the IESG.

Draft -11 incorporated feedback from Security Area Director Eric Rescorla and IANA Designated Expert Ned Freed. Changes were:

  • Clarified “iss” claim language about the SET issuer versus the security subject issuer.
  • Changed a “SHOULD” to a “MUST” in the “sub” claim description to be consistent with the Requirements for SET Profiles section.
  • Described the use of the “events” claim to prevent attackers from passing off other kinds of JWTs as SETs.
  • Stated that SETs are to be signed by an issuer that is trusted to do so for the use case.
  • Added quotes in the phrase ‘”token revoked” SET to be issued’ in the Timing Issues section.
  • Added section number references to the media type and media type suffix registrations.
  • Changed the encodings of the media type and media type suffix registrations to binary (since no line breaks are allowed).
  • Replaced a “TBD” in the media type registration with descriptive text.
  • Acknowledged Eric Rescorla and Ned Freed.

Draft -12 incorporated feedback from Adam Roach, Alexey Melnikov, and Alissa Cooper. Changes were:

  • Removed unused references to RFC 7009 and RFC 7517.
  • Corrected name of RFC 8055 in Section 4.3 to “Session Initiation Protocol (SIP) Via Header Field Parameter to Indicate Received Realm”.
  • Added normative references for base64url and UTF-8.
  • Section 5.1 – Changed SHOULD to MUST in “personally identifiable information MUST be encrypted using JWE [RFC7516] or …”.
  • Section 5.2 – Changed “MUST consider” to “must consider”.
  • Acknowledged Adam Roach, Alexey Melnikov, and Alissa Cooper.

Draft -13 incorporated feedback from Martin Vigoureaux. Changes were:

  • Changed a non-normative “MAY” to “may” in Section 1.1.
  • Acknowledged Martin Vigoureux and Mirja Kühlewind.

The specification is available at:

An HTML-formatted version is also available at:

May 9, 2018
JWT BCP updates addressing WGLC feedback

OAuth logoThe JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to address the Working Group Last Call (WGLC) feedback received. Thanks to Neil Madden for his numerous comments and to Carsten Bormann and Brian Campbell for their reviews.

Assuming the chairs concur, the next step should be to request publication.

The specification is available at:

An HTML-formatted version is also available at:

May 1, 2018
Security Event Token (SET) spec addressing additional SecDir review comments

IETF logoAn updated Security Event Token (SET) specification has published to address recent review comments received. Changes were:

  • Incorporated wording improvements resulting from Russ Housley’s additional SecDir comments.
  • Registered +jwt structured syntax suffix.

The specification is available at:

An HTML-formatted version is also available at:

April 24, 2018
Late-breaking changes to OAuth Token Exchange syntax

OAuth logoThe syntax of two JWT claims registered by the OAuth Token Exchange specification has been changed as a result of developer feedback. Developers pointed out that the OAuth Token Introspection specification [RFC 7662] uses a “scope” string to represent scope values, whereas Token Exchange was defining an array-valued “scp” claim to represent scope values. The former also uses a “client_id” element to represent OAuth Client ID values, whereas the latter was using a “cid” claim for the same purpose.

After consulting with the working group, the OAuth Token Exchange claim names have been changed to “scope” and “client_id”. Thanks to Torsten Lodderstedt for pointing out the inconsistencies and to Brian Campbell for seeking consensus and making the updates.

The specification is available at:

An HTML-formatted version is also available at:

April 17, 2018
Security Event Token (SET) spec addressing Area Director review comments

IETF logoThe Security Event Token (SET) specification has been updated to address Area Director review comments from Benjamin Kaduk. Thanks for the thorough and useful review, as always, Ben.

The specification is available at:

An HTML-formatted version is also available at:

April 4, 2018
Security Event Token (SET) spec addressing SecDir review comments

IETF logoA new draft of the Security Event Token (SET) specification has published that addresses comments from Russ Housley, who reviewed the spec for the IETF Security Directorate (SecDir). Changes were:

  • Incorporated wording improvements resulting from Russ Housley’s SecDir comments.
  • Acknowledged individuals who made significant contributions.

The specification is available at:

An HTML-formatted version is also available at:

March 23, 2018
JWT BCP draft adding Nested JWT guidance

OAuth logoThe JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to add guidance on how to explicitly type Nested JWTs. Thanks to Brian Campbell for suggesting the addition.

The specification is available at:

An HTML-formatted version is also available at:

March 4, 2018
OAuth Authorization Server Metadata spec addressing additional IESG feedback

OAuth logoThe OAuth Authorization Server Metadata specification has been updated to address additional IESG feedback. The only change was to clarify the meaning of “case-insensitive”, as suggested by Alexey Melnikov.

The specification is available at:

An HTML-formatted version is also available at:

February 28, 2018
Security Event Token (SET) spec addressing 2nd WGLC and shepherd comments

IETF logoA new draft of the Security Event Token (SET) specification has published that addresses review comments from the second Working Group Last Call and shepherd comments from Yaron Sheffer. Changes were:

  • Changed “when the event was issued” to “when the SET was issued” in the “iat” description, as suggested by Annabelle Backman.
  • Applied editorial improvements that improve the consistency of the specification that were suggested by Annabelle Backman, Marius Scurtescu, and Yaron Sheffer.

The specification is available at:

An HTML-formatted version is also available at:

February 27, 2018
OAuth Authorization Server Metadata spec addressing IESG feedback

OAuth logoThe OAuth Authorization Server Metadata specification has been updated to address feedback received from IESG members. Changes were:

  • Revised the transformation between the issuer identifier and the authorization server metadata location to conform to BCP 190, as suggested by Adam Roach.
  • Defined the characters allowed in registered metadata names and values, as suggested by Alexey Melnikov.
  • Changed to using the RFC 8174 boilerplate instead of the RFC 2119 boilerplate, as suggested by Ben Campbell.
  • Acknowledged additional reviewers.

The specification is available at:

An HTML-formatted version is also available at:

February 2, 2018
Security Event Token (SET) spec simplifying claims usage

IETF logoThe Security Event Token (SET) specification has been updated to simplify the definitions and usage of the “iat” (issued at) and “toe” (time of event) claims. The full set of changes made was:

  • Simplified the definitions of the “iat” and “toe” claims in ways suggested by Annabelle Backman.
  • Added privacy considerations text suggested by Annabelle Backman.
  • Updated the RISC event example, courtesy of Marius Scurtescu.
  • Reordered the claim definitions to place the required claims first.
  • Changed to using the RFC 8174 boilerplate instead of the RFC 2119 boilerplate.

Thanks to Annabelle Backman, Marius Scurtescu, Phil Hunt, and Dick Hardt for the discussions that led to these simplifications.

The specification is available at:

An HTML-formatted version is also available at:

January 20, 2018
Security Event Token (SET) spec incorporating clarifications and a RISC example

IETF logoA new version of the Security Event Token (SET) specification has been published that incorporates clarifications suggested by working group members in discussions since IETF 100. Changes were:

  • Clarified that all “events” values must represent aspects of the same state change that occurred to the subject — not an aggregation of unrelated events about the subject.
  • Removed ambiguities about the roles of multiple “events” values and the responsibilities of profiling specifications for defining how and when they are used.
  • Corrected places where the term JWT was used when what was actually being discussed was the JWT Claims Set.
  • Addressed terminology inconsistencies. In particular, standardized on using the term “issuer” to align with JWT terminology and the “iss” claim. Previously the term “transmitter” was sometimes used and “issuer” was sometimes used. Likewise, standardized on using the term “recipient” instead of “receiver” for the same reasons.
  • Added a RISC event example, courtesy of Marius Scurtescu.
  • Applied wording clarifications suggested by Annabelle Backman and Yaron Sheffer.
  • Applied numerous grammar, syntax, and formatting corrections.

No changes to the semantics of the specification were made.

The specification is available at:

An HTML-formatted version is also available at:

November 15, 2017
OAuth Authorization Server Metadata spec incorporating IETF last call feedback

OAuth logoThe OAuth Authorization Server Metadata specification has been updated to incorporate feedback received during IETF last call. Thanks to Shwetha Bhandari, Brian Carpenter, Donald Eastlake, Dick Hardt, and Mark Nottingham for their reviews. See the Document History appendix for clarifications applied. No normative changes were made.

The specification is available at:

An HTML-formatted version is also available at:

Next »