Archive for the 'Claims' Category

September 12, 2017
Initial Working Group Draft of Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

The initial working group draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been posted. It contains the same normative content as draft-jones-ace-cwt-proof-of-possession-01. The abstract of the specification is:

This specification describes how to declare in a CBOR Web Token (CWT) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800), but using CBOR and CWTs rather than JSON and JWTs.

I look forward to working with my co-authors and the working group to hopefully complete this quickly!

The specification is available at:

An HTML-formatted version is also available at:

September 7, 2017
OAuth Authorization Server Metadata spec incorporating Area Director feedback

The OAuth Authorization Server Metadata specification has been updated to incorporate feedback from Security Area Director Eric Rescorla. Thanks to EKR for his useful review. A number of defaults and restrictions are now better specified.

The specification is available at:

An HTML-formatted version is also available at:

August 16, 2017
CBOR Web Token (CWT) specification addressing all known issues

A new CBOR Web Token (CWT) draft has been published that updates the diagnostic notation for embedded objects in the examples. Thanks to Samuel Erdtman for making these updates. Thanks to Carsten Bormann for reviewing the examples!

This addresses all known issues with the specification. I believe that it is now time to request publication.

The specification is available at:

An HTML-formatted version is also available at:

July 27, 2017
Initial working group draft of JSON Web Token Best Current Practices

I’m happy to announce that the OAuth working group adopted the JSON Web Token Best Current Practices (JWT BCP) draft that Yaron Sheffer, Dick Hardt, and I had worked on, following discussions at IETF 99 in Prague and on the working group mailing list.

The specification is available at:

An HTML-formatted version is also available at:

July 4, 2017
JSON Web Token Best Current Practices draft describing Explicit Typing

The JWT BCP draft has been updated to describe the use of explicit typing of JWTs as one of the ways to prevent confusion among different kinds of JWTs. This is accomplished by including an explicit type for the JWT in the “typ” header parameter. For instance, the Security Event Token (SET) specification now uses the “application/secevent+jwt” content type to explicitly type SETs.

The specification is available at:

An HTML-formatted version is also available at:

June 30, 2017
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing review comments

The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address comments received since its initial publication. Changes were:

  • Tracked CBOR Web Token (CWT) Claims Registry updates.
  • Addressed review comments by Michael Richardson and Jim Schaad.
  • Added co-authors Ludwig Seitz, Göran Selander, Erik Wahlström, Samuel Erdtman, and Hannes Tschofenig.

Thanks for the feedback received to date!

The specification is available at:

An HTML-formatted version is also available at:

June 30, 2017
Security Event Token (SET) specification preventing token confusion

A new version of the Security Event Token (SET) specification has been published containing measures that prevent any possibility of confusion between ID Tokens and SETs. Preventing confusion between SETs, access tokens, and other kinds of JWTs is also covered. Changes were:

  • Added the Requirements for SET Profiles section.
  • Expanded the Security Considerations section to describe how to prevent confusion of SETs with ID Tokens, access tokens, and other kinds of JWTs.
  • Registered the application/secevent+jwt media type and defined how to use it for explicit typing of SETs.
  • Clarified the misleading statement that used to say that a SET conveys a single security event.
  • Added a note explicitly acknowledging that some SET profiles may choose to convey event subject information in the event payload.
  • Corrected an encoded claims set example.
  • Applied grammar corrections.

This draft is intended to provide solutions to the issues that had been discussed in IETF 98 in Chicago and subsequently on the working group mailing list. Thanks for all the great discussions that informed this draft!
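As an added example (not code from the SET or JWT BCP drafts, nor the author's), the following Python verifier applies the explicit-typing rule described in the July 4 and June 30 posts: it verifies an HS256 signature and then rejects any JWT whose “typ” header does not match the type the receiver expects, so a SET is not accepted where an ID Token is expected and vice versa. The function names, the shared key and the sample tokens are constructed for illustration only.

```python
import base64, hashlib, hmac, json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(header: dict, claims: dict, key: bytes) -> str:
    """Build an HS256 compact JWS; used here only to construct sample tokens."""
    dump = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump(header) + "." + dump(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def normalize_typ(value: str) -> str:
    """RFC 7515 lets 'typ' omit the 'application/' prefix; compare case-insensitively."""
    value = value.lower()
    return value[len("application/"):] if value.startswith("application/") else value

def validate_jwt(token: str, key: bytes, expected_typ: str) -> dict:
    """Verify the HS256 signature, then enforce explicit typing; return the claims."""
    h, p, s = token.split(".")                  # ValueError unless three segments
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":            # refuse alg=none and algorithm substitution
        raise ValueError("unexpected alg")
    sig = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, b64url_decode(s)):
        raise ValueError("signature mismatch")
    typ = header.get("typ")                     # a missing typ is treated as a mismatch
    if typ is None or normalize_typ(typ) != normalize_typ(expected_typ):
        raise ValueError(f"typ {typ!r} is not the expected {expected_typ!r}")
    return json.loads(b64url_decode(p))

def accepts(token: str, key: bytes, expected_typ: str) -> bool:
    """True if a receiver expecting expected_typ would accept the token."""
    try:
        validate_jwt(token, key, expected_typ)
        return True
    except ValueError:
        return False

KEY = b"constructed-shared-secret"   # constructed sample key, not a real secret
SET_TOKEN = make_jwt({"alg": "HS256", "typ": "secevent+jwt"},
                     {"iss": "https://issuer.example", "jti": "constructed-1",
                      "events": {"https://example.com/event-type": {}}}, KEY)
ID_TOKEN = make_jwt({"alg": "HS256", "typ": "JWT"},
                    {"iss": "https://issuer.example", "sub": "alice", "aud": "app"}, KEY)
```

A SET receiver calls `accepts(token, KEY, "application/secevent+jwt")`, so an ID Token (typ “JWT”) presented to it fails the type check even though its signature is valid.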

The specification is available at:

An HTML-formatted version is also available at:

June 29, 2017
CBOR Web Token (CWT) specification addressing editorial comments

A new CBOR Web Token (CWT) draft has been published that addresses editorial comments made by Carsten Bormann and Jim Schaad. All changes were editorial in nature.

The specification is available at:

An HTML-formatted version is also available at:

June 16, 2017
Authentication Method Reference Values is now RFC 8176

The Authentication Method Reference Values specification is now RFC 8176. The abstract describes the specification as:

The amr (Authentication Methods References) claim is defined and registered in the IANA “JSON Web Token Claims” registry, but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values.

The specification defines and registers some Authentication Method Reference values such as the following, which are already in use by some Google and Microsoft products and OpenID specifications:

  • “face” – Facial recognition
  • “fpt” – Fingerprint
  • “hwk” – Proof-of-possession of a hardware-secured key
  • “otp” – One-time password
  • “pin” – Personal Identification Number
  • “pwd” – Password
  • “swk” – Proof-of-possession of a software-secured key
  • “sms” – Confirmation using SMS
  • “user” – User presence test
  • “wia” – Windows Integrated Authentication

See https://www.iana.org/assignments/authentication-method-reference-values/ for the full list of registered values.

Thanks to Caleb Baker, Phil Hunt, Tony Nadalin, and William Denniss, all of whom substantially contributed to the specification. Thanks also to the OAuth working group members, chairs, area directors, and other IETF members who helped refine the specification.

June 5, 2017
CBOR Web Token (CWT) specification addressing WGLC feedback

A new CBOR Web Token (CWT) draft has been published that addresses the Working Group Last Call (WGLC) feedback received. Changes were:

  • Say that CWT is derived from JWT, rather than CWT is a profile of JWT.
  • Used CBOR type names in descriptions, rather than major/minor type numbers.
  • Clarified the NumericDate and StringOrURI descriptions.
  • Changed to allow CWT claim names to use values of any legal CBOR map key type.
  • Changed to use the CWT tag to identify nested CWTs instead of the CWT content type.
  • Added an example using a floating-point date value.
  • Acknowledged reviewers.

Thanks to Samuel Erdtman for doing the majority of the editing for this draft. As always, people are highly encouraged to validate the examples.

The specification is available at:

An HTML-formatted version is also available at:

June 4, 2017
Initial JSON Web Token Best Current Practices Draft

JSON Web Tokens (JWTs) and the JSON Object Signing and Encryption (JOSE) functions underlying them are now being widely used in diverse sets of applications. During IETF 98 in Chicago, we discussed reports of people implementing and using JOSE and JWTs insecurely, the causes of these problems, and ways to address them. Part of this discussion was an invited JOSE/JWT Security Update presentation that I gave to two working groups, which included links to problem reports and described mitigations. Citing the widespread use of JWTs in new IETF applications, Security Area Director Kathleen Moriarty suggested during these discussions that a Best Current Practices (BCP) document be written for JSON Web Tokens (JWTs).

I’m happy to report that Yaron Sheffer, Dick Hardt, and myself have produced an initial draft of a JWT BCP. Its abstract is:

JSON Web Tokens, also known as JWTs [RFC7519], are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity, and in other application areas. The goal of this Best Current Practices document is to provide actionable guidance leading to secure implementation and deployment of JWTs.

In Section 2, we describe threats and vulnerabilities. In Section 3, we describe best practices addressing those threats and vulnerabilities. We believe that the best practices in Sections 3.1 through 3.8 are ready to apply today. Section 3.9 (Use Mutually Exclusive Validation Rules for Different Kinds of JWTs) describes several possible best practices on that topic to serve as a starting point for a discussion on which of them we want to recommend under what circumstances.

We invite input from the OAuth Working Group and other interested parties on what best practices for JSON Web Tokens and the JOSE functions underlying them should be. We look forward to hearing your thoughts and working on this specification together.

The specification is available at:

An HTML-formatted version is also available at:

April 20, 2017
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

With the CBOR Web Token (CWT) specification nearing completion, which provides the CBOR equivalent of JWTs, I thought that it was also time to introduce the CBOR equivalent of RFC 7800, “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)”, so that applications using CWTs will have a standard representation for proof-of-possession keys. I know that PoP keys are important to ACE applications, for instance. I therefore took RFC 7800 and produced the CBOR/CWT equivalent of it.

The specification is available at:

An HTML-formatted version is also available at:

April 13, 2017
CBOR Web Token (CWT) specification correcting inconsistencies in examples

A revised CBOR Web Token (CWT) draft has been published that corrects inconsistencies in the examples. Thanks to Jim Schaad for validating the examples and pointing out the inconsistencies and to Samuel Erdtman for fixing them. As before, people are highly encouraged to validate the updated examples.

The specification is available at:

An HTML-formatted version is also available at:

March 13, 2017
AMR Values specification addressing Stephen Farrell’s comments

Security area director Stephen Farrell had asked us to make it as clear as possible to people who might be registering new “amr” values that names can identify families of closely-related authentication methods. This is now said right in the IANA Registration Template, so that people who might not have read the spec can’t miss it.

FYI, all the previous IESG DISCUSSes have now been cleared, so hopefully that means this is the last version to be published before the Authentication Method Reference Values specification becomes an RFC.

Thanks again to Stephen for his always-thorough reviews of the specification.

The specification is available at:

An HTML-formatted version is also available at:

March 10, 2017
OAuth Authorization Server Metadata spec incorporating WGLC feedback

The OAuth Authorization Server Metadata specification has been updated to incorporate the working group last call feedback received. Thanks to William Denniss and Hannes Tschofenig for their reviews. Use of the “https” scheme for the “jwks_uri” URL is now required. The precedence of signed metadata values over unsigned values was clarified. Unused references were removed.

The specification is available at:

An HTML-formatted version is also available at:

March 2, 2017
CBOR Web Token (CWT) with better examples and a CBOR tag

A new CBOR Web Token (CWT) draft is available with completely rewritten and much more useful examples, thanks to Samuel Erdtman. There are now examples of signed, MACed, encrypted, and nested CWTs that use all of the defined claims (and no claims not yet defined). A CBOR tag for CWTs is now also defined. People are highly encouraged to review the new examples and validate them.

The specification is available at:

An HTML-formatted version is also available at:

February 28, 2017
AMR Values specification addressing IESG comments

The Authentication Method Reference Values specification has been updated to address feedback from the IESG. Identifiers are now restricted to using only printable JSON-friendly ASCII characters. All the “amr” value definitions now include specification references.

Thanks to Stephen Farrell, Alexey Melnikov, Ben Campbell, and Jari Arkko for their reviews.

The specification is available at:

An HTML-formatted version is also available at:

January 24, 2017
“amr” Values specification addressing IETF last call comments

Draft -05 of the Authentication Method Reference Values specification addresses the IETF last call comments received. Changes were:

  • Specified characters allowed in “amr” values, reusing the IANA Considerations language on this topic from RFC 7638.
  • Added several individuals to the acknowledgements.

Thanks to Linda Dunbar, Catherine Meadows, and Paul Kyzivat for their reviews.

The specification is available at:

An HTML-formatted version is also available at:

January 19, 2017
OAuth Authorization Server Metadata decoupled from OAuth Protected Resource Metadata

The IETF OAuth working group decided at IETF 97 to proceed with standardizing the OAuth Authorization Server Metadata specification, which is already in widespread use, and to stop work on the OAuth Protected Resource Metadata specification, which is more speculative. Accordingly, a new version of the AS Metadata spec has been published that removes its dependencies upon the Resource Metadata spec. In particular, the “protected_resources” AS Metadata element has been removed. Its definition has been moved to the Resource Metadata spec for archival purposes. Note that the Resource Metadata specification authors intend to let it expire unless the working group decides to resume work on it at some point in the future.

The specifications are available at:

HTML-formatted versions are also available at:

January 13, 2017
Media Type registration added to CBOR Web Token (CWT)

The CBOR Web Token (CWT) specification now registers the “application/cwt” media type, which accompanies the existing CoAP Content-Format ID registration for this media type. The description of nested CWTs, which uses this content type, was clarified. This draft also corrected some nits identified by Ludwig Seitz.

The specification is available at:

An HTML-formatted version is also available at:
