Archive for the 'Claims' Category

August 20, 2014
Microsoft JWT and OpenID Connect RP libraries updated

This morning Microsoft released updated versions of its JSON Web Token (JWT) library and its OpenID Connect RP library as part of today’s Katana project release. See the Microsoft.Owin.Security.Jwt and Microsoft.Owin.Security.OpenIdConnect packages in the Katana project’s package list. These are .NET 4.5 code under an Apache 2.0 license.

For more background on Katana, you can see this post on Katana design principles and this post on using claims in Web applications. For more on the JWT code, see this post on the previous JWT handler release.

Thanks to Brian Campbell of Ping Identity for performing OpenID Connect interop testing with us prior to the release.

August 14, 2014
The Increasing Importance of Proof-of-Possession to the Web

W3C  logoMy submission to the W3C Workshop on Authentication, Hardware Tokens and Beyond was accepted for presentation. I’ll be discussing The Increasing Importance of Proof-of-Possession to the Web. The abstract of my position paper is:

A number of different initiatives and organizations are now defining new ways to use proof-of-possession in several kinds of Web protocols. These range from cookies that can’t be stolen and reused, identity assertions only usable by a particular party, password-less login, to proof of eligibility to participate. While each of these developments is important in isolation, the pattern of all of them concurrently emerging now demonstrates the increasing importance of proof-of-possession to the Web.

It should be a quick and hopefully worthwhile read. I’m looking forward to discussing it with many of you at the workshop!

August 5, 2014
OAuth Dynamic Client Registration specs addressing remaining WGLC comments

OAuth logoAn updated OAuth Dynamic Client Registration spec has been published that finished applying clarifications requested during working group last call (WGLC). The proposed changes were discussed during the OAuth working group meeting at IETF 90 in Toronto. See the History section for details on the changes made.

The OAuth Dynamic Client Registration Management was also updated to change it from being Standards Track to Experimental.

The updated specifications are available at:

HTML formatted versions are also available at:

July 23, 2014
OAuth Assertions specs describing Privacy Considerations

OAuth logoBrian Campbell updated the OAuth Assertions specifications to add Privacy Considerations sections, responding to area director feedback. Thanks, Brian!

The specifications are available at:

HTML formatted versions are also available at:

July 4, 2014
JWT Proof-of-Possession draft updated for IETF 90

OAuth logoIn preparation for IETF 90 in Toronto, I’ve updated the JWT Proof-of-Possession specification. The changes are mostly editorial in nature, plus a few changes that hadn’t received adequate review prior to inclusion in the -01 draft were reverted.

This specification is available at:

An HTML formatted version is also available at:

July 4, 2014
Act-As and On-Behalf-Of for OAuth 2.0

OAuth logoIn preparation for IETF 90 in Toronto, I’ve updated the OAuth Token Exchange draft to allow JWTs to be unsigned in cases where the trust model permits it. This draft also incorporates some of the review feedback received on the -00 draft. (Because I believe it deserves more working group discussion to determine the right resolutions, John Bradley’s terminology feedback was not yet addressed. This would be a good topic to discuss in Toronto.)

This specification is available at:

An HTML formatted version is also available at:

July 4, 2014
JOSE -31 and JWT -25 drafts addressing additional AD comments

IETF logoIn preparation for IETF 90 in Toronto, I’ve published yet another round of small deltas to the JOSE and JWT specifications motivated by additional comments from our area director, Kathleen Moriarty. These drafts add some references to Security Considerations sections, adds a Privacy Considerations section to JWT, and clarifies wording in a few places. Once again, no normative changes were made.

The specifications are available at:

HTML formatted versions are available at:

July 3, 2014
OAuth Dynamic Client Registration specs clarifying usage of registration parameters

OAuth logoAn updated OAuth Dynamic Client Registration spec has been published that clarifies the usage of the Initial Access Token and Software Statement constructs and addresses other review feedback received since the last version. See the History section for more details on the changes made.

The OAuth Dynamic Client Registration Management has also been updated in the manner discussed at IETF 89 in London to be clear that not every server implementing Dynamic Client Registration will also implement this set of related management functions.

The updated specifications are available at:

HTML formatted versions are also available at:

July 1, 2014
JOSE -30 and JWT -24 drafts incorporating AD feedback on fifth spec of five

IETF logoJOSE -30 and JWT -24 drafts have been posted incorporating improvements resulting from Kathleen Moriarty’s JWE review. At this point, actions requested in her reviews of the JWS, JWE, JWK, JWA, and JWT specifications have all been incorporated. All changes in this release were strictly editorial in nature.

The specifications are available at:

HTML formatted versions are available at:

June 20, 2014
JOSE -29 and JWT -23 drafts coalescing duplicative terminology definitions

IETF logoSurprise! For the first time ever, I’ve released two sets of JOSE and JWT drafts in one day! I wanted to separate the changes addressing recent AD comments from this set of changes that reduces duplication in the drafts.

These drafts replaced the terms JWS Header, JWE Header, and JWT Header with a single JOSE Header term defined in the JWS specification. This also enabled a single Header Parameter definition to be used and reduced other areas of duplication between the specifications. No normative changes were made.

The specifications are available at:

HTML formatted versions are available at:

June 20, 2014
JOSE -28 and JWT -22 drafts incorporating additional AD feedback

IETF logoUpdated JOSE and JWT drafts have been released that incorporate additional wording improvements in places suggested by Kathleen Moriarty. Most of the changes were rewording and reorganization of the Security Considerations sections. An explanation of when applications typically would and would not use the typ and cty header parameters was added. The one normative change was to specify the use of PKCS #7 padding with AES CBC, rather than PKCS #5 – a correction pointed out by Shaun Cooley. (PKCS #7 is a superset of PKCS #5, and is appropriate for the 16 octet blocks used by AES CBC.) No breaking changes were made.

The specifications are available at:

HTML formatted versions are available at:

June 10, 2014
JOSE -27 and JWT -21 drafts incorporating area director feedback

IETF logoThe -27 drafts of the JOSE specs (JWS, JWE, JWK, & JWA) and the -21 draft of the JWT spec have been posted that incorporate feedback received from our security area director, Kathleen Moriarty. The one normative change was to add certificate thumbprint parameters using SHA-256 as the hash function. There were no breaking changes. A number of additional security considerations were added across the drafts. An example JWK was added early in the JWK draft (paralleling the early examples in the JWS, JWE, and JWT drafts). Several algorithm cross-reference entries were updated in the JWA draft. A number of other editorial improvements were also applied.

The specifications are available at:

HTML formatted versions are available at:

Thanks for the detailed feedback, Kathleen.

May 22, 2014
Merged OAuth Dynamic Client Registration Spec

OAuth logoA new version of the OAuth Dynamic Client Registration specification has been published that folds the client metadata definitions back into the core registration specification, as requested by the working group. The updated spec is clear that the use of each of the defined client metadata fields is optional. The related registration management specification remains separate.

The updated specifications are available at:

HTML formatted versions are also available at:

May 14, 2014
JWT and JOSE have won a Special European Identity Award

IETF logoToday the JSON Web Token (JWT) and JSON Object Signing and Encryption (JOSE) specifications were granted a Special European Identity Award for Best Innovation for Security in the API Economy. I was honored to accept the award, along with Nat Sakimura and John Bradley, on behalf of the contributors to and implementers of these specifications at the European Identity and Cloud Conference.

It’s great to see this recognition for the impact that these specs are having by making it easy to use simple JSON-based security tokens and other Web-friendly cryptographically protected data structures. Special thanks are due to all of you have built and deployed implementations and provided feedback on the specs throughout their development; they significantly benefitted from your active involvement!

These specifications are:

The authors are:

Dirk Balfanz, Yaron Goland, John Panzer, and Eric Rescorla also deserve thanks for their significant contributions to creating these specifications.

May 8, 2014
Publication requested for JSON Web Token (JWT), OAuth Assertions, and JOSE specifications

IETF logoToday, the OAuth Working Group requested publication of four specifications as proposed standards:

This follows on the JOSE Working Group likewise requesting publication of the JSON Object Signing and Encryption specifications last month:

This means that the working groups have sent the specifications to the IESG for review, which is the next step towards them becoming IETF Standards – RFCs.

April 30, 2014
JOSE -26 and JWT -20 drafts addressing editorial issues

IETF logoThe JOSE -26 and JWT -20 drafts address a few editorial issues recently identified by reviewers, hopefully further clarifying these aspects of the specifications. No normative changes were made.

See the Document History entries for details on the specific changes made.

The specifications are available at:

HTML formatted versions are also available at:

April 1, 2014
Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)

OAuth logoI’ve written a concise Internet-Draft on proof-of-possession for JWTs with John Bradley and Hannes Tschofenig. Quoting from the abstract:

This specification defines how to express a declaration in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter. This property is also sometimes described as the presenter being a holder-of-key.

This specification intentionally does not specify the means of communicating the proof-of-possession JWT, nor the messages used to exercise the proof key, as these are necessarily application-specific. Rather, this specification defines a proof-of-possession JWT data structure to be used by other specifications that do define those things.

The specification is available at:

An HTML formatted version is available at:

March 20, 2014
Growing list of OpenID Connect libraries available

OpenID logoAs described in today’s openid.net post, a growing list of OpenID Connect and JWT/JOSE libraries are available. Check them out at http://openid.net/developers/libraries/.

March 19, 2014
OAuth Assertions drafts updating spec references

OAuth logoI’ve released updated versions of the OAuth Assertions, OAuth SAML Assertion Profile, and OAuth JWT Assertion Profile specs that use current citations for the other specs they reference, including the JSON, JWT, OAuth Dynamic Registration, and OpenID Connect specs. I also improved the formatting of hanging lists. There were no content changes.

The specifications are available at:

HTML formatted versions are also available at:

March 18, 2014
JOSE -24 and JWT -19 drafts fixing errors found in examples

IETF logoJOSE -24 drafts have been released that fix two errors found in example values. The JWT -19 draft clarifies that support for Nested JWTs is optional. The JSON reference was also updated to RFC 7159 in all drafts.

The specifications are available at:

HTML formatted versions are also available at:

Thanks to Edmund Jay and Hideki Nara for finding the bugs in the examples.

Next »