Mike Jones: self-issued

OAuth 2.0 has won the 2013 European Identity Award

Mike Jones — Wed, 15 May 2013 17:23:44 +0000

I’m pleased to report that OAuth 2.0 has won the 2013 European Identity Award for Best Innovation/New Standard. I was honored to accept the award from Kuppinger Cole at the 2013 European Identity and Cloud Conference on behalf of all who contributed to creating the OAuth 2.0 standards [RFC 6749, RFC 6750] and who are building solutions with them.

OpenID Connect Update Presentation

Mike Jones — Tue, 14 May 2013 16:05:36 +0000

I’ve posted the OpenID Connect Update presentation that I gave today during the OpenID Workshop at the European Identity and Cloud Conference. It’s available in PowerPoint and PDF formats.

Fourth Release Candidates for OpenID Connect Implementer’s Drafts

Mike Jones — Sat, 04 May 2013 07:49:42 +0000

A fourth set of release candidates for the upcoming OpenID Connect Implementer’s Drafts has been released. Changes since the third release candidates mostly consist of editorial improvements. There were only two changes that will result in changes to implementations. The first was replacing the “updated_time” claim, which used a textual date format, with the “updated_at” claim, which uses the same numeric representation as the other OpenID Connect date/time claims. The second was replacing the “PKIX” JWK key type with the “x5c” JWK key member (a change actually made this week by the JOSE working group).

These are ready for discussion at Monday’s in-person OpenID Connect working group meeting. All issues filed have been addressed.

The updated specifications are:

These specifications did not change:

Thanks to all who continued reviewing and implementing the specifications, resulting in the improvements contained in this release. I’ll look forward to seeing many of you on Monday!

Draft -10 of the JOSE Specifications

Mike Jones — Fri, 26 Apr 2013 08:19:40 +0000

Based upon working group feedback on the -09 drafts, I’ve released an update to the JSON Object Signing and Encryption (JOSE) specifications that changes the processing rules for JWEs encrypted to multiple recipients. The new processing rules enable using AES GCM for multiple-recipient JWE objects. This update makes no changes to the single-recipient case.

The updated specification versions are:

HTML formatted versions are also available at:

JOSE and JWT specs incorporating decisions from IETF 86

Mike Jones — Wed, 24 Apr 2013 02:02:00 +0000

New versions of the JSON Object Signing and Encryption (JOSE) specifications JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), and JSON Web Algorithms (JWA) and the JSON Web Token (JWT) specification have been released that incorporate the working group decisions made during and since IETF 86.

The primary new features in these working group drafts are:

adding support for private and symmetric keys to JWK and JWA,
adding support for JSON Serializations to JWS and JWE,
replacing the custom JOSE CBC+HMAC algorithms with ones compatible with those proposed in draft-mcgrew-aead-aes-cbc-hmac-sha2,
defining that the default action for header parameters and claims that are not understood is to ignore them, while providing a way to designate that some extension header parameters must be understood.

More details on the changes made can be found in the Document History entries.

The specifications are available at:

HTML formatted versions are also available at:

Tim Bray on ID Tokens

Mike Jones — Wed, 10 Apr 2013 01:10:40 +0000

Tim Bray has written a post giving his take on what ID Tokens are and why they’re valuable, both for OpenID Connect and beyond. Full of geeky identity goodness…

Updated OAuth Dynamic Client Registration Draft Published

Mike Jones — Sat, 30 Mar 2013 01:47:12 +0000

Thanks to Justin Richer for publishing an updated version of the OAuth Dynamic Client Registration specification. This draft adds the internationalization support introduced in the recent OpenID Connect Dynamic Client Registration draft. Justin did the bulk of the editing and I did some editorial work at the end of the process.

The new specification is:

http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-09

An HTML formatted version is also available at:

http://self-issued.info/docs/draft-ietf-oauth-dyn-reg-09.html

Updated OAuth Assertions Drafts Published

Mike Jones — Sat, 30 Mar 2013 01:34:13 +0000

Thanks to Brian Campbell for publishing updated versions of all three OAuth Assertions specifications. These drafts address comments and “discuss” issues from the IESG review of the Assertion Framework specification as well as issues that arose in subsequent discussions and decisions made during IETF 86 in Orlando. Brian did the bulk of the heavy lifting and I added some editorial work at the end of the process.

The documents now have new titles to make the scope of these specifications more explicit. The new titles and links to the documents are:

Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants

http://tools.ietf.org/html/draft-ietf-oauth-assertions-11

SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants

http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-16

JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-05

See http://www.ietf.org/mail-archive/web/oauth/current/msg11213.html or the document History entries for more details on the changes made.

HTML formatted versions are also available at:

Third Release Candidates for OpenID Connect Implementer’s Drafts

Mike Jones — Wed, 27 Mar 2013 10:00:34 +0000

A third set of Release Candidates for the pending OpenID Connect Implementer’s Drafts have been released. Like the first set, the second set of Release Candidates, which were published earlier this month, also received thorough review, resulting in a smaller set of additional refinements. The changes primarily made some the claim definitions more precise and provided more guidance on support for multiple languages and scripts.

Were it not for a set of pending changes about to be made to the JSON Object Signing and Encryption (JOSE) specifications, this set of specifications would likely actually be the Implementer’s Drafts. However, the OpenID Connect working group made the decision to have those (non-breaking) JOSE changes be applied before we declare that the Implementer’s Drafts are done. Expect announcements about both the JOSE updates and the OpenID Connect Implementer’s Drafts soon.

The new specifications are:

See the History entries in the specs for more details on the changes made.

Thanks again to all who reviewed and implemented the recent drafts!

The Emerging JSON/REST-Based Identity Protocol Suite

Mike Jones — Sat, 16 Mar 2013 02:55:05 +0000

Last week at the Japan Identity and Cloud Symposium I gave a presentation on this topic: A new set of simple, open identity protocols is emerging that utilize JSON data representations and REST-based communication patterns, including OAuth, JSON Web Token (JWT), JSON Object Signing and Encryption (JOSE), and WebFinger. I’ve posted PowerPoint and PDF versions of the presentation.

Thanks again to the organizers of JICS 2013 for a great event!

Second Release Candidates for OpenID Connect Implementer’s Drafts

Mike Jones — Wed, 06 Mar 2013 22:19:51 +0000

I’m pleased to announce that a second set of Release Candidates for the upcoming OpenID Connect Implementer’s Drafts have been released. The first set of Release Candidates received thorough review, resulting in quite a bit of detailed feedback. The current specs incorporate the feedback received, making them simpler, more consistent, and easier to understand.

Please review these this week – especially if you had submitted feedback. The working group plans to decide whether we’re ready to declare Implementer’s Drafts during the OpenID Meeting before IETF 86 on Sunday.

The new specifications are:

See the History entries in the specs for details on the changes made.

Thanks again to all who did so much to get us to this point, including the spec writers, working group members, and especially the implementers!

An update on our war against account hijackers

Mike Jones — Wed, 20 Feb 2013 17:12:59 +0000

I recommend reading Google’s post An update on our war against account hijackers. It describes the kinds of measures taken by professionally-run Identity Providers to defend against account takeover.

A message not stated but implied is that consumers and Web sites are far better off depending upon identities provided by organizations with the resources and dedication to successfully fight takeover attempts. Sites with their own username/password login systems without these defenses are vulnerable, and would be better off using federated identities from professionally-run Identity Providers.

Thanks for Voting in the OpenID Board Election

Mike Jones — Thu, 14 Feb 2013 16:50:50 +0000

As you may have seen, the results of the 2013 OpenID Board Election have been announced. Thanks to all of you who participated and thank you for entrusting me with a seat on the board for the next two years. My congratulations to my fellow board community members as well. I intend to make the most of this opportunity to continue making people’s online interactions more seamless, secure, and valuable.

Please Vote Now in the OpenID Board Election

Mike Jones — Fri, 25 Jan 2013 18:12:30 +0000

The election for community (individual) OpenID board members is under way at https://openid.net/foundation/members/elections/14. I encourage all of you to vote now. (Don’t wait until the morning of Wednesday, February 6th!) If you’re not already an OpenID Foundation member, you can join for USD $25 at https://openid.net/foundation/members/registration and participate in the election.

I’m running for the board this time and would appreciate your vote. My candidate statement, which is also posted on the election site, follows.

OpenID has the potential to make people’s online interactions seamless, secure, and more valuable. I am already working to make that a reality.

First, a bit about my background with OpenID… I’ve been an active contributor to OpenID since early 2007, including both specification work and serving the foundation. My contributions to the specification work have included: an author and editor of the OpenID Provider Authentication Policy Extension (PAPE) specification, editor of the OAuth 2.0 bearer token specification (now RFC 6750), an author and editor of the JSON Web Token (JWT) specification and the JSON Object Signing and Encryption (JOSE) specifications, which are used by OpenID Connect, and an active member of the OpenID Connect working group.

I’ve also made substantial contributions to the foundation and its mission, including: In 2007 I worked with the community to create a legal framework for the OpenID Foundation enabling both individuals and corporations to be full participants in developing OpenID specifications and ensuring that the specifications may be freely used by all; this led to the patent non-assertion covenants that now protect implementers of OpenID specifications. I served on the board representing Microsoft in 2008 and 2009, during which time I was chosen by my fellow board members to serve as secretary; you’ve probably read some of the meeting minutes that I’ve written. I’ve served on the board as an individual since 2011. I have helped organize numerous OpenID summits and working group meetings. I chaired the election committee that developed the foundation’s election procedures and software, enabling you to vote with your OpenID. I co-chaired the local chapters committee that developed the policies governing the relationships between local OpenID chapters around the world and the OpenID Foundation. I also serve on the marketing committee and am a member of the Account Chooser working group.

I’d like to continue serving on the OpenID board, because while OpenID has had notable successes, its work is far from done. Taking it to the next level will involve both enhanced specifications and strategic initiatives by the foundation. Through OpenID Connect, we are in the process of evolving OpenID to make it much easier to use and deploy and to enable it to be used in more kinds of applications on more kinds of devices. The Account Chooser work is making it easier to use identities that you already have across sites. I’m also pleased that the Backplane Exchange work is happening in the foundation – clear evidence of the increasing value provided by the OpenID Foundation. Yet, as a foundation, we need to continue building a broader base of supporters and deployers of OpenID, especially internationally. We need to form closer working relationships with organizations and communities doing related work. And we need continue to safeguarding OpenID’s intellectual property and trademarks so they are freely available for all to use.

I have a demonstrated track record of serving OpenID and producing results. I want to continue being part of making open identity solutions even more successful and ubiquitous. That’s why I’m running for a community board seat in 2013.

Mike Jones
mbj@microsoft.com
http://self-issued.info/

Release Candidates for OpenID Connect Implementer’s Drafts

Mike Jones — Wed, 23 Jan 2013 16:42:57 +0000

I’m pleased to announce that release candidate versions of the soon-to-come OpenID Connect Implementer’s Drafts have been released. All the anticipated breaking changes to the protocol are now in place, including switching Discovery over from using Simple Web Discovery to WebFinger and aligning Registration with the OAuth Dynamic Client Registration draft. While several names changed for consistency reasons, the changes to Discovery and Registration were the only architectural changes.

Please thoroughly review these drafts this week and report any issues that you believe need to be addressed before we release the Implementer’s Draft versions.

Normative changes since the December 27th, 2012 release were:

Use WebFinger for OpenID Provider discovery instead of Simple Web Discovery. This also means that account identifiers using e-mail address syntax are prefixed by the acct: scheme when passed to WebFinger.
Aligned Registration parameters with OAuth Dynamic Registration draft.
Added Implementation Considerations sections to all specifications, which specify which features are mandatory to implement.
Removed requirement that the “c_hash” and “at_hash” be computed using SHA-2 algorithms (for crypto agility reasons).
Refined aspects of using encrypted ID Tokens.
Finished specifying elements of key management for self-issued OPs.
Added “display_values_supported”, “claim_types_supported”, “claims_supported”, and “service_documentation” discovery elements.
Defined REQUIRED, RECOMMENDED, and OPTIONAL discovery elements.
Refined Session Management specification, including descriptions of OP and RP iframe behaviors.
Deleted “javascript_origin_uris”, which is no longer present in Session Management.
Added new “session_state” parameter to the authorization response for Session Management.
Added new “post_logout_redirect_url” registration parameter for Session Management.

Also, renamed these identifiers for naming consistency reasons:

user_jwk -> sub_jwk (used in self-issued ID Tokens)
token_endpoint_auth_type -> token_endpoint_auth_method
token_endpoint_auth_types_supported -> token_endpoint_auth_methods_supported
check_session_iframe_url -> check_session_iframe
end_session_endpoint_url -> end_session_endpoint
type -> operation (in Registration)
associate -> register (in Registration)
application_name -> client_name
check_session_endpoint -> check_session_iframe

See the History entries in the specifications for more details.

The new specification versions are at:

Thanks to all who did so much to get us to this point, including the spec writers, working group members, and implementers!

OAuth Assertion Framework draft -10

Mike Jones — Sat, 19 Jan 2013 21:55:51 +0000

Draft 10 of the Assertion Framework for OAuth 2.0 has been published. It contains non-normative changes that add the “Interoperability Considerations” section, rename “Principal” to “Subject” to use the same terminology as the SAML Assertion Profile and JWT Assertion Profile specs, and apply Shawn Emery’s comments from the security directorate review.

The draft is available at:

http://tools.ietf.org/html/draft-ietf-oauth-assertions-10

An HTML formatted version is available at:

http://self-issued.info/docs/draft-ietf-oauth-assertions-10.html

OAuth 2.0 and Sign-In

Mike Jones — Wed, 02 Jan 2013 18:06:23 +0000

I highly recommend a piece that my friend Vittorio Bertocci wrote on the relationship between OAuth 2.0 and sign-in/federation protocols. While OAuth 2.0 can be used to sign in users and the term “OAuth” is often bandied about in identity contexts, as he points out, there’s a lot of details to fill in to make that possible. That’s because OAuth 2.0 is a resource authorization protocol – not an authentication protocol.

Read his post for a better understanding of how OAuth 2.0 relates to sign-in protocols, including a useful discussion of how OpenID Connect fills in the gaps to enable people to sign in with OAuth 2.0 in an interoperable manner.

December 27, 2012 OpenID Connect Release

Mike Jones — Sat, 29 Dec 2012 00:50:36 +0000

New versions of the OpenID Connect specifications have been released resolving numerous open issues raised by the working group. The most significant change is changing the name of the “user_id” claim to “sub” (subject) so that ID Tokens conform to the OAuth JWT Bearer Profile specification, and so they can be used as OAuth assertions. (Also, see the related coordinated change to the OAuth JWT specifications.) A related enhancement was extending our use of the “aud” (audience) claim to allow ID Tokens to have multiple audiences. Also, a related addition was defining the “azp” (authorized party) claim to allow implementers to experiment with this proposed functionality. (This is a slightly more general form of the “cid” claim that Google and Nat Sakimura had proposed.)

Other updates were:

The “offline_access” scope value was defined to request that a refresh token be returned when using the code flow that can be used to obtain an access token granting access to the user’s UserInfo endpoint even when the user is not present.
A new “tos_url” registration parameter was added so that the terms of service can be specified separately from the usage policy.
Clarified that “jwk_url” and “jwk_encryption_url” refer to documents containing JWK Sets – not single JWK keys.

Implementers need to apply these name changes to their code:

user_id -> sub
prn -> sub
user_id_types_supported -> subject_types_supported
user_id_type -> subject_type
acrs_supported -> acr_values_supported
alg -> kty (in JWKs)

See the Document History section of each specification for more details about the changes made.

This release is part of a coordinated release of JOSE, OAuth, and OpenID Connect specifications. You can read about the other releases here: JOSE Release Notes, OAuth Release Notes.

The new specification versions are:

December 27, 2012 OAuth JWT & Assssertions Release

Mike Jones — Sat, 29 Dec 2012 00:50:14 +0000

New versions of the OAuth JWT, JWT Bearer Profile, and Assertions specs have been released incorporating feedback since IETF 85 in Atlanta. The primary change is changing the name of the “prn” claim to “sub” (subject) both to more closely align with SAML name usage and to use a more intuitive name for this concept. (Also, see the related coordinated change to the OpenID Connect specifications.) The definition of the “aud” (audience) claim was also extended to allow JWTs to have multiple audiences (a feature also in SAML assertions).

An explanation was added to the JWT spec about why should be signed and then encrypted.

The audience definition in the Assertions specification was relaxed so that audience values can be OAuth “client_id” values. Informative references to the SAML Bearer Profile and JWT Bearer Profile specs were also added.

This release incorporates editorial improvements suggested by Jeff Hodges, Hannes Tschofenig, and Prateek Mishra in their reviews of the JWT specification. Many of these simplified the terminology usage. See the Document History section of each specification for more details about the changes made.

This release is part of a coordinated release of JOSE, OAuth, and OpenID Connect specifications. You can read about the other releases here: JOSE Release Notes, OpenID Connect Release Notes.

The new specification versions are:

HTML formatted versions are available at:

December 27, 2012 JOSE Release

Mike Jones — Sat, 29 Dec 2012 00:49:49 +0000

New versions of the JOSE specs have been released incorporating feedback since IETF 85 in Atlanta. The highlight of this release is the new JSON Private and Symmetric Key spec, which extends JWKs to be able to represent private and symmetric keys. These sensitive keys can then be protected for transmission and storage by JWE encryption of their JWK representations.

One new feature added to JWK is the ability to optionally specify which specific algorithm the key is intended to be used with. (This is already existing practice for keys in X.509 format.) For instance, a symmetric key might be annotated to say that it is to be used with the “HS256” algorithm. Because the natural field name for this functionality is “alg”, the “alg” name is now used for this purpose (matching JWS and JWE) and the key type (formerly “alg”) is now denoted by the “kty” field.

This release incorporates editorial improvements suggested by Jeff Hodges and Hannes Tschofenig in their reviews of the JWT specification. Many of these simplified the terminology usage. See the Document History section of each specification for more details about the changes made.

This release is part of a coordinated release of JOSE, OAuth, and OpenID Connect specifications. You can read about the other releases here: OAuth Release Notes, OpenID Connect Release Notes.

The new specification versions are:

HTML formatted versions are available at: