Archive for January, 2011

January 28, 2011
OAuth 2.0 Bearer Token Specification draft -02

OAuth logoI’ve published draft 02 of the bearer token specification. This incorporates consensus feedback received to date. It contains no normative changes relative to draft 01. Your feedback is solicited. Specific changes were:

  • Changed terminology from “token reuse” to “token capture and replay”.
  • Removed sentence “Encrypting the token contents is another alternative” from the security considerations since it was redundant and potentially confusing.
  • Corrected some references to “resource server” to be “authorization server” in the security considerations.
  • Generalized security considerations language about obtaining consent of the resource owner.
  • Broadened scope of security considerations description for recommendation “Don’t pass bearer tokens in page URLs”.
  • Removed unused reference to OAuth 1.0.
  • Updated reference to framework specification and updated David Recordon’s e-mail address.
  • Removed security considerations text on authenticating clients.
  • Registered the “OAuth2″ OAuth access token type and “oauth_token” parameter.

The draft is available at these locations:

This version is explicitly not ready for working group last call, as changes may need to be made due to the open issues in the framework spec about the removal of the Client Assertion Credentials and OAuth2 HTTP Authentication Scheme.

January 4, 2011
JSON Web Token (JWT) Draft -01

Draft -01 of the JSON Web Token (JWT) specification is now available. This version incorporates the consensus decisions reached at the Internet Identity Workshop. The remaining open issues and to-do items are documented in Section 12. As a reminder, the suggested pronunciation of JWT is the same as the English word “jot”.

The draft is available at these locations:

The decisions reached at IIW are documented here:

Thanks to all who provided the input that led to this draft! Feedback is highly welcome.