Archive for March, 2011

March 31, 2011
OAuth 2.0 Bearer Token Specification draft -04

I’ve published draft 04 of the OAuth Bearer Token Specification. All changes were in response to working group last call feedback on draft 03. The changes in this draft were:

  • Added Bearer Token definition in Terminology section.
  • Changed parameter name “oauth_token” to “bearer_token”.
  • Added realm parameter to “WWW-Authenticate” response to comply with [RFC2617].
  • Removed “[ RWS 1#auth-param ]” from “credentials” definition since it did not comply with the ABNF in [I-D.ietf-httpbis-p7-auth].
  • Removed restriction that the “bearer_token” (formerly “oauth_token”) parameter be the last parameter in the entity-body and the HTTP request URI query.
  • Do not require WWW-Authenticate Response in a reply to a malformed request, as an HTTP 400 Bad Request response without a WWW-Authenticate header is likely the right response in some cases of malformed requests.
  • Removed OAuth Parameters registry extension.
  • Numerous editorial improvements suggested by working group members.

The draft is available at these locations:

March 30, 2011
JSON Web Token (JWT) Draft -04

Draft -04 of the JSON Web Token (JWT) specification is available. It corrects a typo found by John Bradley in -03.

The draft is available at these locations:

March 25, 2011
JSON Web Token (JWT) and JSON Web Signature (JWS) now in separate specs

As promised, I have split the contents of the JWT spec draft-jones-json-web-token-01 into two simpler specs:

These should have introduced no semantic changes from the previous spec.

I then applied the feedback that I received since JWT -01 and created revised versions of the split specs:

The only breaking change introduced was that x5t (X.509 Certificate Thumbprint) is now a SHA-1 hash of the DER-encoded certificate, rather than a SHA-256 hash, as SHA-1 is the prevailing existing practice for certificate thumbprint calculations. See the Document History sections for details on each change made.

.txt and .xml versions are also available. I plan to publish these as IETF drafts once the submission window re-opens on Monday. Feedback welcome!

P.S. Yes, work on the companion encryption spec is now under way…
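The x5t change described in this post, as an added example that is not code from the post or from the specs: it computes the thumbprint over the DER bytes of a certificate and shows that a SHA-256 digest, or a hash of the PEM text, does not match. The function names, the constructed sample bytes, and the unpadded base64url encoding of the digest are assumptions; the post only specifies the hash algorithm and its input.

```python
import base64
import hashlib
import hmac
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a tiny DER blob standing in for a certificate's DER
# encoding. It is NOT a real X.509 certificate; only the bytes matter here.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and return the DER bytes it wraps."""
    match = PEM_CERT.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def b64url(data: bytes) -> str:
    """Unpadded base64url (assumed transport encoding for the digest)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint(cert, alg: str = "sha1") -> str:
    """Hash the DER encoding; str input is treated as PEM, bytes as DER."""
    der = pem_to_der(cert) if isinstance(cert, str) else bytes(cert)
    return b64url(hashlib.new(alg, der).digest())


def x5t_matches(x5t_value: str, cert) -> bool:
    """Constant-time check of a received x5t against a trusted certificate."""
    expected = thumbprint(cert, "sha1").encode("ascii")
    return hmac.compare_digest(x5t_value.encode("ascii", "replace"), expected)


if __name__ == "__main__":
    print("x5t (SHA-1 of DER):  ", thumbprint(SAMPLE_PEM))
    print("SHA-256 of DER:      ", thumbprint(SAMPLE_PEM, "sha256"))
    # Common mistake: hashing the PEM text itself instead of the DER bytes.
    print("SHA-1 of PEM text:   ", thumbprint(SAMPLE_PEM.encode("ascii")))
    print("SHA-256 accepted as x5t?",
          x5t_matches(thumbprint(SAMPLE_PEM, "sha256"), SAMPLE_PEM))
```

A verifier that still compares against a SHA-256 thumbprint, or hashes the PEM text, rejects values produced by a conforming signer even though the certificate is the same.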

March 18, 2011
Join me at the Internet Identity Workshop

Come be part of moving Internet identity forward! The early bird discount is available through Friday, March 25th. And as always, Microsoft will be sponsoring a workshop dinner. See you at IIW!

March 16, 2011
OAuth JWT Bearer Token Profile

I’ve just published an OAuth JWT Bearer Token Profile. It defines a means of using a JSON Web Token (JWT) bearer token to request an OAuth 2.0 access token. This profile is intentionally strongly based upon the SAML 2.0 Bearer Assertion Grant Type Profile for OAuth 2.0 by Brian Campbell and Chuck Mortimore; it borrows some text from the SAML profile with their permission. Thanks Brian and Chuck, for supporting the writing of this profile and for your reviews of preliminary drafts.

The profile draft is available at these locations: (will point to new versions as they are posted) (will point to new versions as they are posted) (will point to new versions as they are posted) (Subversion repository, with html, txt, and html versions available)

I will also submit this as a formal Internet draft after the IETF tool re-opens for submissions (on March 28th).