Archive for September, 2012

September 18, 2012
Updated OAuth Assertion Specifications

Updated drafts of all three OAuth Assertion specifications have been published. These specs define how to use assertions/security tokens as OAuth 2.0 authorization grants and for client authentication. They are: Assertion Framework for OAuth 2.0, SAML 2.0 Bearer Assertion Profiles for OAuth 2.0, and JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0.

Language was added to all three explicitly clarifying that an assertion grant type can be used with or without client authentication via an assertion and that client authentication using an assertion is nothing more than an alternative way for a client to authenticate to the token endpoint. Two new examples were added to the SAML and JWT profile drafts to illustrate the use of assertions/security tokens in both cases. Thanks to Brian Campbell for making these updates.
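The two uses described above (an assertion as the authorization grant, with or without a second assertion authenticating the client) seen from the token endpoint's side, as an added example that is not code from the drafts or their authors. It assumes an HS256 shared secret, a constructed token endpoint URL, and the parameter names and URNs of the JWT bearer profile; only the jwt-bearer grant type is handled, and `aud` is compared as a single string.

```python
import base64, hmac, hashlib, json, time
from urllib.parse import parse_qs

JWT_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
JWT_CLIENT_AUTH = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"  # constructed; the assertion's aud
SECRET = b"constructed-shared-secret"            # assumed HS256 key shared with issuers

def _b64(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims):
    # Mint an HS256 JWT (demo only; the profile also allows JWS signatures).
    signing_input = _b64(b'{"alg":"HS256"}') + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_assertion(jwt, now):
    # Checks the authorization server must make on any JWT bearer assertion:
    # integrity (MAC), required claims, audience = this token endpoint, not expired.
    try:
        h, p, s = jwt.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(p))
    for c in ("iss", "sub", "aud", "exp"):
        if c not in claims:
            raise ValueError(f"missing {c}")
    if claims["aud"] != TOKEN_ENDPOINT:
        raise ValueError("wrong audience")
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def handle_token_request(body, now=None):
    # body: the form-encoded POST body received at the token endpoint.
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client = None
    # Use 1: an assertion authenticating the client (alternative to client_secret);
    # per the JWT profile its subject is the client_id.
    if form.get("client_assertion_type") == JWT_CLIENT_AUTH:
        client = verify_assertion(form["client_assertion"], now)["sub"]
    # Use 2: an assertion as the grant itself, accepted with or without use 1.
    if form.get("grant_type") == JWT_GRANT:
        g = verify_assertion(form["assertion"], now)
        return {"client": client, "resource_owner": g["sub"], "issuer": g["iss"]}
    raise ValueError("unsupported grant_type")
```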

The authors believe that draft-ietf-oauth-assertions and draft-ietf-oauth-saml2-bearer are now ready for Working Group Last Call.

The drafts are available at:

HTML-formatted versions are available at:

September 18, 2012
W3C WebCrypto API First Public Working Draft

As many of you know, the W3C Web Cryptography Working Group is developing a WebIDL/JavaScript API for cryptography operations. They recently published their First Public Working Draft. One of their use cases is being able to use the WebCrypto API to implement the IETF JOSE specifications.

I encourage those of you who are interested to review the draft API specification. Comments can be sent to The latest public version of the specification can always be found at

Also see the post by Virginie Galindo, the working group chair.

September 10, 2012
OAuth Assertion Framework draft -05

Draft 05 of the Assertion Framework for OAuth 2.0 has been published. It contains non-normative editorial changes to improve readability.

The draft is available at:

An HTML-formatted version is available at: