Archive for July, 2015

July 23, 2015
JWS Signing Input Options initial working group draft

IETF logoThe initial working group version of JWS Signing Input Options has been posted. It contains no normative changes from draft-jones-jose-jws-signing-input-options-00.

Let the working group discussions begin! I particularly call your attention to Martin Thomson’s review at http://www.ietf.org/mail-archive/web/jose/current/msg05158.html, Nat Sakimura’s review at http://www.ietf.org/mail-archive/web/jose/current/msg05189.html, and Matias Woloski’s review at http://www.ietf.org/mail-archive/web/jose/current/msg05191.html to start things off.

The specification is available at:

An HTML formatted version is also available at:

July 22, 2015
Authentication Method Reference Values Specification

OAuth logoPhil Hunt and I have posted a new draft that defines some values used with the “amr” (Authentication Methods References) claim and establishes a registry for Authentication Method Reference values. These values include commonly used authentication methods like “pwd” (password) and “otp” (one time password). It also defines a parameter for requesting that specific authentication methods be used in the authentication.

The specification is available at:

An HTML formatted version is also available at:

July 21, 2015
Lots of great data about JWT and OpenID Connect adoption!

JWT logoCheck out the post Json Web Token (JWT) gets a logo, new website and more by Matias Woloski of Auth0. I particularly love the data in the “Numbers speak for themselves” section and the graph showing the number of searches for “JSON Web Token” crossing over the number of searches for “SAML Token”.

Also, be sure to check out http://jwt.io/, where you can interactively decode, verify, and generate JWTs. Very cool!

July 13, 2015
JWK Thumbprint -08 approved by IESG

IETF logoThe IESG has approved JWK Thumbprint draft -08, meaning that it will now progress to the RFC Editor. Draft -08 added IANA instructions in response to an IESG comment by Barry Leiba.

The specification is available at:

An HTML formatted version is also available at:

July 9, 2015
OAuth 2.0 Dynamic Client Registration Protocol is now RFC 7591

OAuth logoThe OAuth 2.0 Dynamic Client Registration Protocol specification is now RFC 7591 – an IETF standard. The abstract describes it as follows:

This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.

This specification extracts the subset of the dynamic client registration functionality defined by OpenID Connect Dynamic Client Registration 1.0 that is applicable to any OAuth 2.0 deployment. It is intentionally completely compatible with the OpenID Connect registration spec, yet is also now usable as a basis for dynamic client registration by other OAuth 2.0 profiles.

My personal thanks to Justin Richer, John Bradley, Maciej Machulak, Phil Hunt, and Nat Sakimura for their work on this specification and its precursors. Thanks also to members of the OpenID Connect working group and members of the OAuth working group, as well as its chairs, area directors, and other IETF members who contributed to this specification.

July 7, 2015
OAuth 2.0 Token Exchange -02 enabling use of any token type

OAuth logoDraft -02 of the OAuth 2.0 Token Exchange specification has been published, making the functionality token type independent. Formerly, only JSON Web Tokens (JWTs) could be used in some contexts. This was a change requested by working group participants during IETF 92 in Dallas.

The specification is available at:

An HTML formatted version is also available at:

July 7, 2015
JWK Thumbprint -07 draft addressing Gen-ART review comment

IETF logoJWK Thumbprint draft -07 has been published, addressing a Gen-ART review comment by Joel Halpern. Beyond updating the acknowledgements, the only change was replacing this sentence:

“Only if multiple parties will be reproducing the JWK Thumbprint calculation for some reason, will parties other than the original producer of the JWK Thumbprint need to know which hash function was used.”

with these two:

“However, in some cases, multiple parties will be reproducing the JWK Thumbprint calculation and comparing the results. In these cases, the parties will need to know which hash function was used and use the same one.”

The specification is available at:

An HTML formatted version is also available at:

July 7, 2015
Proof-of-Possession Key Semantics for JWTs spec addressing WGLC comments

OAuth logoThe editors have published draft-ietf-oauth-proof-of-possession-03, which addresses the working group last call comments received. Thanks to all of you who provided feedback. The changes were:

  • Separated the jwk and jwe confirmation members; the former represents a public key as a JWK and the latter represents a symmetric key as a JWE encrypted JWK.
  • Changed the title to indicate that a proof-of-possession key is being communicated.
  • Updated language that formerly assumed that the issuer was an OAuth 2.0 authorization server.
  • Described ways that applications can choose to identify the presenter, including use of the iss, sub, and azp claims.
  • Harmonized the registry language with that used in JWT [RFC 7519].
  • Addressed other issues identified during working group last call.
  • Referenced the JWT and JOSE RFCs.

The updated specification is available at:

An HTML formatted version is also available at: