Archive for September, 2015

September 13, 2015
JWS Unencoded Payload Option -02

IETF logoDraft -02 of the JWS Unencoded Payload Option specification makes these updates:

  • Required that “b64” be integrity protected.
  • Stated that if the JWS has multiple signatures and/or MACs, the “b64” Header Parameter value MUST be the same for all of them.
  • Stated that if applications use content encoding, they MUST specify whether the encoded or unencoded payload is used as the JWS Payload value.
  • Reorganized the Unencoded Payload Content Restrictions section.
  • Added an “updates” clause for RFC 7519 because this specification prohibits JWTs from using "b64":false.

Thanks for the working group feedback that resulted in these improvements.

The specification is available at:

An HTML formatted version is also available at:

September 9, 2015
OpenID Connect Back-Channel Logout Specification

OpenID logoA new back-channel OpenID Connect Logout spec has been published at This can coexist with or be used instead of the front-channel-based Session Management and HTTP-Based Logout specifications.

The abstract for the new specification states:

This specification defines a logout mechanism that uses back-channel communication between the OP and RPs being logged out; this differs from front-channel logout mechanisms, which communicate logout requests from the OP to RPs via the User Agent.

This completes publication of the three planned OpenID Connect logout mechanisms: two that communicate on the front-channel through the User Agent (browser) and this one that communicates on the back-channel, without involving the User Agent. See the Introduction for a discussion of the upsides and downsides of the different logout approaches. As much as we’d like there to be a single logout solution, both experience and extensive discussions led us to the conclusion that there isn’t a feasible one-size-fits-all approach.

Reviews of the new (and existing!) specifications are welcomed.

Thanks to John Bradley, Pedro Felix, Nat Sakimura, Brian Campbell, and Todd Lainhart for their contributions to the creation of the specification.

September 8, 2015
JSON Web Key (JWK) Thumbprint is now RFC 7638

IETF logoThe JSON Web Key (JWK) Thumbprint specification is now RFC 7638 – an IETF standard. The abstract describes the specification as follows:

This specification defines a method for computing a hash value over a JSON Web Key (JWK). It defines which fields in a JWK are used in the hash computation, the method of creating a canonical form for those fields, and how to convert the resulting Unicode string into a byte sequence to be hashed. The resulting hash value can be used for identifying or selecting the key represented by the JWK that is the subject of the thumbprint.

Thanks to James Manger, John Bradley, and Nat Sakimura, all of whom participated in security discussions that led to the creation of this specification. Thanks also to the JOSE working group members, chairs, area directors, and other IETF members who contributed to the specification.

A JWK Thumbprint is used as the “sub” (subject) claim value in OpenID Connect self-issued ID Tokens.