Archive for January, 2017

January 25, 2017
Candidate proposed OpenID Connect logout Implementer’s Drafts

Per discussions on the OpenID Connect working group calls, I have released candidate proposed Implementer’s Drafts for the three logout specs. The new versions are:

These drafts address the issues discussed on the calls and in the issue tracker. The changelogs can be viewed at these URLs:

Note that the Back-Channel Logout spec is compatible with the working group SecEvent spec

This note starts a one-week review period of these specifications by the working group. If blocking issues aren’t raised within a week, we will proceed with the formal review period preceding an OpenID Foundation Implementer’s Draft adoption vote.

January 24, 2017
“amr” Values specification addressing IETF last call comments

OAuth logoDraft -05 of the Authentication Method Reference Values specification addresses the IETF last call comments received. Changes were:

  • Specified characters allowed in “amr” values, reusing the IANA Considerations language on this topic from RFC 7638.
  • Added several individuals to the acknowledgements.

Thanks to Linda Dunbar, Catherine Meadows, and Paul Kyzivat for their reviews.

The specification is available at:

An HTML-formatted version is also available at:

January 19, 2017
OAuth Authorization Server Metadata decoupled from OAuth Protected Resource Metadata

OAuth logoThe IETF OAuth working group decided at IETF 97 to proceed with standardizing the OAuth Authorization Server Metadata specification, which is already in widespread use, and to stop work on the OAuth Protected Resource Metadata specification, which is more speculative. Accordingly, a new version of the AS Metadata spec has been published that removes its dependencies upon the Resource Metadata spec. In particular, the “protected_resources” AS Metadata element has been removed. Its definition has been moved to the Resource Metadata spec for archival purposes. Note that the Resource Metadata specification authors intend to let it expire unless the working group decides to resume work on it at some point in the future.

The specifications are available at:

HTML-formatted versions are also available at:

January 13, 2017
Media Type registration added to CBOR Web Token (CWT)

IETF logoThe CBOR Web Token (CWT) specification now registers the “application/cwt” media type, which accompanies the existing CoAP Content-Format ID registration for this media type. The description of nested CWTs, which uses this content type, was clarified. This draft also corrected some nits identified by Ludwig Seitz.

The specification is available at:

An HTML-formatted version is also available at: