Archive for June, 2018

June 29, 2018
Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing WGLC comments

IETF logoA new draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published that addresses the Working Group Last Call (WGLC) comments received. Changes were:

Thanks to Samuel Erdtman and Hannes Tschofenig for contributing to the editing for this version and to Jim Schaad and Roman Danyliw for their review comments.

The specification is available at:

An HTML-formatted version is also available at:

June 28, 2018
OAuth 2.0 Authorization Server Metadata is now RFC 8414

OAuth logoThe OAuth 2.0 Authorization Server Metadata specification is now RFC 8414. The abstract describes the specification as:

This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.

The specification defines a JSON metadata representation for OAuth 2.0 authorization servers that is compatible with OpenID Connect Discovery 1.0. This specification is a true instance of standardizing existing practice. OAuth 2.0 deployments have been using the OpenID Connect metadata format to describe their endpoints and capabilities for years. This RFC makes this existing practice a standard.

Having a standard OAuth metadata format makes it easier for OAuth clients to configure connections to OAuth authorization servers. See for the initial set of registered metadata values.

Thanks to all of you who helped make this standard a reality!

June 24, 2018
OpenID Connect News, Overview, Certification, and Action Items at June 2018 Identiverse Conference

OpenID logoI gave the following presentation during the June 2018 Identiverse Conference:

News included:

Action items included:

June 1, 2018
OAuth Device Flow spec addressing initial IETF last call feedback

OAuth logoThe OAuth Device Flow specification (full name “OAuth 2.0 Device Flow for Browserless and Input Constrained Devices”) has been updated to address comments received to date from the IETF last call. Thanks to William Denniss for taking the pen for this set of revisions. Changes were:

  • Added a missing definition of access_denied for use on the token endpoint.
  • Corrected text documenting which error code should be returned for expired tokens (it’s “expired_token”, not “invalid_grant”).
  • Corrected section reference to RFC 8252 (the section numbers had changed after the initial reference was made).
  • Fixed line length of one diagram (was causing xml2rfc warnings).
  • Added line breaks so the URN grant_type is presented on an unbroken line.
  • Typos fixed and other stylistic improvements.

The specification is available at:

An HTML-formatted version is also available at: