November 12, 2013
JOSE -18 and JWT -13 drafts continuing to address open issues

IETF logoJSON Object Signing and Encryption (JOSE) -18 and JSON Web Token (JWT) -13 drafts have been published. The JOSE drafts contain changes to address 34 of the 43 currently open issues. The JWT draft addresses several of the working group last call (WGLC) comments. No breaking changes were made to any of the specifications. The most visible change is that all registries now include Description fields – a change that was requested in JWT WGLC.

See the Document History appendices for more details on the changes made and issues addressed.

The drafts are available at:

HTML formatted versions are also available at:

October 15, 2013
First Release Candidates for final OpenID Connect specifications

OpenID logoI’m pleased to announce that the first release candidate versions for final OpenID Connect specifications have been published. The complete set of specifications has been updated to resolve all issues that had been filed against the specs being finished.

Please review these this week, in time for the in-person working group meeting on Monday. Besides publishing the specs in the usual formats, I’ve also created a Word version of the core spec with tracked changes turned on to facilitate people marking it up with specific proposed text changes. If you’re in the working group, please download it and make any corrections or changes you’d like to propose for the final specification.

The release candidate spec versions are:

Also, two implementer’s guides are also available to serve as self-contained references for implementers of basic Web-based Relying Parties:

Thanks to Nat Sakimura for the early feedback. The structure of Core has been changed somewhat since -13 to adopt some of his suggestions.

October 13, 2013
OpenID Connect Specs Nearing Completion

OpenID logoBased on feedback from developers, the OpenID Connect working group decided to replace the OpenID Connect Messages and OpenID Connect Standard specifications with a new OpenID Connect Core specification that combines the contents from both of them before finishing OpenID Connect. The content has also been restructured to separate Authentication from other features such as Claims and to have separate Authentication sections for the different OAuth 2.0 flows. No changes to the protocol were made. The publication of this new spec is another major step towards finishing OpenID Connect.

Please review this and the other OpenID Connect specifications in the coming week. While a few local changes will still be made this week to address issues that have been identified since the approval of the Implementer’s Drafts, I fully expect that the working group will decide at the in-person working group meeting just over a week from now that it’s time to publish proposed final specifications.

Thanks to Nat Sakimura for producing a proof-of-concept document restructuring that the structure of the current OpenID Connect Core spec is based upon. And thanks to Torsten Lodderstedt for convincing us that the specs will be clearer by better separating the descriptions of logically distinct features while combining previously separate descriptions of highly interrelated functionality.

October 7, 2013
JOSE -17 and JWT -12 drafts reducing duplicated text

IETF logoJSON Object Signing and Encryption (JOSE) -17 and JSON Web Token (JWT) -12 drafts have been published with editorial changes that reduce duplicated text between the JOSE specs. Also, the “typ” and “cty” header parameters were revised to always refer to media type values. The text about which serializations are mandatory to implement was updated. Finally, thanks to Matt Miller for supplying an encryption example using PBES2.

See the Document History appendices for more details on the changes made and issues addressed.

The drafts are available at:

HTML formatted versions are also available at:

September 27, 2013
WebFinger is now RFC 7033!

IETF logoI’m pleased to announce that the WebFinger specification has now been published as an RFC – RFC 7033. WebFinger enables discovery of information about a user or resource at a host using an HTTP query to a well-known https endpoint, with the discovered information being returned in a simple JSON structure. For instance, OpenID Connect uses WebFinger to discover the location of a user’s OpenID Connect server.

Thanks particularly go to Paul Jones, who tirelessly edited the spec, ably navigating the sometimes thankless task of addressing the numerous and sometimes conflicting comments and suggestions that were made, and in the end, resolving them to everyone’s satisfaction, and in a high-quality manner. Thanks a bunch, Paul!

I’ll also take the occasion to thank Yaron Goland for inventing the Simple Web Discovery specification. I believe that the simplicity of the approved WebFinger specification is a direct result of the influence that Simple Web Discovery had upon WebFinger.

I look forward to seeing all the useful things that will be accomplished using WebFinger!

September 15, 2013
JOSE -16 drafts addressing 45 editorial and minor issues

IETF logoJSON Object Signing and Encryption (JOSE) -16 drafts have been published that address 45 editorial and minor issues. See the Document History sections for lists of the specific issues addressed. Thanks to Jim Schaad for again meeting with me in person to go over proposed text changes in my working drafts before these specifications were published.

One breaking change was made: When doing ECDH-ES key agreement, the AlgorithmID value used in the KDF computation now has a length prefix. So for instance, the representation of the “enc” value “A128GCM” is now prefixed by the number 7, represented as a 32-bit big-endian value, when used as the AlgorithmID value. (Such prefixes were already in place for the other variable-length KDF parameters.)

The drafts are available at:

HTML formatted versions are also available at:

September 3, 2013
JOSE -15 drafts addressing 37 editorial and minor issues

IETF logoJSON Object Signing and Encryption (JOSE) -15 drafts have been published that address 37 editorial and minor issues filed by Jim Schaad. See the Document History sections for lists of the specific issues addressed. Thanks to Jim for meeting with me in person to go over proposed text changes in my working drafts before these specifications were published. We also agreed on a number of additional proposed resolutions that will be addressed in the next set of drafts published.

The one substantive change worth noting is that when multiple signatures or encryption recipients are present, it is now up to the application whether to reject the entire JWS or JWE when some, but not all of the signature or encryption validations fail. (Previously, if any validation failed, the entire JWS or JWE was always rejected.)

The drafts are available at:

HTML formatted versions are also available at:

August 26, 2013
WebFinger Specification Ready for RFC Editor

IETF logoThe WebFinger specification enables discovery of information about a user or resource at a host using an HTTP query to a well-known https endpoint, with the discovered information being returned in a simple JSON structure. For instance, OpenID Connect uses WebFinger to discover the location of a user’s OpenID Connect server.

I’m pleased to report that WebFinger has now completed working group last call, IETF last call, and IESG review. The next step is for the draft to be sent to the RFC Editor for publication as an RFC. The current draft is available at:

Those of you who have been following WebFinger probably realize that I have been an active contributor in moving WebFinger forward as a standard and keeping it simple. WebFinger, as it exists today, was directly influenced by the Simple Web Discovery spec that Yaron Goland and I wrote earlier. I have reviewed every IETF draft and provided comments as well as specific text to the authors. I am grateful to authors Paul Jones and Gonzalo Salgueiro for deciding to add me as a co-author, in recognition of my participation as a de-facto co-author behind the scenes.

July 31, 2013
Second OpenID Connect Implementer’s Drafts Approved

OpenID logoThe OpenID Foundation members have voted to approve a second set of OpenID Connect Implementer’s Drafts. The working group intends for the final specifications to be compatible with these Implementer’s Drafts.

Implementer’s Drafts are stable versions of specifications intended for trial implementations and deployments that provide specific IPR protections to those using them. Implementers and deployers are encouraged to continue providing feedback to the working group on these specifications based upon their experiences using them.

July 30, 2013
OpenID Connect Server in a Nutshell

OpenID logoNat Sakimura has written a valuable post describing how to write an OpenID Connect server in three simple steps. It shows by example how simple it is for OAuth servers to add OpenID Connect functionality. This post is a companion to his previous post OpenID Connect in a Nutshell, which described how simple it is to build OpenID Connect clients. If you’re involved in OpenID Connect in any way, or are considering becoming involved, these posts are well worth reading.

July 29, 2013
JOSE -14 and JWT -11 drafts with additional algorithms and examples published

IETF logoJSON Object Signing and Encryption (JOSE) -14 drafts have been published that incorporate minor updates requested by the working group since the last working group call. The primary change was adding algorithm identifiers for AES algorithms using 192 bit keys; supporting these algorithms is optional. The only breaking changes were to the password-based encryption algorithm parameter representation. This version adds an example ECDH-ES Key Agreement computation.

The JSON Web Token (JWT) -11 draft adds a Nested JWT example – in which the claims are first signed, and then encrypted.

The drafts are available at:

HTML formatted versions are also available at:

July 28, 2013
OpenID Connect Presentation at IETF 87

OpenID logoI’ve posted the OpenID Connect presentation that I gave at the OpenID Workshop at IETF 87. Besides giving an overview of the specification status, unsurprisingly given the setting at IETF 87, it also talks about the relationship between OpenID Connect and the IETF specifications that it depends upon. It’s available as PowerPoint and PDF.

July 15, 2013
JOSE -13 drafts

IETF logoThe JSON Object Signing and Encryption (JOSE) -13 drafts are now available, which incorporate issue resolutions agreed to on today’s JOSE working group call. The only breaking change was to the JWS JSON Serialization, by making all header parameters be per-signature (which is actually a simplification and makes it more parallel to the JWS Compact Serialization). Algorithms were added to JWA for key encryption with AES GCM and for password-based encryption. An optional “aad” (Additional Authenticated Data) member was added to the JWE JSON Serialization.

Thanks to Matt Miller for the password-based encryption write-up, which is based on draft-miller-jose-jwe-protected-jwk-02.

The drafts are available at:

HTML formatted versions are also available at:

July 15, 2013
OAuth assertions drafts improving interop characteristics

IETF logoUpdated OAuth assertions drafts have been posted that improve their interoperability characteristics in a manner suggested during IESG review: they now state that issuer and audience values should be compared using the Simple String Comparison method defined in Section 6.2.1 of RFC 3986 unless otherwise specified by the application.

The drafts are available at:

HTML formatted versions are available at:

July 14, 2013
JWT draft -10

IETF logoJSON Web Token (JWT) draft -10 allows Claims to be replicated as Header Parameters in encrypted JWTs as needed by applications that require an unencrypted representation of specific Claims. This draft is available at http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-10, with an HTML formatted version also available at http://self-issued.info/docs/draft-ietf-oauth-json-web-token-10.html.

July 14, 2013
AES GCM Key Wrapping draft -01

IETF logoI’ve updated the AES GCM Key Wrapping draft to represent the Initialization Vector and Authentication Tag values used as header parameter values so as to be more parallel with their treatment when using AES GCM for content encryption, per working group request. This draft is now available as http://tools.ietf.org/html/draft-jones-jose-aes-gcm-key-wrap-01. It is also available in HTML format at http://self-issued.info/docs/draft-jones-jose-aes-gcm-key-wrap-01.html.

July 14, 2013
JOSE -12 and JWT -09 drafts released

IETF logoThe -12 JSON Object Signing and Encryption (JOSE) drafts have been released incorporating issue resolutions agreed to on the July 1, 2013 working group call and on the mailing list. Most of the changes were editorial improvements suggested by Jim Schaad and Richard Barnes. Changes included clarifying that the “typ” and “cty” header parameters are for use by applications and don’t affect JOSE processing, replacing the MIME types application/jws, application/jwe, application/jws+json, and application/jwe+json with application/jose and application/jose+json, and relaxing language on JSON parsing when duplicate member names are encountered to allow use of ECMAScript JSON parsers. See the history entries for the full set of changes.

Corresponding changes to the JSON Web Token (JWT) spec were also published in draft -09.

The drafts are available at:

HTML formatted versions are also available at:

July 8, 2013
OpenID Connect Update Presentation at CIS 2013

OpenID logoI’ve posted the OpenID Connect Update presentation that I gave today during the OpenID Workshop at the Cloud Identity Summit 2013. I’ve trimmed down the presentation to be lighter on the “how” and focus more on the “what” and “why”, relative to the one I gave at EIC in May. It’s available in PowerPoint and PDF formats.

June 13, 2013
Production Release of Microsoft JWT Support

Microsoft has released production support for the JSON Web Token (JWT). Read about it in Alex Simons’ release announcement and Vittorio Bertocci’s blog post on the JWT support.

June 7, 2013
Proposed Second OpenID Connect Implementer’s Drafts Published

OpenID logoToday marks another significant milestone towards completing the OpenID Connect standard. The OpenID Foundation has announced that the 45 day review period for the second set of proposed Implementer’s Drafts has begun. The working group believes that these are stable and complete drafts. They are being proposed as Implementer’s Drafts, rather than Final Specifications at this time, because of the dependencies on some IETF specifications that are still undergoing standardization – primarily the JSON Web Token (JWT) specification and the JSON Object Signing and Encryption (JOSE) specifications underlying it.

An Implementer’s Draft is a stable version of a specification intended for implementation and deployment that provides intellectual property protections to implementers of the specification. These updated drafts are the product of incorporating months of feedback from implementers and reviewers on earlier specification drafts, starting with the previous Implementer’s Drafts, including feedback resulting from several rounds of interop testing. Thanks to all of you who have been working towards the completion of OpenID Connect!

These specifications are available at:

« Prev - Next »