July 1, 2014
JOSE -30 and JWT -24 drafts incorporating AD feedback on fifth spec of five

IETF logoJOSE -30 and JWT -24 drafts have been posted incorporating improvements resulting from Kathleen Moriarty’s JWE review. At this point, actions requested in her reviews of the JWS, JWE, JWK, JWA, and JWT specifications have all been incorporated. All changes in this release were strictly editorial in nature.

The specifications are available at:

HTML formatted versions are available at:

June 20, 2014
JOSE -29 and JWT -23 drafts coalescing duplicative terminology definitions

IETF logoSurprise! For the first time ever, I’ve released two sets of JOSE and JWT drafts in one day! I wanted to separate the changes addressing recent AD comments from this set of changes that reduces duplication in the drafts.

These drafts replaced the terms JWS Header, JWE Header, and JWT Header with a single JOSE Header term defined in the JWS specification. This also enabled a single Header Parameter definition to be used and reduced other areas of duplication between the specifications. No normative changes were made.

The specifications are available at:

HTML formatted versions are available at:

June 20, 2014
JOSE -28 and JWT -22 drafts incorporating additional AD feedback

IETF logoUpdated JOSE and JWT drafts have been released that incorporate additional wording improvements in places suggested by Kathleen Moriarty. Most of the changes were rewording and reorganization of the Security Considerations sections. An explanation of when applications typically would and would not use the typ and cty header parameters was added. The one normative change was to specify the use of PKCS #7 padding with AES CBC, rather than PKCS #5 – a correction pointed out by Shaun Cooley. (PKCS #7 is a superset of PKCS #5, and is appropriate for the 16 octet blocks used by AES CBC.) No breaking changes were made.

The specifications are available at:

HTML formatted versions are available at:

June 10, 2014
JOSE -27 and JWT -21 drafts incorporating area director feedback

IETF logoThe -27 drafts of the JOSE specs (JWS, JWE, JWK, & JWA) and the -21 draft of the JWT spec have been posted that incorporate feedback received from our security area director, Kathleen Moriarty. The one normative change was to add certificate thumbprint parameters using SHA-256 as the hash function. There were no breaking changes. A number of additional security considerations were added across the drafts. An example JWK was added early in the JWK draft (paralleling the early examples in the JWS, JWE, and JWT drafts). Several algorithm cross-reference entries were updated in the JWA draft. A number of other editorial improvements were also applied.

The specifications are available at:

HTML formatted versions are available at:

Thanks for the detailed feedback, Kathleen.

May 22, 2014
Merged OAuth Dynamic Client Registration Spec

OAuth logoA new version of the OAuth Dynamic Client Registration specification has been published that folds the client metadata definitions back into the core registration specification, as requested by the working group. The updated spec is clear that the use of each of the defined client metadata fields is optional. The related registration management specification remains separate.

The updated specifications are available at:

HTML formatted versions are also available at:

May 14, 2014
JWT and JOSE have won a Special European Identity Award

IETF logoToday the JSON Web Token (JWT) and JSON Object Signing and Encryption (JOSE) specifications were granted a Special European Identity Award for Best Innovation for Security in the API Economy. I was honored to accept the award, along with Nat Sakimura and John Bradley, on behalf of the contributors to and implementers of these specifications at the European Identity and Cloud Conference.

It’s great to see this recognition for the impact that these specs are having by making it easy to use simple JSON-based security tokens and other Web-friendly cryptographically protected data structures. Special thanks are due to all of you have built and deployed implementations and provided feedback on the specs throughout their development; they significantly benefitted from your active involvement!

These specifications are:

The authors are:

Dirk Balfanz, Yaron Goland, John Panzer, and Eric Rescorla also deserve thanks for their significant contributions to creating these specifications.

May 8, 2014
Publication requested for JSON Web Token (JWT), OAuth Assertions, and JOSE specifications

IETF logoToday, the OAuth Working Group requested publication of four specifications as proposed standards:

This follows on the JOSE Working Group likewise requesting publication of the JSON Object Signing and Encryption specifications last month:

This means that the working groups have sent the specifications to the IESG for review, which is the next step towards them becoming IETF Standards – RFCs.

April 30, 2014
JOSE -26 and JWT -20 drafts addressing editorial issues

IETF logoThe JOSE -26 and JWT -20 drafts address a few editorial issues recently identified by reviewers, hopefully further clarifying these aspects of the specifications. No normative changes were made.

See the Document History entries for details on the specific changes made.

The specifications are available at:

HTML formatted versions are also available at:

April 10, 2014
JSON Web Key (JWK) Thumbprint Specification

IETF logoI created a new simple spec that defines a way to create a thumbprint of an arbitrary key, based upon its JWK representation. The abstract of the spec is:

This specification defines a means of computing a thumbprint value (a.k.a. digest) of JSON Web Key (JWK) objects analogous to the x5t (X.509 Certificate SHA-1 Thumbprint) value defined for X.509 certificate objects. This specification also registers the new JSON Web Signature (JWS) and JSON Web Encryption (JWE) Header Parameters and the new JSON Web Key (JWK) member name jkt (JWK SHA-256 Thumbprint) for holding these values.

The desire for this came up in an OpenID Connect context, but it’s of general applicability, so I decided to submit the spec to the JOSE working group. Thanks to James Manger, John Bradley, and Nat Sakimura for the discussions that led up to this spec.

The specification is available at:

An HTML formatted version is also available at:

April 1, 2014
Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)

OAuth logoI’ve written a concise Internet-Draft on proof-of-possession for JWTs with John Bradley and Hannes Tschofenig. Quoting from the abstract:

This specification defines how to express a declaration in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter. This property is also sometimes described as the presenter being a holder-of-key.

This specification intentionally does not specify the means of communicating the proof-of-possession JWT, nor the messages used to exercise the proof key, as these are necessarily application-specific. Rather, this specification defines a proof-of-possession JWT data structure to be used by other specifications that do define those things.

The specification is available at:

An HTML formatted version is available at:

March 31, 2014
JOSE -25 drafts fixing typos and updating references

IETF logoJOSE -25 drafts have been released that fix a few typos and update the WebCrypto reference to refer to the W3C Last Call draft.

The specifications are available at:

HTML formatted versions are also available at:

Thanks to Antonio Sanso for bringing the typos to our attention.

March 20, 2014
Growing list of OpenID Connect libraries available

OpenID logoAs described in today’s openid.net post, a growing list of OpenID Connect and JWT/JOSE libraries are available. Check them out at http://openid.net/developers/libraries/.

March 19, 2014
OAuth Assertions drafts updating spec references

OAuth logoI’ve released updated versions of the OAuth Assertions, OAuth SAML Assertion Profile, and OAuth JWT Assertion Profile specs that use current citations for the other specs they reference, including the JSON, JWT, OAuth Dynamic Registration, and OpenID Connect specs. I also improved the formatting of hanging lists. There were no content changes.

The specifications are available at:

HTML formatted versions are also available at:

March 18, 2014
JOSE -24 and JWT -19 drafts fixing errors found in examples

IETF logoJOSE -24 drafts have been released that fix two errors found in example values. The JWT -19 draft clarifies that support for Nested JWTs is optional. The JSON reference was also updated to RFC 7159 in all drafts.

The specifications are available at:

HTML formatted versions are also available at:

Thanks to Edmund Jay and Hideki Nara for finding the bugs in the examples.

March 3, 2014
JWT -18 addressing remaining WGLC comments

IETF logoDraft -18 of the JSON Web Token (JWT) spec has been released, which addresses the few remaining outstanding comments from Working Group Last Call (WGLC). All edits were clarifications, rather than normative changes. See the Document History appendix for a description of the changes made.

New -23 versions of the JSON Object Signing and Encryption (JOSE) specs were also released since one clarification made to JWT also applied to JWS.

The specifications are available at:

HTML formatted versions are also available at:

March 2, 2014
JOSE -22 drafts fixing requirements language nits

IETF logoUpdated JOSE and JWT drafts have been published that fix a few instances of incorrect uses of RFC 2119 requirements language, such as changing an occurrence of “MUST not” to “MUST NOT”. These drafts also reference the newly completed JSON specification – RFC 7158.

The specifications are available at:

HTML formatted versions are also available at:

February 26, 2014
OpenID Connect Specifications are Final!

OpenID logoThe OpenID Connect Core, OpenID Connect Discovery, OpenID Connect Dynamic Registration, and OAuth 2.0 Multiple Response Types specifications are now final! These are the result of almost four years of intensive work, both by specification writers including myself, and importantly, by developers who built, deployed, and interop tested these specifications throughout their development, significantly improving the quality of both the specs and their implementations as a result.

Throughout the development of OpenID Connect, we applied the design philosophy “keep simple things simple”. While being simple, OpenID Connect is also flexible enough to enable more complex things to be done, when necessary, such as encrypting claims, but this flexibility doesn’t come at the cost of keeping simple things simple. Its simplicity is intended to make it much easier for deployers to adopt than previous identity protocols. For instance, it uses straightforward JSON/REST data structures and messages, rather than XML/SOAP or ASN.1.

I want to take this opportunity to thank several key individuals without whose enthusiastic participation and expertise OpenID Connect wouldn’t have come into being. Nat Sakimura and John Bradley were there every step of the way, both motivating the features included and providing their insights into how to make the result both highly secure and very usable. Breno de Medeiros and Chuck Mortimore were also key contributors, bringing their practical insights informed by their implementation and deployment experiences throughout the process. I want to acknowledge Don Thibeau’s leadership, foresight, wisdom, and perseverance in leading the OpenID Foundation throughout this effort, bringing us to the point where today’s completed specifications are a reality. Numerous people at Microsoft deserve credit for believing in and supporting my work on OpenID Connect. And finally, I’d like to thank all the developers who built OpenID Connect code, told us what they liked and didn’t, and verified that what was specified would actually work well for them in practice.

Of course, final specifications are really just the beginning of the next journey. I look forward to seeing how people will use them to provide the Internet’s missing identity layer, making people’s online experiences, both on the Web and on their devices, easier, safer, and more satisfying!

February 14, 2014
JOSE -21 drafts incorporating WGLC feedback

IETF logoJSON Object Signing and Encryption (JOSE) drafts have been published that address the feedback received during Working Group Last Call (WGLC) on the specifications, which ran from January 22 to February 13, 2014. Two breaking (but very local) changes were made as a result of working group discussions:

  • Replaced the JWK key_ops values wrap and unwrap with wrapKey and unwrapKey to match the KeyUsage values defined in the current Web Cryptography API editor’s draft.
  • Compute the PBES2 salt parameter as (UTF8(Alg) || 0x00 || Salt Input), where the p2s Header Parameter encodes the Salt Input value and Alg is the alg Header Parameter value.

A few editorial changes were also made to improve readability. See the Document History sections for the issues addressed by these changes. One parallel editorial change was also made to the JSON Web Token (JWT) specification.

The specifications are available at:

HTML formatted versions are also available at:

Thanks to those of you who provided feedback on the specs during Working Group Last Call.

February 11, 2014
Vote to Approve Final OpenID Connect Specifications Under Way

OpenID logoThe vote to approve final OpenID Connect Core, OpenID Connect Discovery, OpenID Connect Dynamic Registration, and OAuth 2.0 Multiple Response Types specifications is now under way, as described at http://openid.net/2014/02/11/vote-for-final-openid-connect-specifications-and-implementers-drafts-is-open/. The OpenID Connect Session Management and OAuth 2.0 Form Post Response Mode specifications are also being approved as Implementer’s Drafts. Voting closes on Tuesday, February 25, 2014.

Please vote now!

February 7, 2014
Working Group Versions of Refactored OAuth Dynamic Client Registration Specs

OAuth logo
There are now OAuth working group versions of the refactored OAuth Dynamic Client Registration specifications:

  • OAuth 2.0 Dynamic Client Registration Core Protocol
  • OAuth 2.0 Dynamic Client Registration Metadata
  • OAuth 2.0 Dynamic Client Registration Management Protocol

These versions address review comments by Phil Hunt and Tony Nadalin. Phil is now also an author. The data structures and messages used are the same as the previous versions.

The drafts are available at:

HTML formatted versions are also available at:

« Prev - Next »