Mike Jones: self-issued

I had the distinct honor of being invited to give a keynote talk at EIC 2023. The result was Touchstones Along My Identity Journey. My talk abstract was:

In 2005, Kim Cameron excitedly told me about digital identity and set my life on a course to “Build the Internet’s missing identity layer”. In this talk I’ll tell key stories from my identity journey – stories of the people, ideas, and lessons learned along the way. I’ll speak of technology and collaboration, usability and business models, solving problems people actually have, and building new ecosystems. Come with me on this journey of exploration, trials, triumphs, and humor as I recount touchstones of the human endeavor that is digital identity.

Kuppinger Cole has posted a video of my keynote on YouTube. I was pleased with how well it went. After the first few sentences, I was in the zone! I hope many of you find the messages in the talk useful.

My slides are also available in (PowerPoint) and PDF.

Special thanks go to the OpenID Foundation for supporting my trip to EIC this year and to designer Alistair Kincaid at MATTR for helping me transcend my usual black-bulleted-text-on-a-white-background presentation style!

1 Comment » Posted under Claims & Cryptography & Events & Federation & FIDO & History & IETF & Information Cards & Interoperability & JSON & OAuth & OpenID & People & Phishing Resistance & Specifications & Windows CardSpace

Following the IETF-wide publication request, we’ve published another DPoP draft that addresses additional review comments received to date. This version is destined for the IESG Telechat on April 13, 2023.

Recent changes as described in the history log are:

• Add sec considerations sub-section about binding to client identity
• Explicitly say that nonces must be unpredictable
• Change to a numbered list in ‘Checking DPoP Proofs’
• Editorial adjustments
• Incorporated HTTP header field definition and RFC 8792 ‘\’ line wrapping suggestions by Mark Nottingham

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-14.html

No Comments » Posted under IETF & OAuth & Specifications

This week Brian Campbell published an updated OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) draft addressing the Area Director review comments received. Thanks to Roman Danyliw for his useful review!

As Brian wrote, updates in this version of the specifiation were:

• Updates from Roman Danyliw’s AD review
• DPoP-Nonce now included in HTTP header field registration request
• Fixed section reference to URI Scheme-Based Normalization
• Attempt to better describe the rationale for SHA-256 only and expectations for how hash algorithm agility would be achieved if needed in the future
• Elaborate on the use of multiple WWW-Authenticate challenges by protected resources
• Fix access token request examples that were missing a client_id

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-12.html

No Comments » Posted under IETF & OAuth & Specifications

Brian Campbell published an updated OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) draft addressing the shepherd review comments received. Thanks to Rifaat Shekh-Yusef for his useful review!

Following publication of this draft, Rifaat also created the shepherd write-up, obtained IPR commitments for the specification, and requested publication of the specification as an RFC. Thanks all for helping us reach this important milestone!

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-11.html

No Comments » Posted under IETF & OAuth & Specifications

The JWK Thumbprint URI specification has been published as RFC 9278. Congratulations to my co-author, Kristina Yasuda, on the publication of her first RFC!

The abstract of the RFC is:

This specification registers a kind of URI that represents a JSON Web Key (JWK) Thumbprint value. JWK Thumbprints are defined in RFC 7638. This enables JWK Thumbprints to be used, for instance, as key identifiers in contexts requiring URIs.

The need for this arose during specification work in the OpenID Connect working group. In particular, JWK Thumbprint URIs are used as key identifiers that can be syntactically distinguished from other kinds of identifiers also expressed as URIs in the Self-Issued OpenID Provider v2 specification.

No Comments » Posted under Cryptography & IETF & OAuth & OpenID & Specifications

Here’s the DPoP presentation that Pieter Kasselman and I gave at the 2022 Identiverse conference:

• Bad actors are stealing your OAuth tokens, giving them control over your information – OAuth DPoP (Demonstration of Proof of Possession) is what we’re doing about it (PowerPoint) (PDF)

A few photographs that workation photographer Brian Campbell took during the presentation follow.

Mike Presenting:

Who is that masked man???

Pieter Presenting:

No Comments » Posted under Events & IETF & OAuth & Specifications

Kristina Yasuda and I have published a new JWK Thumbprint URI draft that addresses the IETF Last Call comments received. Changes made were:

• Clarified the requirement to use registered hash algorithm identifiers.
• Acknowledged IETF Last Call reviewers.

The specification is available at:

• https://www.ietf.org/archive/id/draft-ietf-oauth-jwk-thumbprint-uri-02.html

No Comments » Posted under Claims & Cryptography & IETF & OAuth & OpenID

Brian Campbell has published an updated OAuth DPoP draft addressing the Working Group Last Call (WGLC) comments received. All changes were editorial in nature. The most substantive change was further clarifying that either iat or nonce can be used alone in validating the timeliness of the proof, somewhat deemphasizing jti tracking.

As Brian reminded us during the OAuth Security Workshop today, the name DPoP was inspired by a Deutsche POP poster he saw on the S-Bahn during the March 2019 OAuth Security Workshop in Stuttgart:

He considered it an auspicious sign seeing another Deutsche PoP sign in the Vienna U-Bahn during IETF 113 the same day WGLC was requested!

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-08.html

No Comments » Posted under Events & IETF & OAuth & Specifications

The editors have applied some minor updates to the OAuth DPoP specification in preparation for discussion at IETF 113 in Vienna. Updates made were:

• Renamed the always_uses_dpop client registration metadata parameter to dpop_bound_access_tokens.
• Clarified the relationships between server-provided nonce values, authorization servers, resource servers, and clients.
• Improved other descriptive wording.

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-06.html

No Comments » Posted under IETF & OAuth & Specifications

A new draft of the OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) specification has been published that addresses four months’ worth of great review comments from the working group. Refinements made were:

• Added Authorization Code binding via the dpop_jkt parameter.
• Described the authorization code reuse attack and how dpop_jkt mitigates it.
• Enhanced description of DPoP proof expiration checking.
• Described nonce storage requirements and how nonce mismatches and missing nonces are self-correcting.
• Specified the use of the use_dpop_nonce error for missing and mismatched nonce values.
• Specified that authorization servers use 400 (Bad Request) errors to supply nonces and resource servers use 401 (Unauthorized) errors to do so.
• Added a bit more about ath and pre-generated proofs to the security considerations.
• Mentioned confirming the DPoP binding of the access token in the list in (#checking).
• Added the always_uses_dpop client registration metadata parameter.
• Described the relationship between DPoP and Pushed Authorization Requests (PAR).
• Updated references for drafts that are now RFCs.

I believe this brings us much closer to a final version.

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-05.html

No Comments » Posted under IETF & OAuth & Specifications

Kristina Yasuda and I have published an updated JWK Thumbprint URI draft that addresses the OAuth Working Group Last Call (WGLC) comments received. Changes made were:

• Added security considerations about multiple public keys coresponding to the same private key.
• Added hash algorithm identifier after the JWK thumbprint URI prefix to make it explicit in a URI which hash algorithm is used.
• Added reference to a registry for hash algorithm identifiers.
• Added SHA-256 as a mandatory to implement hash algorithm to promote interoperability.
• Acknowledged WGLC reviewers.

The specification is available at:

• https://www.ietf.org/archive/id/draft-ietf-oauth-jwk-thumbprint-uri-01.html

No Comments » Posted under Cryptography & IETF & OAuth & OpenID & Specifications

The IETF OAuth working group has adopted the JWK Thumbprint URI specification. The abstract of the specification is:

This specification registers a kind of URI that represents a JSON Web Key (JWK) Thumbprint value. JWK Thumbprints are defined in RFC 7638. This enables JWK Thumbprints to be used, for instance, as key identifiers in contexts requiring URIs.

The need for this arose during specification work in the OpenID Connect working group. In particular, JWK Thumbprint URIs are used as key identifiers that can be syntactically distinguished from other kinds of identifiers also expressed as URIs in the Self-Issued OpenID Provider v2 specification.

Given that the specification does only one simple thing in a straightforward manner, we believe that it is ready for working group last call.

The specification is available at:

• https://www.ietf.org/archive/id/draft-ietf-oauth-jwk-thumbprint-uri-00.html

No Comments » Posted under Cryptography & IETF & OAuth & OpenID & Specifications

As requested by the chairs during today’s OAuth Virtual Office Hours call, Kristina Yasuda and I have updated the JWK Thumbprint URI specification to enhance the description of the motivations for the specification. In particular, it now describes using JWK Thumbprint URIs as key identifiers that can be syntactically distinguished from other kinds of identifiers also expressed as URIs. It is used this way in the Self-Issued OpenID Provider v2 specification, for instance. No normative changes were made.

As discussed on the call, we are requesting that that the chairs use this new draft as the basis for a call for working group adoption.

The specification is available at:

• https://www.ietf.org/archive/id/draft-jones-oauth-jwk-thumbprint-uri-01.html

No Comments » Posted under Cryptography & IETF & OAuth & OpenID & Specifications

The JSON Web Key (JWK) Thumbprint specification [RFC 7638] defines a method for computing a hash value over a JSON Web Key (JWK) [RFC 7517] and encoding that hash in a URL-safe manner. Kristina Yasuda and I have just created the JWK Thumbprint URI specification, which defines how to represent JWK Thumbprints as URIs. This enables JWK Thumbprints to be communicated in contexts requiring URIs, including in specific JSON Web Token (JWT) [RFC 7519] claims.

Use cases for this specification were developed in the OpenID Connect Working Group of the OpenID Foundation. Specifically, its use is planned in future versions of the Self-Issued OpenID Provider v2 specification.

The specification is available at:

• https://www.ietf.org/archive/id/draft-jones-oauth-jwk-thumbprint-uri-00.html

No Comments » Posted under Cryptography & IETF & OAuth & OpenID & Specifications

The latest version of the “OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)” specification adds an option for servers to supply a nonce value to be included in the DPoP proof. Both authorization servers and resource servers can provide nonce values to clients.

As described in the updated Security Considerations, the nonce prevents a malicious party in control of the client (who might be a legitimate end-user) from pre-generating DPoP proofs to be used in the future and exfiltrating them to a machine without the DPoP private key. When server-provided nonces are used, actual possession of the proof-of-possession key is being demonstrated — not just possession of a DPoP proof.

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-04.html

No Comments » Posted under IETF & OAuth & Specifications

The OAuth 2.0 JWT-Secured Authorization Request (JAR) specification has been published as RFC 9101. Among other applications, this specification is used by the OpenID Financial-grade API (FAPI). This is another in the series of RFCs bringing OpenID Connect-defined functionality to OAuth 2.0. Previous such RFCs included “OAuth 2.0 Dynamic Client Registration Protocol” [RFC 7591] and “OAuth 2.0 Authorization Server Metadata” [RFC 8414].

The abstract of the RFC is:

The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that authorization request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that a) the communication through the user agents is not integrity protected and thus, the parameters can be tainted, b) the source of the communication is not authenticated, and c) the communication through the user agents can be monitored. Because of these weaknesses, several attacks to the protocol have now been put forward.

This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained. The request can be sent by value or by reference.

Thanks to Nat Sakimura and John Bradley for persisting in finishing this RFC!

No Comments » Posted under Claims & IETF & JSON & OAuth & OpenID & Specifications

As described in my last post about OAuth JAR, after it was first sent to the RFC Editor, the IESG requested an additional round of IETF feedback. I’m happy to report that, having addressed this feedback, the spec has now been sent back to the RFC Editor.

As a reminder, this specification takes the JWT Request Object from Section 6 of OpenID Connect Core (Passing Request Parameters as JWTs) and makes this functionality available for pure OAuth 2.0 applications – and does so without introducing breaking changes. This is one of a series of specifications bringing functionality originally developed for OpenID Connect to the OAuth 2.0 ecosystem. Other such specifications included OAuth 2.0 Dynamic Client Registration Protocol [RFC 7591] and OAuth 2.0 Authorization Server Metadata [RFC 8414].

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-33

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-jwsreq-33.html

No Comments » Posted under Claims & IETF & JSON & OAuth & OpenID & Specifications

After the OAuth 2.0 JWT Secured Authorization Request (JAR) specification was sent to the RFC Editor, the IESG requested an additional round of IETF feedback. We’ve published an updated draft addressing the remaining review comments, specifically, SecDir comments from Watson Ladd. The only normative change made since the 28 was to change the MIME Type from “oauth.authz.req+jwt” to “oauth-authz-req+jwt”, per advice from the designated experts.

As a reminder, this specification takes the JWT Request Object from Section 6 of OpenID Connect Core (Passing Request Parameters as JWTs) and makes this functionality available for pure OAuth 2.0 applications – and does so without introducing breaking changes. This is one of a series of specifications bringing functionality originally developed for OpenID Connect to the OAuth 2.0 ecosystem. Other such specifications included OAuth 2.0 Dynamic Client Registration Protocol [RFC 7591] and OAuth 2.0 Authorization Server Metadata [RFC 8414].

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-31

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-jwsreq-31.html

No Comments » Posted under Claims & IETF & JSON & OAuth & OpenID & Specifications

Congratulations to Nat Sakimura and John Bradley for progressing the OAuth 2.0 JWT Secured Authorization Request (JAR) specification from the working group through the IESG to the RFC Editor. This specification takes the JWT Request Object from Section 6 of OpenID Connect Core (Passing Request Parameters as JWTs) and makes this functionality available for pure OAuth 2.0 applications – and intentionally does so without introducing breaking changes.

This is one of a series of specifications bringing functionality originally developed for OpenID Connect to the OAuth 2.0 ecosystem. Other such specifications included OAuth 2.0 Dynamic Client Registration Protocol [RFC 7591] and OAuth 2.0 Authorization Server Metadata [RFC 8414].

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-28

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-jwsreq-28.html

Again, congratulations to Nat and John and the OAuth Working Group for this achievement!

No Comments » Posted under Claims & IETF & JSON & OAuth & OpenID & Specifications

A number of refinements have been applied to the DPoP specification. As recorded in the History entries, they are:

• Editorial updates
• Attempt to more formally define the DPoP Authorization header scheme
• Define the 401/WWW-Authenticate challenge
• Added invalid_dpop_proof error code for DPoP errors in token request
• Fixed up and added to the IANA section
• Added dpop_signing_alg_values_supported authorization server metadata
• Moved the Acknowledgements into an Appendix and added a bunch of names (best effort)

Thanks to Brian Campbell for doing the editing for this round.

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-01.html

No Comments » Posted under IETF & OAuth & Specifications