Microsoft has released production support for the JSON Web Token (JWT). Read about it in Alex Simons’ release announcement and Vittorio Bertocci’s blog post on the JWT support.
Category: JSON Page 11 of 14
Today marks another significant milestone towards completing the OpenID Connect standard. The OpenID Foundation has announced that the 45 day review period for the second set of proposed Implementer’s Drafts has begun. The working group believes that these are stable and complete drafts. They are being proposed as Implementer’s Drafts, rather than Final Specifications at this time, because of the dependencies on some IETF specifications that are still undergoing standardization — primarily the JSON Web Token (JWT) specification and the JSON Object Signing and Encryption (JOSE) specifications underlying it.
An Implementer’s Draft is a stable version of a specification intended for implementation and deployment that provides intellectual property protections to implementers of the specification. These updated drafts are the product of incorporating months of feedback from implementers and reviewers on earlier specification drafts, starting with the previous Implementer’s Drafts, including feedback resulting from several rounds of interop testing. Thanks to all of you who have been working towards the completion of OpenID Connect!
These specifications are available at:
- http://openid.net/specs/openid-connect-basic-1_0-28.html
- http://openid.net/specs/openid-connect-implicit-1_0-11.html
- http://openid.net/specs/openid-connect-messages-1_0-20.html
- http://openid.net/specs/openid-connect-standard-1_0-21.html
- http://openid.net/specs/openid-connect-discovery-1_0-17.html
- http://openid.net/specs/openid-connect-registration-1_0-19.html
- http://openid.net/specs/openid-connect-session-1_0-15.html
- http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html
The -11 drafts of the JSON Object Signing and Encryption (JOSE) specifications have been released that incorporate the changes agreed to at the interim working group meeting last month. Most of the changes were to the JWS and JWE JSON Serialization representations, enabling more flexible treatment of header parameter values. Other changes included removing the Encrypted Key value from the JWE integrity calculation, saying more about key identification, adding key identification parameters to some of the examples, clarifying the use of “kid” values in JWK Sets, enabling X.509 key representations in JWKs, recommending protecting JWKs containing non-public information by encrypting them with JWE, adding “alg” values for RSASSA-PSS, registering additional MIME types, and a number of clarifications. A corresponding -08 JSON Web Token (JWT) spec was also released that updated the encrypted JWT example value to track the JWE change. Hopefully this will be the last breaking change to the encryption calculations.
The specifications are available at:
- http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-11
- http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-11
- http://tools.ietf.org/html/draft-ietf-jose-json-web-key-11
- http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-11
- http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08
HTML formatted versions are available at:
- https://self-issued.info/docs/draft-ietf-jose-json-web-signature-11.html
- https://self-issued.info/docs/draft-ietf-jose-json-web-encryption-11.html
- https://self-issued.info/docs/draft-ietf-jose-json-web-key-11.html
- https://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-11.html
- https://self-issued.info/docs/draft-ietf-oauth-json-web-token-08.html
A fourth set of release candidates for the upcoming OpenID Connect Implementer’s Drafts has been released. Changes since the third release candidates mostly consist of editorial improvements. There were only two changes that will result in changes to implementations. The first was replacing the “updated_time” claim, which used a textual date format, with the “updated_at” claim, which uses the same numeric representation as the other OpenID Connect date/time claims. The second was replacing the “PKIX” JWK key type with the “x5c” JWK key member (a change actually made this week by the JOSE working group).
These are ready for discussion at Monday’s in-person OpenID Connect working group meeting. All issues filed have been addressed.
The updated specifications are:
- http://openid.net/specs/openid-connect-basic-1_0-26.html
- http://openid.net/specs/openid-connect-implicit-1_0-09.html
- http://openid.net/specs/openid-connect-messages-1_0-18.html
- http://openid.net/specs/openid-connect-standard-1_0-19.html
- http://openid.net/specs/openid-connect-discovery-1_0-15.html
- http://openid.net/specs/openid-connect-registration-1_0-17.html
These specifications did not change:
- http://openid.net/specs/openid-connect-session-1_0-13.html
- http://openid.net/specs/oauth-v2-multiple-response-types-1_0-07.html
Thanks to all who continued reviewing and implementing the specifications, resulting in the improvements contained in this release. I’ll look forward to seeing many of you on Monday!
Based upon working group feedback on the -09 drafts, I’ve released an update to the JSON Object Signing and Encryption (JOSE) specifications that changes the processing rules for JWEs encrypted to multiple recipients. The new processing rules enable using AES GCM for multiple-recipient JWE objects. This update makes no changes to the single-recipient case.
The updated specification versions are:
- http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-10
- http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-10
- http://tools.ietf.org/html/draft-ietf-jose-json-web-key-10
- http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-10
HTML formatted versions are also available at:
New versions of the JSON Object Signing and Encryption (JOSE) specifications JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), and JSON Web Algorithms (JWA) and the JSON Web Token (JWT) specification have been released that incorporate the working group decisions made during and since IETF 86.
The primary new features in these working group drafts are:
- adding support for private and symmetric keys to JWK and JWA,
- adding support for JSON Serializations to JWS and JWE,
- replacing the custom JOSE CBC+HMAC algorithms with ones compatible with those proposed in draft-mcgrew-aead-aes-cbc-hmac-sha2,
- defining that the default action for header parameters and claims that are not understood is to ignore them, while providing a way to designate that some extension header parameters must be understood.
More details on the changes made can be found in the Document History entries.
The specifications are available at:
- http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-09
- http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-09
- http://tools.ietf.org/html/draft-ietf-jose-json-web-key-09
- http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-09
- http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-07
HTML formatted versions are also available at:
- https://self-issued.info/docs/draft-ietf-jose-json-web-signature-09.html
- https://self-issued.info/docs/draft-ietf-jose-json-web-encryption-09.html
- https://self-issued.info/docs/draft-ietf-jose-json-web-key-09.html
- https://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-09.html
- https://self-issued.info/docs/draft-ietf-oauth-json-web-token-07.html
A third set of Release Candidates for the pending OpenID Connect Implementer’s Drafts have been released. Like the first set, the second set of Release Candidates, which were published earlier this month, also received thorough review, resulting in a smaller set of additional refinements. The changes primarily made some the claim definitions more precise and provided more guidance on support for multiple languages and scripts.
Were it not for a set of pending changes about to be made to the JSON Object Signing and Encryption (JOSE) specifications, this set of specifications would likely actually be the Implementer’s Drafts. However, the OpenID Connect working group made the decision to have those (non-breaking) JOSE changes be applied before we declare that the Implementer’s Drafts are done. Expect announcements about both the JOSE updates and the OpenID Connect Implementer’s Drafts soon.
The new specifications are:
- http://openid.net/specs/openid-connect-basic-1_0-25.html
- http://openid.net/specs/openid-connect-implicit-1_0-08.html
- http://openid.net/specs/openid-connect-messages-1_0-17.html
- http://openid.net/specs/openid-connect-standard-1_0-18.html
- http://openid.net/specs/openid-connect-discovery-1_0-14.html
- http://openid.net/specs/openid-connect-registration-1_0-16.html
- http://openid.net/specs/openid-connect-session-1_0-13.html
- http://openid.net/specs/oauth-v2-multiple-response-types-1_0-07.html
See the History entries in the specs for more details on the changes made.
Thanks again to all who reviewed and implemented the recent drafts!
Last week at the Japan Identity and Cloud Symposium I gave a presentation on this topic: A new set of simple, open identity protocols is emerging that utilize JSON data representations and REST-based communication patterns, including OAuth, JSON Web Token (JWT), JSON Object Signing and Encryption (JOSE), and WebFinger. I’ve posted PowerPoint and PDF versions of the presentation.
Thanks again to the organizers of JICS 2013 for a great event!
I’m pleased to announce that a second set of Release Candidates for the upcoming OpenID Connect Implementer’s Drafts have been released. The first set of Release Candidates received thorough review, resulting in quite a bit of detailed feedback. The current specs incorporate the feedback received, making them simpler, more consistent, and easier to understand.
Please review these this week — especially if you had submitted feedback. The working group plans to decide whether we’re ready to declare Implementer’s Drafts during the OpenID Meeting before IETF 86 on Sunday.
The new specifications are:
- http://openid.net/specs/openid-connect-basic-1_0-24.html
- http://openid.net/specs/openid-connect-implicit-1_0-07.html
- http://openid.net/specs/openid-connect-messages-1_0-16.html
- http://openid.net/specs/openid-connect-standard-1_0-17.html
- http://openid.net/specs/openid-connect-discovery-1_0-13.html
- http://openid.net/specs/openid-connect-registration-1_0-15.html
- http://openid.net/specs/openid-connect-session-1_0-12.html
See the History entries in the specs for details on the changes made.
Thanks again to all who did so much to get us to this point, including the spec writers, working group members, and especially the implementers!
I’m pleased to announce that release candidate versions of the soon-to-come OpenID Connect Implementer’s Drafts have been released. All the anticipated breaking changes to the protocol are now in place, including switching Discovery over from using Simple Web Discovery to WebFinger and aligning Registration with the OAuth Dynamic Client Registration draft. While several names changed for consistency reasons, the changes to Discovery and Registration were the only architectural changes.
Please thoroughly review these drafts this week and report any issues that you believe need to be addressed before we release the Implementer’s Draft versions.
Normative changes since the December 27th, 2012 release were:
- Use WebFinger for OpenID Provider discovery instead of Simple Web Discovery. This also means that account identifiers using e-mail address syntax are prefixed by the
acct:scheme when passed to WebFinger. - Aligned Registration parameters with OAuth Dynamic Registration draft.
- Added Implementation Considerations sections to all specifications, which specify which features are mandatory to implement.
- Removed requirement that the “
c_hash” and “at_hash” be computed using SHA-2 algorithms (for crypto agility reasons). - Refined aspects of using encrypted ID Tokens.
- Finished specifying elements of key management for self-issued OPs.
- Added “
display_values_supported“, “claim_types_supported“, “claims_supported“, and “service_documentation” discovery elements. - Defined REQUIRED, RECOMMENDED, and OPTIONAL discovery elements.
- Refined Session Management specification, including descriptions of OP and RP iframe behaviors.
- Deleted “
javascript_origin_uris“, which is no longer present in Session Management. - Added new “
session_state” parameter to the authorization response for Session Management. - Added new “
post_logout_redirect_url” registration parameter for Session Management.
Also, renamed these identifiers for naming consistency reasons:
user_jwk->sub_jwk(used in self-issued ID Tokens)token_endpoint_auth_type->token_endpoint_auth_methodtoken_endpoint_auth_types_supported->token_endpoint_auth_methods_supportedcheck_session_iframe_url->check_session_iframeend_session_endpoint_url->end_session_endpointtype->operation(in Registration)associate->register(in Registration)application_name->client_namecheck_session_endpoint->check_session_iframe
See the History entries in the specifications for more details.
The new specification versions are at:
- http://openid.net/specs/openid-connect-basic-1_0-23.html
- http://openid.net/specs/openid-connect-implicit-1_0-06.html
- http://openid.net/specs/openid-connect-messages-1_0-15.html
- http://openid.net/specs/openid-connect-standard-1_0-16.html
- http://openid.net/specs/openid-connect-discovery-1_0-12.html
- http://openid.net/specs/openid-connect-registration-1_0-14.html
- http://openid.net/specs/openid-connect-session-1_0-11.html
Thanks to all who did so much to get us to this point, including the spec writers, working group members, and implementers!
New versions of the OpenID Connect specifications have been released resolving numerous open issues raised by the working group. The most significant change is changing the name of the “user_id” claim to “sub” (subject) so that ID Tokens conform to the OAuth JWT Bearer Profile specification, and so they can be used as OAuth assertions. (Also, see the related coordinated change to the OAuth JWT specifications.) A related enhancement was extending our use of the “aud” (audience) claim to allow ID Tokens to have multiple audiences. Also, a related addition was defining the “azp” (authorized party) claim to allow implementers to experiment with this proposed functionality. (This is a slightly more general form of the “cid” claim that Google and Nat Sakimura had proposed.)
Other updates were:
- The “
offline_access” scope value was defined to request that a refresh token be returned when using the code flow that can be used to obtain an access token granting access to the user’s UserInfo endpoint even when the user is not present. - A new “
tos_url” registration parameter was added so that the terms of service can be specified separately from the usage policy. - Clarified that “
jwk_url” and “jwk_encryption_url” refer to documents containing JWK Sets – not single JWK keys.
Implementers need to apply these name changes to their code:
user_id->subprn->subuser_id_types_supported->subject_types_supporteduser_id_type->subject_typeacrs_supported->acr_values_supportedalg->kty(in JWKs)
See the Document History section of each specification for more details about the changes made.
This release is part of a coordinated release of JOSE, OAuth, and OpenID Connect specifications. You can read about the other releases here: JOSE Release Notes, OAuth Release Notes.
The new specification versions are:
- http://openid.net/specs/openid-connect-basic-1_0-22.html
- http://openid.net/specs/openid-connect-implicit-1_0-05.html
- http://openid.net/specs/openid-connect-messages-1_0-14.html
- http://openid.net/specs/openid-connect-standard-1_0-15.html
- http://openid.net/specs/openid-connect-discovery-1_0-11.html
- http://openid.net/specs/openid-connect-registration-1_0-13.html
- http://openid.net/specs/openid-connect-session-1_0-10.html
New versions of the OAuth JWT, JWT Bearer Profile, and Assertions specs have been released incorporating feedback since IETF 85 in Atlanta. The primary change is changing the name of the “prn” claim to “sub” (subject) both to more closely align with SAML name usage and to use a more intuitive name for this concept. (Also, see the related coordinated change to the OpenID Connect specifications.) The definition of the “aud” (audience) claim was also extended to allow JWTs to have multiple audiences (a feature also in SAML assertions).
An explanation was added to the JWT spec about why should be signed and then encrypted.
The audience definition in the Assertions specification was relaxed so that audience values can be OAuth “client_id” values. Informative references to the SAML Bearer Profile and JWT Bearer Profile specs were also added.
This release incorporates editorial improvements suggested by Jeff Hodges, Hannes Tschofenig, and Prateek Mishra in their reviews of the JWT specification. Many of these simplified the terminology usage. See the Document History section of each specification for more details about the changes made.
This release is part of a coordinated release of JOSE, OAuth, and OpenID Connect specifications. You can read about the other releases here: JOSE Release Notes, OpenID Connect Release Notes.
The new specification versions are:
- http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06
- http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04
- http://tools.ietf.org/html/draft-ietf-oauth-assertions-09
HTML formatted versions are available at:
New versions of the JOSE specs have been released incorporating feedback since IETF 85 in Atlanta. The highlight of this release is the new JSON Private and Symmetric Key spec, which extends JWKs to be able to represent private and symmetric keys. These sensitive keys can then be protected for transmission and storage by JWE encryption of their JWK representations.
One new feature added to JWK is the ability to optionally specify which specific algorithm the key is intended to be used with. (This is already existing practice for keys in X.509 format.) For instance, a symmetric key might be annotated to say that it is to be used with the “HS256” algorithm. Because the natural field name for this functionality is “alg“, the “alg” name is now used for this purpose (matching JWS and JWE) and the key type (formerly “alg“) is now denoted by the “kty” field.
This release incorporates editorial improvements suggested by Jeff Hodges and Hannes Tschofenig in their reviews of the JWT specification. Many of these simplified the terminology usage. See the Document History section of each specification for more details about the changes made.
This release is part of a coordinated release of JOSE, OAuth, and OpenID Connect specifications. You can read about the other releases here: OAuth Release Notes, OpenID Connect Release Notes.
The new specification versions are:
- http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-08
- http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-08
- http://tools.ietf.org/html/draft-ietf-jose-json-web-key-08
- http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08
- http://tools.ietf.org/html/draft-jones-jose-jws-json-serialization-04
- http://tools.ietf.org/html/draft-jones-jose-jwe-json-serialization-04
- http://tools.ietf.org/html/draft-jones-jose-json-private-and-symmetric-key-00
HTML formatted versions are available at:
- https://self-issued.info/docs/draft-ietf-jose-json-web-signature-08.html
- https://self-issued.info/docs/draft-ietf-jose-json-web-encryption-08.html
- https://self-issued.info/docs/draft-ietf-jose-json-web-key-08.html
- https://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-08.html
- https://self-issued.info/docs/draft-jones-jose-jws-json-serialization-04.html
- https://self-issued.info/docs/draft-jones-jose-jwe-json-serialization-04.html
- https://self-issued.info/docs/draft-jones-jose-json-private-and-symmetric-key-00.html
Vittorio Bertocci just wrote about a developer preview release of JWT support for the Windows Identity Framework (WIF). Among other things, his catalog of places that JWT is already in production use is worth taking note of. I encourage those of you who are using JWTs to download it and give it a spin. Any feedback you could provide on how it works for your use cases would be very valuable.
I’ve made a small set of updates to the JSON Object Signing and Encryption (JOSE) and JSON Web Token (JWT) specs in preparation for the JOSE and OAuth working group meetings at IETF 85. These updates incorporate resolutions to issues that have been discussed by the working groups since publication of the previous drafts.
Normative changes to the working group specs were to add length fields for PartyUInfo and PartyVInfo values for key derivation calculations and to change the JWK field identifiers for RSA keys from (mod, xpo) to (n, e). Fields for representing the RSA private key values needed for Chinese Remainder Theorem (CRT) calculations were added to the JSON Private Key specification.
The updated specs are available at:
-
http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-07
http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-07
http://tools.ietf.org/html/draft-ietf-jose-json-web-key-07
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-07
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-05
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-03
http://tools.ietf.org/html/draft-jones-jose-jws-json-serialization-03
http://tools.ietf.org/html/draft-jones-jose-jwe-json-serialization-03
http://tools.ietf.org/html/draft-jones-jose-json-private-key-01
HTML formatted versions are available at:
-
https://self-issued.info/docs/draft-ietf-jose-json-web-signature-07.html
https://self-issued.info/docs/draft-ietf-jose-json-web-encryption-07.html
https://self-issued.info/docs/draft-ietf-jose-json-web-key-07.html
https://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-07.html
https://self-issued.info/docs/draft-ietf-oauth-json-web-token-05.html
https://self-issued.info/docs/draft-ietf-oauth-jwt-bearer-03.html
https://self-issued.info/docs/draft-jones-jose-jws-json-serialization-03.html
https://self-issued.info/docs/draft-jones-jose-jwe-json-serialization-03.html
https://self-issued.info/docs/draft-jones-jose-json-private-key-01.html
See the history entries in the specs for detailed change descriptions.
I’ve updated the Simple Web Discovery (SWD) specification to incorporate a means of performing discovery on domains for which it may not be possible to create a .well-known endpoint. This can often be the case for hosted domains, where it is common for e-mail to be provided but no web server. This solution was developed in discussions by the OpenID Connect working group.
This draft is being published now to facilitate discussions of the need to enable discovery for hosted domains and possible solutions for doing so at the IETF Applications Area working group meeting at IETF 85 in Atlanta.
The updated specification is available at:
Changes made were:
- Specified that the SWD server for a domain may be located at the
simple-web-discoverysubdomain of the domain and that SWD clients must first try the endpoint at the domain and then the endpoint at the subdomain. - Removed the
SWD_service_redirectresponse, since redirection can be accomplished by pointing thesimple-web-discoverysubdomain to a different location than the domain’s host. - Removed
mailto:from examples in favor of bare e-mail address syntax. - Specified that SWD servers may also be run on ports other than 443, provided they use TLS on those ports.
An HTML formatted version is available at:
In preparation for discussions at the JOSE working group meeting at IETF 84 in Vancouver, BC, I did some investigation into the state of support for the JWA algorithms in common Web development platforms. This table contains the data gathered. It was also discussed at the July 2012 W3C WebCrypto F2F Meeting. I’m posting it now because I’d recently received a request for it and because it may be useful at the upcoming WebCrypto meeting at TPAC in Lyon and at IETF 85 in Atlanta.
Thanks to Roland Hedberg, Axel Nennker, Emmanuel Raviart, Nov Matake, Justin Richer, Edmund Jay, Wan-Teh Chang, Christopher Kula, and Ryan Sleevi for the data they provided. If you have more data that I should add, or believe that there are additional columns or rows we should track, please let me know.
New versions of the JSON WEB {Signature,Encryption,Key,Algorithms,Token} (JWS, JWE, JWK, JWA, JWT) specifications have been released. These versions incorporate the decisions made by the JOSE working group during and since IETF 84.
The primary change was revising the JWE format to always use AEAD encryption algorithms. The companion change was defining two new composite AEAD algorithms “A128CBC+HS256” and “A256CBC+HS512” that use AES CBC to perform encryption and matching HMAC SHA-2 algorithms to perform an integrity check on the ciphertext and the parameters used to create it.
Other than that, all changes were local in scope, with no changes to JWS — other than changing the format of the “x5c” (X.509 Certificate Chain) from a string containing a list of certificate values to an array of strings containing certificate values. Likewise, the only changes to JWT were to track changes made in the specs that it uses.
Having addressed all the open issues with resolutions with apparent working group consensus, it’s my hope that the working group will decide to send these specifications to working group last call at IETF 85.
The companion JWS JSON Serialization and JWE JSON Serialization specs were also updated.
The working group specifications are available at:
- http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-06
- http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-06
- http://tools.ietf.org/html/draft-ietf-jose-json-web-key-06
- http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-06
- http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-04
The individual submission specifications are available at:
- http://tools.ietf.org/html/draft-jones-jose-jws-json-serialization-02
- http://tools.ietf.org/html/draft-jones-jose-jwe-json-serialization-02
The document history entries (also in the specifications) are as follows:
http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-06
- Changed
x5c(X.509 Certificate Chain) representation from being a single string to being an array of strings, each containing a single base64 encoded DER certificate value, representing elements of the certificate chain. - Applied changes made by the RFC Editor to RFC 6749’s registry language to this specification.
http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-06
- Removed the
intandkdfparameters and defined the new composite AEAD algorithmsA128CBC+HS256andA256CBC+HS512to replace the former uses of AES CBC, which required the use of separate integrity and key derivation functions. - Included additional values in the Concat KDF calculation — the desired output size and the algorithm value, and optionally PartyUInfo and PartyVInfo values. Added the optional header parameters
apu(agreement PartyUInfo),apv(agreement PartyVInfo),epu(encryption PartyUInfo), andepv(encryption PartyVInfo). Updated the KDF examples accordingly. - Promoted Initialization Vector from being a header parameter to being a top-level JWE element. This saves approximately 16 bytes in the compact serialization, which is a significant savings for some use cases. Promoting the Initialization Vector out of the header also avoids repeating this shared value in the JSON serialization.
- Changed
x5c(X.509 Certificate Chain) representation from being a single string to being an array of strings, each containing a single base64 encoded DER certificate value, representing elements of the certificate chain. - Added an AES Key Wrap example.
- Reordered the encryption steps so CMK creation is first, when required.
- Correct statements in examples about which algorithms produce reproducible results.
http://tools.ietf.org/html/draft-ietf-jose-json-web-key-06
- Changed the name of the JWK RSA exponent parameter from
exptoxposo as to allow the potential use of the nameexpfor a future extension that might define an expiration parameter for keys. (Theexpname is already used for this purpose in the JWT specification.) - Clarify that the
alg(algorithm family) member is REQUIRED. - Correct an instance of “JWK” that should have been “JWK Set”.
- Applied changes made by the RFC Editor to RFC 6749’s registry language to this specification.
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-06
- Removed the
intandkdfparameters and defined the new composite AEAD algorithmsA128CBC+HS256andA256CBC+HS512to replace the former uses of AES CBC, which required the use of separate integrity and key derivation functions. - Included additional values in the Concat KDF calculation — the desired output size and the algorithm value, and optionally PartyUInfo and PartyVInfo values. Added the optional header parameters
apu(agreement PartyUInfo),apv(agreement PartyVInfo),epu(encryption PartyUInfo), andepv(encryption PartyVInfo). - Changed the name of the JWK RSA exponent parameter from
exptoxposo as to allow the potential use of the nameexpfor a future extension that might define an expiration parameter for keys. (Theexpname is already used for this purpose in the JWT specification.) - Applied changes made by the RFC Editor to RFC 6749’s registry language to this specification.
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-04
- Promoted Initialization Vector from being a header parameter to being a top-level JWE element. This saves approximately 16 bytes in the compact serialization, which is a significant savings for some use cases. Promoting the Initialization Vector out of the header also avoids repeating this shared value in the JSON serialization.
- Applied changes made by the RFC Editor to RFC 6749’s registry language to this specification.
- Reference RFC 6755 — An IETF URN Sub-Namespace for OAuth.
http://tools.ietf.org/html/draft-jones-jose-jws-json-serialization-02
- Changed to use an array of structures for per-recipient values, rather than a set of parallel arrays.
http://tools.ietf.org/html/draft-jones-jose-jwe-json-serialization-02
- Changed to use an array of structures for per-recipient values, rather than a set of parallel arrays.
- Promoted Initialization Vector from being a header parameter to being a top-level JWE element. This saves approximately 16 bytes in the compact serialization, which is a significant savings for some use cases. Promoting the Initialization Vector out of the header also avoids repeating this shared value in the JSON serialization.
HTML formatted versions are available at:
- https://self-issued.info/docs/draft-ietf-jose-json-web-signature-06.html
- https://self-issued.info/docs/draft-ietf-jose-json-web-encryption-06.html
- https://self-issued.info/docs/draft-ietf-jose-json-web-key-06.html
- https://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-06.html
- https://self-issued.info/docs/draft-ietf-oauth-json-web-token-04.html
- https://self-issued.info/docs/draft-jones-jose-jws-json-serialization-02.html
- https://self-issued.info/docs/draft-jones-jose-jwe-json-serialization-02.html
The OAuth 2.0 Core and Bearer specifications are now RFC 6749 and RFC 6750. This completes the journey to standardize a pair of simple identity specifications that are already in very widespread use for Web, enterprise, cloud, and mobile applications. They make things better by enabling access to resources to be granted without giving the password for the resource to the party being granted access (a pattern that used to be all too common).
I believe that the completion of these RFCs will only accelerate the momentum behind the adoption of simple REST/JSON based identity solutions. Some of the related standards that are already well under way and in use include the OAuth Assertion Framework, the OAuth SAML 2.0 Assertion Profile and OAuth JWT Assertion Profile, JSON Web Token (JWT), the JSON Object Signing and Encryption (JOSE) specs — JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), and JSON Web Algorithms (JWA), and OpenID Connect. Watch this space for future developments. Like OAuth 2.0, all of these are the product of collaboration by numerous people around the world and in many industries to build and deploy simple, usable identity solutions that solve real-world problems.
The goal of all these specs is to standardize functionality that is not only useful, but is simple enough that it will actually be used. OAuth 2.0 is an early success story in this regard. While the number of words in the spec has increased since early drafts, most of that is due to doing a more complete job of describing things not to do (adding security considerations), rather than adding bells and whistles. It doesn’t get much simpler than a couple of HTTP GETs and replies with simple request parameters and responses.
Dick Hardt deserves special thanks for his role both in starting what became OAuth 2.0 and seeing it through to completion. I recommend his post on the process that brought us the OAuth 2.0 RFCs.
Updated drafts of all three OAuth Assertion specifications have been published. These specs define how to use assertions/security tokens as OAuth 2.0 authorization grants and for client authentication. They are: Assertion Framework for OAuth 2.0, SAML 2.0 Bearer Assertion Profiles for OAuth 2.0, and JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0.
Language was added to all three explicitly clarifying that an assertion grant type can be used with or without client authentication via an assertion and that client authentication using an assertion is nothing more than an alternative way for a client to authenticate to the token endpoint. Two new examples were added to the SAML and JWT profile drafts to illustrate the use of assertions/security tokens in both cases. Thanks to Brian Campbell for making these updates.
The authors believe that draft-ietf-oauth-assertions and draft-ietf-oauth-saml2-bearer are now ready for Working Group Last Call.
The drafts are available at:
- http://tools.ietf.org/html/draft-ietf-oauth-assertions-06
- http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-14
- http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-02
HTML-formatted versions are available at: