An updated Security Event Token (SET) specification has published to address recent review comments received. Changes were:
The specification is available at:
An HTML-formatted version is also available at:
The syntax of two JWT claims registered by the OAuth Token Exchange specification has been changed as a result of developer feedback. Developers pointed out that the OAuth Token Introspection specification [RFC 7662] uses a “scope” string to represent scope values, whereas Token Exchange was defining an array-valued “scp” claim to represent scope values. The former also uses a “client_id” element to represent OAuth Client ID values, whereas the latter was using a “cid” claim for the same purpose.
After consulting with the working group, the OAuth Token Exchange claim names have been changed to “scope” and “client_id“. Thanks to Torsten Lodderstedt for pointing out the inconsistencies and to Brian Campbell for seeking consensus and making the updates.
The specification is available at:
An HTML-formatted version is also available at:
The Security Event Token (SET) specification has been updated to address Area Director review comments from Benjamin Kaduk. Thanks for the thorough and useful review, as always, Ben.
The specification is available at:
An HTML-formatted version is also available at:
A new draft of the Security Event Token (SET) specification has published that addresses comments from Russ Housley, who reviewed the spec for the IETF Security Directorate (SecDir). Changes were:
The specification is available at:
An HTML-formatted version is also available at:
The JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to add guidance on how to explicitly type Nested JWTs. Thanks to Brian Campbell for suggesting the addition.
The specification is available at:
An HTML-formatted version is also available at:
One more clarification to the CBOR Web Token (CWT) specification has been made to address a comment by IESG member Adam Roach. This version is being sent to the RFC Editor in preparation for its publication as an RFC. The change was:
Special thanks to Security Area Director Kathleen Moriarty for helping get this across the finish line!
The specification is available at:
An HTML-formatted version is also available at:
The CBOR Web Token (CWT) specification has been updated to address comments received from Internet Engineering Steering Group (IESG) members. Changes were:
Special thanks to Security Area Director Kathleen Moriarty for helping get this across the finish line!
The specification is available at:
An HTML-formatted version is also available at:
The CBOR Web Token (CWT) specification has been updated to address IETF last call comments received to date, including GenArt, SecDir, Area Director, and additional shepherd comments. Changes were:
The specification is available at:
An HTML-formatted version is also available at:
The OAuth Authorization Server Metadata specification has been updated to address additional IESG feedback. The only change was to clarify the meaning of “case-insensitive”, as suggested by Alexey Melnikov.
The specification is available at:
An HTML-formatted version is also available at:
A few local improvements have been made to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification. Changes were:
Thanks to Samuel Erdtman for sharing the editing.
The specification is available at:
An HTML-formatted version is also available at:
A new draft of the Security Event Token (SET) specification has published that addresses review comments from the second Working Group Last Call and shepherd comments from Yaron Sheffer. Changes were:
iat” description, as suggested by Annabelle Backman.The specification is available at:
An HTML-formatted version is also available at:
The OAuth Authorization Server Metadata specification has been updated to address feedback received from IESG members. Changes were:
The specification is available at:
An HTML-formatted version is also available at:
The CBOR Web Token (CWT) specification has been updated to address the shepherd comments by Benjamin Kaduk. Changes were:
Thanks to Ben for his careful review of the specification!
The specification is available at:
An HTML-formatted version is also available at:
The Security Event Token (SET) specification has been updated to simplify the definitions and usage of the “iat” (issued at) and “toe” (time of event) claims. The full set of changes made was:
iat” and “toe” claims in ways suggested by Annabelle Backman.Thanks to Annabelle Backman, Marius Scurtescu, Phil Hunt, and Dick Hardt for the discussions that led to these simplifications.
The specification is available at:
An HTML-formatted version is also available at:
A new CBOR Web Token (CWT) draft has been published that applies a correction to an example. The full list of changes is:
application/cwt media type registration.Thanks to Samuel Erdtman for validating all the examples once more and finding the issue with the signed and encrypted example. Thanks to Benjamin Kaduk for pointing out additional improvements that could be applied from the second WGLC comments.
The specification is available at:
An HTML-formatted version is also available at:
A new version of the Security Event Token (SET) specification has been published that incorporates clarifications suggested by working group members in discussions since IETF 100. Changes were:
No changes to the semantics of the specification were made.
The specification is available at:
An HTML-formatted version is also available at:
A new draft of the OAuth 2.0 Token Exchange specification has been published that addresses feedback from Security Area Director Eric Rescorla. The acknowledgements were also updated. Thanks to Brian Campbell for doing the editing for this version.
The specification is available at:
An HTML-formatted version is also available at:
A new CBOR Web Token (CWT) draft has been published that addresses comments received during the second working group last call. Thanks to Hannes Tschofenig, Esko Dijk, Ludwig Seitz, Carsten Bormann, and Benjamin Kaduk for their feedback. All changes made were clarifications or formatting improvements.
The specification is available at:
An HTML-formatted version is also available at:
A new draft of the OAuth 2.0 Token Exchange specification has been published that adds token type URIs for SAML 1.1 and SAML 2.0 assertions. They were added in response to actual developer use cases. These parallel the existing token type URI for JWT tokens.
The specification is available at:
An HTML-formatted version is also available at:
The OAuth Authorization Server Metadata specification has been updated to incorporate feedback received during IETF last call. Thanks to Shwetha Bhandari, Brian Carpenter, Donald Eastlake, Dick Hardt, and Mark Nottingham for their reviews. See the Document History appendix for clarifications applied. No normative changes were made.
The specification is available at:
An HTML-formatted version is also available at:
Powered by WordPress & Theme by Anders Norén