Musings on Digital Identity

Month: April 2012

OAuth 2.0 JWT Bearer Token Profiles Specification Draft -04

OAuth logoDraft 04 of the OAuth 2.0 JWT Bearer Token Profiles Specification has been published. This version tracks changes in the OAuth 2.0 Assertion Profile and SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 specifications made in response to working group last call comments, as announced by Brian Campbell.

Changes made were:

  • Merged in changes between draft-ietf-oauth-saml2-bearer-09 and draft-ietf-oauth-saml2-bearer-11.
  • Added the optional iat (issued at) claim, which was already present in the JWT spec.

The draft is available at:

An HTML-formatted version is available at:

OAuth 2.0 Bearer Token Specification Draft -19

OAuth logoDraft 19 of the OAuth 2.0 Bearer Token Specification has been published. It addresses DISCUSS issues and COMMENTs raised for which resolutions have been agreed to. No normative changes were made. Changes made were:

  • Use ABNF from RFC 5234.
  • Added sentence “The Bearer authentication scheme is intended primarily for server authentication using the WWW-Authenticate and Authorization HTTP headers, but does not preclude its use for proxy authentication” to the introduction.
  • In the introduction, state that this document also imposes semantic requirements upon the access token.
  • Reference the scope definition in the OAuth core spec.
  • Added scope examples.
  • Reference RFC 6265 for security considerations about cookies.

The draft is available at:

An HTML-formatted version is available at:

OpenID Connect has won the 2012 European Identity Award

OpenID logoI’m thrilled to report that OpenID Connect has won the 2012 European Identity Award for Best Innovation/New Standard. I appreciate the recognition of what we’ve achieved to date with OpenID Connect and its potential to significantly change digital identity for the better. As Dave Kearns wrote in the OpenID Foundation announcement about the award:

I’m pleased that Kuppinger Cole has granted OpenID Connect the award for Best Innovation/New Standard this year. What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!

My thanks to all who have contributed to the OpenID Connect specifications to date and especially to the developers who have implemented draft versions, providing essential feedback needed to refine the specs on the road to final standards. I look forward to seeing what people will accomplish with OpenID Connect!

April 10, 2012 OpenID Connect Update Release

OpenID logoThe OpenID Connect working group has released an update to the OpenID Connect specifications that continues incorporating significant developer feedback received, while maintaining as much compatibility with the implementer’s drafts as possible. The Connect specs have also been updated to track updates to the OAuth and JOSE specs, which they use. The primary normative changes are as follows:

  • Make changes to allow path in the issuer_identifier, per issue #513
  • Add hash and hash check of access_token and code to id_token, per issue #510
  • Split encrypted response configurations into separate parameters for alg, enc, int
  • Added optional id_token to authorization request parameters, per issue #535
  • Now requested claims add to those requested with scope values, rather than replacing them, per issue #547
  • Added error interaction_required and removed user_mismatched, per issue #523
  • Changed invalid_request_redirect_uri to invalid_redirect_uri, per issue #553
  • Removed “embedded” display type, since its semantics were not well defined, per issue #514

A significant non-normative addition is:

  • Add example JS code for Basic client

Implementers are particularly encouraged to build and provide feedback on the new and modified features.

The new versions are available from http://openid.net/connect/ or at:

Powered by WordPress & Theme by Anders Norén