Mike Jones: self-issued

Musings on Digital Identity

Month: December 2012

December 27, 2012 OpenID Connect Release

By

On December 28, 2012

In Claims, JSON, OAuth, OpenID, Specifications

OpenID logoNew versions of the OpenID Connect specifications have been released resolving numerous open issues raised by the working group. The most significant change is changing the name of the “user_id” claim to “sub” (subject) so that ID Tokens conform to the OAuth JWT Bearer Profile specification, and so they can be used as OAuth assertions. (Also, see the related coordinated change to the OAuth JWT specifications.) A related enhancement was extending our use of the “aud” (audience) claim to allow ID Tokens to have multiple audiences. Also, a related addition was defining the “azp” (authorized party) claim to allow implementers to experiment with this proposed functionality. (This is a slightly more general form of the “cid” claim that Google and Nat Sakimura had proposed.)

Other updates were:

  • The “offline_access” scope value was defined to request that a refresh token be returned when using the code flow that can be used to obtain an access token granting access to the user’s UserInfo endpoint even when the user is not present.
  • A new “tos_url” registration parameter was added so that the terms of service can be specified separately from the usage policy.
  • Clarified that “jwk_url” and “jwk_encryption_url” refer to documents containing JWK Sets – not single JWK keys.

Implementers need to apply these name changes to their code:

  • user_id -> sub
  • prn -> sub
  • user_id_types_supported -> subject_types_supported
  • user_id_type -> subject_type
  • acrs_supported -> acr_values_supported
  • alg -> kty (in JWKs)

See the Document History section of each specification for more details about the changes made.

This release is part of a coordinated release of JOSE, OAuth, and OpenID Connect specifications. You can read about the other releases here: JOSE Release Notes, OAuth Release Notes.

The new specification versions are:

December 27, 2012 OAuth JWT & Assssertions Release

By

On December 28, 2012

In Claims, JSON, OAuth, Specifications

OAuth logoNew versions of the OAuth JWT, JWT Bearer Profile, and Assertions specs have been released incorporating feedback since IETF 85 in Atlanta. The primary change is changing the name of the “prn” claim to “sub” (subject) both to more closely align with SAML name usage and to use a more intuitive name for this concept. (Also, see the related coordinated change to the OpenID Connect specifications.) The definition of the “aud” (audience) claim was also extended to allow JWTs to have multiple audiences (a feature also in SAML assertions).

An explanation was added to the JWT spec about why should be signed and then encrypted.

The audience definition in the Assertions specification was relaxed so that audience values can be OAuth “client_id” values. Informative references to the SAML Bearer Profile and JWT Bearer Profile specs were also added.

This release incorporates editorial improvements suggested by Jeff Hodges, Hannes Tschofenig, and Prateek Mishra in their reviews of the JWT specification. Many of these simplified the terminology usage. See the Document History section of each specification for more details about the changes made.

This release is part of a coordinated release of JOSE, OAuth, and OpenID Connect specifications. You can read about the other releases here: JOSE Release Notes, OpenID Connect Release Notes.

The new specification versions are:

HTML formatted versions are available at:

December 27, 2012 JOSE Release

By

On December 28, 2012

In Cryptography, JSON, Specifications

IETF logoNew versions of the JOSE specs have been released incorporating feedback since IETF 85 in Atlanta. The highlight of this release is the new JSON Private and Symmetric Key spec, which extends JWKs to be able to represent private and symmetric keys. These sensitive keys can then be protected for transmission and storage by JWE encryption of their JWK representations.

One new feature added to JWK is the ability to optionally specify which specific algorithm the key is intended to be used with. (This is already existing practice for keys in X.509 format.) For instance, a symmetric key might be annotated to say that it is to be used with the “HS256” algorithm. Because the natural field name for this functionality is “alg“, the “alg” name is now used for this purpose (matching JWS and JWE) and the key type (formerly “alg“) is now denoted by the “kty” field.

This release incorporates editorial improvements suggested by Jeff Hodges and Hannes Tschofenig in their reviews of the JWT specification. Many of these simplified the terminology usage. See the Document History section of each specification for more details about the changes made.

This release is part of a coordinated release of JOSE, OAuth, and OpenID Connect specifications. You can read about the other releases here: OAuth Release Notes, OpenID Connect Release Notes.

The new specification versions are:

HTML formatted versions are available at:

2013 OpenID Board Election Announcement

By

On December 6, 2012

In OpenID, People

OpenID logoThe OpenID Foundation has announced the upcoming OpenID community board member election. Board members play an important role in safeguarding and advancing OpenID technologies and doing the work of the Foundation on a day-to-day basis. If you’re considering running, I’d be glad to discuss my experiences serving on the board with you.

Watch the OpenID blog and this space for updates on the election over the next few months.

(And yes, I plan to stand for re-election.)

Powered by WordPress & Theme by Anders Norén