Musings on Digital Identity

Month: July 2013

Second OpenID Connect Implementer’s Drafts Approved

OpenID logoThe OpenID Foundation members have voted to approve a second set of OpenID Connect Implementer’s Drafts. The working group intends for the final specifications to be compatible with these Implementer’s Drafts.

Implementer’s Drafts are stable versions of specifications intended for trial implementations and deployments that provide specific IPR protections to those using them. Implementers and deployers are encouraged to continue providing feedback to the working group on these specifications based upon their experiences using them.

OpenID Connect Server in a Nutshell

OpenID logoNat Sakimura has written a valuable post describing how to write an OpenID Connect server in three simple steps. It shows by example how simple it is for OAuth servers to add OpenID Connect functionality. This post is a companion to his previous post OpenID Connect in a Nutshell, which described how simple it is to build OpenID Connect clients. If you’re involved in OpenID Connect in any way, or are considering becoming involved, these posts are well worth reading.

JOSE -14 and JWT -11 drafts with additional algorithms and examples published

IETF logoJSON Object Signing and Encryption (JOSE) -14 drafts have been published that incorporate minor updates requested by the working group since the last working group call. The primary change was adding algorithm identifiers for AES algorithms using 192 bit keys; supporting these algorithms is optional. The only breaking changes were to the password-based encryption algorithm parameter representation. This version adds an example ECDH-ES Key Agreement computation.

The JSON Web Token (JWT) -11 draft adds a Nested JWT example — in which the claims are first signed, and then encrypted.

The drafts are available at:

HTML formatted versions are also available at:

OpenID Connect Presentation at IETF 87

OpenID logoI’ve posted the OpenID Connect presentation that I gave at the OpenID Workshop at IETF 87. Besides giving an overview of the specification status, unsurprisingly given the setting at IETF 87, it also talks about the relationship between OpenID Connect and the IETF specifications that it depends upon. It’s available as PowerPoint and PDF.

JOSE -13 drafts

IETF logoThe JSON Object Signing and Encryption (JOSE) -13 drafts are now available, which incorporate issue resolutions agreed to on today’s JOSE working group call. The only breaking change was to the JWS JSON Serialization, by making all header parameters be per-signature (which is actually a simplification and makes it more parallel to the JWS Compact Serialization). Algorithms were added to JWA for key encryption with AES GCM and for password-based encryption. An optional “aad” (Additional Authenticated Data) member was added to the JWE JSON Serialization.

Thanks to Matt Miller for the password-based encryption write-up, which is based on draft-miller-jose-jwe-protected-jwk-02.

The drafts are available at:

HTML formatted versions are also available at:

OAuth assertions drafts improving interop characteristics

IETF logoUpdated OAuth assertions drafts have been posted that improve their interoperability characteristics in a manner suggested during IESG review: they now state that issuer and audience values should be compared using the Simple String Comparison method defined in Section 6.2.1 of RFC 3986 unless otherwise specified by the application.

The drafts are available at:

HTML formatted versions are available at:

JWT draft -10

IETF logoJSON Web Token (JWT) draft -10 allows Claims to be replicated as Header Parameters in encrypted JWTs as needed by applications that require an unencrypted representation of specific Claims. This draft is available at, with an HTML formatted version also available at

AES GCM Key Wrapping draft -01

IETF logoI’ve updated the AES GCM Key Wrapping draft to represent the Initialization Vector and Authentication Tag values used as header parameter values so as to be more parallel with their treatment when using AES GCM for content encryption, per working group request. This draft is now available as It is also available in HTML format at

JOSE -12 and JWT -09 drafts released

IETF logoThe -12 JSON Object Signing and Encryption (JOSE) drafts have been released incorporating issue resolutions agreed to on the July 1, 2013 working group call and on the mailing list. Most of the changes were editorial improvements suggested by Jim Schaad and Richard Barnes. Changes included clarifying that the “typ” and “cty” header parameters are for use by applications and don’t affect JOSE processing, replacing the MIME types application/jws, application/jwe, application/jws+json, and application/jwe+json with application/jose and application/jose+json, and relaxing language on JSON parsing when duplicate member names are encountered to allow use of ECMAScript JSON parsers. See the history entries for the full set of changes.

Corresponding changes to the JSON Web Token (JWT) spec were also published in draft -09.

The drafts are available at:

HTML formatted versions are also available at:

OpenID Connect Update Presentation at CIS 2013

OpenID logoI’ve posted the OpenID Connect Update presentation that I gave today during the OpenID Workshop at the Cloud Identity Summit 2013. I’ve trimmed down the presentation to be lighter on the “how” and focus more on the “what” and “why”, relative to the one I gave at EIC in May. It’s available in PowerPoint and PDF formats.

Powered by WordPress & Theme by Anders Norén