Musings on Digital Identity

Month: February 2017

AMR Values specification addressing IESG comments

The Authentication Method Reference Values specification has been updated to address feedback from the IESG. Identifiers are now restricted to using only printable JSON-friendly ASCII characters. All the “amr” value definitions now include specification references.

Thanks to Stephen Farrell, Alexey Melnikov, Ben Campbell, and Jari Arkko for their reviews.
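As an added example, not code from the post or the specification: a relying-party-side check of the “amr” claim that enforces the character rule described above and the relying party's own policy on which authentication methods it requires. My reading of “printable JSON-friendly ASCII” as 0x20..0x7E with no '"' or '\' is an assumption; the registered values are those in RFC 8176, the published form of this draft; the token is a constructed, unsigned sample.

```python
import base64
import json

# Registered "amr" values from RFC 8176, the published form of the draft
# discussed above; the registry is not exhaustive, so other values may appear.
REGISTERED_AMR = {
    "face", "fpt", "geo", "hwk", "iris", "kba", "mca", "mfa", "otp", "pin",
    "pwd", "rba", "retina", "sc", "sms", "swk", "tel", "user", "vbm", "wia",
}

def is_json_friendly_ascii(value: str) -> bool:
    """Assumed reading of the character rule: non-empty, printable ASCII
    (0x20..0x7E) needing no escaping in a JSON string ('"' and '\\' excluded)."""
    return bool(value) and all(
        0x20 <= ord(c) <= 0x7E and c not in '"\\' for c in value)

def decode_payload(id_token: str) -> dict:
    """Return the JWT payload claims. This is parsing only, not signature
    verification; an RP must verify the JWS signature before trusting claims."""
    segment = id_token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def check_amr(claims: dict, required: set) -> tuple:
    """Return (ok, notes): ok only if every amr value is well-formed and at
    least one of the RP's required methods is present. Unregistered values
    are permitted by the spec, so they are noted rather than rejected."""
    notes = []
    ok = True
    amr = claims.get("amr")
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        return False, ["amr missing or not a JSON array of strings"]
    for v in amr:
        if not is_json_friendly_ascii(v):
            ok = False
            notes.append(f"malformed amr value {v!r}")
        elif v not in REGISTERED_AMR:
            notes.append(f"unregistered amr value {v!r} (permitted, worth logging)")
    if not required & set(amr):
        ok = False
        notes.append(f"none of the required methods {sorted(required)} present")
    return ok, notes

def make_sample_token(amr: list) -> str:
    """Constructed, unsigned sample token for demonstration only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"sub": "alice", "amr": amr}) + "."
```

A call such as `check_amr(decode_payload(make_sample_token(["pwd", "otp", "mfa"])), {"mfa", "hwk"})` returns `(True, [])`, while a token carrying only `["pwd"]` fails the same policy.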

The specification is available at:

An HTML-formatted version is also available at:

OAuth Device Flow specification nearly done

The OAuth 2.0 Device Flow specification has been updated to flesh out some of the parts that were formerly missing or incomplete. Updates made were:

  • Updated the title to “OAuth 2.0 Device Flow for Browserless and Input Constrained Devices” to reflect the specificity of devices that use this flow.
  • User Instruction section expanded.
  • Security Considerations section added.
  • Usability Considerations section added.
  • Added OAuth 2.0 Authorization Server Metadata definition for the device authorization endpoint.

It’s my sense that this specification is now nearly done. I highly encourage those of you with device flow implementations to review this version with an eye towards ensuring that all the functionality needed for your use cases is present. For instance, I’d suggest comparing the error code definitions to your usage.

Thanks to William Denniss for producing these updates.

The specification is available at:

An HTML-formatted version is also available at:

OpenID Connect Relying Party Certification Launched

Thanks to all who contributed to the launch of OpenID Connect Relying Party Certification! This is a major step in continuing to improve the interoperability and security of OpenID Connect implementations.

Roland Hedberg deserves huge credit for writing and deploying the testing tools. Roland eagerly interacted with developers as they “tested the tests”, promptly answering questions and iteratively developing the software to address issues that arose during the testing.

Hans Zandbelt and Edmund Jay also deserve huge thanks for being the earliest Relying Party testers. Because of their early feedback and perseverance, the process is now much easier for those that followed them.

As Don Thibeau wrote in the launch announcement, we were surprised by the speed of RP Certification adoption once we began the pilot phase – happening much more quickly than OpenID Provider certification did. I loved the feedback from developers, who told us that they understand the protocol better and have more secure implementations because of their certification participation. Let’s have more of that!
