April 2018 – Mike Jones: self-issued

Late-breaking changes to OAuth Token Exchange syntax

On April 24, 2018

In Claims, IETF, JSON, OAuth, Specifications

OAuth logo The syntax of two JWT claims registered by the OAuth Token Exchange specification has been changed as a result of developer feedback. Developers pointed out that the OAuth Token Introspection specification [RFC 7662] uses a “scope” string to represent scope values, whereas Token Exchange was defining an array-valued “scp” claim to represent scope values. The former also uses a “client_id” element to represent OAuth Client ID values, whereas the latter was using a “cid” claim for the same purpose.

After consulting with the working group, the OAuth Token Exchange claim names have been changed to “scope” and “client_id“. Thanks to Torsten Lodderstedt for pointing out the inconsistencies and to Brian Campbell for seeking consensus and making the updates.

The specification is available at:

https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-13

An HTML-formatted version is also available at:

https://self-issued.info/docs/draft-ietf-oauth-token-exchange-13.html

OAuth Device Flow spec addressing Area Director comments

By Mike Jones

On April 23, 2018

In IETF, OAuth, Specifications

OAuth logo The OAuth 2.0 Device Flow for Browserless and Input Constrained Devices specification has been updated to address feedback by Security Area Director Eric Rescorla about the potential of a confused deputy attack. Thanks to John Bradley for helping work out the response to Eric and to William Denniss for reviewing and publishing the changes to the draft.

The specification is available at:

https://tools.ietf.org/html/draft-ietf-oauth-device-flow-09

An HTML-formatted version is also available at:

https://self-issued.info/docs/draft-ietf-oauth-device-flow-09.html

Security Event Token (SET) spec addressing Area Director review comments

By Mike Jones

On April 17, 2018

In Claims, IETF, JSON, Specifications

The Security Event Token (SET) specification has been updated to address Area Director review comments from Benjamin Kaduk. Thanks for the thorough and useful review, as always, Ben.

The specification is available at:

https://tools.ietf.org/html/draft-ietf-secevent-token-09

An HTML-formatted version is also available at:

https://self-issued.info/docs/draft-ietf-secevent-token-09.html

Security Event Token (SET) spec addressing SecDir review comments

By Mike Jones

On April 4, 2018

In Claims, IETF, JSON, Specifications

A new draft of the Security Event Token (SET) specification has published that addresses comments from Russ Housley, who reviewed the spec for the IETF Security Directorate (SecDir). Changes were: