Mike Jones: self-issued

The syntax of two JWT claims registered by the OAuth Token Exchange specification has been changed as a result of developer feedback. Developers pointed out that the OAuth Token Introspection specification [RFC 7662] uses a “scope” string to represent scope values, whereas Token Exchange was defining an array-valued “scp” claim to represent scope values. The former also uses a “client_id” element to represent OAuth Client ID values, whereas the latter was using a “cid” claim for the same purpose.

After consulting with the working group, the OAuth Token Exchange claim names have been changed to “scope” and “client_id”. Thanks to Torsten Lodderstedt for pointing out the inconsistencies and to Brian Campbell for seeking consensus and making the updates.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-13

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-oauth-token-exchange-13.html

No Comments » Posted under Claims & IETF & JSON & OAuth & Specifications

The OAuth 2.0 Device Flow for Browserless and Input Constrained Devices specification has been updated to address feedback by Security Area Director Eric Rescorla about the potential of a confused deputy attack. Thanks to John Bradley for helping work out the response to Eric and to William Denniss for reviewing and publishing the changes to the draft.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-oauth-device-flow-09

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-oauth-device-flow-09.html

No Comments » Posted under IETF & OAuth & Specifications

The Security Event Token (SET) specification has been updated to address Area Director review comments from Benjamin Kaduk. Thanks for the thorough and useful review, as always, Ben.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-secevent-token-09

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-secevent-token-09.html

No Comments » Posted under Claims & IETF & JSON & Specifications

A new draft of the Security Event Token (SET) specification has published that addresses comments from Russ Housley, who reviewed the spec for the IETF Security Directorate (SecDir). Changes were:

• Incorporated wording improvements resulting from Russ Housley’s SecDir comments.
• Acknowledged individuals who made significant contributions.

The specification is available at:

• https://tools.ietf.org/html/draft-ietf-secevent-token-08

An HTML-formatted version is also available at:

• http://self-issued.info/docs/draft-ietf-secevent-token-08.html

No Comments » Posted under Claims & IETF & JSON & Specifications

I gave the following presentations at the Monday, April 2, 2018 OpenID Workshop at Oracle:

• OpenID Connect Working Group status update (PowerPoint) (PDF)
• OpenID Certification status update (PowerPoint) (PDF)

I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 3, 2018:

• Introduction to OpenID Connect (PowerPoint) (PDF)

No Comments » Posted under Events & OpenID