Month: June 2018

Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing WGLC comments

On June 29, 2018

In CBOR, Claims, Cryptography, IETF, Specifications

A new draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published that addresses the Working Group Last Call (WGLC) comments received. Changes were:

Addressed review comments by Jim Schaad — see https://www.ietf.org/mail-archive/web/ace/current/msg02798.html.
Removed unnecessary sentence in the introduction regarding the use any strings that could be case-sensitive.
Clarified the terms Presenter and Recipient.
Clarified text about the confirmation claim.

Thanks to Samuel Erdtman and Hannes Tschofenig for contributing to the editing for this version and to Jim Schaad and Roman Danyliw for their review comments.

The specification is available at:

https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-03

An HTML-formatted version is also available at:

https://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-03.html

OAuth 2.0 Authorization Server Metadata is now RFC 8414

By Mike Jones

On June 28, 2018

In Claims, IETF, JSON, OAuth, OpenID, Specifications

OAuth logo The OAuth 2.0 Authorization Server Metadata specification is now RFC 8414. The abstract describes the specification as:

This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.

The specification defines a JSON metadata representation for OAuth 2.0 authorization servers that is compatible with OpenID Connect Discovery 1.0. This specification is a true instance of standardizing existing practice. OAuth 2.0 deployments have been using the OpenID Connect metadata format to describe their endpoints and capabilities for years. This RFC makes this existing practice a standard.

Having a standard OAuth metadata format makes it easier for OAuth clients to configure connections to OAuth authorization servers. See https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata for the initial set of registered metadata values.

Thanks to all of you who helped make this standard a reality!

OpenID Connect News, Overview, Certification, and Action Items at June 2018 Identiverse Conference

By Mike Jones

On June 24, 2018

In Events, OpenID, Specifications

I gave the following presentation during the June 2018 Identiverse Conference:

OpenID Connect: News, Overview, Certification, and Action Items (PowerPoint) (PDF)

News included:

contribution of the Python JWTConnect OpenID RP library to the OpenID Connect working group and
launch of the Form Post Response Mode certification profiles for OPs and RPs.

Action items included:

give the Python JWTConnect OpenID RP library a try,
test the Form Post Response Mode conformance tests and certify your implementations,
review the OpenID Connect logout specifications now before we vote them to Final status,
review the OpenID Connect Federation specification during the current Implementer’s Draft review period,
participate in the RISC Implementer’s Drafts members vote before Friday, and
join the OpenID Foundation to be able to participate in the vote.

OAuth Device Flow spec addressing initial IETF last call feedback

By Mike Jones

On June 1, 2018

In IETF, OAuth, Specifications

OAuth logo The OAuth Device Flow specification (full name “OAuth 2.0 Device Flow for Browserless and Input Constrained Devices”) has been updated to address comments received to date from the IETF last call. Thanks to William Denniss for taking the pen for this set of revisions. Changes were:

Added a missing definition of access_denied for use on the token endpoint.
Corrected text documenting which error code should be returned for expired tokens (it’s “expired_token”, not “invalid_grant”).
Corrected section reference to RFC 8252 (the section numbers had changed after the initial reference was made).
Fixed line length of one diagram (was causing xml2rfc warnings).
Added line breaks so the URN grant_type is presented on an unbroken line.
Typos fixed and other stylistic improvements.

The specification is available at:

https://tools.ietf.org/html/draft-ietf-oauth-device-flow-10

An HTML-formatted version is also available at:

https://self-issued.info/docs/draft-ietf-oauth-device-flow-10.html