Month: July 2024

Fourth and Likely Last Implementer’s Draft of OpenID Federation Specification

On July 25, 2024

In Claims, Federation, OAuth, OpenID, Specifications

The OpenID Foundation has approved the Fourth Implementer’s Draft of the OpenID Federation Specification. This is a major step towards having the specification become final.

The previous Implementer’s Draft was in 2021. A lot has happened since then, largely motivated by feedback from actual implementations and deployments. Some highlights of progress made in the spec since then are:

Changed name from OpenID Connect Federation to OpenID Federation, since Federation can be used for trust establishment for any protocol (including OpenID Connect).
Introduced distinct Federation endpoints.
Clearly defined and consistently used the terms Entity Statement, Entity Configuration, and Subordinate Statement.
Clearly defined which claims can occur in which kinds of Entity Statements.
Clearly defined Entity Types and the Federation Entity entity type.
Enhanced description of Trust Mark issuance and usage.
Defined relationship between metadata and metadata policy.
Clearly defined interactions between policy operators.
Defined where constraints may occur.
Tightened descriptions of Automatic Registration and Explicit Registration.
Added Historical Keys.
Defined and used trust_chain JWS Header Parameter.
Allowed Trust Chains to start with non-Trust Anchors.
Clarified use of client authentication.
Used OAuth Protected Resource Metadata.
Consistent error handling.
Added General-Purpose JWT Claims section.
Comprehensive use of content types and media types.
IANA registration of parameters, claims, and media types.
Added and improved many diagrams.
Substantial rewrites for increased consistency and clarity.
Added Giuseppe De Marco and Vladimir Dzhuvinov as editors.

As a preview of coming attractions, I’ll note that profiles of OpenID Federation are being written describing how it being used in wallet ecosystems and how it is being used in open finance ecosystems. And we’re creating a list of implementations. Watch this space for future announcements.

Special thanks to all the implementers and deployers who provided feedback to get us to this point!

Fully-Specified Algorithms Specification Addressing Working Group Last Call Comments

By Mike Jones

On July 11, 2024

In CBOR, Cryptography, IETF, JSON, Specifications

Orie Steele and I have updated the “Fully-Specified Algorithms for JOSE and COSE” specification to incorporate working group last call (WGLC) feedback. Thanks to all who took the time to comment on the draft. Your feedback was exceptionally actionable and helped to substantially improve the specification. Responses to each WGLC comment thread were sent on the IETF JOSE working group mailing list.

The updated draft attempts to discuss the full range of the problems created by polymorphic algorithm identifiers. Guided by working group feedback, it strikes an engineering balance between which of these problems to fix immediately in the specification and which to describe how future specifications can fix later as the need arises.

I look forward to discussing next steps for the specification at IETF 120 in Vancouver.

The specification is available at:

https://www.ietf.org/archive/id/draft-ietf-jose-fully-specified-algorithms-03.html

OAuth 2.0 Protected Resource Metadata draft addressing shepherd comments

By Mike Jones

On July 10, 2024

In IETF, OAuth, Specifications

OAuth logo The “OAuth 2.0 Protected Resource Metadata” specification has been updated to address feedback from our document shepherd Rifaat Shekh-Yusef in advance of IETF 120 in Vancouver. All changes were strictly editorial.

The specification is available at:

https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-06.html