Mike Jones: self-issued

Musings on Digital Identity

Month: February 2025

The Cambrian Explosion of OAuth and OpenID Specifications

By

On February 28, 2025

In Events, IETF, OAuth, OpenID, Specifications

OAuth Security WorkshopVladimir Dzhuvinov and I led a discussion on The Cambrian Explosion of OAuth and OpenID Specifications at the 2025 OAuth Security Workshop in Reykjavík.

The abstract for the session was:

The number of OAuth and OpenID specifications continues to grow. At present there are 30 OAuth RFCs, two more in the RFC Editor queue, 13 OAuth working group drafts, and another eight individual OAuth drafts that may advance. There are nine JOSE RFCs and seven working group drafts. There are four SecEvent RFCs. On the OpenID side, there are 12 final OpenID Connect specs, three final FAPI specs, one final MODRNA spec, three final eKYC-IDA specs, and 24 Implementer’s drafts across the OpenID working groups, plus another ten working group drafts.

The number of possible combinations boggles the mind. And there’s no end in sight!

What’s a developer to do? How have people and companies gone about selecting and curating the specs to implement in an attempt to create coherent and useful open source and commercial offerings? And faced with such an array of combinations and choices, how are application developers to make sense of it all? How can interoperability be achieved in the face of continued innovation?

This session will prime the pump by discussing choices made by some existing open source and commercial offerings in the OAuth and OpenID space and lead to an open discussion of choices made by the workshop attendees and the reasoning behind them. It’s our goal that useful strategies emerge from the discussion that help people grapple with the ever-expanding sets of specifications and make informed implementation choices, while still fostering the innovation and problem-solving that these specifications represent.

The slides used to queue up the discussion session are available as PowerPoint and PDF. Also, see the list of 101 OAuth and OpenID-related specifications referenced during the discussion.

The topic seems to have touched a chord. Many people were clearly already thinking about the situation and shared their views. Some of them were:

  • Nobody actually expects everyone to implement everything.
  • Stopping things is super hard. But sometimes it’s necessary (as Brian Campbell put it, “when they’re wrong”).
  • Timing can be fickle. What may not be useful at one time can turn out to be useful later.
  • Some specs are highly related and often used together. But those relationships are not always apparent to those new to the space.
  • We need better on-ramps to help people new to the space wrap their arms around the plethora specs and what they’re useful for.
  • Well-written profiles are a way of managing the complexity. For instance, FAPI 2 limits choices, increasing both interoperability and security.
  • The amount of innovation happening is a sign of success!

Thanks to the organizers for a great tenth OAuth Security Workshop! And special thanks to the colleagues from Signicat who did a superb job with local arrangements in Reykjavík!

Proposed Candidate Recommendation for Controlled Identifiers

By

On February 4, 2025

In Cryptography, JSON, Specifications, W3C

W3C logoThe W3C Verifiable Credentials Working Group has published a Snapshot Candidate Recommendation of the Controlled Identifiers specification. This follows the five Candidate Recommendation Snapshots published by the working group in December 2024. Two of these specifications, including Securing Verifiable Credentials using JOSE and COSE, depend upon the Controlled Identifiers spec. The planned update to the W3C DID specification also plans to take a dependency upon it.

A W3C Candidate Recommendation Snapshot is intended to become a W3C Candidate Recommendation after required review and approval steps.

Thanks to my co-editor Manu Sporny and working group chair Brent Zundel for their work enabling us to reach this point.

Twenty Years of Digital Identity!

By

On February 2, 2025

In Events, IETF, JSON, OAuth, OpenID, People

Kim Cameron first told me what Digital Identity is on February 1, 2005. He said that the Internet was created without an identity layer. He encouraged me “You should come help build it with me.” I’ve been at it ever since!

What I wrote about digital identity a decade ago remains as true today:

An interesting thing about digital identity is that, by definition, it’s not a problem that any one company can solve, no matter how great their technology is. For digital identity to be “solved”, the solution has to be broadly adopted, or else people will continue having different experiences at different sites and applications. Solving digital identity requires ubiquitously adopted identity standards. Part of the fun and the challenge is making that happen.

I’m not going to even try to list all the meaningful identity and security initiatives that I’ve had the privilege to work on with many of you. But I can’t resist saying that, in my view, OpenID Connect, JSON Web Token (JWT), and OAuth 2.0 are the ones that we knocked out of the park. I tried to distill the lessons learned from many of the initiatives, both successes and failures, during my 2023 EIC keynote Touchstones Along My Identity Journey. And there’s a fairly complete list of the consequential things I’ve gotten to work on in my Standards CV.

I’ll also call attention to 2025 marking twenty years of the Internet Identity Workshop. I attended the first one, which was held in Berkeley, California in October 2005, and all but one since. What a cast of characters I met there, many of whom I continue working with to this day!

As a personal testament to the value of IIW, it’s where many of the foundational decisions about what became JWS, JWE, JWK, JWT, and OpenID Connect were made. Particularly, see my post documenting decisions made at IIW about JWS, including the header.payload.signature representation of the JWS Compact Serialization and the decision to secure the Header Parameters. And see the posts following it on JWE decisions, naming decisions, and JWK decisions. IIW continues playing the role of enabling foundational discussions for emerging identity technologies today!

It’s been a privilege working with all of you for these two decades, and I love what we’ve accomplished together! There’s plenty of consequential work under way and I’m really looking forward to what comes next.

Mike Jones Kim with Coffee

Images are courtesy of Doc Searls. Each photo links to the original.

Powered by WordPress & Theme by Anders Norén