Musings on Digital Identity

OAuth 2.0 RFCs Completed

OAuth logoThe OAuth 2.0 Core and Bearer specifications are now RFC 6749 and RFC 6750. This completes the journey to standardize a pair of simple identity specifications that are already in very widespread use for Web, enterprise, cloud, and mobile applications. They make things better by enabling access to resources to be granted without giving the password for the resource to the party being granted access (a pattern that used to be all too common).

I believe that the completion of these RFCs will only accelerate the momentum behind the adoption of simple REST/JSON based identity solutions. Some of the related standards that are already well under way and in use include the OAuth Assertion Framework, the OAuth SAML 2.0 Assertion Profile and OAuth JWT Assertion Profile, JSON Web Token (JWT), the JSON Object Signing and Encryption (JOSE) specs — JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), and JSON Web Algorithms (JWA), and OpenID Connect. Watch this space for future developments. Like OAuth 2.0, all of these are the product of collaboration by numerous people around the world and in many industries to build and deploy simple, usable identity solutions that solve real-world problems.

The goal of all these specs is to standardize functionality that is not only useful, but is simple enough that it will actually be used. OAuth 2.0 is an early success story in this regard. While the number of words in the spec has increased since early drafts, most of that is due to doing a more complete job of describing things not to do (adding security considerations), rather than adding bells and whistles. It doesn’t get much simpler than a couple of HTTP GETs and replies with simple request parameters and responses.

Dick Hardt deserves special thanks for his role both in starting what became OAuth 2.0 and seeing it through to completion. I recommend his post on the process that brought us the OAuth 2.0 RFCs.


Updated OAuth Assertion Specifications


JOSE and JWT specs incorporating working group decisions since IETF 84

Leave a Reply

Powered by WordPress & Theme by Anders Norén