OAuth 2.0 Bearer Token Specification Draft -16
Draft 16 of the OAuth 2.0 Bearer Token Specification has been published. This version contains a proposed resolution to the auth-param syntax issue that has been reviewed by Julian Reschke, Mark Nottingham, and the OAuth WG chairs. It also addresses the Gen-ART review comments by Alexey Melnikov. It contains the following changes: Use the HTTPbis...
OpenID Connect in a Nutshell
Nat Sakimura has written a valuable post describing OpenID Connect in a nutshell. It shows by example how simple it is for relying parties to use basic OpenID Connect functionality. If you’re involved in OpenID Connect in any way, or are considering ...
Initial IETF JOSE Specs: JWS, JWE, JWK, JWA
The initial versions of the IETF JSON Object Signing and Encryption (JOSE) specifications are now available. They are: JSON Web Signature (JWS) – Digital signature/HMAC specification JSON Web Encryption (JWE) – Encryption specification JSON Web Key (JWK) – Public key specification JSON Web Algorithms (JWA) – Algorithms and identifiers specification They are refactored from the...
OpenID Connect Implementer’s Draft Review
OpenID Connect is a simple identity layer built on top of OAuth 2.0. It enables clients to verify the identity of and to obtain basic profile information about an end-user. It uses RESTful protocols and JSON data structures to provide a low barrier to entry. The design philosophy behind OpenID Connect is “make simple things...
OAuth 2.0 Bearer Token Specification Draft -15
Draft 15 of the OAuth 2.0 Bearer Token Specification has been published. It contains the following changes: Clarified that form-encoded content must consist entirely of ASCII characters. Added TLS version requirements. Applied editorial improvements suggested by Mark Nottingham during the APPS area review. The draft is available at: http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15 An HTML-formatted version is available at:...
SWD, JWT, JWS, JWE, JWK, and OAuth JWT Profile specs updated
New versions of the SWD, JWT, JWS, JWE, JWK, and OAuth JWT Profile specs have been posted. They address a number of comments received on the JOSE list and at the JOSE WG meeting in Taipei and make a number of clarifications, corrections, and editorial improvements. The only breaking change made was to use short...
OAuth 2.0 JWT Bearer Token Profiles Specification Draft -02
Draft 02 of the OAuth 2.0 JWT Bearer Token Profiles Specification has been published. It contains the following changes: Removed remaining vestiges of normative text talking about SAML that remained from the SAML Profile draft. Replaced all references where the reference is used as if it were part of the sentence (such as “defined by...
OAuth 2.0 Bearer Token Specification Draft -14
Draft 14 of the OAuth 2.0 Bearer Token Specification has been published. It contains the following changes: Changes made in response to review comments by Security Area Director Stephen Farrell. Specifically: Strengthened warnings about passing an access token as a query parameter and more precisely described the limitations placed upon the use of this method....
Updated OAuth JWT Bearer Token Profile and OAuth Assertion Profile specs
I updated the OAuth JWT Bearer Token Profile spec to track the changes made in the OAuth SAML Bearer Token Profile spec. Changes were: draft-jones-oauth-jwt-bearer-01: Merged in changes from draft-ietf-oauth-saml2-bearer-09. In particular, this draft now uses draft-ietf-oauth-assertions, rather than being standalone. It also now defines how to use JWT bearer tokens both for Authorization Grants...
Updated versions of JWT, JWS, JWE, and JWK specs
I’ve posted updated versions of the JSON Web Token (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. No changes should be required to any existing deployments as a result of these updates. The primary thrust of these changes was updating the JWT spec to describe how to create...