JWS, JWT, and others now RFC!

  2015/05/20    identity, OAuth

It has taken soooo long [1], but JSON Web Signature (JWS) and JSON Web Token (JWT), together with the rest of the JW* suite, are finally Standards Track RFCs [2] now. They are [RFC7515] and [RFC7519] respectively. For those of you who are not familiar with JWS and …

Review Comments for draft-ietf-oauth-proof-of-possession-02

  2015/03/26    OAuth

Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) draft 02 has been under WGLC until yesterday (March 24, 2015). During the OAuth WG meeting at IETF 92 on Monday, I was asked to do a review of the document (see the minutes). …

Public Review of UMA 0.9 is going on

  2014/06/25    identity, OAuth, privacy, security

June 24: The three main UMA Version 0.9 specifications – UMA Core, OAuth Resource Set Registration, and UMA Claim Profiles – are out for a 45-day public review period ending September 6 at 17:00 Pacific time. This review is in preparation for advancement of these specs as Kantara Initiative …

Covert Redirect is not new but.. A risk analysis and recommendations

So, there has been a flurry of worries induced by the CNET and other articles [1] about “Covert Redirect”. Like Leandro Boffi wrote in his blog post [2], this is not a new attack. It is an attack that has been …

OpenID Connect is here! – An Identity Layer on the internet

Celebrate! OpenID Connect 1.0 Final is here! After four and a half years, or six years if we include the time needed to start the working group, OpenID Connect is finally released as final. Like I have been explaining many times …

Write an OpenID Connect server in three simple steps

An OpenID Connect server is just an OAuth 2.0 server on steroids. What it does is return the ID Token, which contains information about the authentication event for the user at the door, in addition to the Access Token. …

Identity, Authentication + OAuth = OpenID Connect

  2013/07/05    identity, OAuth, OpenID Connect, privacy

Explicit Consent – Turning Internet Dog into Pavlov’s Dog

People like me who are working in the internet identity space are trying to solve the so-called “Internet Dog Problem.” You surely must have seen this picture: On the internet, nobody knows you’re a dog. This is a …

Alice to Bob resource sharing

  2013/03/01    identity, OAuth, OpenID Connect

So I was in the UMA call today and that reminded me of this use case. How does Alice share her protected resources (like a medical test result) with Bob? I may have blogged about it in the past, but here is another try. …

Re: Limitations of the OAuth 2.0 definition of “Client”

  2012/12/30    OAuth

Thomas Hardjono has a very good blog entry, <<Limitations of the OAuth 2.0 definition of “Client”>>. The essence of the entry is that the definition of “client” in OAuth 2.0 (RFC6749) is too limiting and does not fit with many current …