On the 14th and 15th of July, we had the OAuth Security Workshop 2016 at the University of Trier. Further, we had a IETF 96 side meeting on OAuth security at 18:20 in the beautiful Café am Neuen See to further discuss it. Below is the summery of what I got as the take away of these meetings. […]
It has taken soooo long [1], but JSON Web Signature (JWS), JSON Web Token (JWT) , together with other JW* suite finally are Standard Track RFC[2] now. They are [RFC7515] and [RFC7519] respectively. For those of you who are not familiar with JWS and JWT: JWS is a digital signature standard for JSON, a JSON version of XML Signature […]
So, ID Token in OpenID connect is audience restricted to the client while the OAuth bearer access token is audience restricted to the protected resource. It is a bearer. It can be used by anybody. It is a common model in the real world. Cash and many train tickets are such an examples. Other example […]
So it seems there is a little bit of confusion around what needs to be returned from which endpoint among the readers of OpenID Connect specification. It actually is pretty clear if you understand what OAuth 2.0 response_type parameter is, but since it is not spelled out clearly in the OAuth 2.0 spec, people seem […]
When you read the OpenID Connect Specifications, you might feel a little bit intimidated. That’s because they are written in “spec language” and they deal with corner cases, etc. Yet when you translate them into normal English and just concentrate on a “simple case”, it becomes quite simple. So, here we go! (OK, much of the text is the same […]
The call for nominations for the 2011 IDDY (IDentity Deployment of the Year) Awards is now open! Kantara Initiative is excited to continue this awards program for the fifth year. We encourage you to refer partners and organizations that could be good candidates for the award program.
Today, we had the 7th Identity Conference (aka IdCon #7) at Yahoo! Japan. It started at 7pm Japan Time. Detail of the conference is here. (Sorry – only Japanese) and hash tag was #idcon7. You can see the tweets here. (Again, sorry for being only in Japanese.) We had talks on OAuth 2.0(=ritou), OpenID/AB(=nat), Twitter […]
“OpenID TechNight vol.6”, a technical seminar hosted by OpenID Foundation Japan (OIDF-J) took place on May 28, 2010 at NRI. Here is the summary: Introduction – Tatsuya Katsuhara (NRI) Some introduction to Identity and Web Identity Technology, the history of OpenID and OAuth etc. http://www.slideshare.net/kthrtty/open-id-technightvol6kthrttyslidesharever OpenID Sessions OpenID and Extensions: Nobu Matake, Chair, OIDF-J Translation/Education […]
In February, I have posted an article about oauth_wrap mobile webapp profile. Now that it is unified to OAuth 2.0 drafts, here is another shot: I have further simplified the flow by talking to Breno and John. Here it is: (Fig. XX) How is that?! The major difference between