Introduction RFC 8693 OAuth 2.0 Token Exchange is a technical specification that defines a way to get a new token by presenting an existing token and optionally one more existing token at the token endpoint. …

This short article shows command lines to generate a key pair in PEM format and a JWK representing a self-signed certificate for the key pair with the x5c claim. 1. Create a private key openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 > private_key.pem NOTE: Be sure that openssl is from OpenSSL, not LibreSSL. 2. Extract the public key from the private key openssl pkey -pubout…

Introduction OpenID Connect for Identity Assurance 1.0 (OIDC4IDA or IDA) is a technical specification that the eKYC-IDA Working Group of OpenID Foundation has developed. It uses OAuth 2.0 and OpenID Connect (OIDC) as its base and defines a JSON structure that conveys verified claims of a natural person. “Claim” here is…

Based on information in the “Authorizing OAuth Apps” page on GitHub Docs. The Japanese version is here. Spec Violations The response_type request parameter of authorization request is missing. The parameter is mandatory. See RFC 6749 (The OAuth 2.0 Authorization Framework) Section 4.1.1 (Authorization Request). The default format of token response seems application/x-www-form-urlencoded…

Flow of Identity Federation Step 1 A user accesses the login page of a web service with a web browser. Step 2 The web service generates the login page and returns it to the web browser. If the web service supports identity federation with external identity providers (IdP), the login page will include links that initiate identity federation.

Introduction This article is about “Loopback Interface Redirection” which is written in the Section 7.3. Loopback Interface Redirection of RFC 8252 OAuth 2.0 for Native Apps. Specification The specification requires an authorization server to treat the port number component of redirection URIs as variable when the host component is a loopback IP…

Introduction Grant Management for OAuth 2.0 is a technical specification that enables to manage privileges granted to client applications in a finer-grained way than pre-existing standard specifications. A reason to pay attention to the specification is that it is positioned as a part of Financial-grade API 2.0, the successor of Financial-grade…

Self-contained access tokens, typically JWT access tokens, contain associated data in themselves. If the following conditions meet, as a logical consequence, personal information leaks directly from such access tokens. Personal information is contained Nonencrypted Stateless Stolen by unintended parties “Stateless” here means that an access token does not have any…

Introduction RFC 8707 Resource Indicators for OAuth 2.0 (published in February, 2021) introduced the resource parameter in order to tie “resources” to an access token as audience. Grant Management for OAuth 2.0 (whose first implementer’s draft was published in July, 2021) assumes that “scopes” and “resources” are managed combinedly. These specifications…