(This article is a partial reprint of the article “OAuth 2.0 Step-up Authentication Challenge Protocol” on the Authlete website.) Overview OAuth 2.0 Step-up Authentication Challenge Protocol “introduces a mechanism for a resource server to signal to a client that the authentication event associated with the access token of the current request…

Overview Section 2.1. Using JWTs as Authorization Grants of RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants defines another flow for access token issuance which is different from OAuth 2.0 standard flows defined in RFC 6749. We call it JWT Authorization Grant flow. In…

Introduction RFC 8693 OAuth 2.0 Token Exchange is a technical specification that defines a way to get a new token by presenting an existing token and optionally one more existing token at the token endpoint. …

This short article shows command lines to generate a key pair in PEM format and a JWK representing a self-signed certificate for the key pair with the x5c claim. 1. Create a private key openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 > private_key.pem NOTE: Be sure that openssl is from OpenSSL, not LibreSSL. 2. Extract the public key from the private key openssl pkey -pubout…

Introduction OpenID Connect for Identity Assurance 1.0 (OIDC4IDA or IDA) is a technical specification that the eKYC-IDA Working Group of OpenID Foundation has developed. It uses OAuth 2.0 and OpenID Connect (OIDC) as its base and defines a JSON structure that conveys verified claims of a natural person. “Claim” here is…

Based on information in the “Authorizing OAuth Apps” page on GitHub Docs. The Japanese version is here. Spec Violations The response_type request parameter of authorization request is missing. The parameter is mandatory. See RFC 6749 (The OAuth 2.0 Authorization Framework) Section 4.1.1 (Authorization Request). The default format of token response seems application/x-www-form-urlencoded…

(If you are looking for information about “OpenID Connect Federation 1.0”, please read the article “OpenID Connect Federation 1.0” instead.) Flow of Identity Federation Step 1 A user accesses the login page of a web service with a web browser. Step 2 The web service generates the login page and returns it to the web browser. If the…

Introduction This article is about “Loopback Interface Redirection” which is written in the Section 7.3. Loopback Interface Redirection of RFC 8252 OAuth 2.0 for Native Apps. Specification The specification requires an authorization server to treat the port number component of redirection URIs as variable when the host component is a loopback IP…

Introduction Grant Management for OAuth 2.0 is a technical specification that enables to manage privileges granted to client applications in a finer-grained way than pre-existing standard specifications. A reason to pay attention to the specification is that it is positioned as a part of Financial-grade API 2.0, the successor of Financial-grade…