Based on information in the “Authorizing OAuth Apps” page on GitHub Docs. The Japanese version is here. Spec Violations The response_type request parameter of authorization request is missing. The parameter is mandatory. See RFC 6749 (The OAuth 2.0 Authorization Framework) Section 4.1.1 (Authorization Request). The default format of token response seems application/x-www-form-urlencoded…

Flow of Identity Federation Step 1 A user accesses the login page of a web service with a web browser. Step 2 The web service generates the login page and returns it to the web browser. If the web service supports identity federation with external identity providers (IdP), the login page will include links that initiate identity federation.

Introduction This article is about “Loopback Interface Redirection” which is written in the Section 7.3. Loopback Interface Redirection of RFC 8252 OAuth 2.0 for Native Apps. Specification The specification requires an authorization server to treat the port number component of redirection URIs as variable when the host component is a loopback IP…

Introduction Grant Management for OAuth 2.0 is a technical specification that enables to manage privileges granted to client applications in a finer-grained way than pre-existing standard specifications. A reason to pay attention to the specification is that it is positioned as a part of Financial-grade API 2.0, the successor of Financial-grade…

Self-contained access tokens, typically JWT access tokens, contain associated data in themselves. If the following conditions meet, as a logical consequence, personal information leaks directly from such access tokens. Personal information is contained Nonencrypted Stateless Stolen by unintended parties “Stateless” here means that an access token does not have any…

Introduction RFC 8707 Resource Indicators for OAuth 2.0 (published in February, 2021) introduced the resource parameter in order to tie “resources” to an access token as audience. Grant Management for OAuth 2.0 (whose first implementer’s draft was published in July, 2021) assumes that “scopes” and “resources” are managed combinedly. These specifications…

Both JWS (JSON Web Signature) and JWE (JSON Web Encryption) have two methods of serialization; “JSON” and “Compact”. JWT (JSON Web Token) is either JWS or JWE. In either case, its serialization is “Compact” because the specification defines so. By definition, ID Token is signed. Therefore, its format is either…

This article explains technical details of Open Banking Brasil (OBB), especially differences between OBB extensions and global standard specifications. July 24, 2021: I greatly appreciate Carol Morais and Skalena translating this article into Portuguese and publishing it at “Notas de um implementador sobre Open Banking Brasil”. OBB Financial-grade API Security Profile Specification Stack OBB published “Open Banking…

Introduction This article is an implementer’s note about a technical specification called “JAR”, RFC 9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR). There exist some conflicts between OpenID Connect Core 1.0 (OIDC Core) and JAR. The OAuth community had a long dispute about the breaking changes because they affect…