RFC 8707 Resource Indicators for OAuth 2.0 (published in February, 2020) introduced the
resource parameter in order to tie “resources” to an access token as its audience.
Grant Management for OAuth 2.0 (whose first Implementer’s Draft was published in July, 2021) assumes that “scopes” and “resources” are managed together.
This article explains the technical details of Open Banking Brasil (OBB), especially the differences between OBB’s extensions and the global standard specifications.
July 24, 2021: I greatly appreciate Carol Morais and Skalena translating this article into Portuguese and publishing it at “Notas de um implementador sobre Open Banking Brasil”.
OBB published “Open Banking…
This article is an implementer’s note about a technical specification called “JAR”, RFC 9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR).
There are some conflicts between OpenID Connect Core 1.0 (OIDC Core) and JAR. The OAuth community had a long dispute about the breaking changes because they affect…
This article explains X.509 certificates.
To read this article, knowledge of digital signatures is needed. That is, this article assumes that you understand “By verifying a signature with the public key paired with the private key used to generate the signature, you can confirm that the target data has…
What happens if ID tokens issued by external OpenID providers (IdPs) are used for API protection? The following diagram is my understanding.
The aud claim holds the ID of the client (i.e., the
aud claim cannot be used to restrict accessible resources as RFC 8707 proposes), possible options for API protection are just “all allowed” or “all denied”.
If I’m missing something, please correct me.
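The two audience points above (the RFC 8707 resource parameter becoming the access token’s audience, and an ID token’s aud naming the client rather than any resource) as an added Go example; this is not code from the articles. It models both sides: an authorization server that validates resource values and emits them as aud, and a resource server that accepts a token only if its own identifier is in aud. The URLs, the client ID “client-123” and the sample ID token are constructed, and failing closed when no resource is requested is a policy chosen for this example (RFC 8707 leaves the default audience to the authorization server).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Claims is the part of a token relevant to audience restriction. For an access
// token issued with RFC 8707 resource parameters, Aud holds resource identifiers;
// for an ID token it holds the client ID.
type Claims struct {
	Iss string
	Sub string
	Aud []string
}

// ErrInvalidTarget is the "invalid_target" error code that RFC 8707 defines for
// resource parameter values the authorization server does not accept.
var ErrInvalidTarget = errors.New("invalid_target")

// IssueAccessToken models the authorization server: each "resource" value must be
// an absolute URI without a fragment (RFC 8707 section 2) and must name a protected
// resource this server knows; the accepted values become the token's audience.
// Assumption of this example: a request naming no resource is rejected (fail closed).
func IssueAccessToken(sub string, resources []string, known map[string]bool) (Claims, error) {
	if len(resources) == 0 {
		return Claims{}, fmt.Errorf("%w: no resource requested", ErrInvalidTarget)
	}
	aud := make([]string, 0, len(resources))
	for _, r := range resources {
		u, err := url.Parse(r)
		if err != nil || !u.IsAbs() || u.Fragment != "" || !known[r] {
			return Claims{}, fmt.Errorf("%w: %q", ErrInvalidTarget, r)
		}
		aud = append(aud, r)
	}
	return Claims{Iss: "https://as.example", Sub: sub, Aud: aud}, nil // constructed issuer
}

// Authorize models a resource server that accepts a token only if its own identifier
// is in aud. An ID token's aud is the client ID, so it never matches here: an API
// protected with ID tokens can only decide "all allowed" or "all denied".
func Authorize(c Claims, self string) bool {
	for _, a := range c.Aud {
		if a == self {
			return true
		}
	}
	return false
}

func main() {
	known := map[string]bool{"https://api.example/accounts": true, "https://api.example/payments": true}
	tok, err := IssueAccessToken("alice", []string{"https://api.example/accounts"}, known)
	fmt.Println(tok, err)
	fmt.Println("accounts:", Authorize(tok, "https://api.example/accounts"), "payments:", Authorize(tok, "https://api.example/payments"))
	idToken := Claims{Iss: "https://idp.example", Sub: "alice", Aud: []string{"client-123"}} // constructed sample ID token
	fmt.Println("ID token at accounts API:", Authorize(idToken, "https://api.example/accounts"))
	_, err = IssueAccessToken("alice", []string{"https://evil.example/"}, known)
	fmt.Println(err)
}
```

The resource server check is deliberately an exact string match against its own identifier; matching by prefix or host would let a token minted for one resource be replayed at a sibling resource on the same host, which is exactly what the audience restriction is meant to prevent.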
This article explains a specification called “DPoP”, OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer.
The specification defines a mechanism that prevents an API call made with nothing but a stolen access token from succeeding.
In the traditional mechanism, API access is allowed only if the access token presented by the…
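The proof-of-possession mechanism described above, as an added Go example that is not code from the article or from any DPoP implementation. It shows both sides of the exchange: the client builds a per-request DPoP proof JWT (ES256, bound to the HTTP method and URI and, via ath, to the access token), and the resource server verifies that the proof was signed by the key the token is bound to (the cnf.jkt thumbprint the authorization server would have placed in the token), covers exactly this request and token, is fresh, and has not been replayed. The URIs and token string are constructed; the authorization server’s token issuance is represented only by the thumbprint value it would embed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// tokenHash is the proof's "ath" value: base64url(SHA-256(access_token)).
func tokenHash(t string) string { h := sha256.Sum256([]byte(t)); return b64.EncodeToString(h[:]) }

// ECJWK is the public key as carried in the proof's "jwk" header.
type ECJWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// PublicJWK exports a P-256 public key as a JWK.
func PublicJWK(pub *ecdsa.PublicKey) ECJWK {
	return ECJWK{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(pad32(pub.X)), Y: b64.EncodeToString(pad32(pub.Y))}
}

// Thumbprint is the RFC 7638 JWK thumbprint (required members in lexicographic order, no
// whitespace). The authorization server puts it in the access token as cnf.jkt; that binds the token to the key.
func (k ECJWK) Thumbprint() string {
	h := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"%s","kty":"%s","x":"%s","y":"%s"}`, k.Crv, k.Kty, k.X, k.Y)))
	return b64.EncodeToString(h[:])
}

// MakeProof is the client side: one ES256-signed proof JWT per request, bound to the
// HTTP method and URI (htm, htu) and, through ath, to the access token being presented.
func MakeProof(priv *ecdsa.PrivateKey, method, uri, accessToken string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand fills the slice entirely and, per its docs, never returns an error
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": PublicJWK(&priv.PublicKey)})
	pl, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": method, "htu": uri,
		"iat": now.Unix(), "ath": tokenHash(accessToken)})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:]) // JWS ES256 signature is r||s, 32 bytes each
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(append(pad32(r), pad32(s)...)), nil
}

// VerifyProof is the resource-server side. The request is accepted only if the proof was signed by the
// key the token is bound to (jkt), covers exactly this method, URI and token, is fresh, and carries an
// unused jti (seen is the replay cache). An attacker holding only the stolen access token fails here.
func VerifyProof(proof, jkt, method, uri, accessToken string, now time.Time, window time.Duration, seen map[string]bool) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	hb, e1 := b64.DecodeString(parts[0])
	pb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Typ, Alg string; JWK ECJWK } // encoding/json matches "typ"/"alg"/"jwk" case-insensitively
	var cl struct{ Jti, Htm, Htu, Ath string; Iat int64 }
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &cl) != nil {
		return errors.New("malformed proof")
	}
	// Pinning typ/alg defeats algorithm confusion; the thumbprint check ties the signing key to the token.
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Thumbprint() != jkt {
		return errors.New("proof header or key does not match the token binding")
	}
	xb, ex := b64.DecodeString(hdr.JWK.X)
	yb, ey := b64.DecodeString(hdr.JWK.Y)
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if ex != nil || ey != nil || !ecdsa.Verify(&pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("invalid signature")
	}
	if cl.Htm != method || cl.Htu != uri || cl.Ath != tokenHash(accessToken) {
		return errors.New("proof does not cover this request and token")
	}
	if d := now.Sub(time.Unix(cl.Iat, 0)); d < -window || d > window || seen[cl.Jti] {
		return errors.New("proof is stale or replayed")
	}
	seen[cl.Jti] = true
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jkt, seen, uri := PublicJWK(&priv.PublicKey).Thumbprint(), map[string]bool{}, "https://api.example/accounts"
	proof, _ := MakeProof(priv, "GET", uri, "access-token", time.Now()) // constructed token value
	fmt.Println("first use:", VerifyProof(proof, jkt, "GET", uri, "access-token", time.Now(), time.Minute, seen))
	fmt.Println("replay:", VerifyProof(proof, jkt, "GET", uri, "access-token", time.Now(), time.Minute, seen))
}
```

The verifier trusts the key in the proof header only because its thumbprint equals the jkt the authorization server bound into the token; without that comparison anyone could present a stolen token with a proof signed by their own key. The jti cache only has to remember values for the freshness window, which is why the two checks are made together.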
This article explains RFC 8628 (OAuth 2.0 Device Authorization Grant), a.k.a. “Device Flow”.
Device Flow is another way to issue an access token, in addition to the flows defined in RFC 6749 (The OAuth 2.0 Authorization Framework).
The reason for developing the new flow is described at the top of…
[Additional note on Sep. 16, 2021]: PAR was promoted to RFC 9126.
1️⃣ There is a client application and an authorization server.
2️⃣ The client application has a…
The Act on Prevention of Transfer of Criminal Proceeds was revised in Japan on November 30, 2018. The revision added methods for verifying the identity of natural persons entirely online, and it is now regarded as the legal basis for eKYC (electronic Know Your Customer).