Disclaimer This is a copy (with some editorial adjustments) of the interim report about GAIN PoC I submitted to the GAIN PoC Community Group on March 26, 2023. Please note that while the report was well received by the group, it is not an officially endorsed document. Preface GAIN (Global Assured Identity…

(This article is a partial reprint of the article “OpenID Connect Federation 1.0” on the Authlete website.) Overview OpenID Connect Federation 1.0 defines a mechanism where an identity provider / authorization server and a relying party (client) that have no direct relationship trust each other based on trust chains and the…

(This article is a partial reprint of the article “OAuth 2.0 Step-up Authentication Challenge Protocol” on the Authlete website.) Overview OAuth 2.0 Step-up Authentication Challenge Protocol “introduces a mechanism for a resource server to signal to a client that the authentication event associated with the access token of the current request…

Overview Section 2.1. Using JWTs as Authorization Grants of RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants defines another flow for access token issuance which is different from OAuth 2.0 standard flows defined in RFC 6749. We call it JWT Authorization Grant flow. In…

Introduction RFC 8693 OAuth 2.0 Token Exchange is a technical specification that defines a way to get a new token by presenting an existing token and optionally one more existing token at the token endpoint. …

This short article shows command lines to generate a key pair in PEM format and a JWK representing a self-signed certificate for the key pair with the x5c claim. 1. Create a private key openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 > private_key.pem NOTE: Be sure that openssl is from OpenSSL, not LibreSSL. 2. Extract the public key from the private key openssl pkey -pubout…

Introduction OpenID Connect for Identity Assurance 1.0 (OIDC4IDA or IDA) is a technical specification that the eKYC-IDA Working Group of OpenID Foundation has developed. It uses OAuth 2.0 and OpenID Connect (OIDC) as its base and defines a JSON structure that conveys verified claims of a natural person. “Claim” here is…

Based on information in the “Authorizing OAuth Apps” page on GitHub Docs. The Japanese version is here. Spec Violations The response_type request parameter of authorization request is missing. The parameter is mandatory. See RFC 6749 (The OAuth 2.0 Authorization Framework) Section 4.1.1 (Authorization Request). The default format of token response seems application/x-www-form-urlencoded…

(If you are looking for information about “OpenID Connect Federation 1.0”, please read the article “OpenID Connect Federation 1.0” instead.) Flow of Identity Federation Step 1 A user accesses the login page of a web service with a web browser. Step 2 The web service generates the login page and returns it to the web browser. If the…