1. OpenID Connect

1.1 Encrypted request objects

OpenID authentication requests can be optionally signed, or signed and encrypted, by packing their parameters in a JWT.

Support for signed OpenID authentication requests was added in v6.0 of the Connect2id server.

Encrypted OpenID authentication requests keep the request parameters confidential from the end-user and the browser, which only relay an opaque JWE to the server, and from anything that records the front-channel URL (browser history, referrers, proxy logs). A request object that is first signed and then encrypted (a nested JWT) gives the server both confidentiality and proof of which client authored the request.
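The following is an added example, not code from the Connect2id server (which is Java): it uses the Go standard library to show what the encryption buys. The client side packs the authentication request parameters into a compact JWE with alg "dir" and enc "A256GCM" under a 32-byte key assumed to be shared with the server; the server side pins the algorithm pair it accepts, decrypts, and rejects a tampered or foreign JWE. The key, client identifier and redirect URI are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JOSE uses base64url without padding for every segment.
var b64 = base64.RawURLEncoding

// EncryptRequestObject packs the authentication request parameters into a
// compact JWE with alg "dir" and enc "A256GCM", so the browser only relays an
// opaque blob in the "request" parameter. key is a 32-byte symmetric key the
// client shares with the server (assumption of this example: agreed out of band).
func EncryptRequestObject(params map[string]interface{}, key []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("A256GCM needs a 32-byte key")
	}
	plaintext, err := json.Marshal(params)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize()) // 96-bit IV, fresh for every message
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	protected := b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM"}`))
	// The AAD is the ASCII of the base64url protected header (RFC 7516), so
	// any change to the header fails the tag check on the server.
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	tagAt := len(sealed) - gcm.Overhead()
	// header . encrypted-key . iv . ciphertext . tag; "dir" has no encrypted key.
	return strings.Join([]string{protected, "", b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:tagAt]), b64.EncodeToString(sealed[tagAt:])}, "."), nil
}

// DecryptRequestObject is the server side. It pins the alg/enc pair it is
// willing to accept instead of trusting the header, then decrypts.
func DecryptRequestObject(jwe string, key []byte) (map[string]interface{}, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, errors.New("not a compact JWE")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Enc string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "dir" || hdr.Enc != "A256GCM" || parts[1] != "" {
		return nil, fmt.Errorf("rejecting alg=%q enc=%q", hdr.Alg, hdr.Enc)
	}
	iv, errIV := b64.DecodeString(parts[2])
	ct, errCT := b64.DecodeString(parts[3])
	tag, errTag := b64.DecodeString(parts[4])
	gcm, err := newGCM(key)
	if errIV != nil || errCT != nil || errTag != nil || err != nil {
		return nil, errors.New("malformed JWE or bad key")
	}
	if len(iv) != gcm.NonceSize() { // gcm.Open panics on a wrong-size nonce
		return nil, errors.New("bad IV length")
	}
	plaintext, err := gcm.Open(nil, iv, append(ct, tag...), []byte(parts[0]))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key or tampered JWE")
	}
	var params map[string]interface{}
	if err := json.Unmarshal(plaintext, &params); err != nil {
		return nil, err
	}
	return params, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

The server-side check on alg and enc matters: a JWE library that lets the header pick the algorithm is the same class of mistake as a JWS verifier that honours alg=none.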

2. OAuth 2.0

2.1 JWT-secured Authorisation Response Mode for OAuth 2.0

This is a new draft that has come out of the OpenID FAPI working group. It lets the authorisation server package the authorisation response parameters (code, state, or an error) in a signed and optionally encrypted JWT, returned in a single response parameter, so the client can verify that the response really came from its authorisation server, was addressed to it and has not expired, instead of trusting loose query or fragment parameters.
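As an added example (Go standard library, not Connect2id or FAPI working group code), both sides of a JARM exchange: the server signs the response claims with an Ed25519 key as a compact JWS with alg "EdDSA" (RFC 8037), and the client verifies the signature with the algorithm pinned, then checks iss, aud, exp and state before it touches the code. The issuer URL, client ID, code and state values are constructed; the key pair is generated at test time.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// SignEdDSA produces a compact JWS with alg "EdDSA" over Ed25519 (RFC 8037).
func SignEdDSA(claims map[string]interface{}, priv ed25519.PrivateKey) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// VerifyEdDSA checks the signature with the algorithm pinned by the verifier
// (the header never gets to choose it, which defeats alg=none style tricks)
// and returns the claims.
func VerifyEdDSA(jws string, pub ed25519.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("rejecting alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("invalid signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// NewJARMResponse is the server side: the authorisation response parameters
// are wrapped in a JWT carrying iss, aud and exp, signed, and returned to
// the client as a single "response" parameter.
func NewJARMResponse(issuer, clientID, code, state string, priv ed25519.PrivateKey, now time.Time) (string, error) {
	return SignEdDSA(map[string]interface{}{
		"iss": issuer, "aud": clientID, "exp": now.Add(10 * time.Minute).Unix(),
		"code": code, "state": state,
	}, priv)
}

// ParseJARMResponse is the client side: verify the signature, then check
// issuer, audience, expiry and state before trusting the code inside.
func ParseJARMResponse(response, issuer, clientID, expectedState string, pub ed25519.PublicKey, now time.Time) (string, error) {
	c, err := VerifyEdDSA(response, pub)
	if err != nil {
		return "", err
	}
	exp, _ := c["exp"].(float64) // JSON numbers decode as float64
	switch {
	case c["iss"] != issuer:
		return "", errors.New("iss mismatch")
	case c["aud"] != clientID:
		return "", errors.New("aud mismatch: response meant for another client")
	case now.Unix() >= int64(exp):
		return "", errors.New("response expired")
	case c["state"] != expectedState:
		return "", errors.New("state mismatch")
	}
	if e, ok := c["error"].(string); ok {
		return "", fmt.Errorf("authorisation error: %s", e)
	}
	code, _ := c["code"].(string)
	if code == "" {
		return "", errors.New("no code in response")
	}
	return code, nil
}
```

The audience check is what stops a response minted for one client being replayed to another; the expiry bounds how long a captured response stays useful.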

2.2 OAuth Incremental Authorisation

OAuth 2.0 authorisation requests that include every scope the client might ever need result in over-scoped authorisations and a poor end-user consent experience. The draft-ietf-oauth-incremental-authz spec adds incremental authorisation to the OAuth 2.0 authorisation protocol: the ability to request specific scopes as and when they are needed, and to have them merged with the scopes the user has already granted, instead of requesting every possible scope upfront.
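An added example of the server-side logic, not Connect2id's implementation: given the raw authorisation request and the scopes this user already granted the client, it works out which scopes need a fresh consent prompt and what the resulting grant covers, honouring the include_granted_scopes=true parameter the draft defines. Client ID and scope names are constructed.

```go
package main

import (
	"errors"
	"net/url"
	"sort"
	"strings"
)

// ConsentPlan is the outcome the authorisation server computes for one request.
type ConsentPlan struct {
	Prompt  []string // scopes the user has not granted this client before; only these go on the consent screen
	Granted []string // scopes the resulting authorisation will carry
}

// PlanIncrementalConsent evaluates an authorisation request against the scopes
// the user previously granted the client. With include_granted_scopes=true, the
// parameter draft-ietf-oauth-incremental-authz adds, the new grant is the union
// of the earlier scopes and the ones requested now; otherwise it is only what
// is requested now. In both cases the user is asked solely about new scopes.
// Example logic added here; not the Connect2id server's implementation.
func PlanIncrementalConsent(rawQuery string, previouslyGranted []string) (ConsentPlan, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return ConsentPlan{}, err
	}
	if q.Get("response_type") == "" || q.Get("client_id") == "" {
		return ConsentPlan{}, errors.New("invalid_request: response_type and client_id are required")
	}
	requested := strings.Fields(q.Get("scope"))
	if len(requested) == 0 {
		return ConsentPlan{}, errors.New("invalid_scope: no scope requested")
	}
	prior := toSet(previouslyGranted)
	granted := toSet(requested)
	prompt := []string{}
	for s := range granted {
		if !prior[s] {
			prompt = append(prompt, s)
		}
	}
	if q.Get("include_granted_scopes") == "true" {
		for s := range prior {
			granted[s] = true
		}
	}
	sort.Strings(prompt)
	return ConsentPlan{Prompt: prompt, Granted: sortedKeys(granted)}, nil
}

func toSet(values []string) map[string]bool {
	m := make(map[string]bool, len(values))
	for _, v := range values {
		m[v] = true
	}
	return m
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}
```

Without include_granted_scopes the second request silently narrows the authorisation to what it names, which is the behaviour that pushed clients into asking for everything upfront in the first place.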

2.3 OAuth 2.0 Token Exchange

The OAuth working group is drafting a protocol for a lightweight HTTP- and JSON-based Security Token Service (STS). It defines how to request and obtain security tokens from an OAuth 2.0 authorisation server, including tokens that express impersonation (the client acts as the subject) and delegation (the client acts on the subject's behalf, which the issued token records in an act claim). See draft-ietf-oauth-token-exchange.
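An added example of the STS side of a token exchange, written against the Go standard library rather than taken from Connect2id: it parses the form-encoded request, requires a subject_token, and issues a JWT whose act claim records the actor when an actor_token is present (delegation) and nests any delegation chain the subject token already carried; with no actor_token the result is plain impersonation. Validation of the presented tokens is assumed to happen in the resolve callback, the issuer URL and HS256 key are hypothetical, and the token strings in the test are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"time"
)

const (
	GrantTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	TokenTypeJWT       = "urn:ietf:params:oauth:token-type:jwt"
)

// ValidatedToken is what the STS knows about a presented token after it has
// been verified (signature, expiry or introspection). Assumption: that
// verification happens inside the resolve callback passed to Exchange.
type ValidatedToken struct {
	Sub string
	Act map[string]interface{} // delegation chain already in the token, if any
}

// ExchangeResponse is the JSON body of a successful token exchange.
type ExchangeResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int    `json:"expires_in"`
}

// Exchange processes a form-encoded token exchange request and returns the
// response together with the claims of the issued JWT, so the "act" chain
// can be inspected. key is a hypothetical HS256 key of this example STS.
func Exchange(form string, resolve func(token, typ string) (*ValidatedToken, error),
	key []byte, now time.Time) (*ExchangeResponse, map[string]interface{}, error) {
	q, err := url.ParseQuery(form)
	if err != nil {
		return nil, nil, err
	}
	if q.Get("grant_type") != GrantTokenExchange {
		return nil, nil, errors.New("unsupported_grant_type")
	}
	if q.Get("subject_token") == "" || q.Get("subject_token_type") == "" {
		return nil, nil, errors.New("invalid_request: subject_token and subject_token_type are required")
	}
	subject, err := resolve(q.Get("subject_token"), q.Get("subject_token_type"))
	if err != nil {
		return nil, nil, errors.New("invalid_request: subject_token is not valid")
	}
	claims := map[string]interface{}{
		"iss": "https://as.example.com", // hypothetical issuer
		"sub": subject.Sub,
		"iat": now.Unix(),
		"exp": now.Add(5 * time.Minute).Unix(),
	}
	if aud := q.Get("audience"); aud != "" {
		claims["aud"] = aud
	}
	if scope := q.Get("scope"); scope != "" {
		claims["scope"] = scope
	}
	// Delegation: an actor_token names the party acting on the subject's behalf.
	// It becomes the outermost "act" claim; a chain already in the subject token
	// is nested beneath it. Without an actor_token no "act" is added (impersonation).
	if actorTok := q.Get("actor_token"); actorTok != "" {
		if q.Get("actor_token_type") == "" {
			return nil, nil, errors.New("invalid_request: actor_token_type is required with actor_token")
		}
		actor, err := resolve(actorTok, q.Get("actor_token_type"))
		if err != nil {
			return nil, nil, errors.New("invalid_request: actor_token is not valid")
		}
		act := map[string]interface{}{"sub": actor.Sub}
		if subject.Act != nil {
			act["act"] = subject.Act
		}
		claims["act"] = act
	}
	jwt, err := signHS256(claims, key)
	if err != nil {
		return nil, nil, err
	}
	return &ExchangeResponse{AccessToken: jwt, IssuedTokenType: TokenTypeJWT, TokenType: "Bearer", ExpiresIn: 300}, claims, nil
}

// signHS256 produces a compact JWS; a production STS would use an asymmetric alg.
func signHS256(claims map[string]interface{}, key []byte) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	b64 := base64.RawURLEncoding
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}
```

A resource server that receives the delegated token can walk the act chain from the outermost entry inwards to see every party that handled the request, which is exactly the audit trail impersonation loses.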

2.4 OAuth 2.0 Device Authorisation Grant

Commonly known as the device flow, this OAuth grant is designed for browserless and input-constrained devices and contexts, such as smart TVs, consoles and printers. The device displays a short user code and polls the token endpoint while the user authorises the client on a secondary device, such as their smartphone or personal computer. See draft-ietf-oauth-device-flow-15.
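The exchange described above as an added example, in Go against the standard library (not Connect2id code): an in-memory authorisation server that issues a high-entropy device_code plus a short user_code, records the decision the user makes on the secondary device, and answers the device's polling with the draft's error codes (authorization_pending, slow_down, expired_token, access_denied) until it hands out a single-use token. The client ID, verification URI, lifetimes and token format are constructed for the example; the clock is injectable so the timing rules can be tested.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"math/big"
	"sync"
	"time"
)

type deviceGrant struct {
	clientID, userCode, sub string
	expires, lastPoll        time.Time
	approved, denied         bool
}

// DeviceFlowServer keeps pending grants in memory. Now is injectable so the
// polling and expiry rules can be exercised against a fixed clock.
type DeviceFlowServer struct {
	mu     sync.Mutex
	grants map[string]*deviceGrant // keyed by device_code
	Now    func() time.Time
}

func NewDeviceFlowServer() *DeviceFlowServer {
	return &DeviceFlowServer{grants: map[string]*deviceGrant{}, Now: time.Now}
}

// Authorize serves the device's POST to the device authorisation endpoint. The
// real JSON response also carries verification_uri, expires_in (600 here) and interval (5 here).
func (s *DeviceFlowServer) Authorize(clientID string) (deviceCode, userCode string, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	deviceCode = base64.RawURLEncoding.EncodeToString(raw) // high entropy; only the device sees it
	// user_code: 8 characters from the draft's 20-consonant alphabet (no vowels,
	// so no accidental words), shown as XXXX-XXXX for the user to type.
	uc := []byte("XXXX-XXXX")
	for i := range uc {
		if uc[i] != '-' {
			n, err := rand.Int(rand.Reader, big.NewInt(20))
			if err != nil {
				return "", "", err
			}
			uc[i] = "BCDFGHJKLMNPQRSTVWXZ"[n.Int64()]
		}
	}
	userCode = string(uc)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.grants[deviceCode] = &deviceGrant{clientID: clientID, userCode: userCode, expires: s.Now().Add(10 * time.Minute)}
	return deviceCode, userCode, nil
}

// Decide records the user's choice, made on the secondary device after signing
// in there and typing the user_code displayed by the TV or printer.
func (s *DeviceFlowServer) Decide(userCode, sub string, approve bool) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	for _, g := range s.grants {
		if g.userCode == userCode && s.Now().Before(g.expires) {
			g.approved, g.denied, g.sub = approve, !approve, sub
			return nil
		}
	}
	return errors.New("unknown or expired user_code")
}

// Token serves the device polling the token endpoint with
// grant_type=urn:ietf:params:oauth:grant-type:device_code. The error text is
// the OAuth error code the JSON error response would carry.
func (s *DeviceFlowServer) Token(clientID, deviceCode string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	g, ok := s.grants[deviceCode]
	if !ok || g.clientID != clientID {
		return "", errors.New("invalid_grant")
	}
	now := s.Now()
	switch {
	case now.After(g.expires):
		delete(s.grants, deviceCode)
		return "", errors.New("expired_token")
	case now.Sub(g.lastPoll) < 5*time.Second: // faster than the advertised interval
		g.lastPoll = now
		return "", errors.New("slow_down")
	}
	g.lastPoll = now
	switch {
	case g.denied:
		delete(s.grants, deviceCode)
		return "", errors.New("access_denied")
	case !g.approved:
		return "", errors.New("authorization_pending")
	}
	delete(s.grants, deviceCode) // a device_code is redeemed only once
	return "at-" + g.sub + "-" + deviceCode[:8], nil
}
```

Two details worth keeping when implementing this for real: the device_code is bound to the client that requested it, so a leaked code is useless to another client, and a slow_down response resets the poll timer, so a device that ignores the interval never gets its token.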


3.1 Ed25519 digital signatures

Benchmarks with the new Ed25519 signature scheme (JWS alg "EdDSA" with the Ed25519 curve, RFC 8037) revealed that signing with it is 22x faster than the current ECDSA signing with P-256 (ES256). Verification was also faster, at 14x. The EdDSA JWS algorithm will speed up issuing and processing of ID tokens and self-contained (JWT-encoded) access tokens.
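To reproduce the comparison yourself, here is an added micro-benchmark (Go standard library, not the Java benchmark the post refers to) that signs and verifies the same JWS signing input with Ed25519 and with ECDSA P-256 and reports the speed-up ratios. The signing input is a constructed base64url header and payload. Go's P-256 implementation is heavily optimised, so expect the ratios to differ from the 22x and 14x quoted above; the point is the method, not the exact factor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Speedup is how many times faster Ed25519 was than ECDSA P-256 in this run
// (a value above 1 means Ed25519 was faster).
type Speedup struct{ Sign, Verify float64 }

// MeasureSpeedup signs and verifies the same JWS signing input n times with
// each algorithm and returns the time ratios ecdsa/ed25519.
func MeasureSpeedup(n int) (Speedup, error) {
	if n <= 0 {
		return Speedup{}, errors.New("n must be positive")
	}
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Speedup{}, err
	}
	ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Speedup{}, err
	}
	// Constructed signing input: base64url(header) "." base64url(payload).
	input := []byte("eyJhbGciOiJFZERTQSJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOi8vYXMuZXhhbXBsZS5jb20ifQ")
	digest := sha256.Sum256(input) // ES256 signs the SHA-256 hash; Ed25519 hashes internally

	start := time.Now()
	var edSig []byte
	for i := 0; i < n; i++ {
		edSig = ed25519.Sign(edPriv, input)
	}
	edSign := time.Since(start)

	start = time.Now()
	var ecSig []byte
	for i := 0; i < n; i++ {
		if ecSig, err = ecdsa.SignASN1(rand.Reader, ecPriv, digest[:]); err != nil {
			return Speedup{}, err
		}
	}
	ecSign := time.Since(start)

	start = time.Now()
	for i := 0; i < n; i++ {
		if !ed25519.Verify(edPub, input, edSig) {
			return Speedup{}, errors.New("ed25519 verification failed")
		}
	}
	edVerify := time.Since(start)

	start = time.Now()
	for i := 0; i < n; i++ {
		if !ecdsa.VerifyASN1(&ecPriv.PublicKey, digest[:], ecSig) {
			return Speedup{}, errors.New("ecdsa verification failed")
		}
	}
	ecVerify := time.Since(start)

	if edSign == 0 || edVerify == 0 {
		return Speedup{}, errors.New("timer resolution too coarse; raise n")
	}
	return Speedup{Sign: float64(ecSign) / float64(edSign), Verify: float64(ecVerify) / float64(edVerify)}, nil
}
```

Beyond speed, Ed25519 signing is deterministic and needs no per-signature random nonce, which removes the class of key-recovery failures ECDSA suffers when its nonce is weak or reused.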

Comments, suggestions?

Please post your comment below, or write to Connect2id support.
