
Subject: OIDC Survey Working Group


heart profile, an example of requiring security ....


  • From: Steven Carmody <>
  • Subject: heart profile, an example of requiring security ....
  • Date: Fri, 13 Jan 2017 15:40:59 -0500

Hi,

I took a quick look at this profile:

http://openid.bitbucket.org/HEART/openid-heart-oauth2.html

and saw this text:

3.2.1. JWT Bearer Tokens

In order to facilitate interoperability with multiple protected
resources, all HEART-compliant authorization servers issue
cryptographically signed tokens in the JSON Web Token (JWT) format.

I'd note that many OAuth2 deployers cite "it's easier to implement than SAML" as a reason for using OAuth2; they routinely point to the SAML crypto stuff as "too hard for most developers". sigh.

and I *really* like this requirement, in the same section:

The server MUST issue tokens as JWTs with, at minimum, the following claims:

iss
The issuer URL of the server that issued the token
azp
The client id of the client to whom this token was issued

I also saw that the author of the HEART profile is Justin Richer, the primary developer of the MITREid OIDC/OAuth implementation.
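The quoted requirement (signed JWT access tokens carrying at least iss and azp) is easy to state and easy to get wrong on the resource-server side. The following is an added example, not code from Steven's message, the HEART profile, or MITREid Connect: a minimal issuer and verifier built on the Python standard library only. It uses HS256 (HMAC-SHA256) so that it runs with no dependencies; the message does not quote which signing algorithm HEART actually mandates, and a real deployment would normally use an asymmetric key pair so that protected resources never hold a signing secret. The issuer URL, client id and key are constructed placeholders. The point of the verifier is the order of checks: pin the algorithm before trusting the header, verify the signature before reading any claim, then enforce iss, azp and exp.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the profile): the AS keeps the
# key secret and the RS is configured with the expected issuer URL out of band.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"
ISSUER = "https://as.example.test/"  # hypothetical issuer URL


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(client_id: str, key: bytes = DEMO_KEY, lifetime: int = 3600, now=None) -> str:
    """Authorization-server side: mint a signed JWT carrying the minimum claims
    named in the quoted profile text (iss, azp) plus iat and exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "azp": client_id, "iat": now, "exp": now + lifetime}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_issuer: str = ISSUER, key: bytes = DEMO_KEY, now=None) -> dict:
    """Protected-resource side. Returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Never let the token pick the algorithm: reject "none" and anything other
    # than the one algorithm this resource server is configured for.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h_b64 + "." + c_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    # Only now is the payload trustworthy enough to read.
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    if not claims.get("azp"):
        raise ValueError("missing azp")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def check(token: str, **kw) -> bool:
    """Boolean wrapper around verify_token for callers that only need accept/reject."""
    try:
        verify_token(token, **kw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tok = issue_token("client-123")
    print(tok)
    print(verify_token(tok))
```

A resource server that skips the alg pin and trusts whatever the header says, or that reads claims before checking the signature, gets none of the interoperability benefit the profile is after: the JWT format only helps multiple protected resources if each of them actually verifies the issuer's signature and then matches iss and azp against its own configuration.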

