[WG-UMA] OAuth signature state-of-the-art

Eve Maler eve at xmlgrrl.com
Wed Jul 7 15:59:03 EDT 2010

One of my action items from May was to forward info on the proposed OAuth signature solution.  Dirk Balfanz posted the following message on June 21, occasioning a large discussion thread -- mostly positive, suggesting mostly tweaks.  Signing no longer appears in the core OAuth2 spec (note that comments on draft 09 are due tomorrow!), but would layer on top of that spec.


Below is the meat of Dirk's message, to get all the relevant links conveniently into your hands.  If you have comments, whether motivated by UMA-specific needs or wider needs, feel free to comment here -- but your best bet if you're seeking changes is to contribute directly to the IETF OAuth conversation as well.


I wrote something down that liberally borrows ideas from Magic Signatures, SWT, and (even the name from) JSON Web Tokens. 

Here is a short document (called "JSON Tokens") that just explains how to sign something and verify the signature:

Here is an extension of JSON Tokens that can be used for signed OAuth tokens:

Here is a different extension of JSON Tokens that can be used for 2-legged flows. The idea is that this could be used as a drop-in replacement for SAML assertions in the OAuth2 assertion flow:

I also have started to write some code to implement this as a proof-of-concept. 

Eve Maler
