MITREid Connect was, at one time, one of the top open source implementations of OpenID Connect and OAuth 2.0. Written in Java and targeted for enterprise systems in the days before cloud services, it fit a niche and did it well. Where is it today and where is it going? How It Started …

At the recent IETF 113 meeting in Vienna, Austria, we put the GNAP protocol to the test by submitting it as a Hackathon project. Over the course of the weekend, we built out GNAP components and pointed them at each other to see what stuck. Here’s what we learned. Our Goals GNAP…

There’s a new draft in the HTTP working group that deals with signing HTTP messages of all types. Why is it here, and what does that give us? HTTP is irrefutably a fundamental building block of most of today’s software systems. Yet security and identity need to be layered alongside…

About a year ago I wrote an article arguing for creating the next generation of the OAuth protocol. That article, and some of the other writing around it, has been picked up recently, and so people have been asking me what’s the deal with XYZ, TxAuth, OAuth 3.0, and anything…

This article is part of a series about XYZ and how it works, also including articles on Why?, Handles, Interaction, and Compatibility. OAuth 2 loves its bearer tokens. They’re a really useful construct because they are simple: if you have the token, you can do whatever the token is good…

This article is part of a series about XYZ and how it works, also including articles on Why?, Handles, Compatibility, and Cryptographic Agility. When OAuth 1 was first invented, it primarily sought to solve the problem of one website talking to another website’s API. It could also be used with…

This article is part of a series about XYZ and how it works, also including articles on Why?, Handles, Interaction, and Cryptographic Agility. XYZ is a novel protocol, and one of its goals is to move beyond what OAuth 2 enables in any easy fashion. …

This article is part of a series about XYZ and how it works, also including articles on Why?, Interaction, Compatibility, and Cryptographic Agility. One comment I’ve gotten from several people when reading the XYZ spec text and surrounding documentation is about one of its core innovations. …

This article is part of a series about XYZ and how it works, also including articles on Handles, Interaction, Compatibility, and Cryptographic Agility. It’s been about a year and a half since I started in earnest on the XYZ project. I’ve talked with a variety of different people and companies…