2026-05-27, Arena
In mid-2024, University of Stuttgart security researchers discovered an actionable security vulnerability in the audience values used for JWT Client Authentication. This presentation will delve into the details of what happened next and why.
The fourth and final Implementer’s Draft of the OpenID Federation specification was completed on May 31, 2024. Security researchers at the University of Stuttgart conducted a security analysis of it for the OpenID Foundation in mid-2024 and discovered an actionable security vulnerability. The vulnerability stemmed from the specifications’ recommendations about the audience (aud) values of Client Authentication JWTs, and it affected many OAuth and OpenID specifications. The vulnerability was reported to the OpenID Foundation on September 20, 2024.
This presentation will go into the details of what happened after that, why things unfolded the way they did (and in some cases, still are), and what we can learn as a result. Topics I’ll discuss include:
- the OpenID Foundation notifying FAPI ecosystems that we determined were vulnerable and the actions they took as a result,
- the invitation-only meeting of spec authors and OAuth chairs at the November 2024 IETF meeting in Dublin to discuss the vulnerability, and the conclusions reached there,
- the semi-private disclosure of the vulnerability at an OAuth interim meeting on January 27, 2025,
- the public disclosure of the vulnerability by the OpenID Foundation on February 25, 2025,
- the effect that the vulnerability had on the OpenID Federation specification,
- the effect that the vulnerability had on the FAPI 2 specification,
- the resulting errata work on the OpenID Core, OpenID CIBA Core, and FAPI 1 specifications,
- the updates being made to RFC 7523 (JWT Client Authentication and Authorization Grants), RFC 7521 (Generic OAuth 2.0 Client Authentication and Authorization Grants), RFC 7522 (SAML Client Authentication and Authorization Grants), and RFC 9126 (Pushed Authorization Requests),
- the updates not made to RFC 9101 (JAR),
- the updates not made to RFC 9700 (OAuth Security BCP),
- the status of rfc7523bis and draft-wuertele-oauth-security-topics-update (which are updating the affected OAuth specifications),
- what remains to do,
- thoughts on why this has all taken as long as it has, and
- what lessons we can learn.
Dr. Michael B. Jones
Building the Internet's Missing Identity Layer
Self-Issued Consulting
Michael B. Jones is on a quest to build the Internet's missing identity layer. He is an editor of the OpenID Connect specifications, IETF OAuth specifications, including JSON Web Token (JWT) and DPoP, the IETF JSON Object Signing and Encryption (JOSE) specifications, FIDO 2.0, and W3C Web Authentication. In the Digital Credentials space, he is an editor of the W3C Verifiable Credentials specs, the JSON Web Proofs (JWP) specs, and a contributor to the OpenID4VC specs. He co-chairs the IETF COSE working group, which is doing post-quantum algorithms work for COSE and JOSE. Michael was recognized as a Distinguished Engineer by the OpenID Foundation and was granted a lifetime achievement award by Kuppinger Cole for creating simple, secure, ubiquitous, interoperable digital identity solutions since 2005. As a long-time member of the OpenID Board of Directors, he architected the award-winning and globally adopted OpenID Certification program. Michael's Ph.D. in Computer Science from Carnegie Mellon University led to a lifelong career in digital identity, computer security, privacy, and networking. He is passionate about mentoring the next generation of identity leaders. His professional Web site is https://self-issued.consulting/ and he blogs at https://self-issued.info/.