Lifelog

Top 5 artists this week

Sun, 06 May 2012 12:00:00 GMT

Top 5 artists this week

Sun, 29 Apr 2012 12:00:00 GMT

Top 5 artists this week

Sun, 22 Apr 2012 12:00:00 GMT

Top 5 artists this week

Sun, 15 Apr 2012 12:00:00 GMT

Top 5 artists this week

Sun, 08 Apr 2012 12:00:00 GMT

Top 5 artists this week

Sun, 01 Apr 2012 12:00:00 GMT

Top 5 artists this week

Sun, 25 Mar 2012 12:00:00 GMT

Top 5 artists this week

Sun, 18 Mar 2012 12:00:00 GMT

Top 5 artists this week

Sun, 11 Mar 2012 12:00:00 GMT

Top 5 artists this week

Sun, 04 Mar 2012 12:00:00 GMT

Top 5 artists this week

Sun, 26 Feb 2012 12:00:00 GMT

Cross-origin resource sharing - Wikipedia, the free encyclopedia

Mon, 20 Feb 2012 21:21:48 GMT

Cross-origin resource sharing (CORS) is a web browser technology specification, which defines ways for a web server to allow its resources to be accessed by a web page from a different domain.^[1] Such access would otherwise be forbidden by the same origin policy.

via en.wikipedia.org

https://bitbucket.org/openid/connect/issue/550

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

Handling the Response : Using OAuth 2.0 for Client-side Applications - Authentication and Authorization for Google APIs - Google Code

Mon, 20 Feb 2012 16:46:41 GMT

Handling the Response

Google returns an access token to your application if the user grants your application the permissions it requested. The access token is returned to your application in the fragment as part of the access_token parameter. Since a fragment is not returned to the server, client-side script must parse the fragment and extract the value of the access_token parameter.

Other parameters included in the response include expires_in and token_type. These parameters describe the lifetime of the token in seconds, and the kind of token that is being returned. If the state parameter was included in the request, then it is also included in the response.

An example User Agent flow response is shown below:
https://oauth2-login-demo.appspot.com/oauthcallback#access_token=1/fFBGRNJru1FQd44AzqT3Zg&token_type=Bearer&expires_in=3600
Other fields may be included in the response. Your application should allow additional fields to be returned in the response. The set shown above is the minimum set.

Below is a Javascript snippet that parses the response and returns the parameters to the server. This code is hosted at the https://oauth2-login-demo.appspot.com/oauthcallback URL.
// First, parse the query string var params = {}, queryString = location.hash.substring(1), regex = /([^&=]+)=([^&]*)/g, m; while (m = regex.exec(queryString)) { params[decodeURIComponent(m[1])] = decodeURIComponent(m[2]); }  // And send the token over to the server var req = new XMLHttpRequest(); // consider using POST so query isn't logged req.open('GET', 'https://' + window.location.host + '/catchtoken?' + queryString, true);  req.onreadystatechange = function (e) { if (req.readyState == 4) { if(req.status == 200){ window.location = params['state'] } else if(req.status == 400) { alert('There was an error processing the token.') } else { alert('something else other than 200 was returned') } } }; req.send(null);
This code sends the parameters received on the fragment to the server using XMLHttpRequest and writes the access token to local storage in the browser. The latter is an optional step, and depends on whether or not the application requires other Javascript code to make calls to a Google API. Also note that this code sends the parameters to the /accepttoken endpoint, and they are sent over an HTTPs channel.

Error Response

The Google Authorization Server returns an error if the user did not grant your application the permissions it requested. The error is returned in the fragment.

An example error response is shown below:
https://oauth2-login-demo.appspot.com/oauthcallback#error=access_denied

via code.google.com

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

UMA Core: 3.1.3. Requester Presents a Valid Access Token

Mon, 20 Feb 2012 00:03:26 GMT

From Evernote:

UMA Core: 3.1.3. Requester Presents a Valid Access Token

Clipped from: http://tools.ietf.org/id/draft-hardjono-oauth-umacore-03.txt#

3.1.3. Requester Presents a Valid Access Token If the requester presents an access token with its request, and the token is valid (see Section 3.3), the host examines the token status description. 3.1.3.1. Requester's Token Has Insufficient Permission If the token status is not associated with any currently valid permission that applies to the scope of access attempted by the requester, the Host SHOULD register a permission with the AM (see Section 3.4) that would suffice for that scope of access, and then respond to the requester with the HTTP 403 (Forbidden) status code, along with providing the AM's URI in the header of the message and the permission ticket it just received from the AM in the body of the JSON form. For example: HTTP/1.1 403 Forbidden WWW-Authenticate: UMA realm="example", host_id="photoz.example.com", am_uri="http://am.example.com" { "ticket": "016f84e8-f9b9-11e0-bd6f-0021cc6004de" }

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

Top 5 artists this week

Sun, 19 Feb 2012 12:00:00 GMT

User-Managed Access (UMA) Core Protocol

Mon, 13 Feb 2012 08:24:20 GMT

via op.deb

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

User-Managed Access (UMA) Core Protocol — accounts 1.0 documentation

Mon, 13 Feb 2012 08:20:49 GMT

via op.deb

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

Top 5 artists this week

Sun, 12 Feb 2012 12:00:00 GMT

Top 5 artists this week

Sun, 05 Feb 2012 12:00:00 GMT

Frozen

Sat, 04 Feb 2012 16:44:41 GMT

Friday : Frozen, TEPIA, a photo by hidelafoglia on Flickr.

先週ぐらいからすごく寒くなって、降った雪がなかなか消えないで残っています。通学路で残って雪で２人でアシでアイスホッケーしながら駅までがブームです。

今朝は特に寒くてTEPIAの池の氷が一番広かった。

今のところインフルエンザにもなっていないので、このまま春休みまで病気無しで行きたいですね。

Birthday Party

Fri, 03 Feb 2012 16:52:57 GMT

Saturday : My Birthday Party, a photo by hidelafoglia on Flickr.

今日はRiは学校。 Miは親交のある会社の主催の就職活動セミナーで、学生さんの前でパネルディスカッションで秋葉原で一日すごしました。

とてもいいイベントで、学生さんも喜んでいたようです。企画した社長はすばらしいです。Miも一緒にディスカッションした食品会社の社長や、外資系企業のマーケティングディレクターのお話に感銘したりで、誕生日に良い体験をしたと思っています。

打ち上げに参加して、運営企画の人から基調な体験を伺ったりでいつの間にか時間に。お先に外させていただきタクシーで急いで返りました。

今年は、カットした果物にHAPPY BIRTHDAYのローソクでした。Riさんは板チョコのデコレーションと、前から書いていた絵を仕上げてくれました。ありがとう！

ローストビーフはRiが全て平らげてしまいました。w

良い一年になりそうです。

[Openid-specs-ab] FW: Initial Versions of JOSE Specs submitted

Wed, 01 Feb 2012 09:11:23 GMT

From Evernote:

[Openid-specs-ab] FW: Initial Versions of JOSE Specs submitted

Clipped from: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20120116/001437.html

I've submitted initial IETF versions of the JOSE<http://datatracker.ietf.org/wg/jose/> specs. Once the postings are approved by the chairs, they'll appear as IETF -00 drafts. These specs are: * JSON Web Signature (JWS) - Digital signature/HMAC specification * JSON Web Encryption (JWE) - Encryption specification * JSON Web Key (JWK) - Public key specification * JSON Web Algorithms (JWA) - Algorithms and identifiers specification They are refactored from the previous individual submission versions to move algorithms and identifiers into a separate specification, per the working group charter<http://datatracker.ietf.org/wg/jose/charter/>. Also, per the working group's input, the terminology usage has been changed to no longer call both digital signatures and HMACs "signatures". The JOSE versions contain no normative changes from the individual submission versions. I've also posted submitted drafts at these locations: * http://self-issued.info/docs/draft-ietf-jose-json-web-signature-00.html * http://self-issued.info/docs/draft-ietf-jose-json-web-encryption-00.html * http://self-issued.info/docs/draft-ietf-jose-json-web-key-00.html * http://self-issued.info/docs/draft-ietf-jose-json-web-algorithms-00.html

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

Top 5 artists this week

Sun, 29 Jan 2012 12:00:00 GMT

Guide to Running a User Account System (Google)

Fri, 27 Jan 2012 16:40:49 GMT

Introduction: User Account Systems
The hack that makes Internet Identity possible
Which face are you presenting to the world?
Human -> Emails -> Local IDs -> Passwords
The Weakest link
So what happened in 2008?
Secure mashups
Chapter 1: Account Chooser
Requirements
The Account Chooser Experience
Central Account Chooser
Local Account Chooser
Local + Central
Email providers and Account Choosers
Passwords and Account Choosers
Chapter 2: Mobile/Desktop Apps
Chapter 3: What is an Identity Provider?
Chapter 4: Baby steps to passwordless login
Chapter 5: Identity Providers and Email Providers
Account Chooser without passwords
The Email Attribute
Full Rollout
Login with a button
Session Lifetime
Persistent or Session Cookies
Cookie lifetime
Single Sign Out
Chapter 6: Popular Identity Providers and Social Login
The good, the bad, and the ugly
Account Chooser and Popular Identity Providers
Login with a button
Account Linking Wizard
Chosen account has no IDP
IDPs that do not assert Email address
Per-RP IDs
Chapter 7: Consuming APIs
Chapter 8: Local Social Graph
Chapter 9: Certification of Providers
Chapter 10: Exposing APIs
Chapter 11: Relationship Managers
What are the advantages?
Examples
Chapter 12: Relationship Guides
Chapter 13: Identity Verification and Attribute Providers
Chapter 14: Stronger authentication for users
Phishing protection
Mixed Strong Authentication
Economics of consumer strong authentication
Chapter 15: Stronger authentication for robots
Robots and Dynamic Registration
Chapter 16: Conclusion

via docs.google.com

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

Top 5 artists this week

Sun, 22 Jan 2012 12:00:00 GMT

Costco Party

Fri, 20 Jan 2012 16:37:34 GMT

Saturday : Draemon, a photo by hidelafoglia on Flickr.

今年最初のCOSTCOパーティ。今日はNeとMay ママだけでひるから買い出しなので、ランチはRiと２人でパスタ食べに行きました。
夕方まで２人で遊んでいましたが、Miがうとうと。。。Mayちゃんが夕方までバレーなのでそれまで待ち遠しいようです。

夕方、我が家に全員集合でパーティ。保育園時代とは打って変わって、本を読み出したりとかお姉さんな遊びかたになってびっくり。

学校は違うけど、今年もMayちゃんとは遊ぶだろうな。Best Friendなので。

Connect Client Credentials Flow with JWT Assertion : #512 - Standard : 2.2 : "two main paths" means other flow can be used , or not ? — Bitbucket

Fri, 20 Jan 2012 01:43:50 GMT

John Bradley / ve7jtb
written 2 hours ago

Yes the idea is that other flows like “JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0” can be used.

A extension document probably needs to be written for each additional flow.

via bitbucket.org

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

Assertion Flow in Connect ? ( Draft: OpenID Connect Standard 1.0 - draft 07 )

Thu, 19 Jan 2012 16:35:42 GMT

Authorization Requests follow two main paths to obtain Access Tokens and ID Tokens, the Implicit Flow and the Authorization Code Flow.

via openid.bitbucket.org

Looks no. Draft should be slightly changed ?

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

Mike Jones: self-issued » SWD, JWT, JWS, JWE, JWK, and OAuth JWT Profile specs updated

Tue, 17 Jan 2012 01:21:45 GMT

This checkin is intended to be the last set of individual submissions of the JWS, JWE, and JWK drafts before they are refactored and submitted to the JOSE WG as working group drafts. The primary changes requested by the JOSE WG but not yet done are to break the algorithm profiles and identifiers out into a new spec and to rework the terminology in the signature spec to use different terms for digital signature and HMAC integrity operations.

See the Document History sections of each document for a detailed description of the changes made. These documents are available at:

http://tools.ietf.org/html/draft-jones-simple-web-discovery-02

http://tools.ietf.org/html/draft-jones-json-web-token-07

http://tools.ietf.org/html/draft-jones-json-web-signature-04

http://tools.ietf.org/html/draft-jones-json-web-encryption-02

http://tools.ietf.org/html/draft-jones-json-web-key-03

http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03

HTML-formatted versions are available at:

http://self-issued.info/docs/draft-jones-simple-web-discovery-02.html

http://self-issued.info/docs/draft-jones-json-web-token-07.html

http://self-issued.info/docs/draft-jones-json-web-signature-04.html

http://self-issued.info/docs/draft-jones-json-web-encryption-02.html

http://self-issued.info/docs/draft-jones-json-web-key-03.html

http://self-issued.info/docs/draft-jones-oauth-jwt-bearer-03.html

via self-issued.info

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

JOSE: [woes] Proposed charter, post-Quebec edition

Tue, 17 Jan 2012 01:12:44 GMT

From Evernote:

JOSE: [woes] Proposed charter, post-Quebec edition

Clipped from: http://www.ietf.org/mail-archive/web/woes/current/msg00160.html#

Here is a proposal for the charter based on the discussion in the BoF last week and later discussion with Sean Turner. Comments, praise, scorn, etc., are welcome. --Paul and Richard Javascript Object Signing and Encrypting (jose) =============================================== Background ---------- Javascript Object Notation (JSON) is a text format for the serialization of structured data described in RFC 4627. The JSON format is often used for serializing and transmitting structured data over a network connection. With the increased usage of JSON in protocols in the IETF and elsewhere, there is now a desire to offer security services such as encryption and digital signatures for data that is being carried in JSON format. Different proposals for providing such security services have already been defined and implemented. This Working Group's task is to standardize two security services, encrypting and digitally signing, in order to increase interoperability of security features between protocols that use JSON. The Working Group will base its work on well-known message security primitives (e.g., CMS), and will solicit input from the rest of the IETF Security Area to be sure that the security functionality in the JSON format is correct. This group is chartered to work on four documents: 1) A Standards Track document specifying how to apply a JSON-structured digital signature to data, including (but not limited to) JSON data structures. "Digital signature" is defined as a hash operation followed by a signature operation using asymmetric keys. 2) A Standards Track document specifying how to apply a JSON-structured encryption to data, including (but not limited to) JSON data structures. 3) A Standards Track document specifying how to encode public keys as JSON-structured objects. 4) A Standards Track document specifying mandatory-to-implement algorithms for the other three documents. The working group may decide to address one or more of these goals in a single document, in which case the concrete milestones for signing/encryption below will both be satisfied by the single document. Goals and Milestones -------------------- Aug 2011 Submit JSON object signing document as a WG item. Aug 2011 Submit JSON object encryption document as a WG item. Aug 2011 Submit JSON key format document as a WG item. Aug 2011 Submit JSON algoritm document as a WG item. Jan 2012 Start Working Group Last Call on JSON object signing document. Jan 2012 Start Working Group Last Call on JSON object encryption document. Jan 2012 Start Working Group Last Call on JSON key format document. Jan 2012 Start Working Group Last Call on JSON algorithm document. Feb 2012 Submit JSON object signing document to IESG for consideration as Standards Track document. Feb 2012 Submit JSON object encryption document to IESG for consideration as Standards Track document. Feb 2012 Submit JSON key format document to IESG for consideration as Standards Track document. Feb 2012 Submit JSON algorithm document to IESG for consideration as Standards Track document.

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

Top 5 artists this week

Sun, 15 Jan 2012 12:00:00 GMT

New Year Wishes

Sat, 14 Jan 2012 00:28:15 GMT

Saturday : Todoroki Fudo Son Shrine, a photo by hidelafoglia on Flickr.

初詣は青山熊野神社でおまいりしたのですが、機会があったので等々力不動尊でもおまいりしました。ことしも東急にはお世話になるので。無事事故の無い一年を送れたらいいですね。

市川で元旦を過ごして翌日はNeのおばさんの家に遊びに行きました。以前から遊びに来てね、といわれていたのになかなか顔を出す事ができなかったのか心に残っていたので良い機会だったので。

これまでRiさんは他のおばさんと区別できなかったようですが、楽しく優しくしてもらってとても楽しかったようで、次回はちゃんと名前言えると思います。

成人の日の三連休も過ぎてようやく新年本番な感じです。ミュージカルの春の発表のディズニーの英語の歌もだいぶ覚えたようで良いスタートを切れたのかな。

Top 5 artists this week

Sun, 08 Jan 2012 12:00:00 GMT

Top 5 artists this week

Sun, 01 Jan 2012 12:00:00 GMT

今年もありがとうございました。

Fri, 30 Dec 2011 11:22:54 GMT

Friday : Cleaning Stadium St., a photo by hidelafoglia on Flickr.

年の最後に通学路の掃除をしました。
Riさんは掃除が大好きで、夕方Miが帰宅すると掃除を手伝わされたりします。
前からどうしても道端の枯れ葉掃除をしたかったらしく、東急ハンズで清掃道具を買ってきました。
先週に引き続き、今週も掃除。年末なので、たばこの吸い殻を沢山やっつけました。
来年もいい年になりますように。

Top 5 artists this week

Sun, 25 Dec 2011 12:00:00 GMT

Ad Hoc OAuth server

Thu, 22 Dec 2011 01:03:01 GMT

From Evernote:

Ad Hoc OAuth server

A RP can be a OAuth server for the other RP(client).

With providing kinda “License Token” to a RP, the RP can be securely provide End-User’s protected resource to the other RP.

(1) OAuth ”code” is delivered to a Client RP

(2) Request an access token.

(3) Issue an access token if the Client RP, code and other conditions are valid.

(1)-(3) are can be omitted if OAuth flow is implicit.

OP embeds “license code” as a claim of the access token, which is a kinda access code for the Server RP in a particular authorization.

A specific Server RP is selected when the End-User grants the authorization.

(4) The Client RP request the resource for the access token. That’s an OAuth.

(5) The Server RP request the “license token” for the license code in the access token requested by the Client RP.

(6) Issue the license token for the access token if the license code, the Server RP and other conditions are valid.

In license code, PPID for the Server RP of the End-User and other claims are included to response the End-User’s protected resource.

(7) Load resource for the license token if the relationship with access token and other conditions are valid.

(8) Publish protected resource to the Client RP.

Point:

- The Client RP is just a OAuth client. It doesn’t know what special are going on underneath.

- The Server RP doesn’t have to implement OAuth Authorization Server process.

- PPID can be used. Client and Server don’t have to share the End-User’s identifier.

- Licence Code and Token can be easily implemented at the Authorization Server(OP) in mostly same way as access token.

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

Ad Hoc OAuth server

Thu, 22 Dec 2011 01:02:39 GMT

From Evernote:

Ad Hoc OAuth server

A RP can be a OAuth server for the other RP(client).

With providing kinda “License Token” to a RP, the RP can be securely provide End-User’s protected resource to the other RP.

(1) OAuth ”code” is delivered to a Client RP

(2) Request an access token.

(3) Issue an access token if the Client RP, code and other conditions are valid.

(1)-(3) are can be omitted if OAuth flow is implicit.

OP embeds “license code” as a claim of the access token, which is a kinda access code for the Server RP in a particular authorization.

A specific Server RP is selected when the End-User grants the authorization.

(4) The Client RP request the resource for the access token. That’s an OAuth.

(5) The Server RP request the “license token” for the license code in the access token requested by the Client RP.

(6) Issue the license token for the access token if the license code, the Server RP and other conditions are valid.

In license code, PPID for the Server RP of the End-User and other claims are included to response the End-User’s protected resource.

(7) Load resource for the license token if the relationship with access token and other conditions are valid.

(8) Publish protected resource to the Client RP.

Point:

- The Client RP is just a OAuth client. It doesn’t know what special are going on underneath.

- The Server RP doesn’t have to implement OAuth authorization process.

- PPID can be used. Client and Server don’t have to share the End-User’s identifier.

- Licence Code and Token can be easily implemented at the Authorization Server(OP) in mostly same way as access token.

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »

Top 5 artists this week

Sun, 18 Dec 2011 12:00:00 GMT

Connect/OAuth: Credentials

Fri, 16 Dec 2011 01:52:33 GMT

Posted via email from Notes for Digital Identities and Computing in the Cloud | Comment »