OpenID Foundation Connect Working Group update presented by Michael Jones (Microsoft) at the OpenID Foundation Workshop at VMware on Monday, October 22, 2018.
3. You're Probably Already Using OpenID Connect!
• If you have an Android phone or log in at AOL, Deutsche Telekom, Google, Microsoft, NEC, NTT, Salesforce, Softbank, Symantec, Verizon, or Yahoo! Japan, you're already using OpenID Connect
  – Many other sites and apps large and small also use OpenID Connect
5. Numerous Awards
• OpenID Connect won 2012 European Identity Award for Best Innovation/New Standard
  – http://openid.net/2012/04/18/openid-connect-wins-2012-european-identity-and-cloud-award/
• OAuth 2.0 won in 2013
• JWT/JOSE won in 2014
• OpenID Certification program won 2018 Identity Innovation Award
7. Federation Specification
• Roland Hedberg created the OpenID Connect Federation specification
  – http://openid.net/specs/openid-connect-federation-1_0.html
• Enables establishment and maintenance of multi-party federations using OpenID Connect
• Defines hierarchical JSON-based metadata structures for federation participants
• Prototype implementations being tested
8. Session Management / Logout
• Three approaches being pursued by the working group:
  – Session Management
    • http://openid.net/specs/openid-connect-session-1_0.html
    • Uses HTML5 postMessage to communicate state change messages between OP and RP iframes
  – Front-Channel Logout
    • http://openid.net/specs/openid-connect-frontchannel-1_0.html
    • Uses HTTP GET to load image or iframe, triggering logout
    • Similar to options in SAML, WS-Federation
  – Back-Channel Logout
    • http://openid.net/specs/openid-connect-backchannel-1_0.html
    • Server-to-server communication not using the browser
    • Can be used by native applications, which have no active browser
• All support multiple logged in sessions from OP at RP
• Unfortunately, no one approach is best for all use cases
• Is it time to move to Final Specifications?
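Added example, not code from the presentation or from any OpenID specification: a relying-party check of the Logout Token that an OP posts to the RP in the Back-Channel Logout approach above. It signs with HS256 and a constructed shared secret purely to stay self-contained (deployed OPs sign logout tokens with the same keys and algorithm as ID Tokens, typically RS256); the issuer, client_id, secret and 120-second iat tolerance are assumed sample values.

```python
import base64, hashlib, hmac, json, time

# Event URI that the Back-Channel Logout spec requires in the "events" claim
EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS for a constructed sample token (HS256 keeps this stand-alone)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_logout_token(token, key, issuer, client_id, now=None, max_age=120):
    """Check signature and the spec's claim rules; raise ValueError on the first failure.
    max_age (seconds of iat skew tolerated) is an assumed RP policy, not a spec value."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":   # pin the expected alg; never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > max_age:
        raise ValueError("iat missing or outside tolerance")
    if not claims.get("jti"):
        raise ValueError("jti missing")          # an RP should also reject a jti it has already seen
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(EVENT), dict):
        raise ValueError("backchannel-logout event missing")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("sub or sid required")
    if "nonce" in claims:
        raise ValueError("nonce must be absent")  # stops an ID Token being replayed as a logout token
    return claims
```

On success the RP terminates the session(s) identified by sid and/or sub; any ValueError means the token must be ignored and the request answered with an error.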
9. Second Errata Set
• Errata process corrects typos, etc. discovered
  – Makes no normative changes
• Edits under way for second errata set
• See http://openid.net/specs/openid-connect-core-1_0-23.html for current Core errata draft
• Waiting for OAuth AS metadata spec draft-ietf-oauth-discovery to finish
  – So we can register OpenID Discovery metadata values
  – Spec just progressed to the RFC Editor
• I plan to do the remaining edits during IIW
10. Current Related Work
• International Government Profile (iGov) Working Group
  – Developing OpenID Connect profile for government & high-value commercial applications
• Enhanced Authentication Profile (EAP) Working Group
  – Enables Token Bound ID Tokens
  – Enables integration with FIDO and other phishing-resistant authentication solutions
11. OpenID Certification
• OpenID Certification enables OpenID Connect implementations to be certified as meeting requirements of defined conformance profiles
• Now OP and RP certification profiles for:
  – Basic OP and Basic RP
  – Implicit OP and Implicit RP
  – Hybrid OP and Hybrid RP
  – OP Publishing and RP Using Configuration Information
  – Dynamic OP and Dynamic RP
• See http://openid.net/certification/ and http://openid.net/certification/faq/
  – And accompanying certification presentation!
12. Open Conversation
• How are you using OpenID Connect?
• What would you like the working group to know and do?