General Availability of Microsoft OpenID Connect Identity Provider

Microsoft has announced the general availability of the Azure Active Directory OpenID Connect Identity Provider. It supports the discovery of provider information as well as session management (logout). On this occasion, the OpenID Foundation wants to recognize Microsoft for its contributions to the development of the OpenID Connect specifications and congratulate them on the general availability of their [...]


Review of Proposed Errata to OpenID Connect Specifications

The OpenID Connect Working Group recommends the approval of Errata to the following specifications:

OpenID Connect Core 1.0 – Defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of Claims to communicate information about the End-User

OpenID Connect Discovery 1.0 – Defines how Relying Parties dynamically discover information [...]


Review of Proposed Implementer’s Draft of OpenID 2.0 to OpenID Connect Migration Specification

The OpenID Connect Working Group recommends approval of the following specification as an OpenID Implementer’s Draft:

OpenID 2.0 to OpenID Connect Migration 1.0 – Defines how to migrate from OpenID 2.0 to OpenID Connect

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This note [...]


The Economics of Identity 3

Those of us working on Internet identity issues have lots of conferences to attend when it comes to technology and privacy. Less attention has been paid to how to make money, how value is created, and how business models and monetization works across sectors. Meanwhile governments and companies are reorganizing to better address Internet identity [...]


Covert Redirect

“Covert Redirect”, publicized in May, 2014, is an instance of attackers using open redirectors – a well-known threat, with well-known means of prevention. The OpenID Connect protocol mandates strict measures that preclude open redirectors to prevent this vulnerability. Please see Section 4.2.4 of RFC 6819 (http://tools.ietf.org/html/rfc6819#section-4.2.4) for more information on open redirector threats and their [...]


More Momentum: OpenID Connect Adoption

In my last blog, I noted, “it’s time to build out the final elements of OpenID Connect and move to mobile.” We’ll soon announce the official working group with the GSMA focused on an OpenID Connect mobile profile. Foundation members, partners and independent developers continue to integrate OpenID Connect in robust and interoperable identity services [...]


Growing list of OpenID Connect libraries available

The list of publicly available OpenID Connect libraries is growing, with implementations available for numerous development platforms and environments, including Drupal, Java, PHP, Python, and Ruby. See the Libraries page for a list of OpenID Connect libraries, as well as libraries implementing the related JSON Web Token (JWT) and JSON Object Signing and Encryption (JOSE) [...]


Last Call on the Launch and the Move to Mobile

This is my first blog after a successful OpenID Connect launch in San Francisco, Barcelona and Japan on February 26th. The launch generated global buzz and coverage. Below are a few links to my previous posts highlighting statements of support and press coverage: Statements of Support; Additional Statements of Support; OpenID Connect Press Coverage. Congratulations [...]


No Oscars, But OpenID Connect Launch Receives International Raves

This past Wednesday, February 26th, the OpenID Foundation, its members and the OpenID Connect Working Group successfully launched the OpenID Connect standard in the US, Europe and Japan. The launch generated press coverage at RSA in San Francisco and the Mobile World Congress in Barcelona. This was made possible by you: our members, contributors. Thanks [...]