OpenID’s Second Act: OpenID Connect


Many in the open standards community have a “what have you done for me lately” chip implanted deep in their programming souls. It’s logical to want the evolution of OpenID technology to keep up with the rate of its adoption. We all want the pace of technology improvement to map onto the promise of what has become the most popular decentralized single-sign-on protocol on the web. Some of the most impatient include members of the Board of the OpenID Foundation who aren’t satisfied with hanging an “over a billion served” on the OpenID Foundation website.

The “co-evolution” of OAuth and OpenID

Late last year, the members of the OpenID Artifact Binding and OpenID Connect Working Groups joined forces to develop a simple, common specification. The result had been informally referred to as “OpenID Artifact Binding/Connect” or “OpenID ABC”. Key contributors from both working groups have been working on a core specification ever since. Weekly specification calls have methodically focused on identifying and closing open issues. A key milestone was reached at IIW earlier this month: the remaining open issues were identified, tradeoffs debated, and all issues closed – with consensus decisions recorded in the Artifact Binding mailing list archives. The working group is now refining the specifications to reflect those decisions, as well as tracking the evolution of closely related specifications like OAuth 2.0.

Having passed this gate, the OpenID board decided to brand the result “OpenID Connect” and solicit as wide and diverse feedback as possible. The OpenID Retail Summit at PayPal, the “Security” Summit at Symantec, and last week’s OpenID Summit in Munich at the European Identity Conference all featured detailed briefings and feedback on OpenID Connect. While still a work in progress, OpenID Connect has achieved the levels of participation and consensus needed to advance to the next phase: interoperability testing for multiple use cases in several venues worldwide. We’ll continue to engage developers and potential deployers about OpenID Connect at upcoming OpenID Summits, including the next summit on July 19 in Colorado sponsored by Ping Identity, in order to better understand, critique, refine, test, and ready OpenID Connect for prime time.

A look under the hood of OpenID Connect:

– web and developer friendly, building upon OAuth 2.0 and JSON
– simple site registration functionality (the “Connect” part)
– works well on mobile phones (the “Artifact Binding” part)
– simple JSON-based claims model
– reuses claims definitions from existing Portable Contacts specification
– can achieve a range of security characteristics, spanning use cases from social networks to those needing higher levels of assurance
– modular specifications, so deployers need only implement the functionality their applications need.

The strength of open standards is the ongoing scrutiny from a global community of supporters and skeptics. Progress depends on those with the “courage of the first draft.” Our special thanks go to OpenID Board members Mike Jones, Nat Sakimura, and John Bradley, together with Breno de Medeiros from Google and Chuck Mortimore from Salesforce: working group participants whose dedication and perspectives were critical to building consensus, closing the open issues, and setting the stage for OpenID’s next act.

Don Thibeau
Executive Director



2 thoughts on “OpenID’s Second Act: OpenID Connect”

  • Stefano

    Hi,
    This OpenID concept is awesome. At least it works on many sites. I tried to log in with my ID to Launchpad (to report some Ubuntu bugs) and they asked me to create another OpenID-like account on Launchpad to use the advantages of a unique authentication method on many sites. What? If I have an OpenID account, why am I not able to use it on the Launchpad site as well, and why do I need to create another one for the same purpose? I am totally confused. Maybe I missed something. Help me out!
    Regards,
    Stef.

  • mercuryjtb

    myopenid is one of a kind and is giving security to a member on the web, but I felt my privacy was a bit encroached when my anti-phishing software submitted my credentials to openid.net.