Welcome to OpenID Connect

What is OpenID Connect?

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.

How is OpenID Connect different than OpenID 2.0?

OpenID Connect performs many of the same tasks as OpenID 2.0, but does so in a way that is API-friendly, and usable by native and mobile applications. OpenID Connect defines optional mechanisms for robust signing and encryption. Whereas integration of OAuth 1.0a and OpenID 2.0 required an extension, in OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself.

Specification Organization

The OpenID Connect 1.0 specification consists of eight documents:

  • Basic Client Profile – Lightweight simple self-contained specification for a web-based Relying Party using the OAuth code flow.
  • Implicit Client Profile Lightweight simple self-contained specification for a web-based Relying Party using the OAuth implicit flow.
  • Discovery – (Optional) Defines how user and provider endpoints are dynamically discovered.
  • Dynamic Registration – (Optional) Defines how clients dynamically register with OpenID Providers.
  • Messages – Defines the messages that are used in OpenID Connect in a manner that is independent of the binding used.
  • Standard – Full HTTP binding for the Messages specification, for both Relying Parties and OpenID Providers.
  • Session Management – (Optional) Defines how to manage OpenID Connect sessions, including logout functionality.
  • OAuth 2.0 Multiple Response Types – Registration document for several specific new response types, in accordance with the stipulations of the OAuth Parameters Registry.

OpenID Connect also uses a number of other specifications, which are also shown in the diagram below. Click on the boxes in the diagram to view each specification.

OpenID Connect Map

Participation

The easiest way to monitor progress on the OpenID Connect 1.0 Specification is to join the mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab.

Please note that while anyone can join the mailing list as a read-only recipient, posting to the mailing list or contributing to the specifications requires the submission of an IPR Agreement. More information is available at http://openid.net/intellectual-property. Make sure to specify the working group as “OpenID AB/Connect”, because this group is a merged working group and both names must be specified.

The working group specification repository is kept at http://svn.openid.net/repos/specifications/connect/1.0/. In this repository, only approved sub-versions are committed. If you want to live on the edge, go to http://hg.openid.net/connect/ where we keep edit by edit commits. These edits make it into SVN once they are approved by the editors.

Interop Testing

Interop testing for OpenID Connect implementations is under way. If you are interested in participating in the interop activities, join the OpenID Connect Interop mailing list.

Developers and Early Adopters

We are working on reference endpoints for developers and early adopters to use; stay tuned for information on the provider and client samples as they become available. Implementers are already using one another’s endpoints for testing in the current OpenID Connect Interop.

Status

The OpenID Connect specifications are functionally complete. A first set of Implementer’s Drafts was approved in February, 2012. Feedback on these drafts based upon experience with implementations and deployments has been incorporated into the specifications; new Implementer’s Drafts incorporating that feedback will be published in May, 2013.

The OpenID Connect working group is currently waiting for the IETF specifications that OpenID Connect depends upon to stabilize before publishing final specifications. People are encouraged to deploy the current specifications and continue providing feedback on them.

See more details at the OpenID Connect Working Group Page.