Welcome to OpenID Connect

OpenID Connect is in Implementer’s Draft Review Period

The OpenID Connect specifications (based on the OAuth 2.0 protocol) are functionally complete. They are now Implementer’s Drafts. Feedback on these drafts is occurring based upon implementations and deployments.

Current Status: Working Draft → Implementer’s Draft Review Period (Dec. 24, 2011 to Feb. 6, 2012) → Implementer’s Draft Voting (Feb. 7-13, 2012) → Implementer’s Draft (Feb. 14, 2012) → Feedback on Implementer’s Drafts → Final Review Period → Final Voting → OIDF Standard

See the Working Group Pages for more detailed status.

What is OpenID Connect?

OpenID Connect is a suite of lightweight specifications that provide a framework for identity interactions via RESTful APIs. The simplest deployment of OpenID Connect allows clients of all types, including browser-based, mobile, and JavaScript clients, to request and receive information about identities and currently authenticated sessions. The specification suite is extensible, allowing participants to optionally also support encryption of identity data, discovery of the OpenID Provider, and advanced session management, including logout.

How is OpenID Connect different from OpenID 2.0?

OpenID Connect performs many of the same tasks as OpenID 2.0, but does so in a way that is API-friendly. OpenID Connect can also be extended to include more robust mechanisms for signing and encryption. Integration of OAuth 1.0a and OpenID 2.0 required an extension (called the OpenID/OAuth hybrid); in OpenID Connect, OAuth 2.0 capability is built into the protocol itself.

Specification Organization

The OpenID Connect 1.0 specification consists of six documents, which are listed below (click on the boxes in the diagram to view each specification). These documents are still being revised to incorporate additional feedback from early developers; see the mailing list for notifications of new revisions.

  • Basic Client Profile – Lightweight, simple, self-contained specification for a web-based Relying Party.
  • Discovery – (Optional) Defines how user and provider endpoints are dynamically discovered.
  • Dynamic Registration – (Optional) Defines how clients dynamically register with OpenID Providers.
  • Standard – Full HTTP binding specification, for both clients and OpenID Providers; references Messages.
  • Messages – Lists all the messages that are used in OpenID Connect. You can use this to create additional bindings for Connect, such as an OpenID Connect binding for XMPP.
  • Session Management – (Optional) Defines how to manage OpenID Connect sessions.
  • OAuth 2.0 Multiple Response Type Encoding Practices – Registration document for several specific new response types, in accordance with the stipulations of the OAuth Parameters Registry.

OpenID Connect Map

Participation

The easiest way to monitor progress on the OpenID Connect 1.0 Specification is to join the mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab.

Please note that while anyone can join the mailing list as a read-only recipient, posting to the mailing list or actively contributing to the specification itself requires the submission of an IPR Agreement. More information is available at http://openid.net/intellectual-property. Make sure to specify the working group as “OpenID AB/Connect”, because this group is a merged working group and both names must be specified.

The working group specification repository is kept at http://svn.openid.net/repos/specifications/connect/1.0/. Only approved sub-versions are committed to this repository. If you want to live on the edge, go to http://hg.openid.net/connect/, where we keep edit-by-edit commits. These edits make it into SVN once they are approved by the editors.

Interop Testing

Interop testing for OpenID Connect implementations is under way. If you are interested in participating in the interop activities, join the OpenID Connect Interop mailing list.

Developers and Early Adopters

We are working on reference endpoints for developers and early adopters to use; stay tuned for information on the provider and client samples as they become available. Implementers are already using one another’s endpoints for testing in the current OpenID Connect Interop.