• Basic Client Profile – Simple self-contained specification for a web-based Relying Party.  (This spec contains a subset of the information in Messages and Standard.)
• Discovery – Defines how user and provider endpoints can be dynamically discovered.
• Dynamic Registration – Defines how clients can dynamically register with OpenID Providers.
• Messages – Defines all the messages that are used in OpenID Connect.  (These messages are used by the Standard binding.)
• Standard – Complete HTTP binding of the Messages, for both Relying Parties and OpenID Providers.
• Multiple Response Type Encoding – Registers OAuth 2.0 response_type values used by OpenID Connect.

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification.  This note starts the 45 days public review period for the specification drafts in accordance with the OpenID Foundation IPR policies and procedures.  This review period will end on Monday, February 6, 2012.

Unless issues are identified during the review that the working group believes must be addressed by revising the drafts, this review period will be followed by a seven day voting period during which OpenID Foundation members will vote on whether to approve these drafts as OpenID Implementer’s Drafts.

The specifications are posted at these locations:

• http://openid.net/specs/openid-connect-basic-1_0-15.html
• http://openid.net/specs/openid-connect-discovery-1_0-07.html
• http://openid.net/specs/openid-connect-registration-1_0-08.html
• http://openid.net/specs/openid-connect-messages-1_0-07.html
• http://openid.net/specs/openid-connect-standard-1_0-07.html
• http://openid.net/specs/oauth-v2-multiple-response-types-1_0-03.html

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.

Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.  Foundation members will be asked to vote on approving these specifications as Implementer’s Drafts.

You can send feedback on the specifications in a way that enables the working group to act on your feedback by

1. signing the contribution agreement at http://openid.net/intellectual-property/ to join the AB+Connect working group,
2. joining the working group mailing list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, and
3. sending your feedback on that list.

The biggest difference you’ll notice is that there is now only one spec to implement for “Minimal” clients (rather than previously three).  A number of people had asked that there be a single, simple, self-contained spec that basic relying parties could implement.  That spec is the OpenID Connect Basic Client Profile.  That’s all you need for a web-based relying party utilizing a pre-configured set of OpenID Providers.

For “Dynamic” configurations, where the set of OpenID Providers is not pre-configured, Discovery and Dynamic Client Registration capabilities are added to enable RPs to discover OP endpoints and to connect with the OP selected.  This functionality is needed for “open” OpenID Connect interactions.

OpenID Providers, native client applications, and clients needing more functionality than that provided by the Basic Client Profile implement the OpenID Connect Standard binding for the OpenID Connect Messages.  Finally, OPs and RPs needing session management capabilities, including logout, also implement OpenID Connect Session Management.

As you can see, the current organization remains highly modular, where implementations can build and deploy only what they need.  Now that modularity is even better reflected in the way that the specs are written – particularly that there is a single, self-contained basic client specification.

In closing, we’d like to thank developers for the valuable feedback provided to date.  Your input has both improved the technical content of OpenID Connect, and possibly even more importantly, made the specs simpler and easier to understand.

OpenID Connect uses the best practices of widely used OAuth/REST/JSON based APIs to define a standard and interoperable way to authenticate users.  Developers should care because rather than having to learn an new and slightly different version of essentially the same API every time they want to integrate with a different identity provider, they can just do it in a standard way using a consistent interface.  In the long run, OpenID Connect will make the web more interoperable, because it makes it easier for developers to integrate with multiple services.

FYI, the working group *is* planning to reorganize the specs to have the minimal set of OpenID Connect functionality be contained in a single document, although this will likely not be in place for a few weeks.  Even before that is done, we wanted to make people aware of this set of specs now so early implementation work and technical feedback can occur.  Remaining edits to the specs should consist of corrections, clarifications, and reorganization, rather than additions of significant new functionality.  For now, developers should start with the (admittedly awkwardly named) OpenID Connect HTTP Redirect Binding spec.

Let the feedback and prototyping begin! [*1]

[*1] The easiest way to do is to join the AB list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, submit the contribution agreement from http://openid.net/intellectual-property/ (which you can now do online!), and then send comments to the openid-specs-ab@lists.openid.net .

We plan to take advantage of face to face discussions on the around the next version of openID.

For those attending and others I want to point to the various potions of the spec work so that people have that in hand for IIW.

One of the changes from openID 2.0 is that the new specification is more modular.

The following diagram illustrates the components and links to the specs:

(Click on the diagram to see each specifications.)

Everything is built on top of OAuth 2.0 and the Bearer Token Profile of OAuth.

We are supporting multiple OAuth Flows for different device types.

The heart of OpenID Connect is the Core spec that describes the abstract protocol.

Discovery of user identifiers such as email for URI is performed by a profile of Simple Web Discovery

Session Management is currently a separate spec, however it may be folded into Core.

Revised: Core 1.0d03 incorporates the session management endpoints and eliminates some duplication.

Outstanding Issues

We are hoping to use our face 2 face time around IIW to resolve some of the outstanding issues:

We will be producing a implementers guide to make it easier for people to build clients without having to wade through all of the separate specs.

Expect an update after IIW in May.

John B.

Specifically, the PAPE Specification enables Relying Parties to request that OpenID Providers employ specified authentication policies when authenticating users and for OpenID Providers to inform the Relying Parties which policies were actually used.  With PAPE, for instance, a Relying Party can request that the OpenID Provider employ a phishing-resistant authentication method for authenticating the user, and know whether such a method was used or not.  The specification can also be used to request multi-factor authentication and to learn what NIST level (or other levels) the authentication conforms to.

At the time of this writing, the working group is aware of at least four implementations of the specification:  PHP, Ruby, and Python development versions from OpenID Enabled and a .NET version from the DotNetOpenID project.

The PAPE working group looks forward to seeing use of the specification help make OpenID interactions more secure in the real world!

– Mike Jones, for the PAPE Working Group