OpenID Connect Wins 2012 European Identity and Cloud Award

Published April 18, 2012
Today at the European Identity and Cloud Conference it was announced that OpenID Connect has won the 2012 European Identity and Cloud Award for “Best Innovation / New Standard”.  The OpenID Foundation and the Connect working group members want to thank Kuppinger Cole for this prestigious award and their vote of confidence in the significance of OpenID Connect. Dave Kearns of Kuppinger Cole said this about the award:
“I’m pleased that Kuppinger Cole has granted OpenID Connect the award for Best Innovation/New Standard this year.  What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors.  I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices.  My congratulations to the OpenID Foundation!”
The application presented by the OpenID Foundation that resulted in the award follows.

European Identity & Cloud Awards 2012

Project company: OpenID Foundation
Award category: Best Innovation / New Standard in Information Security
1) Name of the Standard OpenID Connect 2) Brief description of the Standard OpenID Connect is a simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications.  Its design philosophy is “make simple things simple and make complicated things possible”. While OAuth 2.0 is a generic access authorization delegation protocol, thus enabling the transfer of arbitrary data, it does not define ways to authenticate users or communicate information about them. OpenID Connect provides a secure, flexible, and interoperable identity layer on top of OAuth 2.0 so that digital identities can be easily used across sites and applications. While enabling a default set of common claims about the user (such as name, e-mail address, and a user identifier enabling SSO) to be easily employed, OpenID Connect also enables participants to exchange any claims relevant to their application using simple JSON-based data structures. As it is based in OAuth 2.0, OpenID Connect reaches beyond the Web. OpenID Connect brings identity interactions to “apps” and “native applications” on both smart phones and traditional computing devices, in addition to Web sites. From a security perspective, OpenID Connect was built to be able to gracefully range from the low security levels typically employed for social networks to medium security levels needed for business applications to high security requirements needed for many government applications.  OpenID Connect spans this wide range of applications by using JSON-based digital signature and encryption standards. From a privacy perspective, OpenID Connect allows the selective sharing of attributes with user consent. It also enables the use of pairwise pseudonymous identifiers, thereby avoiding correlations as appropriate. From a business perspective, OpenID Connect meets business needs for the use of claims from multiple Claims Providers in a single context (rather than a single Identity Provider being the source of all claims for any given interaction).  It enables the use of Aggregated Claims, where signed claim values can be collected and passed on by OpenID Providers and the use of Distributed Claims, where claims are passed by reference, rather than by value, and dynamically retrieved by Relying Parties. From a design perspective, OpenID Connect’s modular design enables flexible deployments. Implementations can use only the components they need, while still remaining interoperable.  For instance, “Discovery” and “Dynamic Client Registration” can used in deployments where OpenID Providers can be chosen dynamically, whereas they aren’t needed if the site or application uses only a fixed set of OpenID Providers. Unlike the previous version of OpenID, user identities can be e-mail addresses that people already have and know, rather than being URLs that most people have difficulty using. 3) Who is contributing to the standard? OpenID Connect was developed in an OpenID Foundation working group.  OpenID working groups are open to all free of charge who sign the IPR Contribution agreement. Contributors include a diverse international representation of industry and independent technology leaders:  AOL, Deutsche Telecom, Facebook, Google, Microsoft, Mitre Corporation, mixi, Nomura Research Institute, PayPal, Salesforce, Yahoo! Japan, and others. 4) When is it expected to be finalized? OpenID Connect is in the Implementer’s Draft review period. That stage is similar to the DIS (Draft International Standard) phase of the ISO process. The approval vote will complete on February 15, 2012. The OpenID Connect specifications are expected to be competed in the second half of 2012. 5) What are the key Identity management objectives?
  • Interoperability
  • Security
  • Ease of deployment
  • Flexibility
  • Wide support of devices
  • Enabling Claims Providers to be distinct from Identity Providers
6) Does the standard exceed key objectives? Yes. 7) Are there live deployments? Yes. e.g., Google, Gakunin (Japanese Universities Network), Nikkei Newspaper, etc. Mature deployments are under way by working group participants. 8) Does the deployment touch customers/consumers/citizens?  If so, what benefit(s) is the application delivering to customers/consumers/citizens?
  • More secure and familiar online interactions
  • Easier to use authentication and attribute sharing
9) Does the deployment successfully address one of more of the following identity issues? If so, please provide brief examples.
  • Help prevent/reduce identity theft?  Yes.
  • Help address ease of use issues? Yes.
  • Help meet regulatory requirement? Yes.
  • Meet unique vertical market objectives? Yes.
10) Why should this standard win the European Identity/Cloud Award?  OpenID Connect is a significant advance in digital identity that:
  1. is simple to build and deploy, being based upon existing JSON/REST standards,
  2. spans both Web and native applications, including mobile “apps”,
  3. has wide support from major cloud service providers, enterprise companies, and social networking companies,
  4. helps combat identity theft by reducing the number of passwords in use,
  5. enables new Web based services and expands existing online markets,
  6. spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.
OpenID Connect is an important contribution to a safer, privacy protecting, and easy to use computing environment that spans the cloud, the Web, enterprises, and mobile applications and has broad industry backing. For these reasons, OpenID Connect merits the 2012 European Identity/Cloud Award.