Specifications and Implementer’s Guides

Final Specifications

• OpenID Connect Core – Defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of claims to communicate information about the End-User
• OpenID Connect Discovery – (Optional) Defines how clients dynamically discover information about OpenID Providers
• OpenID Connect Dynamic Registration – (Optional) Defines how clients dynamically register with OpenID Providers
• OAuth 2.0 Multiple Response Types – Defines several specific new OAuth 2.0 response types
• OAuth 2.0 Form Post Response Mode – (Optional) Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User Agent using HTTP POST
• OpenID 2.0 to OpenID Connect Migration 1.0 – (Optional) Defines how to migrate from OpenID 2.0 to OpenID Connect

Implementer’s Drafts

• Session Management – (Optional) Defines how to manage OpenID Connect sessions, including postMessage-based logout and RP-initiated logout functionality
• Front-Channel Logout – (Optional) Defines a front-channel logout mechanism that does not use an OP iframe on RP pages
• Back-Channel Logout – (Optional) Defines a logout mechanism that uses direct back-channel communication between the OP and RPs being logged out
• OpenID Connect Federation – (Optional) Defines how sets of OPs and RPs can establish trust by utilizing a Federation Operator
• Initiating User Registration via OpenID Connect – (Optional) Defines the prompt=create authentication request parameter
• Self-Issued OpenID Provider V2 – Enables End-users to use OpenID Providers (OPs) that they control
• OpenID for Verifiable Presentations – This specification defines a mechanism on top of OAuth 2.0 to allow presentation of claims in the form of verifiable credentials as part of the protocol flow.

Drafts

• OpenID Connect RP-Initiated Logout – (Optional) Defines how a Relying Party requests that an OpenID Provider log out the End-User
• OpenID Connect Core Error Code unmet_authentication_requirements – (Optional) Defines the unmet_authentication_requirements authentication response error code
• OpenID Connect Native SSO for Mobile Apps – (Optional) Enables native applications by the same vendor to share login information
• OpenID Connect Profile for SCIM Services – (Inactive) Defines how to use SCIM with OpenID Connect
• OpenID Connect Claims Aggregation – (Optional) Enables RPs to request and Claims Providers to return aggregated claims through OPs
• OpenID for Verifiable Credential Issuance – This specification defines an API and corresponding OAuth-based authorization mechanisms for issuance of verifiable credentials.

Implementer’s Guides

Two implementer’s guides are also available to serve as self-contained references for implementers of basic Web-based Relying Parties:

• Basic Client Implementer’s Guide – Simple subset of the Core functionality for a web-based Relying Party using the OAuth code flow
• Implicit Client Implementer’s Guide – Simple subset of the Core functionality for a web-based Relying Party using the OAuth implicit flow

Moved to the eKYC-IDA working group

• OpenID Connect for Identity Assurance – (Optional) Defines an OpenID Connect extension for Identity Assurance

Repository and Editor’s Drafts

• Official Repository
• HTML editor’s drafts corresponding to the repository contents

Active Members (past and present)

• Nat Sakimura (nat@nat.consulting), NAT.Consulting – Chair
• Mike Jones (mbj@microsoft.com), Microsoft – Co-Chair
• John Bradley (ve7jtb@ve7jtb.com), Yubico – Co-Chair

• Adam Lemmon (adam@trybe.id), TrybeID
• Anthony Nadalin (nadalin@prodigy.net), Independent
• Andreas Åkre Solberg (andreas.solberg@uninett.no), UNINET
• Axel Nennker (axel.nennker@telekom.de), Deutsche Telekom
• Breno de Medeiros (breno@gmail.com), Google
• Brian Campbell (bcampbell@pingidentity.com), Ping Identity
• Bjorn Hjelm (Bjorn.Hjelm@verizonwireless.com), Verizon Wireless
• Casper Biering (cb@peercraft.com), Peercraft
• Chuck Mortimore (charliemortimore@gmail.com), VISA
• David Recordon (recordond@gmail.com), Independent
• David Waite (dwaite@pingidentity.com), Ping Identity
• Edmund Jay (ejay@mgi1.com), Illumila
• Filip Skokan (panva.ip@gmail.com), Auth0
• George Fletcher (gffletch@aol.com), Capital One
• Hans Zandbelt (hans.zandbelt@zmartzone.eu), ZmartZone
• Hideki Nara (hideki.nara@gmail.com), Takt Communications
• Jeremie Miller (jmiller@pingidentity.com), Ping Identity
• Johnny Bufu (johnny.bufu@gmail.com), Independent
• John Bradley (ve7jtb@ve7jtb.com), Yubico
• Joseph Heenan (joseph@authlete.com), Authlete
• Justin Richer (justin@bspk.io), Bespoke Engineering
• Kim Cameron <kim@identityblog.com>, Independent
• Kristina Yasuda (Kristina.Yasuda@microsoft.com), Microsoft
• Luke Shepard (luke@lukeshepard.com), Independent
• Michael B. Jones (mbj@microsoft.com), Microsoft
• Nat Sakimura (nat@nat.consulting), NAT.Consulting
• Nov Matake (nov@matake.jp), Independent
• Oliver Terbu (oliver.terbu@mesh.xyz), ConsenSys Mesh
• Pamela Dingle (Pamela.Dingle@microsoft.com), Microsoft
• Paul Tarjan (paul@paultarjan.com), Independent
• Phil Hunt (phil.hunt@independentid.com), Independent
• Rich Levinson (rich.levinson@oracle.com), Oracle
• Roland Hedberg (roland@catalogix.se), Independent
• Ryo Ito (ryo.ito@mixi.co.jp), mixi, Inc.
• Tim Cappalli (Tim.Cappalli@microsoft.com), Microsoft
• Tobias Looker (tobias.looker@mattr.global), Mattr
• Tom Jones (thomasclinganjones@gmail.com), Independent
• Torsten Lodderstedt (torsten@lodderstedt.net), yes.com
• Vittorio Bertocci (vittorio.bertocci@auth0.com), Auth0
• Vladimir Dzhuvinov (vladimir@connect2id.com), Connect2id