What’s New in the Shared Signals Framework?

Published November 3, 2023

Authors: Atul Tulshibagwale (SGNL), Apoorva Deshpande (Okta), and Shayne Miel (Cisco Duo).

A new draft of the Shared Signals Framework has been released for public review. Here’s how it is different from the previous version.

The OpenID Shared Signals Working Group (SSWG) has made important changes to the Shared Signals Framework (SSF) from the first implementer’s draft that was published in June 2021. The new draft entered the 45-day public review period on October 13, 2023.


Changes Summary

The new draft is available for review here. Here are the main areas of changes:


Specification Name

The draft is now called the “Shared Signals Framework” (SSF), instead of the previous name - “Shared Signals and Events Framework”.


Subjects

  • Top-level sub_id claim. The draft now complies with the SubIds recommendation of using sub_id as the subject name and places it at the top-level of the SET. Existing events continue to have the subject member within the event, but new event types need not have this subject
  • Format in complex subjects: The complex subject types now have the following field in them:
"format": "complex"


Transmitter Metadata

  • Well Known URL: The well-known URL of the Transmitter is now at
/.well-known/ssf-configuration

Instead of the previous location which was: /.well-known/sse-configuration

  • Spec Version: A Spec version field is now added to the Transmitter Configuration Metadata (TCM). This is set to the implementer’s draft spec version or the final spec version of the document that the Transmitter supports.
  • Authorization Scheme: An authorization scheme has been added to the TCM to specify how the Transmitter authorizes Receivers.
  • Optional jwks_url: jwks_url is now optional


Streams

  • Multi-Stream Support: The draft now supports multiple streams between the same Transmitter and Receiver. The API has been modified to support creating such streams. The draft still allows a Transmitter to support a single stream per Receiver. However, in either case (single-stream or multi-stream Transmitters), the stream needs to be created. Earlier, Receivers only needed to Update the stream configuration in order to establish communication. It is recommended that the endpoint_url is unique
  • Poll Delivery URL: The draft clarifies that the Transmitter must supply the endpoint_url field in the stream creation process. It also defines how the Transmitter can specify the poll URL.
  • Status Restriction: The stream status methods now do not allow subjects to be included in Stream Status methods.
  • Receiver Supplied Description: The Stream now includes a receiver supplied description
  • “Control Plane” Events Always Included: Clarified language the control plane events (Verification and Stream Updated) are always delivered in the stream regardless of the stream configuration
  • Events Delivered: The draft specifies that events_delivered is a subset (not necessarily a proper subset) of the intersection of events_supported and events_requested. Earlier, it was required to be the intersection.
  • Reason in Status: The stream status now includes an optional reason string


Stream Events

  • No Subjects in SSF “Control Plane” Events: The Stream Verification and Stream Updated events restrict the subject in these events to only reference the stream as a whole.


Security Considerations

  • Authorization: The draft no longer recommends using OAuth 2.0 or the client credentials grant flow
  • Audience: Events are no longer recommended to have the OAuth 2.0 Client ID as the audience


Feedback

We welcome your feedback on this draft. Please write to Atul Tulshibagwale, co-chair of the SSWG with your feedback before the review period ends on November 27, 2023.


About OpenID Foundation

The OpenID Foundation’s vision is to help people assert their identity wherever they choose. And our mission is to lead the global community in creating identity standards that are secure, interoperable, and privacy-preserving. 

Founded in 2007, the OpenID Foundation (OIDF) is a non-profit open standards body developing identity and security specifications that serve billions of consumers across millions of applications.

Learn more here: https://openid.net/foundation/

Tagged