101 Session / OpenID Connect
OpenID primer
Tuesday 2B Convener: Mike Jones Notes-taker(s): Vicky Risk
Tags for the session - technology discussed/ideas considered:
OpenID Connect is based on OAuth 2.0. The older, more specific OpenID 2.0 protocol was obsoleted around 2015.
Question about multifactor authentication (not covered in the presentation) from Mark Rank of Cirrus Identity (mark.rank@cirrusidentity.com).
OpenID Connect Implementer's Drafts for session management/logout: there are 3 separate methods, appropriate for different use cases (Session Management, which lets the RP poll the OP's session state from an iframe; Front-Channel Logout, where the OP loads each RP's logout URI in the user's browser; Back-Channel Logout, where the OP posts a signed logout token directly to each RP).
Federation specification (InCommon, NORDUnet, etc., used in academic and research settings). The OpenID Connect Federation specification enables establishment and maintenance of multi-party federations using OpenID Connect. It defines hierarchical JSON metadata for federation participants.
How does DID relate to OpenID? You could define a DID which triggers an OpenID login.
OpenID Certification program
- Technical evidence of conformance resulting from testing
- Legal statement of conformance
Call to action to get your OpenID implementations certified, and to give feedback on the additional tests being defined now. Invitation to join the mailing list (lists.openID.net/…/opened-specs-ab).
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Question: how do you know when you're done testing for security vulnerabilities, given that new attacks are being developed all the time? Good question. Some of the most important tests are negative tests. For example, one of the most important tests for a relying party is, "Are you checking signatures at all?" We are trying to cover all the MUSTs in the spec.
Are there periodic updates to the certification process? Yes, there are version identifiers that tie to versions of the certification test software.
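The "are you checking signatures at all?" negative test described above, worked through in code. This is an added example written for these notes, not code from the session, the OpenID Foundation or the certification suite. It assumes an OP that signs ID tokens with HS256 using the client secret as the key (which OIDC Core permits), and the issuer, client_id, secret, nonce and claim values are all made up. It shows two relying parties: one that just decodes the claims, and one that pins the algorithm, checks the MAC, and then validates iss, aud/azp, exp and nonce. Both are fed a genuine token, a token whose sub was rewritten under the original signature, and an alg=none variant.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for this example only (not from any real OP or RP).
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-id"
CLIENT_SECRET = b"rp-client-secret-at-least-32-bytes-long!"  # HS256 key = client_secret octets
NONCE = "n-0S6_WzA2Mj"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS the way an OP would when it signs ID tokens with the client secret."""
    signing_input = b64url_encode(_json({"alg": "HS256", "typ": "JWT"})) + "." + b64url_encode(_json(claims))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def sample_id_token(now: float) -> str:
    """Constructed sample ID token; every claim value is made up for the example."""
    return sign_hs256({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                       "iat": int(now), "exp": int(now) + 300, "nonce": NONCE}, CLIENT_SECRET)


def decode_unverified(token: str) -> dict:
    """The RP that fails the negative test: it reads the claims and never looks at the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_id_token(token: str, key: bytes, now=None) -> dict:
    """Hardened RP: pin the alg, check the MAC, then validate the claims (OIDC Core 3.1.3.7)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the expected alg rather than trusting the token header, so alg=none is rejected outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp must name this client when aud lists several")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != NONCE:
        raise ValueError("nonce mismatch (replay or CSRF)")
    return claims


def tamper(token: str, **changes) -> str:
    """Rewrite claims but keep the OP's signature, as an attacker holding a captured token would."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(changes)
    return h + "." + b64url_encode(_json(claims)) + "." + s


def alg_none(token: str) -> str:
    """Swap the header for alg=none and strip the signature."""
    return b64url_encode(_json({"alg": "none"})) + "." + token.split(".")[1] + "."


def negative_test(rp, token: str, now: float) -> dict:
    """Feed an RP a genuine token plus two forged ones; record the sub it accepts, or None if rejected."""
    cases = [("genuine", token), ("tampered_sub", tamper(token, sub="admin")), ("alg_none", alg_none(token))]
    results = {}
    for name, candidate in cases:
        try:
            results[name] = rp(candidate, now)["sub"]
        except (ValueError, KeyError, json.JSONDecodeError):
            results[name] = None
    return results


if __name__ == "__main__":
    now = time.time()
    token = sample_id_token(now)
    print("no signature check:", negative_test(lambda t, n: decode_unverified(t), token, now))
    print("verified:          ", negative_test(lambda t, n: verify_id_token(t, CLIENT_SECRET, n), token, now))
```

The unverified RP happily logs in "admin" from the tampered token and accepts the alg=none token, which is exactly what the certification negative test is designed to catch; the verifying RP rejects both. Note that the alg check comes before the MAC check: deciding which key or algorithm to use from the token's own header is how alg=none and key-confusion bugs arise, so a real RP pins the alg it registered with the OP (and, for asymmetric algs, resolves keys by kid from the OP's JWKS) instead.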