OpenID Connect
From IIW
Issue/Topic: OpenIDConnect Deep Dive
Session: Tuesday 5E
Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page
Convener: Breno de Medeiros/ David Recordon
Notes-taker(s): Chuck Mortimore
Tags:
OpenID Connect, OpenID Artifact Binding
Discussion notes:
Comparison and Contrasts between three proposals for a new generation of OpenID protocol based on Oauth2: The OpenID Artifact Binding (AB), The OpenID Connect proposal 1 (OIC1, by David Recordon, Facebook), and OpenID Connect proposal 2 (OIC2, by Breno de Medeiros, Google)
AB characteristics:
- Allow to define request parameters by supplying a reference to a file containing a request descriptor, which allows for fixed URL-length requests
- Provides bindings to all OpenID 2.0 extensions
- Provides backward-compatibility of identifier
- Provides a clear path to higher levels of assurance
- Based on Oauth2 WebServer profile
OIC1/OIC2 characteristics:
- Provides OpenID Connect flows for multiple Oauth2 profiles (Web Server, User-Agent, Assertion)
- Support clients that are not capable to perform cryptographic operations
- Establish a standard Oauth2-protected endpoint, called the UserInfo API endpoint
- Binding of OpenID extensions TBD
- Emphasis on new identifier format: binding between old and new identifiers must be provided by a defined account linking step
- Higher levels of assurance path not described; however, because both OIC1 and OIC2 call for the user of standard JSON tokens to convey assertions, the AB security mechanisms are directly translatable in OIC1/OIC2
In addition, OIC1 describes a mechanism for session management.
Additional discussion on OIC1/OIC2:
- Reconciled token format between OIC1 and OIC2: both now call for a signed JSON blob containing an expiration date, a user_id, and the Oauth2 access token, all signed; and additionally return the Oauth2 token separately for convenience of clients that are not crypto-savvy