OpenID Connect

From IIW

Issue/Topic: OpenIDConnect Deep Dive

Session: Tuesday 5E

Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page

Convener: Breno de Medeiros/ David Recordon

Notes-taker(s): Chuck Mortimore

Tags:

OpenID Connect, OpenID Artifact Binding

Discussion notes:


Comparison and Contrasts between three proposals for a new generation of OpenID protocol based on Oauth2: The OpenID Artifact Binding (AB), The OpenID Connect proposal 1 (OIC1, by David Recordon, Facebook), and OpenID Connect proposal 2 (OIC2, by Breno de Medeiros, Google)

AB characteristics:

  • Allow to define request parameters by supplying a reference to a file containing a request descriptor, which allows for fixed URL-length requests
  • Provides bindings to all OpenID 2.0 extensions
  • Provides backward-compatibility of identifier
  • Provides a clear path to higher levels of assurance
  • Based on Oauth2 WebServer profile

OIC1/OIC2 characteristics:

  • Provides OpenID Connect flows for multiple Oauth2 profiles (Web Server, User-Agent, Assertion)
  • Support clients that are not capable to perform cryptographic operations
  • Establish a standard Oauth2-protected endpoint, called the UserInfo API endpoint
  • Binding of OpenID extensions TBD
  • Emphasis on new identifier format: binding between old and new identifiers must be provided by a defined account linking step
  • Higher levels of assurance path not described; however, because both OIC1 and OIC2 call for the user of standard JSON tokens to convey assertions, the AB security mechanisms are directly translatable in OIC1/OIC2

In addition, OIC1 describes a mechanism for session management.


Additional discussion on OIC1/OIC2:

  • Reconciled token format between OIC1 and OIC2: both now call for a signed JSON blob containing an expiration date, a user_id, and the Oauth2 access token, all signed; and additionally return the Oauth2 token separately for convenience of clients that are not crypto-savvy