OpenID Connect

Issue/Topic: OpenIDConnect Deep Dive

Session: Tuesday 5E

Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page

Convener: Breno de Medeiros/ David Recordon

Notes-taker(s): Chuck Mortimore

Tags:

OpenID Connect, OpenID Artifact Binding

Discussion notes:

Comparison and Contrasts between three proposals for a new generation of OpenID protocol based on Oauth2: The OpenID Artifact Binding (AB), The OpenID Connect proposal 1 (OIC1, by David Recordon, Facebook), and OpenID Connect proposal 2 (OIC2, by Breno de Medeiros, Google)

AB characteristics:


 * Allow to define request parameters by supplying a reference to a file containing a request descriptor, which allows for fixed URL-length requests
 * Provides bindings to all OpenID 2.0 extensions
 * Provides backward-compatibility of identifier
 * Provides a clear path to higher levels of assurance
 * Based on Oauth2 WebServer profile

OIC1/OIC2 characteristics:


 * Provides OpenID Connect flows for multiple Oauth2 profiles (Web Server, User-Agent, Assertion)
 * Support clients that are not capable to perform cryptographic operations
 * Establish a standard Oauth2-protected endpoint, called the UserInfo API endpoint
 * Binding of OpenID extensions TBD
 * Emphasis on new identifier format: binding between old and new identifiers must be provided by a defined account linking step
 * Higher levels of assurance path not described; however, because both OIC1 and OIC2 call for the user of standard JSON tokens to convey assertions, the AB security mechanisms are directly translatable in OIC1/OIC2

In addition, OIC1 describes a mechanism for session management.

Additional discussion on OIC1/OIC2:


 * Reconciled token format between OIC1 and OIC2: both now call for a signed JSON blob containing an expiration date, a user_id, and the Oauth2 access token, all signed; and additionally return the Oauth2 token separately for convenience of clients that are not crypto-savvy