Archive for the 'OpenID' Category

March 6, 2015
HTTP-Based OpenID Connect Logout Spec

A new HTTP-Based OpenID Connect Logout spec has been published. This can coexist with or be used instead of the current HTML postMessage-based Session Management Spec.

The abstract for the new spec states:

This specification defines an HTTP-based logout mechanism that does not need an OpenID Provider iframe on Relying Party pages. Other protocols have used HTTP GETs to RP URLs that clear cookies and then return a hidden image or iframe content to achieve this. This specification does the same thing. It also reuses the RP-initiated logout functionality specified in Section 5 of OpenID Connect Session Management 1.0 (RP-Initiated Logout).

Special thanks to Brian Campbell, Torsten Lodderstedt, and John Bradley for their insights that led to some of the decisions in the spec.

February 5, 2015
2015 OpenID Foundation Board Election Results

Thanks to those of you who re-elected me to a two-year term on the OpenID Foundation board of directors. As I wrote in my candidate statement, while OpenID is having notable successes, our work is far from done. Taking it to the next level will involve both additional specifications and strategic initiatives by the foundation. I plan to continue taking an active role in making open identity solutions even more successful, valuable, and ubiquitous. Thanks for placing your trust in me!

I’d like to also take this opportunity to congratulate my fellow board members who were also re-elected: Torsten Lodderstedt, John Bradley, and George Fletcher. See the OpenID Foundation’s announcement of the 2015 election results for more information.

November 21, 2014
A JSON-Based Identity Protocol Suite

My article A JSON-Based Identity Protocol Suite has been published in the Fall 2014 issue of Information Standards Quarterly, with this citation page. This issue on Identity Management was guest-edited by Andy Dale. The article’s abstract is:

Achieving interoperable digital identity systems requires agreement on data representations and protocols among the participants. While there are several suites of successful interoperable identity data representations and protocols, including Kerberos, X.509, SAML 2.0, WS-*, and OpenID 2.0, they have used data representations that have limited or no support in browsers, mobile devices, and modern Web development environments, such as ASN.1, XML, or custom data representations. A new set of open digital identity standards have emerged that utilize JSON data representations and simple REST-based communication patterns. These protocols and data formats are intentionally designed to be easy to use in browsers, mobile devices, and modern Web development environments, which typically include native JSON support. This paper surveys a number of these open JSON-based digital identity protocols and discusses how they are being used to provide practical interoperable digital identity solutions.

This article is actually a follow-on progress report to my April 2011 position paper The Emerging JSON-Based Identity Protocol Suite. While standards can seem to progress slowly at times, comparing the two makes clear just how much has been accomplished in this time and shows that what was a prediction in 2011 is now a reality in widespread use.

September 10, 2014
General Availability of Microsoft OpenID Connect Identity Provider

Microsoft has announced that the Azure Active Directory OpenID Connect Identity Provider has reached general availability. Read about it in Alex Simons’ release announcement. The OpenID Provider supports discovery of the provider configuration information as well as session management (logout). The team participated in public OpenID Connect interop testing prior to the release. Thanks to all of you who performed interop testing with us.

August 20, 2014
Microsoft JWT and OpenID Connect RP libraries updated

This morning Microsoft released updated versions of its JSON Web Token (JWT) library and its OpenID Connect RP library as part of today’s Katana project release. See the Microsoft.Owin.Security.Jwt and Microsoft.Owin.Security.OpenIdConnect packages in the Katana project’s package list. These are .NET 4.5 code under an Apache 2.0 license.

For more background on Katana, you can see this post on Katana design principles and this post on using claims in Web applications. For more on the JWT code, see this post on the previous JWT handler release.

Thanks to Brian Campbell of Ping Identity for performing OpenID Connect interop testing with us prior to the release.

March 20, 2014
Growing list of OpenID Connect libraries available

As described in today’s post, a growing list of OpenID Connect and JWT/JOSE libraries are available. Check them out at

February 26, 2014
OpenID Connect Specifications are Final!

The OpenID Connect Core, OpenID Connect Discovery, OpenID Connect Dynamic Registration, and OAuth 2.0 Multiple Response Types specifications are now final! These are the result of almost four years of intensive work, both by specification writers including myself, and importantly, by developers who built, deployed, and interop tested these specifications throughout their development, significantly improving the quality of both the specs and their implementations as a result.

Throughout the development of OpenID Connect, we applied the design philosophy “keep simple things simple”. While being simple, OpenID Connect is also flexible enough to enable more complex things to be done, when necessary, such as encrypting claims, but this flexibility doesn’t come at the cost of keeping simple things simple. Its simplicity is intended to make it much easier for deployers to adopt than previous identity protocols. For instance, it uses straightforward JSON/REST data structures and messages, rather than XML/SOAP or ASN.1.

I want to take this opportunity to thank several key individuals without whose enthusiastic participation and expertise OpenID Connect wouldn’t have come into being. Nat Sakimura and John Bradley were there every step of the way, both motivating the features included and providing their insights into how to make the result both highly secure and very usable. Breno de Medeiros and Chuck Mortimore were also key contributors, bringing their practical insights informed by their implementation and deployment experiences throughout the process. I want to acknowledge Don Thibeau’s leadership, foresight, wisdom, and perseverance in leading the OpenID Foundation throughout this effort, bringing us to the point where today’s completed specifications are a reality. Numerous people at Microsoft deserve credit for believing in and supporting my work on OpenID Connect. And finally, I’d like to thank all the developers who built OpenID Connect code, told us what they liked and didn’t, and verified that what was specified would actually work well for them in practice.

Of course, final specifications are really just the beginning of the next journey. I look forward to seeing how people will use them to provide the Internet’s missing identity layer, making people’s online experiences, both on the Web and on their devices, easier, safer, and more satisfying!

February 11, 2014
Vote to Approve Final OpenID Connect Specifications Under Way

The vote to approve final OpenID Connect Core, OpenID Connect Discovery, OpenID Connect Dynamic Registration, and OAuth 2.0 Multiple Response Types specifications is now under way. The OpenID Connect Session Management and OAuth 2.0 Form Post Response Mode specifications are also being approved as Implementer’s Drafts. Voting closes on Tuesday, February 25, 2014.

Please vote now!

February 6, 2014
Congratulations to Torsten Lodderstedt on his election to the OpenID Board

My congratulations to Torsten Lodderstedt on his election to the OpenID Board on behalf of Deutsche Telekom. And my thanks to Lasse Andresen of ForgeRock and Chuck Mortimore of Salesforce for also being willing to serve. I look forward to serving on the board with Torsten and agree with Chuck’s comment that any of these candidates would do a fine job!

December 20, 2013
Public review of proposed Final OpenID Connect Specifications has begun

I’m thrilled that OpenID Connect is significantly closer to being done today. Proposed final specifications were published yesterday and the 60 day public review period, which leads up to a membership vote to approve the specifications, began today. Unless recall-class issues are found during the review, this means we’ll have final OpenID Connect specifications on Tuesday, February 25, 2014!

My sincere thanks to all of you who so generously shared your vision, expertise, judgment, and time to get us to this point – both those of you who worked on the specs and those who implemented and deployed them and tested your code with one another. I consider myself privileged to have done this work with you and look forward to what’s to come!

December 19, 2013
Fourth and possibly last Release Candidates for final OpenID Connect specifications and Notice of 24 hour review period

The fourth and possibly last set of release candidates for final OpenID Connect specifications is now available. Per the decision on today’s working group call, this message starts a 24 hour final working group review period before starting the 60 day public review period. Unless significant issues are raised during the 24 hour review period, we will announce that these specifications are being proposed as Final Specifications by the working group.

The release candidates for Final Specification status are:

Accompanying release candidates for Implementer’s Draft status are:

Accompanying Implementer’s Guides are:

December 18, 2013
Third Release Candidates for final OpenID Connect specifications

The third set of release candidates for final OpenID Connect specifications is now available. The changes since the second release candidates have mostly been to incorporate review comments on the Discovery, Dynamic Registration, and Multiple Response Types specifications. All known review comments have now been applied to the specifications.

The release candidates for Final Specification status are:

Accompanying release candidates for Implementer’s Draft status are:

Accompanying Implementer’s Guides are:

December 15, 2013
Second Release Candidates for final OpenID Connect specifications

The second set of release candidates for final OpenID Connect specifications is now available. The updates to these specs since the first set of release candidates are the result of the most extensive reviews that the OpenID Connect specifications have ever undergone – including 10 complete reviews of the OpenID Connect Core spec. Thanks to all of you who helped make these the clearest, easiest to use OpenID Connect specifications ever!

The release candidates for Final Specification status are:

Accompanying release candidates for Implementer’s Draft status are:

Accompanying Implementer’s Guides are:

Please do a final review of the OpenID Connect Core specification now, because the results of all review comments have now been applied to it. A small number of review comments to the other specs remain, and will be addressed in the next few days, at which point a third and hopefully final set of release candidates will be released.

October 15, 2013
First Release Candidates for final OpenID Connect specifications

I’m pleased to announce that the first release candidate versions for final OpenID Connect specifications have been published. The complete set of specifications has been updated to resolve all issues that had been filed against the specs being finished.

Please review these this week, in time for the in-person working group meeting on Monday. Besides publishing the specs in the usual formats, I’ve also created a Word version of the core spec with tracked changes turned on to facilitate people marking it up with specific proposed text changes. If you’re in the working group, please download it and make any corrections or changes you’d like to propose for the final specification.

The release candidate spec versions are:

Two implementer’s guides are also available to serve as self-contained references for implementers of basic Web-based Relying Parties:

Thanks to Nat Sakimura for the early feedback. The structure of Core has been changed somewhat since -13 to adopt some of his suggestions.

October 13, 2013
OpenID Connect Specs Nearing Completion

Based on feedback from developers, the OpenID Connect working group decided to replace the OpenID Connect Messages and OpenID Connect Standard specifications with a new OpenID Connect Core specification that combines the contents from both of them before finishing OpenID Connect. The content has also been restructured to separate Authentication from other features such as Claims and to have separate Authentication sections for the different OAuth 2.0 flows. No changes to the protocol were made. The publication of this new spec is another major step towards finishing OpenID Connect.

Please review this and the other OpenID Connect specifications in the coming week. While a few local changes will still be made this week to address issues that have been identified since the approval of the Implementer’s Drafts, I fully expect that the working group will decide at the in-person working group meeting just over a week from now that it’s time to publish proposed final specifications.

Thanks to Nat Sakimura for producing a proof-of-concept document restructuring that the structure of the current OpenID Connect Core spec is based upon. And thanks to Torsten Lodderstedt for convincing us that the specs will be clearer by better separating the descriptions of logically distinct features while combining previously separate descriptions of highly interrelated functionality.

July 31, 2013
Second OpenID Connect Implementer’s Drafts Approved

The OpenID Foundation members have voted to approve a second set of OpenID Connect Implementer’s Drafts. The working group intends for the final specifications to be compatible with these Implementer’s Drafts.

Implementer’s Drafts are stable versions of specifications intended for trial implementations and deployments that provide specific IPR protections to those using them. Implementers and deployers are encouraged to continue providing feedback to the working group on these specifications based upon their experiences using them.

July 30, 2013
OpenID Connect Server in a Nutshell

Nat Sakimura has written a valuable post describing how to write an OpenID Connect server in three simple steps. It shows by example how simple it is for OAuth servers to add OpenID Connect functionality. This post is a companion to his previous post OpenID Connect in a Nutshell, which described how simple it is to build OpenID Connect clients. If you’re involved in OpenID Connect in any way, or are considering becoming involved, these posts are well worth reading.

July 28, 2013
OpenID Connect Presentation at IETF 87

I’ve posted the OpenID Connect presentation that I gave at the OpenID Workshop at IETF 87. Besides giving an overview of the specification status, unsurprisingly given the setting at IETF 87, it also talks about the relationship between OpenID Connect and the IETF specifications that it depends upon. It’s available as PowerPoint and PDF.

July 8, 2013
OpenID Connect Update Presentation at CIS 2013

I’ve posted the OpenID Connect Update presentation that I gave today during the OpenID Workshop at the Cloud Identity Summit 2013. I’ve trimmed down the presentation to be lighter on the “how” and focus more on the “what” and “why”, relative to the one I gave at EIC in May. It’s available in PowerPoint and PDF formats.

June 7, 2013
Proposed Second OpenID Connect Implementer’s Drafts Published

Today marks another significant milestone towards completing the OpenID Connect standard. The OpenID Foundation has announced that the 45 day review period for the second set of proposed Implementer’s Drafts has begun. The working group believes that these are stable and complete drafts. They are being proposed as Implementer’s Drafts, rather than Final Specifications at this time, because of the dependencies on some IETF specifications that are still undergoing standardization – primarily the JSON Web Token (JWT) specification and the JSON Object Signing and Encryption (JOSE) specifications underlying it.

An Implementer’s Draft is a stable version of a specification intended for implementation and deployment that provides intellectual property protections to implementers of the specification. These updated drafts are the product of incorporating months of feedback from implementers and reviewers on earlier specification drafts, starting with the previous Implementer’s Drafts, including feedback resulting from several rounds of interop testing. Thanks to all of you who have been working towards the completion of OpenID Connect!

These specifications are available at:
