Category: OpenID Page 2 of 12

OpenID Federation Interop Event at SUNET in Stockholm

On May 16, 2025

In Events, Federation, Interoperability, OpenID, People, Specifications

At the end of April, I had the privilege of gathering in Stockholm with 30 participants to perform interoperability testing among 14 different OpenID Federation implementations. Leif Johansson and SUNET were fabulous hosts for the meeting at their offices in Stockholm. People from 15 countries participated, coming from as far as Australia and New Zealand! We performed eight different classes of tests between the implementations plus tested the OpenID Certification tests being developed for OpenID Federation.

It was great to have many of the core contributors to OpenID Federation come together and meet one another, most in-person, a few virtually, many for the first time. The sense of community and shared mission in the room was palpable! Besides testing, we also took time for architectural discussions, addressing open issues, and of course, socializing over drinks and dinners.

I must say that the OpenID Foundation staff who helped organize the meeting did a bang-up job! Stephanie Meli and Gareth Narinesingh both pitched in in numerous ways, resulting in a flawless and fun event! I’d normally be the one blogging and posting to capture the essence of the event, but they already more than covered that base. Their posts are full of facts, anecdotes, and photos. Check them out…

I thought I’d add a few more photos and graphics to capture the spirit of the interop.

In-Person Participants at SUNET

Logos of Participating Organizations

Roland Hedberg

OpenID Federation Browser View of KIT Federation

Celebrating in Stockholm

So you want to use Digital Credentials? You’re now facing a myriad of choices!

In CBOR, Claims, Events, Federation, IETF, Interoperability, JSON, OpenID, Privacy, Specifications

EIC 2025 Logo I gave the keynote talk So you want to use Digital Credentials? You’re now facing a myriad of choices! at EIC 2025. I opened by describing engineering choices – credential formats (W3C VCs, ISO mDOCs, SD-JWTs, SD-CWTs, JWPs, X.509 Certificates), issuance and presentation mechanisms (bespoke and standards-based, in-person and remote), mechanisms for choosing them (query languages, user interfaces), and trust establishment mechanisms (trust lists, certificates, and federation).

I then upped the ante by talking about the criticality of usability, the challenges of building ecosystems (something Andrew Nash first explained to me most of two decades ago!), and how digital credentials are not an end in and of themselves; they’re a tool to help us solve real-world problems. And of course, I closed by coming back to my theme Standards are About Making Choices, urging us to come together and make the right choices to enable interoperable use of digital credentials in ways that benefit people worldwide.

View my slides as PowerPoint or PDF. I’ll also post a link to the video of the presentation here once Kuppinger Cole posts it.

EIC 2025 Andrew Nash

Thought Experiment on Trust Establishment

Will people be able to use it and want to?

Standards Are About Making Choices

Thank You to SIROS

Mike Jones Candid

Five Million Italian Digital Wallet Users

In Federation, OpenID, Software, Specifications

My friend Giuseppe De Marco shared the article “Documenti su IO: 5 milioni di attivazioni per IT-Wallet” with me about how five million people are now using the Italian digital wallet. It adds the information that 4.3 million health cards, 4 million driver’s licenses and 100,000 European Disability Cards have been issued to those wallets. These are significant accomplishments!

(Yes, the article is in Italian. ;-) I read it with the assistance of machine translation.)

These accomplishments are made possible through use of standards. Having just been at an OpenID Federation interop event in Stockholm, Sweden, I find it particularly timely that this is an example of five million people productively using OpenID Federation in their daily lives.

This article about the Italian Digital Wallet System is a good companion piece, providing insights into the goals of the Italian Digital Wallet project. I recommend them both!

Finishing the OpenID Connect EAP ACR Values specification

On April 9, 2025

In OpenID, Phishing Resistance, Specifications

The OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 specification has started its 60-day review to become an OpenID Final Specification. Recent steps leading up to this were:

I added Context Class definitions to the Authentication Context Class Reference Values (“acr” values) defined by the specification, which enabled me to finally register them in the IANA “Level of Assurance (LoA) Profiles” registry. Doing so required me to create two XML Schema Description (XSD) files – something I never thought I’d have to do! Thanks to Leif Johansson for explaining to me how to do that.
A two-week Working Group Last Call (WGLC) for the specification was held in the OpenID Enhanced Authentication Profile (EAP) working group.
I added Security Considerations suggested by Andrii Deinega and Brian Campbell during the WGLC.

The specification is glue that ties together OpenID Connect, W3C Web Authentication, and FIDO Authenticators, enabling them to be seamlessly used together.

The two ACR values defined by the specification are:

phr:
Phishing-Resistant. An authentication mechanism where a party potentially under the control of the Relying Party cannot gain sufficient information to be able to successfully authenticate to the End User’s OpenID Provider as if that party were the End User. (Note that the potentially malicious Relying Party controls where the User-Agent is redirected to and thus may not send it to the End User’s actual OpenID Provider). NOTE: These semantics are the same as those specified in [OpenID.PAPE].
phrh:
Phishing-Resistant Hardware-Protected. An authentication mechanism meeting the requirements for phishing-resistant authentication above in which additionally information needed to be able to successfully authenticate to the End User’s OpenID Provider as if that party were the End User is held in a hardware-protected device or component.

The Phishing-Resistant definition dates back 2008!

For the record, the two XSD files that I wrote to get us here are:

OpenID Presentations at April 2025 OpenID Workshop and IIW

On April 9, 2025

In Events, OpenID

As has become traditional, I gave the following presentation at the Monday, April 7, 2025 OpenID Workshop at Google:

OpenID Connect Working Group Update (PowerPoint) (PDF)

I also gave this invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 8, 2025:

Introduction to OpenID Connect (PowerPoint) (PDF)

A Significant Event Without Fanfare

On April 4, 2025

In OpenID, Specifications

A significant event in digital identity occurred without fanfare today. Presentation Exchange was removed from the OpenID for Verifiable Presentations specification. It had once-upon-a-time been the only query language used for verifiable credential presentation. In October 2024, the Digital Credential Query Language (DCQL) was added alongside it. Today, after much discussion by the working group, Presentation Exchange was removed, making DCQL the only query language supported. Importantly, this was done before OpenID4VP became a final specification.

Replacing Presentation Exchange (PE) has been a multi-year journey. I’ve been advocating for its replacement for years, including leading two sets of unconference discussions titled “What does Presentation Exchange do and what parts of it do we actually need?” – one in August 2023 at the OAuth Security Workshop and one in October 2023 at the Internet Identity Workshop. These discussions were intended to create awareness of the need to replace PE and start building consensus for its removal. Others also took this position early with me, including Tobias Looker and Oliver Terbu. Daniel Fett and Brian Campbell were receptive to the possibility early as well.

Removing a feature that people had taken a dependency on is not without pain. Numerous prototype wallets and verifiers used parts of it. But that’s the rub. There was so much there in Presentation Exchange that most implementations didn’t use most of it. As a result, interoperability, while possible, was a tricky and sometimes elusive target.

Presentation Exchange was ambitious in scope. It was a Swiss Army Knife of a specification. A goal was to enable complex queries for multiple credentials based on a general-purpose query language intended to be able to be used over credentials represented in JSON in any way. You could even include attributes of credentials other just their claims in the queries, such as algorithms and formats. You could ask for 2 of this or 3 of that and one or more of the following, as long as it is in format X, Y, or Z. It didn’t follow one of my guiding standards principles: “Keep simple things simple.” As a result, negative feedback from implementers grew over time.

Now we have a purpose-built query language designed for the task and protocol at hand. Is it as simple as it could be? No. Are all the features motivated by real-world non-hypothetical use cases? Yes.

The creation of DCQL was led by Daniel Fett. A precursor query language that helped inform DCQL was created by Oliver Terbu, Tobias Looker, and myself. Discussions at the Internet Identity Workshop informed what became DCQL, as did discussions at the IDUnion hackathon in Nürnberg in 2024 that included Kristina Yasuda, Christian Bormann, and Paul Bastian.

You can see OpenID4VP when PE was the only query language, when it had both query languages, and now with only DCQL. Compare for yourself.

Let me close by saying that I respect the people who created Presentation Exchange to a person. I count many of them as friends. They took a complex multi-faceted problem and wrapped their arms around it, producing a concrete solution. Much can be said in favor of those who pick up the pen and dare to create. Much was learned from what they produced, and it helped bootstrap an emerging industry. We wouldn’t be where we are today, were it not for their pioneering efforts!

In the end, the removal happened unceremoniously, with the merge of a pull request, like so many other changes – nearly anticlimactic. But this one marks a sea change in how credentials are presented. Thanks to all who made this happen!

I didn’t want to let the moment pass without recognizing its significance.

The Cambrian Explosion of OAuth and OpenID Specifications

On February 28, 2025

In Events, IETF, OAuth, OpenID, Specifications

OAuth Security Workshop Vladimir Dzhuvinov and I led a discussion on The Cambrian Explosion of OAuth and OpenID Specifications at the 2025 OAuth Security Workshop in Reykjavík.

The abstract for the session was:

The number of OAuth and OpenID specifications continues to grow. At present there are 30 OAuth RFCs, two more in the RFC Editor queue, 13 OAuth working group drafts, and another eight individual OAuth drafts that may advance. There are nine JOSE RFCs and seven working group drafts. There are four SecEvent RFCs. On the OpenID side, there are 12 final OpenID Connect specs, three final FAPI specs, one final MODRNA spec, three final eKYC-IDA specs, and 24 Implementer’s drafts across the OpenID working groups, plus another ten working group drafts.

The number of possible combinations boggles the mind. And there’s no end in sight!

What’s a developer to do? How have people and companies gone about selecting and curating the specs to implement in an attempt to create coherent and useful open source and commercial offerings? And faced with such an array of combinations and choices, how are application developers to make sense of it all? How can interoperability be achieved in the face of continued innovation?

This session will prime the pump by discussing choices made by some existing open source and commercial offerings in the OAuth and OpenID space and lead to an open discussion of choices made by the workshop attendees and the reasoning behind them. It’s our goal that useful strategies emerge from the discussion that help people grapple with the ever-expanding sets of specifications and make informed implementation choices, while still fostering the innovation and problem-solving that these specifications represent.

The slides used to queue up the discussion session are available as PowerPoint and PDF. Also, see the list of 101 OAuth and OpenID-related specifications referenced during the discussion.

The topic seems to have touched a chord. Many people were clearly already thinking about the situation and shared their views. Some of them were:

Nobody actually expects everyone to implement everything.
Stopping things is super hard. But sometimes it’s necessary (as Brian Campbell put it, “when they’re wrong”).
Timing can be fickle. What may not be useful at one time can turn out to be useful later.
Some specs are highly related and often used together. But those relationships are not always apparent to those new to the space.
We need better on-ramps to help people new to the space wrap their arms around the plethora specs and what they’re useful for.
Well-written profiles are a way of managing the complexity. For instance, FAPI 2 limits choices, increasing both interoperability and security.
The amount of innovation happening is a sign of success!

Thanks to the organizers for a great tenth OAuth Security Workshop! And special thanks to the colleagues from Signicat who did a superb job with local arrangements in Reykjavík!

Twenty Years of Digital Identity!

On February 2, 2025

In Events, IETF, JSON, OAuth, OpenID, People

Kim Cameron first told me what Digital Identity is on February 1, 2005. He said that the Internet was created without an identity layer. He encouraged me “You should come help build it with me.” I’ve been at it ever since!

What I wrote about digital identity a decade ago remains as true today:

An interesting thing about digital identity is that, by definition, it’s not a problem that any one company can solve, no matter how great their technology is. For digital identity to be “solved”, the solution has to be broadly adopted, or else people will continue having different experiences at different sites and applications. Solving digital identity requires ubiquitously adopted identity standards. Part of the fun and the challenge is making that happen.

I’m not going to even try to list all the meaningful identity and security initiatives that I’ve had the privilege to work on with many of you. But I can’t resist saying that, in my view, OpenID Connect, JSON Web Token (JWT), and OAuth 2.0 are the ones that we knocked out of the park. I tried to distill the lessons learned from many of the initiatives, both successes and failures, during my 2023 EIC keynote Touchstones Along My Identity Journey. And there’s a fairly complete list of the consequential things I’ve gotten to work on in my Standards CV.

I’ll also call attention to 2025 marking twenty years of the Internet Identity Workshop. I attended the first one, which was held in Berkeley, California in October 2005, and all but one since. What a cast of characters I met there, many of whom I continue working with to this day!

As a personal testament to the value of IIW, it’s where many of the foundational decisions about what became JWS, JWE, JWK, JWT, and OpenID Connect were made. Particularly, see my post documenting decisions made at IIW about JWS, including the header.payload.signature representation of the JWS Compact Serialization and the decision to secure the Header Parameters. And see the posts following it on JWE decisions, naming decisions, and JWK decisions. IIW continues playing the role of enabling foundational discussions for emerging identity technologies today!

It’s been a privilege working with all of you for these two decades, and I love what we’ve accomplished together! There’s plenty of consequential work under way and I’m really looking forward to what comes next.

Images are courtesy of Doc Searls. Each photo links to the original.

Integrity Properties for Federations

On December 6, 2024

In Federation, OpenID, People, Specifications

I’m writing to highly recommend the article “How to link an application protocol to an OpenID Federation 1.0 trust layer” by Vladimir Dzhuvinov. In it, he defines two kinds of integrity for Federations, and describes how to achieve them:

Federation Integrity, which is defined as:

This ensures mutual trust between two entities is established always from a common trust anchor. Any resolved metadata and policies that govern the client application and the OpenID provider in a transaction will then fall under the rules of the same federation and thus will be aligned and consistent with one another.

Metadata Integrity, which is defined as:

It ensures the trust chains for an entity to a given trust anchor will invariably result in consistent metadata and policies. The natural way to achieve this is for the federation topology under a trust anchor to form a tree. Topologies that lead to multiple paths from a leaf entity to a trust anchor are to be avoided.

The article also explores how application protocols, such as OpenID Connect or digital wallet protocols, can achieve those properties in practice (and when they do and don’t need to).

Finally, I’ll note that, as a result of Vladimir’s and others’ thinking about the topic, we just added a section on Federation Topologies to the OpenID Federation specification, which provides concrete guidance on how to achieve Metadata Integrity.

I’ll stop here so as not to repeat all the useful content in Vladimir’s article. By all means, give it read!

Three New Specs Enhancing OpenID Federation and New Contributors

On November 30, 2024

In Federation, OpenID, People, Specifications

The OpenID Connect working group recently adopted three new specifications that build upon and provide new capabilities to OpenID Federation. But I’m not only happy about these because of the engineering benefits they bring.

I’m particularly happy because they bring new active contributors to the work, specifically Michael Fraser and Łukasz Jaromin, as well as continuing the strong work by Giuseppe De Marco, who’s become a leader in the space. They’re also supported by a few veterans: Roland Hedberg, John Bradley, and yours truly, plus now the full OpenID Connect working group.

Here’s the three new specifications, along with an abstract for each of them:

1. OpenID Federation Extended Subordinate Listing

This specification acts as an extension to OpenID Federation 1.0. It outlines methods to interact with a given Federation with a potentially large number of registered Entities, as well as mechanisms to retrieve multiple entity statements along with associated details in a single request.

2. OpenID Federation Wallet Architectures

As digital wallets become increasingly deployed for managing identity credentials, establishing an architecture for trusted communication is required to allow each participant in the ecosystem to evaluate other participants’ compliance with mutual trust frameworks and accomplish secure and trusted transactions.

This specification defines how to use OpenID Federation 1.0 to enhance the security and interoperability of wallet ecosystems, facilitating trust establishment among the parties and enabling secure metadata exchange and policy application across large scale deployments. It outlines the general architecture of a federated trust infrastructure for wallet ecosystems, identifying participant roles and describing the use of those roles.

3. OpenID Connect Relying Party Metadata Choices

This specification extends the OpenID Connect Dynamic Client Registration 1.0 specification to enable RPs to express a set of supported values for some RP metadata parameters, rather than just single values. This functionality is particularly useful when Automatic Registration, as defined in OpenID Federation 1.0, is used, since there is no registration response from the OP to tell the RP what choices were made by the OP. This gives the OP the information that it needs to make choices about how to interact with the RP in ways that work for both parties.

Thanks to the members of the OpenID Connect working group who helped refine them before adoption, and are now working on progressing them in the working group.

OpenID Presentations at October 2024 OpenID Workshop and IIW plus New Specifications

On October 29, 2024

In Events, OpenID, Specifications

I gave the following presentation on work in the OpenID Connect working group at the Monday, October 28, 2024 OpenID Workshop at Microsoft:

OpenID Connect Working Group Update (PowerPoint) (PDF)

I also gave this invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 29, 2024:

Introduction to OpenID Connect (PowerPoint) (PDF)

There’s more happening in the OpenID Connect working group than at any other time since we started the OpenID Connect work. In fact, two new specifications were adopted today!

Thanks to all who helped us get there!

OpenID Connect specifications published as ISO standards

On October 1, 2024

In ISO, OpenID, Specifications

I’m thrilled to report that the OpenID Connect specifications have now been published as ISO/IEC standards. They are:

I submitted the OpenID Connect specifications for publication by ISO as Publicly Available Specifications (PAS) for the OpenID Foundation in December 2023. Following the ISO approval vote, they are now published. This should foster even broader adoption of OpenID Connect by enabling deployments in jurisdictions around the world that have legal requirements to use specifications from standards bodies recognized by international treaties, of which ISO is one.

Before submitting the specifications, the OpenID Connect working group diligently worked through the process of applying errata corrections to the specifications, so that the ISO versions would have all known corrections incorporated.

Having successfully gone through the ISO PAS submission process once, the OpenID Foundation now plans to submit additional families of final specifications for publication by ISO. These include the FAPI 1.0 specifications, and once they’re final, the eKYC-IDA specifications and FAPI 2.0 specifications.

Thanks to all who helped us achieve this significant accomplishment!

Fourth and Likely Last Implementer’s Draft of OpenID Federation Specification

On July 25, 2024

In Claims, Federation, OAuth, OpenID, Specifications

The OpenID Foundation has approved the Fourth Implementer’s Draft of the OpenID Federation Specification. This is a major step towards having the specification become final.

The previous Implementer’s Draft was in 2021. A lot has happened since then, largely motivated by feedback from actual implementations and deployments. Some highlights of progress made in the spec since then are:

Changed name from OpenID Connect Federation to OpenID Federation, since Federation can be used for trust establishment for any protocol (including OpenID Connect).
Introduced distinct Federation endpoints.
Clearly defined and consistently used the terms Entity Statement, Entity Configuration, and Subordinate Statement.
Clearly defined which claims can occur in which kinds of Entity Statements.
Clearly defined Entity Types and the Federation Entity entity type.
Enhanced description of Trust Mark issuance and usage.
Defined relationship between metadata and metadata policy.
Clearly defined interactions between policy operators.
Defined where constraints may occur.
Tightened descriptions of Automatic Registration and Explicit Registration.
Added Historical Keys.
Defined and used trust_chain JWS Header Parameter.
Allowed Trust Chains to start with non-Trust Anchors.
Clarified use of client authentication.
Used OAuth Protected Resource Metadata.
Consistent error handling.
Added General-Purpose JWT Claims section.
Comprehensive use of content types and media types.
IANA registration of parameters, claims, and media types.
Added and improved many diagrams.
Substantial rewrites for increased consistency and clarity.
Added Giuseppe De Marco and Vladimir Dzhuvinov as editors.

As a preview of coming attractions, I’ll note that profiles of OpenID Federation are being written describing how it being used in wallet ecosystems and how it is being used in open finance ecosystems. And we’re creating a list of implementations. Watch this space for future announcements.

Special thanks to all the implementers and deployers who provided feedback to get us to this point!

Celebrating Ten Years of OpenID Connect at Identiverse and EIC

On June 11, 2024

In Claims, Events, Federation, History, JSON, OAuth, OpenID, Specifications

EIC 2024 Logo Identiverse Logo We held the second and third of the three planned tenth anniversary celebrations for the completion of OpenID Connect at the 2024 Identiverse conference and European Identity and Cloud Conference. That concludes celebrations in Asia, the Americas, and Europe!

At both Identiverse and EIC, panelists included Nat Sakimura, John Bradley, and myself. Chuck Mortimore joined us at Identiverse. And Torsten Lodderstedt added his perspectives at EIC. We shared our perspectives on what led to OpenID Connect, why it succeeded, and what lessons we learned along the way.

The most common refrain throughout our descriptions was the design philosophy to “Keep simple things simple”. This was followed closely by the importance of early feedback from developers and deployers.

Chuck reached back in time to his OpenID slides from 2011. He reflected on what he was thinking at the time versus what actually happened (and why). Torsten pointed out the importance of cooperation, certification, security analysis, open standards, and an approachable community. At Identiverse, Nat reached back 25 years, examining the intellectual underpinnings and history of OpenID. And at EIC, Nat tackled assertions that OpenID Connect can be complex. John concluded by observing that the OpenID idea is greater than any particular specification.

Our recent OpenID Connect 10th anniversary sessions were:

Identiverse: Panel PowerPoint PDF
EIC: Panel PowerPoint PDF

They build upon the celebration at the OpenID Summit Tokyo 2024.

Thanks to the organizers of all these events for sponsoring the celebrations!

Standards are About Making Choices

On June 9, 2024

In CBOR, Claims, Cryptography, Events, FIDO, IETF, Interoperability, JSON, OAuth, OpenID, Phishing Resistance, Specifications, W3C

EIC 2024 Logo I was honored to give the keynote presentation Standards are About Making Choices at the 2024 European Identity and Cloud Conference (EIC) (PowerPoint) (PDF). The abstract was:

When building machines, we take for granted being able to use nuts, bolts, wires, light bulbs, and countless other parts made to industry standards. Standards contain choices about dimensions of screw threads, nut sizes, etc., enabling a marketplace of interoperable parts from multiple suppliers. Without these choices, every part would be custom manufactured. The same is true of the identity and security standards we use to build identity systems.

However, the identity and security standards at our disposal differ wildly in the degree to which they do and don’t make choices. Some consistently define ONE way to do things, resulting in everyone doing it that way (interoperability!). Others leave critical choices unmade, passing the buck to implementers and applications (your mileage may vary).

In this talk, I’ll name names and take prisoners, critiquing existing and emerging standards through the lens of the choices they made and failed to make. Hold on to your hats as we examine the pros and cons of the choices made by OAuth, SAML, X.509, OpenID Connect, Verifiable Credentials, DIDs, WebCrypto, JOSE, COSE, and many others through this lens!

I believe you’ll agree with me that making choices matters.

The conference keynote description includes a recording of the presentation.

Thanks to MATTR for providing a designer to work with me on the presentation, enabling the visual design to transcend my usual black-text-on-white-background design style!

Using Standards: Some Assembly Required

On May 30, 2024

In CBOR, Claims, Cryptography, Events, FIDO, IETF, Interoperability, JSON, OAuth, OpenID, Phishing Resistance, Specifications, W3C

Identiverse Logo I gave the following presentation in the session Using Standards: Some Assembly Required at the 2024 Identiverse conference (PowerPoint) (PDF). The abstract was:

Standards are about making choices. When building machines, we take for granted being able to use nuts, bolts, wires, light bulbs, and countless other parts made to industry standards. Standards contain choices about dimensions of screw threads, nut sizes, etc., enabling a marketplace of interoperable parts from multiple suppliers. Without these choices, every part would be custom-manufactured. The same is true of the identity and security standards we use to build the Identity Engine. However, the identity and security standards at our disposal differ wildly in the degree to which they do and don’t make choices. Some consistently define ONE way to do things, resulting in everyone doing it that way (interoperability!). Others leave critical choices unmade, passing the buck to implementers and applications (your mileage may vary). In this talk, I’ll name names and take prisoners, critiquing existing and emerging standards through the lens of the choices they made and failed to make. Hold on to your hats as we examine the pros and cons of the choices made by OAuth, SAML, X.509, OpenID Connect, Verifiable Credentials, DIDs, WebCrypto, JOSE, COSE, and many others through this lens! I believe you’ll agree with me that making choices matters.

The audience was highly engaged by the process of giving existing and emerging standards letter grades based on the choices they made (or failed to make)!

Proposed Implementer’s Draft of OpenID Federation

On May 21, 2024

In Federation, OpenID, Specifications

The OpenID Connect working group has started working group last call (WGLC) for a proposed Implementer’s Draft of the OpenID Federation specification. As described in the WGLC message:

OpenID Federation -35 has been published at https://openid.net/specs/openid-federation-1_0-35.html and https://openid.net/specs/openid-federation-1_0.html. This draft is being proposed as the fourth (and hopefully final) Implementer’s Draft of the specification.

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. The two-week working group last call ends on Friday, May 31, 2024. Unless reasons are identified during the last call to substantially revise the specification, the 45-day OpenID Foundation-wide review of the specification for approval as an OpenID Implementer’s Draft will shortly follow.

Special thanks to all the implementers and deployers who provided feedback to get us to this point!

OpenID Federation Session at April 2024 IIW

On April 18, 2024

In Events, Federation, OpenID

John Bradley and I convened a session on Trust Establishment with OpenID Federation at the Internet Identity Workshop (IIW) on Thursday, April 18, 2024. The material used to drive the discussion was:

Trust Establishment with OpenID Federation (PowerPoint) (PDF)

The session was well attended and the discussion lively. Numerous people with trust establishment problems to solve contributed, including experts from the SAML federation world, people involved in digital wallet projects, and several people already using or considering using OpenID Federation. Thanks to all who participated!

OpenID Presentations at April 2024 OpenID Workshop and IIW

On April 16, 2024

In Events, OpenID

As has become traditional, I gave the following presentation at the Monday, April 15, 2024 OpenID Workshop at Google:

OpenID Connect Working Group Update (PowerPoint) (PDF)

I also gave this invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 16, 2024:

Introduction to OpenID Connect (PowerPoint) (PDF)

Continued refinement: OpenID Federation draft 33 published

On February 23, 2024

In Federation, OpenID, Specifications

OpenID Federation draft 33 has been published at https://openid.net/specs/openid-federation-1_0-33.html and https://openid.net/specs/openid-federation-1_0.html. The working group continues refining the specification to make it more consistent and easier to read and implement.

We published draft 33 now to get these improvements out to implementers. Per the history entries at https://openid.net/specs/openid-federation-1_0-33.html#name-document-history, a summary of changes made in -32 and -33 is:

-33:

Addressed #2111: The metadata_policy_crit claim MAY only appear in Subordinate Statements and its values apply to all metadata_policies found in the Trust Chain.
Fixed #2096: Authorization Signed Request Object may contain trust_chain in its payload and should not in its JWS header parameters.
Strengthen language requiring client verification with automatic registration.
Fixed #2076: Promoted Trust Marks to be a top-level section.
Added General-Purpose JWT Claims section.
Moved Federation Endpoints section before Obtaining Federation Entity Configuration Information section.
Fixed #2110: Explanation text when multiple entity_type parameters are provided in the Subordinate Listing endpoint.
Fixed #2112, #2113, and #2114: Defined that client authentication is not used by default and that the default client authentication method, when used, is private_key_jwt. Specified that requests using client authentication use HTTP POST.
Fixed #2104: Allow trust marks in Subordinate Statements for implementation profiles that might want this.
Fixed #2103: Addressed ambiguities in the definition of constraints.

-32:

Tightened OpenID Connect Client Registration section.
Tightened appendix examples.
Fixed #2075: Trust Mark endpoint for the provisioning of the Trust Marks.
Fixed #2085: Trust Marked Entities Listing, added sub URL query parameter.
Made fetch issuer unambiguous by making the iss parameter REQUIRED.
Introduced the term “Subordinate Statement” and applied it throughout the specification. Also consistently use the term “registration Entity Statement” for Explicit Client Registration results.
Clarified where Entity Statement claims can and cannot occur.
Renamed policy_language_crit to metadata_policy_crit.
Fixed #2093: Numbered the list defining the order policy operators are applied in.

Special thanks to Stefan Santesson for his thorough review of the specification in the context of the Swedish Federation deployment!

Powered by WordPress & Theme by Anders Norén