Archive for January, 2013

January 25, 2013
Please Vote Now in the OpenID Board Election

OpenID logoThe election for community (individual) OpenID board members is under way at https://openid.net/foundation/members/elections/14. I encourage all of you to vote now. (Don’t wait until the morning of Wednesday, February 6th!) If you’re not already an OpenID Foundation member, you can join for USD $25 at https://openid.net/foundation/members/registration and participate in the election.

I’m running for the board this time and would appreciate your vote. My candidate statement, which is also posted on the election site, follows.


OpenID has the potential to make people’s online interactions seamless, secure, and more valuable. I am already working to make that a reality.

First, a bit about my background with OpenID… I’ve been an active contributor to OpenID since early 2007, including both specification work and serving the foundation. My contributions to the specification work have included: an author and editor of the OpenID Provider Authentication Policy Extension (PAPE) specification, editor of the OAuth 2.0 bearer token specification (now RFC 6750), an author and editor of the JSON Web Token (JWT) specification and the JSON Object Signing and Encryption (JOSE) specifications, which are used by OpenID Connect, and an active member of the OpenID Connect working group.

I’ve also made substantial contributions to the foundation and its mission, including: In 2007 I worked with the community to create a legal framework for the OpenID Foundation enabling both individuals and corporations to be full participants in developing OpenID specifications and ensuring that the specifications may be freely used by all; this led to the patent non-assertion covenants that now protect implementers of OpenID specifications. I served on the board representing Microsoft in 2008 and 2009, during which time I was chosen by my fellow board members to serve as secretary; you’ve probably read some of the meeting minutes that I’ve written. I’ve served on the board as an individual since 2011. I have helped organize numerous OpenID summits and working group meetings. I chaired the election committee that developed the foundation’s election procedures and software, enabling you to vote with your OpenID. I co-chaired the local chapters committee that developed the policies governing the relationships between local OpenID chapters around the world and the OpenID Foundation. I also serve on the marketing committee and am a member of the Account Chooser working group.

I’d like to continue serving on the OpenID board, because while OpenID has had notable successes, its work is far from done. Taking it to the next level will involve both enhanced specifications and strategic initiatives by the foundation. Through OpenID Connect, we are in the process of evolving OpenID to make it much easier to use and deploy and to enable it to be used in more kinds of applications on more kinds of devices. The Account Chooser work is making it easier to use identities that you already have across sites. I’m also pleased that the Backplane Exchange work is happening in the foundation – clear evidence of the increasing value provided by the OpenID Foundation. Yet, as a foundation, we need to continue building a broader base of supporters and deployers of OpenID, especially internationally. We need to form closer working relationships with organizations and communities doing related work. And we need continue to safeguarding OpenID’s intellectual property and trademarks so they are freely available for all to use.

I have a demonstrated track record of serving OpenID and producing results. I want to continue being part of making open identity solutions even more successful and ubiquitous. That’s why I’m running for a community board seat in 2013.

Mike Jones
mbj@microsoft.com
http://self-issued.info/

January 23, 2013
Release Candidates for OpenID Connect Implementer’s Drafts

OpenID logoI’m pleased to announce that release candidate versions of the soon-to-come OpenID Connect Implementer’s Drafts have been released. All the anticipated breaking changes to the protocol are now in place, including switching Discovery over from using Simple Web Discovery to WebFinger and aligning Registration with the OAuth Dynamic Client Registration draft. While several names changed for consistency reasons, the changes to Discovery and Registration were the only architectural changes.

Please thoroughly review these drafts this week and report any issues that you believe need to be addressed before we release the Implementer’s Draft versions.

Normative changes since the December 27th, 2012 release were:

  • Use WebFinger for OpenID Provider discovery instead of Simple Web Discovery. This also means that account identifiers using e-mail address syntax are prefixed by the acct: scheme when passed to WebFinger.
  • Aligned Registration parameters with OAuth Dynamic Registration draft.
  • Added Implementation Considerations sections to all specifications, which specify which features are mandatory to implement.
  • Removed requirement that the “c_hash” and “at_hash” be computed using SHA-2 algorithms (for crypto agility reasons).
  • Refined aspects of using encrypted ID Tokens.
  • Finished specifying elements of key management for self-issued OPs.
  • Added “display_values_supported”, “claim_types_supported”, “claims_supported”, and “service_documentation” discovery elements.
  • Defined REQUIRED, RECOMMENDED, and OPTIONAL discovery elements.
  • Refined Session Management specification, including descriptions of OP and RP iframe behaviors.
  • Deleted “javascript_origin_uris”, which is no longer present in Session Management.
  • Added new “session_state” parameter to the authorization response for Session Management.
  • Added new “post_logout_redirect_url” registration parameter for Session Management.

Also, renamed these identifiers for naming consistency reasons:

  • user_jwk -> sub_jwk (used in self-issued ID Tokens)
  • token_endpoint_auth_type -> token_endpoint_auth_method
  • token_endpoint_auth_types_supported -> token_endpoint_auth_methods_supported
  • check_session_iframe_url -> check_session_iframe
  • end_session_endpoint_url -> end_session_endpoint
  • type -> operation (in Registration)
  • associate -> register (in Registration)
  • application_name -> client_name
  • check_session_endpoint -> check_session_iframe

See the History entries in the specifications for more details.

The new specification versions are at:

Thanks to all who did so much to get us to this point, including the spec writers, working group members, and implementers!

January 19, 2013
OAuth Assertion Framework draft -10

OAuth logoDraft 10 of the Assertion Framework for OAuth 2.0 has been published. It contains non-normative changes that add the “Interoperability Considerations” section, rename “Principal” to “Subject” to use the same terminology as the SAML Assertion Profile and JWT Assertion Profile specs, and apply Shawn Emery’s comments from the security directorate review.

The draft is available at:

An HTML formatted version is available at:

January 2, 2013
OAuth 2.0 and Sign-In

OAuth logoI highly recommend a piece that my friend Vittorio Bertocci wrote on the relationship between OAuth 2.0 and sign-in/federation protocols. While OAuth 2.0 can be used to sign in users and the term “OAuth” is often bandied about in identity contexts, as he points out, there’s a lot of details to fill in to make that possible. That’s because OAuth 2.0 is a resource authorization protocolnot an authentication protocol.

Read his post for a better understanding of how OAuth 2.0 relates to sign-in protocols, including a useful discussion of how OpenID Connect fills in the gaps to enable people to sign in with OAuth 2.0 in an interoperable manner.