Category: OpenID Page 4 of 10

Using OpenID Connect Self-Issued to Achieve DID Auth

On October 10, 2019

In Documentation, Events, OpenID, W3C

My co-authors and I recently competed the paper Using OpenID Connect Self-Issued to Achieve DID Auth, which was created as a result of discussions at the eighth Rebooting the Web of Trust workshop. The paper’s abstract is:

Proving control of a DID requires proving ownership of a private key corresponding to a public key for the DID. Of course, this could be done with a new DID-specific protocol. However, standard protocols for proving ownership of a public/private key pair already exist.

This paper describes how to reuse the Self-Issued OpenID Connect (SIOP) specification and related protocol messages to prove control of a DID. It describes both why and how to do this. Related topics, such as release of claims, are also touched upon.

Several people came to the workshop wanting to explore how to use the OpenID Connect Self-Issued OpenID Provider functionality to prove control of a Decentralized Identifier (DID), including myself. The paper describes the approach being taken by a number of groups using DIDs, including Microsoft. The paper’s publication is timely, as the W3C DID Working Group has just formed to create a DID standard. Microsoft is an active member of the working group.

Special thanks to Dmitri Zagidulin for getting the paper over the finish line!

OpenID Presentations at September 2019 OpenID Workshop and IIW

On October 1, 2019

In Events, OpenID

I gave the following presentations at the Monday, September 30, 2019 OpenID Workshop at Verizon Media:

OpenID Connect Working Group (PowerPoint) (PDF)
OpenID Enhanced Authentication Profile (EAP) Working Group (PowerPoint) (PDF)
OpenID Certification (PowerPoint) (PDF)

I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 1, 2019:

Introduction to OpenID Connect (PowerPoint) (PDF)

OpenID Connect Federation Progress at TNC19

On June 25, 2019

In Events, Federation, OpenID, Specifications

Check out the post OpenID Connect Federation Progress describing the recent updates that Roland Hedberg and I made to the OpenID Connect Federation 1.0 specification. We used the TNC19 conference — a gathering of federation experts — as a venue to get together to review and refine the specification. Besides getting lots done on the spec, I also really enjoyed the TNC conference and its attendees!

Given that the syntax and semantics should now be stable, it’s my hope that early adopters will start kicking the tires — building implementations and making trial deployments. I can’t wait for the useful feedback that results!

OpenID Presentations at 2019 European Identity and Cloud (EIC) Conference

On May 16, 2019

In Events, OpenID

I gave the following presentations at the May 14, 2019 OpenID Workshop at the 2019 European Identity and Cloud (EIC) conference:

OpenID Connect Working Group (PowerPoint) (PDF)
OpenID Certification (PowerPoint) (PDF)

This deck was also prepared but not presented, due to time limitations:

OpenID Enhanced Authentication Profile (EAP) Working Group (PowerPoint) (PDF)

Azure Active Directory Achieves OpenID Certification

In Interoperability, OpenID, Software

OpenID Certified logo I’m delighted to report that Azure Active Directory (AAD) has achieved OpenID Certification. This is true both of the AAD V1 identity provider, which enables sign-in with organization identities, and the AAD V2 identity provider, which enables sign-in with both personal and organizational identities. See the certification listings and the Microsoft identity platform announcement.

While AAD has supported OpenID Connect for years, the push to achieve OpenID Certification closed a number of gaps in AAD’s feature set — mostly notably, adding support for the UserInfo Endpoint to AAD V2. This work was part of Microsoft’s commitment to utilizing widely-adopted open identity standards. Kudos to the AAD engineering team for bringing this important developer-focused work to completion!

OpenID Presentations at April 2019 OpenID Workshop and IIW

On April 30, 2019

In Events, OpenID

I gave the following presentations at the Monday, April 29, 2019 OpenID Workshop at Verizon Media:

OpenID Connect Working Group (PowerPoint) (PDF)
OpenID Enhanced Authentication Profile (EAP) Working Group (PowerPoint) (PDF)
OpenID Certification (PowerPoint) (PDF)

I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 30, 2019:

Introduction to OpenID Connect (PowerPoint) (PDF)

Security Event Token (SET) delivery specifications updated in preparation for IETF 104

On March 12, 2019

In IETF, OpenID, Safety, Specifications

The two Security Event Token (SET) delivery specifications have been updated to address working group feedback received, in preparation for discussions at IETF 104 in Prague. The Push Delivery spec went through working group last call (WGLC). It has been updated to incorporate the WGLC comments. Changes made are summarized in the spec change log, the contents of which were also posted to the working group mailing list. Thanks to Annabelle Backman for the edits to the Push Delivery spec.

It’s worth noting that the Push Delivery spec and the Security Event Token (SET) are now being used in early Risk and Incident Sharing and Coordination (RISC) deployments, including between Google and Adobe. See the article about these deployments by Mat Honan of BuzzFeed.

Changes to the Poll Delivery spec are also summarized in that spec’s change log, which contains:

Removed vestigial language remaining from when the push and poll delivery methods were defined in a common specification.
Replaced remaining uses of the terms Event Transmitter and Event Recipient with the correct terms SET Transmitter and SET Recipient.
Removed uses of the unnecessary term “Event Stream”.
Removed dependencies between the semantics of maxEvents and returnImmediately.
Said that PII in SETs is to be encrypted with TLS, JWE, or both.
Corrected grammar and spelling errors.

The specifications are available at:

HTML-formatted versions are also available at:

OpenID Connect Federation Specification

On December 3, 2018

In Federation, OpenID, Specifications

The OpenID Connect Federation 1.0 specification is being developed to enable large-scale federations to be deployed using OpenID Connect. It enables trust among federation participants to be established through signed statements made by federation operators about federation participants.

The design of this specification builds upon the experiences gained in operating large-scale SAML 2.0 federations, and indeed, is authored by people having practical experience with these federations. The primary authors are Roland Hedberg and Andreas Ãƒ’¦kre Solberg, with additional contributions by Samuel Gulliksson, John Bradley, and myself, as well as members of the OpenID Connect working group, which is the home of the specification.

A key innovation that differentiates OpenID Connect federations from most SAML 2.0 federations is that OpenID Connect federation employs hierarchal metadata, where participants directly publish statements about themselves, versus the aggregated metadata approach used by many SAML 2.0 federations, where the federation operator publishes a single file concatenating all the metadata for all the federation participants.

The specification was just updated so that the latest version can be discussed at a SURFnet OpenID Connect “Wisdom of the Crowd” session today.

The latest version of specification is available at:

https://openid.net/specs/openid-connect-federation-1_0-06.html

This URL always points to the latest published version:

https://openid.net/specs/openid-connect-federation-1_0.html

Please review and/or implement this important specification and send your feedback to the OpenID Connect working group!

OpenID Connect Introduction at October 2018 IIW

On October 23, 2018

In Events, OpenID

I gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, October 23, 2018:

Introduction to OpenID Connect (PowerPoint) (PDF)

The core Token Binding specs are now RFCs 8471, 8472, and 8473

On October 8, 2018

In IETF, OAuth, OpenID, Specifications, Token Binding

The IETF Token Binding working group has completed the core Token Binding specifications. These new standards are:

RFC 8471: The Token Binding Protocol Version 1.0
RFC 8472: Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
RFC 8473: Token Binding over HTTP

As Alex Simons recently wrote, it’s time for token binding. Especially now that the core specs are done, now’s the time for platforms and applications to deploy Token Binding. This will enable replacing bearer tokens, which can be stolen and reused, with Token Bound tokens, which are useless if stolen. This is a huge security benefit applicable to any tokens used over TLS, including browser cookies, OAuth access tokens and refresh tokens, and OpenID Connect ID Tokens.

Congratulations especially to the editors Andrei Popov, Dirk Balfanz, Jeff Hodges, Magnus NystrÃƒÂ¶m, and Nick Harper and the chairs John Bradley and Leif Johansson for getting this done!

I likewise look forward to timely completion of related Token Binding specifications, which enable use of Token Binding with TLS 1.3, with OAuth 2.0, and with OpenID Connect.

Vote to update OpenID IPR Policy document now

On September 29, 2018

A quick reminder that the vote to approve updates to the OpenID IPR Policy document is under way. If you’re an OpenID Foundation member, I encourage you to vote to approve the updates now at https://openid.net/foundation/members/polls/151.

As described in the OpenID Foundation post Proposed Revisions to OpenID IPR Policy Document, the updates enable the use of electronic signatures on contributor agreements instead of requiring on-paper signatures and simplify the descriptions of working group contributors, all without changing the IPR rights of any party.

The foundation needs 30% of the membership to vote in order for the changes to take effect, so please take a moment and vote now. Thanks!

It’s Time for Token Binding

On August 21, 2018

In IETF, OAuth, OpenID, Specifications, Token Binding

Check out Alex Simons‘ and Pamela Dingle‘s blog post “It’s Time for Token Binding“. Now that the IETF Token Binding specs are essentially done, it’s time to ask those who write TLS software you use to ship Token Binding support soon, if they haven’t already done so.

Token Binding in a nutshell: When an attacker steals a bearer token sent over TLS, he can use it; when an attacker steals a Token Bound token, it’s useless to him.

Security Event Token (SET) is now RFC 8417

On July 10, 2018

In Claims, IETF, JSON, OpenID, Specifications

The Security Event Token (SET) specification is now RFC 8417. The abstract describes the specification as:

This specification defines the Security Event Token (SET) data structure. A SET describes statements of fact from the perspective of an issuer about a subject. These statements of fact represent an event that occurred directly to or about a security subject, for example, a statement about the issuance or revocation of a token on behalf of a subject. This specification is intended to enable representing security- and identity-related events. A SET is a JSON Web Token (JWT), which can be optionally signed and/or encrypted. SETs can be distributed via protocols such as HTTP.

SETs are already in use to represent OpenID Connect Back-Channel Logout tokens and to represent Risk and Incident Sharing and Coordination (RISC) events. Thanks to my co-editors, members of the IETF ID Events mailing list, and members of the IETF Security Events working group for making this standard a reality!

OpenID Connect Token Binding Specification Updated

On July 1, 2018

In Cryptography, OpenID, Specifications

The OpenID Connect Token Bound Authentication specification has been updated in response to developer feedback and in anticipation of the IETF Token Binding specifications finishing. Changes were:

Adjusted the metadata to indicate supported confirmation method hash algorithms for Token Binding IDs in ID Tokens.
Updated references for draft-ietf-tokbind-protocol to -19, draft-ietf-tokbind-https to -17, draft-ietf-oauth-token-binding to -07, and draft-ietf-oauth-discovery to -10.
Explicitly stated that the base64url encoding of the “tbh” value doesn’t include any trailing pad characters, line breaks, whitespace, etc.

(The representation of the Token Binding ID in the ID Token is unchanged.)

Thanks to Brian Campbell for doing the editing for this draft.

The specification is available at:

http://openid.net/specs/openid-connect-token-bound-authentication-1_0-03.html

OAuth 2.0 Authorization Server Metadata is now RFC 8414

On June 28, 2018

In Claims, IETF, JSON, OAuth, OpenID, Specifications

OAuth logo The OAuth 2.0 Authorization Server Metadata specification is now RFC 8414. The abstract describes the specification as:

This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.

The specification defines a JSON metadata representation for OAuth 2.0 authorization servers that is compatible with OpenID Connect Discovery 1.0. This specification is a true instance of standardizing existing practice. OAuth 2.0 deployments have been using the OpenID Connect metadata format to describe their endpoints and capabilities for years. This RFC makes this existing practice a standard.

Having a standard OAuth metadata format makes it easier for OAuth clients to configure connections to OAuth authorization servers. See https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata for the initial set of registered metadata values.

Thanks to all of you who helped make this standard a reality!

OpenID Connect News, Overview, Certification, and Action Items at June 2018 Identiverse Conference

On June 24, 2018

In Events, OpenID, Specifications

I gave the following presentation during the June 2018 Identiverse Conference:

OpenID Connect: News, Overview, Certification, and Action Items (PowerPoint) (PDF)

News included:

contribution of the Python JWTConnect OpenID RP library to the OpenID Connect working group and
launch of the Form Post Response Mode certification profiles for OPs and RPs.

Action items included:

give the Python JWTConnect OpenID RP library a try,
test the Form Post Response Mode conformance tests and certify your implementations,
review the OpenID Connect logout specifications now before we vote them to Final status,
review the OpenID Connect Federation specification during the current Implementer’s Draft review period,
participate in the RISC Implementer’s Drafts members vote before Friday, and
join the OpenID Foundation to be able to participate in the vote.

Ongoing recognition for the impact of OpenID Connect and OpenID Certification

On May 18, 2018

In Events, Interoperability, OpenID, People, Software, Specifications

This week the OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. This is actually the second award for the OpenID Certification program this year and only the latest in a series awards recognizing the value and impact of OpenID Connect and certification of its implementations.

On this occasion, I thought I’d take the opportunity to recount the awards that OpenID Connect, the specifications underlying it, and its certification program have been granted. To date, they are:

OpenID Connect: 2012 European Identity Award for Best Innovation/New Standard
OAuth 2.0: 2013 European Identity Award for Best Innovation/New Standard
JSON Web Token (JWT) and JSON Object Signing and Encryption (JOSE): 2014 Special European Identity Award for Best Innovation
OpenID Certification program: 2018 Identity Innovation Award
OpenID Certification program: 2018 European Identity and Cloud Award for Best Innovation

My sincere thanks to Kuppinger Cole for their early recognition of potential of OpenID Connect, for calling out the value of OAuth 2.0, JWT, and JOSE, and to both IDnext and Kuppinger Cole for recognizing the importance and global impact of OpenID Certification!

Speaking of impact, I can’t help but end this note with data that Alex Simons presented at EIC this week. 92% of Azure Active Directory (AAD) authentications use OpenID Connect. There’s no better demonstration of impact than widespread deployment. Very cool!

Alex Simons 92% OpenID Connect

OpenID Certification wins 2018 European Identity and Cloud Award

On May 17, 2018

In Events, Interoperability, OpenID, People, Software

OpenID Certified logo The OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. See the award announcement by the OpenID Foundation for more details. This is actually the second award this year for the OpenID Certification program.

The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to Kuppinger Cole for recognizing the impact of the OpenID Certification program!

EIC 2018 Award EIC 2018 Award Certificate EIC 2018 Award John Bradley, Mike Jones, Nat Sakimura EIC 2018 Award Don Thibeau EIC 2018 Award State EIC 2018 Award Don Thibeau, George Fletcher, Mike Jones, John Bradley, Nat Sakimura

OpenID Presentations at May 2018 European Identity and Cloud Conference (EIC)

On May 16, 2018

In Events, OpenID

I gave the following presentations during the OpenID workshop at the May 2018 European Identity and Cloud Conference (EIC):

OpenID Connect Working Group status update (PowerPoint) (PDF)
OpenID Certification status update (PowerPoint) (PDF)
OpenID EAP Working Group status update (PowerPoint) (PDF)

OpenID Presentations at April 2018 OpenID Workshop and IIW

On April 3, 2018

In Events, OpenID

I gave the following presentations at the Monday, April 2, 2018 OpenID Workshop at Oracle:

OpenID Connect Working Group status update (PowerPoint) (PDF)
OpenID Certification status update (PowerPoint) (PDF)

I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 3, 2018:

Introduction to OpenID Connect (PowerPoint) (PDF)

Powered by WordPress & Theme by Anders Norén