Category: OpenID Page 8 of 11

The vote to approve final OpenID Connect Core, OpenID Connect Discovery, OpenID Connect Dynamic Registration, and OAuth 2.0 Multiple Response Types specifications is now under way, as described at http://openid.net/2014/02/11/vote-for-final-openid-connect-specifications-and-implementers-drafts-is-open/. The OpenID Connect Session Management and OAuth 2.0 Form Post Response Mode specifications are also being approved as Implementer’s Drafts. Voting closes on Tuesday, February 25, 2014.

Please vote now!

I’m thrilled that OpenID Connect is significantly closer to being done today. Proposed final specifications were published yesterday and the 60 day public review period, which leads up a membership vote to approve the specifications, began today. Unless recall-class issues are found during the review, this means we’ll have final OpenID Connect specifications on Tuesday, February 25, 2014!

My sincere thanks to all of you who so generously shared your vision, expertise, judgment, and time to get us to this point — both those of you who worked on the specs and those who implemented and deployed them and tested your code with one another. I consider myself privileged to have done this work with you and look forward to what’s to come!

The fourth and possibly last set of release candidates for final OpenID Connect specifications is now available. Per the decision on today’s working group call, this message starts a 24 hour final working group review period before starting the 60 day public review period. Unless significant issues are raised during the 24 hour review period, we will announce that these specifications are being proposed as Final Specifications by the working group.

The release candidates for Final Specification status are:

• http://openid.net/specs/openid-connect-core-1_0-17.html
• http://openid.net/specs/openid-connect-discovery-1_0-21.html
• http://openid.net/specs/openid-connect-registration-1_0-23.html
• http://openid.net/specs/oauth-v2-multiple-response-types-1_0-11.html

Accompanying release candidates for Implementer’s Draft status are:

• http://openid.net/specs/openid-connect-session-1_0-18.html
• http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-02.html

Accompanying Implementer’s Guides are:

• http://openid.net/specs/openid-connect-basic-1_0-32.html
• http://openid.net/specs/openid-connect-implicit-1_0-14.html

The third set of release candidates for final OpenID Connect specifications is now available. The changes since the second release candidates have mostly been to incorporate review comments on the Discovery, Dynamic Registration, and Multiple Response Types specifications. All known review comments have now been applied to the specifications.

The release candidates for Final Specification status are:

• http://openid.net/specs/openid-connect-core-1_0-16.html
• http://openid.net/specs/openid-connect-discovery-1_0-20.html
• http://openid.net/specs/openid-connect-registration-1_0-22.html
• http://openid.net/specs/oauth-v2-multiple-response-types-1_0-11.html

Accompanying release candidates for Implementer’s Draft status are:

• http://openid.net/specs/openid-connect-session-1_0-18.html
• http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-02.html

Accompanying Implementer’s Guides are:

• http://openid.net/specs/openid-connect-basic-1_0-31.html
• http://openid.net/specs/openid-connect-implicit-1_0-14.html

The second set of release candidates for final OpenID Connect specifications is now available. The updates to these specs since the first set of release candidates are the result of the most extensive reviews that the OpenID Connect specifications have ever undergone — including 10 complete reviews of the OpenID Connect Core spec. Thanks to all of you who helped make these the clearest, easiest to use OpenID Connect specifications ever!

The release candidates for Final Specification status are:

• http://openid.net/specs/openid-connect-core-1_0-15.html
• http://openid.net/specs/openid-connect-discovery-1_0-19.html
• http://openid.net/specs/openid-connect-registration-1_0-21.html
• http://openid.net/specs/oauth-v2-multiple-response-types-1_0-10.html

Accompanying release candidates for Implementer’s Draft status are:

• http://openid.net/specs/openid-connect-session-1_0-17.html
• http://openid.net/specs/oauth-v2-form-post-response-mode-1_0-01.html

Accompanying Implementer’s Guides are:

• http://openid.net/specs/openid-connect-basic-1_0-30.html
• http://openid.net/specs/openid-connect-implicit-1_0-13.html

Please do a final review of the OpenID Connect Core specification now, because the results of all review comments have now been applied to it. A small number of review comments to the other specs remain, and will be addressed in the next few days, at which point a third and hopefully final set of release candidates will be released.

I’m pleased to announce that the first release candidate versions for final OpenID Connect specifications have been published. The complete set of specifications has been updated to resolve all issues that had been filed against the specs being finished.

Please review these this week, in time for the in-person working group meeting on Monday. Besides publishing the specs in the usual formats, I’ve also created a Word version of the core spec with tracked changes turned on to facilitate people marking it up with specific proposed text changes. If you’re in the working group, please download it and make any corrections or changes you’d like to propose for the final specification.

The release candidate spec versions are:

• http://openid.net/specs/openid-connect-core-1_0-14.html
• http://openid.net/specs/openid-connect-discovery-1_0-18.html
• http://openid.net/specs/openid-connect-registration-1_0-20.html
• http://openid.net/specs/openid-connect-session-1_0-16.html
• http://openid.net/specs/oauth-v2-multiple-response-types-1_0-09.html

Also, two implementer’s guides are also available to serve as self-contained references for implementers of basic Web-based Relying Parties:

• http://openid.net/specs/openid-connect-basic-1_0-29.html
• http://openid.net/specs/openid-connect-implicit-1_0-12.html

Thanks to Nat Sakimura for the early feedback. The structure of Core has been changed somewhat since -13 to adopt some of his suggestions.

Based on feedback from developers, the OpenID Connect working group decided to replace the OpenID Connect Messages and OpenID Connect Standard specifications with a new OpenID Connect Core specification that combines the contents from both of them before finishing OpenID Connect. The content has also been restructured to separate Authentication from other features such as Claims and to have separate Authentication sections for the different OAuth 2.0 flows. No changes to the protocol were made. The publication of this new spec is another major step towards finishing OpenID Connect.

Please review this and the other OpenID Connect specifications in the coming week. While a few local changes will still be made this week to address issues that have been identified since the approval of the Implementer’s Drafts, I fully expect that the working group will decide at the in-person working group meeting just over a week from now that it’s time to publish proposed final specifications.

Thanks to Nat Sakimura for producing a proof-of-concept document restructuring that the structure of the current OpenID Connect Core spec is based upon. And thanks to Torsten Lodderstedt for convincing us that the specs will be clearer by better separating the descriptions of logically distinct features while combining previously separate descriptions of highly interrelated functionality.

Today marks another significant milestone towards completing the OpenID Connect standard. The OpenID Foundation has announced that the 45 day review period for the second set of proposed Implementer’s Drafts has begun. The working group believes that these are stable and complete drafts. They are being proposed as Implementer’s Drafts, rather than Final Specifications at this time, because of the dependencies on some IETF specifications that are still undergoing standardization — primarily the JSON Web Token (JWT) specification and the JSON Object Signing and Encryption (JOSE) specifications underlying it.

An Implementer’s Draft is a stable version of a specification intended for implementation and deployment that provides intellectual property protections to implementers of the specification. These updated drafts are the product of incorporating months of feedback from implementers and reviewers on earlier specification drafts, starting with the previous Implementer’s Drafts, including feedback resulting from several rounds of interop testing. Thanks to all of you who have been working towards the completion of OpenID Connect!

These specifications are available at:

• http://openid.net/specs/openid-connect-basic-1_0-28.html
• http://openid.net/specs/openid-connect-implicit-1_0-11.html
• http://openid.net/specs/openid-connect-messages-1_0-20.html
• http://openid.net/specs/openid-connect-standard-1_0-21.html
• http://openid.net/specs/openid-connect-discovery-1_0-17.html
• http://openid.net/specs/openid-connect-registration-1_0-19.html
• http://openid.net/specs/openid-connect-session-1_0-15.html
• http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html

A third set of Release Candidates for the pending OpenID Connect Implementer’s Drafts have been released. Like the first set, the second set of Release Candidates, which were published earlier this month, also received thorough review, resulting in a smaller set of additional refinements. The changes primarily made some the claim definitions more precise and provided more guidance on support for multiple languages and scripts.

Were it not for a set of pending changes about to be made to the JSON Object Signing and Encryption (JOSE) specifications, this set of specifications would likely actually be the Implementer’s Drafts. However, the OpenID Connect working group made the decision to have those (non-breaking) JOSE changes be applied before we declare that the Implementer’s Drafts are done. Expect announcements about both the JOSE updates and the OpenID Connect Implementer’s Drafts soon.

The new specifications are:

• http://openid.net/specs/openid-connect-basic-1_0-25.html
• http://openid.net/specs/openid-connect-implicit-1_0-08.html
• http://openid.net/specs/openid-connect-messages-1_0-17.html
• http://openid.net/specs/openid-connect-standard-1_0-18.html
• http://openid.net/specs/openid-connect-discovery-1_0-14.html
• http://openid.net/specs/openid-connect-registration-1_0-16.html
• http://openid.net/specs/openid-connect-session-1_0-13.html
• http://openid.net/specs/oauth-v2-multiple-response-types-1_0-07.html

See the History entries in the specs for more details on the changes made.

Thanks again to all who reviewed and implemented the recent drafts!

I’m pleased to announce that a second set of Release Candidates for the upcoming OpenID Connect Implementer’s Drafts have been released. The first set of Release Candidates received thorough review, resulting in quite a bit of detailed feedback. The current specs incorporate the feedback received, making them simpler, more consistent, and easier to understand.

Please review these this week — especially if you had submitted feedback. The working group plans to decide whether we’re ready to declare Implementer’s Drafts during the OpenID Meeting before IETF 86 on Sunday.

The new specifications are:

• http://openid.net/specs/openid-connect-basic-1_0-24.html
• http://openid.net/specs/openid-connect-implicit-1_0-07.html
• http://openid.net/specs/openid-connect-messages-1_0-16.html
• http://openid.net/specs/openid-connect-standard-1_0-17.html
• http://openid.net/specs/openid-connect-discovery-1_0-13.html
• http://openid.net/specs/openid-connect-registration-1_0-15.html
• http://openid.net/specs/openid-connect-session-1_0-12.html

See the History entries in the specs for details on the changes made.

Thanks again to all who did so much to get us to this point, including the spec writers, working group members, and especially the implementers!