Mike Jones: self-issued

Musings on Digital Identity

Category: Federation Page 1 of 4

The Journey to OpenID Federation 1.0 is Complete

By

On February 17, 2026

In Federation, OpenID, People, Specifications

OpenID logoThe final OpenID Federation 1.0 specification was published today. This marks the end of a nearly decade-long journey and the beginning of new ones.

At the 2016 TNC conference, Lucy Lynch challenged Roland Hedberg, saying “If there is someone who should be able to bring the eduGAIN identity federation into the new world of OpenID Connect, it is you.” That was the starting point for the work.

Originally, the specification was titled “OpenID Connect Federation 1.0” and the mission was exactly that – to enable multi-lateral federation when using OpenID Connect. Over time, we realized that the core trust establishment framework defined by the specification could be applied to any protocol and the spec was therefore renamed to “OpenID Federation 1.0”. Indeed, for a while, people had been clamoring to separate the protocol-independent trust establishment framework from the protocol-specific features for OpenID Connect and OAuth 2.0. I made that split after OpenID Federation 1.0 entered final review, and the resulting OpenID Federation 1.1 specifications also entered review for final status today.

Like OpenID Connect, OpenID Federation benefited from multiple rounds of interop testing while it was being developed. Interops were held at NORDUnet 2017, SURFnet 2018, TNC/REFEDS 2019, Internet2/REFEDS 2019, three virtual interops in 2020, SUNET in 2025, and TIIME in 2026. Each time, we listened to the developer feedback and used it to improve the specification.

The early and enthusiastic support from the Research and Education community was foundational. They already knew what a multilateral federation is and why it’s useful. They patiently explained what they needed and why they needed it.

Many people contributed to the journey, but I want to call out the contributions of my co-authors in particular. Andreas Åkre Solberg was an early contributor and the inventor of Automatic Registration, which greatly simplifies deployments. John Bradley brought his practical security and deployment insights to the work. Giuseppe De Marco spearheaded production deployment for multiple Italian national federations and the Italian EUDI Wallet, informing the specification with real-world experience – particularly with the use of Trust Marks. Vladimir Dzhuvinov was an early implementer and brought his rigorous thinking about metadata operators and establishing trust to the effort.

Feedback from early implementations was critical to shaping the protocol. They included those by Authlete, Connect2ID, Raidiam, SimpleSamlPHP, DIGG, Sphereon, SPID/CIE in Italy, Shibboleth, GÉANT, SUNET, SURF, GRNET, eduGAIN/GARR, and of course Roland’s own implementation.

Demand for using OpenID Federation for protocols other than OpenID Connect and OAuth 2.0 informed our thinking as the specification developed. It is used for open finance in Australia. It is used for digital wallets in Italy. It is used for healthcare and national identity in Sweden. Each deployment brought insights to the effort that shaped the result for the better.

A team of security researchers at the University of Stuttgart performed a security analysis of the last implementer’s draft in 2024. They found an actionable security vulnerability applying to multiple protocols that we promptly fixed. Thanks to Dr. Ralf Küsters, Tim Würtele, and Pedram Hosseyni for their substantial contributions both to OpenID Federation and also to OpenID Connect, FAPI, and OAuth 2.0.

Multiple organizations played important roles in supporting this work. Special thanks to GÉANT, Connect2ID, and the SIROS Foundation for their significant financial support and encouragement. Multiple organizations hosted meetings at which significant discussions occurred, including NORDUnet, SUNET, SURF, GÉANT, and Internet2.

While this is the end of the journey for OpenID Federation 1.0, it is equally a step in important journeys under way. Multiple extensions to OpenID Federation are being developed, including OpenID Federation for Wallet Architectures 1.0 and OpenID Federation Extended Subordinate Listing 1.0. These provide important enhancements to the federation framework defined by the core specification needed for particular use cases.

Ecosystem building, adoption, and deployment is always a long journey and one we’re in the midst of. National use cases in Europe and Australia are leading the way.

I am confident that the inherent benefits of the scalable and modular OpenID Federation approach will continue to win adherents the world over. For instance, it is scalable and easily managed in a way that large-scale PKI trust bridges will never be.

Watch this space from more stories from these journeys as they develop!

Finally, my most significant thanks go to my friend and collaborator Roland Hedberg. He did the very hard thing – starting from a blank sheet of paper and on it creating a new, useful, and elegant invention. My sincerest congratulations, Roland! It’s been a privilege to be on this journey with you!

Roland Hedberg

OpenID Federation Interop Event at TIIME 2026 in Amsterdam

By

On February 16, 2026

In Events, Federation, Interoperability, OpenID, People, Software, Specifications

OpenID logoImplementers of OpenID Federation gathered at the 2026 Trust and Internet Identity Meeting Europe (TIIME) unconference in Amsterdam on Friday, February 13, 2026 to test their implementations with one another. 12 people with 9 implementations and from 9 countries performed interop tests together. Participants were from Croatia, Finland, Greece, Italy, Netherlands, Poland, Serbia, Sweden, and the US.

The interop was organized by Niels van Dijk of SURF and Davide Vaghetti of GARR. Davide ran the interop, including assembing the test federation with the participants. Giuseppe De Marco’s OpenID Federation Browser was a useful tool for visualizing and understanding the test federation. The test federation remains assembled and I’ve observed that some participants have continued to test with one another in the days since the in-person interop at TIIME.

Here’s some photos and graphics to capture the spirit of the interop.

Davide Running TIIME Interop

OpenID Federation Browser View of GARR Federation

TIIME 2026 Interop Participants

SURF Trust Anchor

Davide Presenting Trust Mark Request

OpenID Federation Presentation at 2026 TIIME Unconference

By

On February 13, 2026

In Events, Federation, OpenID, Specifications

OpenID logoI had the pleasure of presenting an overview of OpenID Federation during the 2026 Trust and Internet Identity Meeting Europe (TIIME) unconference in Amsterdam. It was the opening talk in a day dedicated to OpenID Federation – Friday, February 13, 2026. There were ~90 practitioners in attendance. They asked great practical questions, including about how to decide what Federations to trust and the use of Trust Marks.

See the deck I used titled “OpenID Federation Overview” (pptx) (pdf).

I’m really looking forward to what I’ll learn during the discussions today. Many deployments are being described, including the GÉANT eduGAIN OpenID Federation pilot. Plus, there’s a “TechHUB” interop event today during which people will test their OpenID Federation implementations with one another.

My Federation Keynote at TIIME 2026

Initial Drafts of 1.1 OpenID Federation Specs

By

On January 2, 2026

In Federation, OpenID, Specifications

OpenID logoThe OpenID Federation 1.0 specification contains two kinds of functionality:

  1. Protocol-independent federation functionality used for establishing trust and applying policies in multilateral federations, and
  2. Protocol-specific federation functionality that can be used by OpenID Connect and OAuth 2.0 deployments to apply the protocol-independent federation functionality.

At the urging of implementers and working group members, I’ve created new specifications splitting the two kinds of functionality apart. I’m pleased to announce that initial editor’s drafts of both split specifications are now available for your reviewing pleasure. They are:

  1. OpenID Federation 1.1 (protocol-independent)
  2. OpenID Federation for OpenID Connect 1.1 (protocol-specific)

Together, they are equivalent to OpenID Federation 1.0, by design. No functionality is added or removed from that present in 1.0. Rather, it’s factored into protocol-independent and protocol-specific specifications.

Reading every line of the 1.0 spec to perform the split had the additional benefit of identifying editorial improvements to apply to the 1.0 spec before it becomes final. I intentionally started the split while 1.0 is still in the 60-day review to become final exactly so improvements identified could be applied both to the original and the split specs.

As background for this work, several people had suggested splitting the two apart into separate specifications – particularly once the core federation functionality started being used with protocols other than OpenID Connect, such as with digital credentials. There was a discussion about this possibility at the Internet Identity Workshop in the Fall of 2024. During the April 2025 Federation Interop event at SUNET, there was consensus to do the split after finishing OpenID Federation 1.0. Starting the work to perform the split was proposed to both Pacific-friendly and Atlantic-friendly OpenID Connect working group calls in December 2025 after the 60-day review had started, with no opposition to proceeding.

Now it’s your turn! Please review both OpenID Federation 1.0 and the OpenID Federation 1.1 and OpenID Federation for OpenID Connect 1.1 specifications derived from it. Please send any issues found to the OpenID Connect Working Group mailing list, or file GitHub issues in the respective repositories: OpenID Federation 1.0 repository, OpenID Federation 1.1 repository, and OpenID Federation for OpenID Connect 1.1 repository. Please review for both the readability and correctness of the specs and whether you believe aspects of the split should have been done differently. In particular, please consider the examples in Appendix A, which contain both protocol-independent and protocol-specific content.

Hopefully this split will make the OpenID Federation content easier to navigate and understand for those using it and considering it. Happy New Year 2026!

Note: I updated this post on January 20, 2026 to link to the now-released versions of the 1.1 specs, rather than the editors’ drafts. Also, since the initial post, OpenID Connect Federation 1.1 was renamed to OpenID Federation for OpenID Connect 1.1.

OpenID Federation Discussion at 2025 TechEx

By

On December 12, 2025

In Events, Federation, OpenID, Specifications

OpenID logoI was encouraged by Pål Axelsson to hold an unconference discussion giving an overview of OpenID Federation during the 2025 Internet2 Technology Exchange conference in Denver. So I did so with a receptive and engaged group of participants yesterday, Thursday, December 11, 2025. See the notes from the Thursday session by Phil Smart, which include links to multiple Federation pilots.

Afterwards, several people told me that they were sorry to have missed it. So I reprised the discussion today, Friday, December 12, 2025, with a second equally engaged and mostly non-overlapping set of participants. See the notes from the Friday session by James Cramton, which captures both the breadth of participation and some of the key points made. Mihály Héder from Hungary is prototyping and was particularly engaged.

See the deck I used to queue up discussion points titled “OpenID Federation Overview” (pptx) (pdf).

The participants were some of the world’s experts in multi-lateral federation. It was great spending time with them and learning from them!

Finishing the OpenID Federation 1.0 Specification

By

On December 4, 2025

In Federation, OpenID, Specifications

OpenID logoThe OpenID Federation 1.0 specification has started its 60-day review to become an OpenID Final Specification. Draft 46 of the specification, which was published today, is the target of the 60-day review.

Thanks to all who participated in the Working Group Last Call (WGLC) review, which was based on Draft 45. Your feedback resulted in a number of clarifications and editorial improvements. The changes made in -46 are detailed in the Document History section.

Almost there!

Working Group Last Call for OpenID Federation

By

On November 20, 2025

In Federation, OpenID, Specifications

OpenID logoToday the OpenID Connect Working Group started a two-week Working Group Last Call (WGLC) for the OpenID Federation 1.0 specification. During the two weeks ending on December 4, 2025, working group members will identify any issues that they believe should be addressed before it becomes final. Of course, responses of the form “It’s ready to go as it is” are welcome too!

Draft 45 of the OpenID Federation specification, which was published today, is the target of the WGLC review. It adds two features motivated by the security analysis of the last Implementer’s Draft. They are:

  • peer_trust_chain header parameter: This enables an RP to provide a Trust Chain from the OP it is establishing trust with to the Trust Anchor that it selected at registration time. This works with both Automatic Registration and Explicit Registration and can be used in other trust establishment regimes. When a Trust Chain is also provided from the RP to the same Trust Anchor, together these enable a property called Federation Integrity, which is described in How to link an application protocol to an OpenID Federation 1.0 trust layer.
  • trust_anchor_hints claim: This enables Entities to publish the Trust Anchors that they are configured to trust. This can facilitate determining what Trust Anchors are shared between parties.

It also contains several important editorial improvements, including organizing the Entity Statement claims by where they may and may not appear. The changes made in -45 are detailed in the Document History section.

Thanks to all who helped us reach this point! Nearly done…

OpenID Federation draft 44 Incorporating Features Motivated by Swedish Government Use Cases

By

On October 16, 2025

In Federation, OpenID, Specifications

OpenID logoDraft 44 of the OpenID Federation specification has been published. The draft contains improved descriptions of a number of features. The one breaking change made is that Trust Mark Status responses are now signed.

Some of the changes made are intended to facilitate implementation of features needed for some Swedish government use cases. In particular, extension points were added to make it easier to use OpenID Federation for trust establishment for systems where existing entities may already be deployed, and may not be able to be modified.

The changes made in -44 are detailed in the Document History section.

Thanks all for the continued progress towards finishing the specification!

OpenID Connect RP Metadata Choices is an Implementer’s Draft

By

On July 9, 2025

In Federation, JSON, OpenID, Specifications

OpenID logoI’m happy to report that the OpenID Connect Relying Party Metadata Choices specification has been approved by the OpenID Foundation membership as an Implementer’s Draft. An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification.

The need for this was independently identified by Roland Hedberg and Stefan Santesson while implementing OpenID Federation. The contents of the specification were also validated by Filip Skokan, who implemented it. Filip has been added as an author.

The abstract of the specification is:

This specification extends the OpenID Connect Dynamic Client Registration 1.0 specification to enable RPs to express a set of supported values for some RP metadata parameters, rather than just single values. This functionality is particularly useful when Automatic Registration, as defined in OpenID Federation 1.0, is used, since there is no registration response from the OP to tell the RP what choices were made by the OP. This gives the OP the information that it needs to make choices about how to interact with the RP in ways that work for both parties.

Thanks to all who contributed to reaching this milestone!

OpenID Federation draft 43 Incorporating Feedback from Interop Event

By

On June 3, 2025

In Federation, Interoperability, OpenID, Specifications

OpenID logoDraft 43 of the OpenID Federation specification has been published. A number of features in draft 42 were discussed during the recent OpenID Federation interop event and the changes made in draft 43 are largely a result of conclusions reached there and resulting discussions that followed.

Before the interop, there were 40 open issues. As a result of the progress made at SUNET, and the ongoing engagement of interop participants since then, we’re now down to 17 open issues. And 9 of those propose extension specifications, post-final work, or reviewing the text.

The changes made in -43 are detailed in the Document History section.

Thanks all for the significant progress towards finishing the specification!

OpenID Federation Interop Event at SUNET in Stockholm

By

On May 16, 2025

In Events, Federation, Interoperability, OpenID, People, Specifications

OpenID logoAt the end of April, I had the privilege of gathering in Stockholm with 30 participants to perform interoperability testing among 14 different OpenID Federation implementations. Leif Johansson and SUNET were fabulous hosts for the meeting at their offices in Stockholm. People from 15 countries participated, coming from as far as Australia and New Zealand! We performed eight different classes of tests between the implementations plus tested the OpenID Certification tests being developed for OpenID Federation.

It was great to have many of the core contributors to OpenID Federation come together and meet one another, most in-person, a few virtually, many for the first time. The sense of community and shared mission in the room was palpable! Besides testing, we also took time for architectural discussions, addressing open issues, and of course, socializing over drinks and dinners.

I must say that the OpenID Foundation staff who helped organize the meeting did a bang-up job! Stephanie Meli and Gareth Narinesingh both pitched in in numerous ways, resulting in a flawless and fun event! I’d normally be the one blogging and posting to capture the essence of the event, but they already more than covered that base. Their posts are full of facts, anecdotes, and photos. Check them out…

I thought I’d add a few more photos and graphics to capture the spirit of the interop.

In-Person Participants at SUNET

Logos of Participating Organizations

Roland Hedberg

OpenID Federation Browser View of KIT Federation

Celebrating in Stockholm

So you want to use Digital Credentials? You’re now facing a myriad of choices!

By

On May 9, 2025

In CBOR, Claims, Events, Federation, IETF, Interoperability, JSON, OpenID, Privacy, Specifications

EIC 2025 LogoI gave the keynote talk So you want to use Digital Credentials? You’re now facing a myriad of choices! at EIC 2025. I opened by describing engineering choices – credential formats (W3C VCs, ISO mDOCs, SD-JWTs, SD-CWTs, JWPs, X.509 Certificates), issuance and presentation mechanisms (bespoke and standards-based, in-person and remote), mechanisms for choosing them (query languages, user interfaces), and trust establishment mechanisms (trust lists, certificates, and federation).

I then upped the ante by talking about the criticality of usability, the challenges of building ecosystems (something Andrew Nash first explained to me most of two decades ago!), and how digital credentials are not an end in and of themselves; they’re a tool to help us solve real-world problems. And of course, I closed by coming back to my theme Standards are About Making Choices, urging us to come together and make the right choices to enable interoperable use of digital credentials in ways that benefit people worldwide.

View my slides as PowerPoint or PDF. I’ll also post a link to the video of the presentation here once Kuppinger Cole posts it.

EIC 2025 Andrew Nash

Thought Experiment on Trust Establishment

Will people be able to use it and want to?

Standards Are About Making Choices

Thank You to SIROS

Mike Jones Candid

Five Million Italian Digital Wallet Users

By

On May 1, 2025

In Federation, OpenID, Software, Specifications

OpenID logoMy friend Giuseppe De Marco shared the article “Documenti su IO: 5 milioni di attivazioni per IT-Wallet” with me about how five million people are now using the Italian digital wallet. It adds the information that 4.3 million health cards, 4 million driver’s licenses and 100,000 European Disability Cards have been issued to those wallets. These are significant accomplishments!

(Yes, the article is in Italian. ;-) I read it with the assistance of machine translation.)

These accomplishments are made possible through use of standards. Having just been at an OpenID Federation interop event in Stockholm, Sweden, I find it particularly timely that this is an example of five million people productively using OpenID Federation in their daily lives.

This article about the Italian Digital Wallet System is a good companion piece, providing insights into the goals of the Italian Digital Wallet project. I recommend them both!

Integrity Properties for Federations

By

On December 6, 2024

In Federation, OpenID, People, Specifications

OpenID logoI’m writing to highly recommend the article “How to link an application protocol to an OpenID Federation 1.0 trust layer” by Vladimir Dzhuvinov. In it, he defines two kinds of integrity for Federations, and describes how to achieve them:

  • Federation Integrity, which is defined as:

    • This ensures mutual trust between two entities is established always from a common trust anchor. Any resolved metadata and policies that govern the client application and the OpenID provider in a transaction will then fall under the rules of the same federation and thus will be aligned and consistent with one another.

  • Metadata Integrity, which is defined as:

    • It ensures the trust chains for an entity to a given trust anchor will invariably result in consistent metadata and policies. The natural way to achieve this is for the federation topology under a trust anchor to form a tree. Topologies that lead to multiple paths from a leaf entity to a trust anchor are to be avoided.

The article also explores how application protocols, such as OpenID Connect or digital wallet protocols, can achieve those properties in practice (and when they do and don’t need to).

Finally, I’ll note that, as a result of Vladimir’s and others’ thinking about the topic, we just added a section on Federation Topologies to the OpenID Federation specification, which provides concrete guidance on how to achieve Metadata Integrity.

I’ll stop here so as not to repeat all the useful content in Vladimir’s article. By all means, give it read!

Three New Specs Enhancing OpenID Federation and New Contributors

By

On November 30, 2024

In Federation, OpenID, People, Specifications

OpenID logoThe OpenID Connect working group recently adopted three new specifications that build upon and provide new capabilities to OpenID Federation. But I’m not only happy about these because of the engineering benefits they bring.

I’m particularly happy because they bring new active contributors to the work, specifically Michael Fraser and Łukasz Jaromin, as well as continuing the strong work by Giuseppe De Marco, who’s become a leader in the space. They’re also supported by a few veterans: Roland Hedberg, John Bradley, and yours truly, plus now the full OpenID Connect working group.

Here’s the three new specifications, along with an abstract for each of them:

1. OpenID Federation Extended Subordinate Listing

This specification acts as an extension to OpenID Federation 1.0. It outlines methods to interact with a given Federation with a potentially large number of registered Entities, as well as mechanisms to retrieve multiple entity statements along with associated details in a single request.

2. OpenID Federation Wallet Architectures

As digital wallets become increasingly deployed for managing identity credentials, establishing an architecture for trusted communication is required to allow each participant in the ecosystem to evaluate other participants’ compliance with mutual trust frameworks and accomplish secure and trusted transactions.

This specification defines how to use OpenID Federation 1.0 to enhance the security and interoperability of wallet ecosystems, facilitating trust establishment among the parties and enabling secure metadata exchange and policy application across large scale deployments. It outlines the general architecture of a federated trust infrastructure for wallet ecosystems, identifying participant roles and describing the use of those roles.

3. OpenID Connect Relying Party Metadata Choices

This specification extends the OpenID Connect Dynamic Client Registration 1.0 specification to enable RPs to express a set of supported values for some RP metadata parameters, rather than just single values. This functionality is particularly useful when Automatic Registration, as defined in OpenID Federation 1.0, is used, since there is no registration response from the OP to tell the RP what choices were made by the OP. This gives the OP the information that it needs to make choices about how to interact with the RP in ways that work for both parties.

Thanks to the members of the OpenID Connect working group who helped refine them before adoption, and are now working on progressing them in the working group.

Fourth and Likely Last Implementer’s Draft of OpenID Federation Specification

By

On July 25, 2024

In Claims, Federation, OAuth, OpenID, Specifications

OpenID logoThe OpenID Foundation has approved the Fourth Implementer’s Draft of the OpenID Federation Specification. This is a major step towards having the specification become final.

The previous Implementer’s Draft was in 2021. A lot has happened since then, largely motivated by feedback from actual implementations and deployments. Some highlights of progress made in the spec since then are:

  • Changed name from OpenID Connect Federation to OpenID Federation, since Federation can be used for trust establishment for any protocol (including OpenID Connect).
  • Introduced distinct Federation endpoints.
  • Clearly defined and consistently used the terms Entity Statement, Entity Configuration, and Subordinate Statement.
  • Clearly defined which claims can occur in which kinds of Entity Statements.
  • Clearly defined Entity Types and the Federation Entity entity type.
  • Enhanced description of Trust Mark issuance and usage.
  • Defined relationship between metadata and metadata policy.
  • Clearly defined interactions between policy operators.
  • Defined where constraints may occur.
  • Tightened descriptions of Automatic Registration and Explicit Registration.
  • Added Historical Keys.
  • Defined and used trust_chain JWS Header Parameter.
  • Allowed Trust Chains to start with non-Trust Anchors.
  • Clarified use of client authentication.
  • Used OAuth Protected Resource Metadata.
  • Consistent error handling.
  • Added General-Purpose JWT Claims section.
  • Comprehensive use of content types and media types.
  • IANA registration of parameters, claims, and media types.
  • Added and improved many diagrams.
  • Substantial rewrites for increased consistency and clarity.
  • Added Giuseppe De Marco and Vladimir Dzhuvinov as editors.

As a preview of coming attractions, I’ll note that profiles of OpenID Federation are being written describing how it being used in wallet ecosystems and how it is being used in open finance ecosystems. And we’re creating a list of implementations. Watch this space for future announcements.

Special thanks to all the implementers and deployers who provided feedback to get us to this point!

Celebrating Ten Years of OpenID Connect at Identiverse and EIC

By

On June 11, 2024

In Claims, Events, Federation, History, JSON, OAuth, OpenID, Specifications

EIC 2024 LogoIdentiverse LogoWe held the second and third of the three planned tenth anniversary celebrations for the completion of OpenID Connect at the 2024 Identiverse conference and European Identity and Cloud Conference. That concludes celebrations in Asia, the Americas, and Europe!

At both Identiverse and EIC, panelists included Nat Sakimura, John Bradley, and myself. Chuck Mortimore joined us at Identiverse. And Torsten Lodderstedt added his perspectives at EIC. We shared our perspectives on what led to OpenID Connect, why it succeeded, and what lessons we learned along the way.

The most common refrain throughout our descriptions was the design philosophy to “Keep simple things simple”. This was followed closely by the importance of early feedback from developers and deployers.

Chuck reached back in time to his OpenID slides from 2011. He reflected on what he was thinking at the time versus what actually happened (and why). Torsten pointed out the importance of cooperation, certification, security analysis, open standards, and an approachable community. At Identiverse, Nat reached back 25 years, examining the intellectual underpinnings and history of OpenID. And at EIC, Nat tackled assertions that OpenID Connect can be complex. John concluded by observing that the OpenID idea is greater than any particular specification.

Our recent OpenID Connect 10th anniversary sessions were:

They build upon the celebration at the OpenID Summit Tokyo 2024.

Thanks to the organizers of all these events for sponsoring the celebrations!

Proposed Implementer’s Draft of OpenID Federation

By

On May 21, 2024

In Federation, OpenID, Specifications

OpenID logoThe OpenID Connect working group has started working group last call (WGLC) for a proposed Implementer’s Draft of the OpenID Federation specification. As described in the WGLC message:

OpenID Federation -35 has been published at https://openid.net/specs/openid-federation-1_0-35.html and https://openid.net/specs/openid-federation-1_0.html. This draft is being proposed as the fourth (and hopefully final) Implementer’s Draft of the specification.

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. The two-week working group last call ends on Friday, May 31, 2024. Unless reasons are identified during the last call to substantially revise the specification, the 45-day OpenID Foundation-wide review of the specification for approval as an OpenID Implementer’s Draft will shortly follow.

Special thanks to all the implementers and deployers who provided feedback to get us to this point!

OpenID Federation Session at April 2024 IIW

By

On April 18, 2024

In Events, Federation, OpenID

OpenID logoJohn Bradley and I convened a session on Trust Establishment with OpenID Federation at the Internet Identity Workshop (IIW) on Thursday, April 18, 2024. The material used to drive the discussion was:

The session was well attended and the discussion lively. Numerous people with trust establishment problems to solve contributed, including experts from the SAML federation world, people involved in digital wallet projects, and several people already using or considering using OpenID Federation. Thanks to all who participated!

Continued refinement: OpenID Federation draft 33 published

By

On February 23, 2024

In Federation, OpenID, Specifications

OpenID logoOpenID Federation draft 33 has been published at https://openid.net/specs/openid-federation-1_0-33.html and https://openid.net/specs/openid-federation-1_0.html. The working group continues refining the specification to make it more consistent and easier to read and implement.

We published draft 33 now to get these improvements out to implementers. Per the history entries at https://openid.net/specs/openid-federation-1_0-33.html#name-document-history, a summary of changes made in -32 and -33 is:

-33:

  • Addressed #2111: The metadata_policy_crit claim MAY only appear in Subordinate Statements and its values apply to all metadata_policies found in the Trust Chain.
  • Fixed #2096: Authorization Signed Request Object may contain trust_chain in its payload and should not in its JWS header parameters.
  • Strengthen language requiring client verification with automatic registration.
  • Fixed #2076: Promoted Trust Marks to be a top-level section.
  • Added General-Purpose JWT Claims section.
  • Moved Federation Endpoints section before Obtaining Federation Entity Configuration Information section.
  • Fixed #2110: Explanation text when multiple entity_type parameters are provided in the Subordinate Listing endpoint.
  • Fixed #2112, #2113, and #2114: Defined that client authentication is not used by default and that the default client authentication method, when used, is private_key_jwt. Specified that requests using client authentication use HTTP POST.
  • Fixed #2104: Allow trust marks in Subordinate Statements for implementation profiles that might want this.
  • Fixed #2103: Addressed ambiguities in the definition of constraints.

-32:

  • Tightened OpenID Connect Client Registration section.
  • Tightened appendix examples.
  • Fixed #2075: Trust Mark endpoint for the provisioning of the Trust Marks.
  • Fixed #2085: Trust Marked Entities Listing, added sub URL query parameter.
  • Made fetch issuer unambiguous by making the iss parameter REQUIRED.
  • Introduced the term “Subordinate Statement” and applied it throughout the specification. Also consistently use the term “registration Entity Statement” for Explicit Client Registration results.
  • Clarified where Entity Statement claims can and cannot occur.
  • Renamed policy_language_crit to metadata_policy_crit.
  • Fixed #2093: Numbered the list defining the order policy operators are applied in.

Special thanks to Stefan Santesson for his thorough review of the specification in the context of the Swedish Federation deployment!

Page 1 of 4

Next

Powered by WordPress & Theme by Anders Norén