Brian Campbell, Senior Researcher, Ping Identity
OpenID Connect, OAuth, JOSE and JWT may be the new kids on the block, but many experts and visionaries have already anointed them to replace SAML. Is the wheel being needlessly reinvented or is genuine progress on the horizon?
7. OpenID Connect
• simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications.
• design philosophy: “make simple things simple and make complicated things possible.”
• Wins 2012 European Identity and Cloud Award
• “OpenID Connect the award[ed] Best Innovation/New Standard this year. What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!” - Dave Kearns
• “spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.”
http://openid.net/2012/04/18/openid-connect-wins-2012-european-identity-and-cloud-award/
8. May, 2010: Conceptual Debut of Connect
• time elapses
• February, 2012: 1st Implementer’s Drafts
• March 2012: https://twitter.com/__b_c/status/181884679513833473
  three nerds holding a blurry piece of paper... (*Disclaimer: this guy also ‘works’ for Ping. And I know these guys reasonably well from various initiatives.)
  http://www.thread-safe.com/2012/04/openid-connect-wins-2012-european.html
  “The OpenID Connect specifications are expected to be completed in the second half of 2012.” @selfissued @_nat_en @ve7jtb
• time elapses
• May, 2013: 2nd Implementer’s Drafts
• …?
14. Discovery
• Client / Relying Party: gets an access token & an ID Token (JWT) from the Authorization Server, uses the access token at the Resource Server, and validates the ID Token (JWT) against the Authorization Server’s JWKS Endpoint.
• Authorization Server (Identity Provider or IDP or OpenID Provider or OP):
  • Important Stuff: Authorization Endpoint, Token Endpoint, Userinfo Endpoint, Registration Endpoint, JWKS Endpoint
  • Discovery: /.well-known/webfinger, /.well-known/openid-configuration
  • Check Session IFrame, End Session Endpoint
• Resource Server: accepts the access token presented by the Client.
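The Relying Party’s “Validate (JWT) ID Token” step from the diagram above, as an added example that is not code from the original deck or from Ping Identity. It assumes a constructed discovery document (`DISCOVERY`, issuer `https://op.example`), an assumed client registration (`CLIENT_ID`, `CLIENT_SECRET`), and, so that it runs with only the standard library, an ID Token signed with HS256 using the client secret as key (which OIDC Core permits) instead of an RSA key fetched from the JWKS Endpoint the diagram shows. `issue_id_token` is a test fixture standing in for the OP’s Token Endpoint; `validate_id_token` is the RP-side check.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for what GET /.well-known/openid-configuration would return.
DISCOVERY = {
    "issuer": "https://op.example",
    "authorization_endpoint": "https://op.example/authorize",
    "token_endpoint": "https://op.example/token",
    "userinfo_endpoint": "https://op.example/userinfo",
    "jwks_uri": "https://op.example/jwks",
    "end_session_endpoint": "https://op.example/logout",
    "id_token_signing_alg_values_supported": ["HS256"],
}

CLIENT_ID = "rp-client-id"                                   # assumed RP identifier
CLIENT_SECRET = b"assumed-shared-secret-from-registration"   # assumed; HS256 key per OIDC Core 10.1


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT the way the OP's Token Endpoint would (test fixture, not an OP)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, secret: bytes, expected_nonce: str, now=None) -> dict:
    """Verify the signature and the claims OIDC Core 3.1.3.7 requires the RP to check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to what this RP registered for; never let the token's own
    # "alg" header choose the verification routine (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    # iss must equal the issuer learned from discovery, not a value taken from the token.
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud
    if not aud or CLIENT_ID not in aud:
        raise ValueError("audience does not include this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        raise ValueError("iat is in the future (allowing 60s skew)")
    # nonce binds the token to the authentication request the RP actually sent.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_id_token({"iss": DISCOVERY["issuer"], "sub": "alice", "aud": CLIENT_ID,
                          "exp": now + 300, "iat": now, "nonce": "n-1"}, CLIENT_SECRET)
    print(validate_id_token(tok, CLIENT_SECRET, "n-1")["sub"])
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so a forged payload never influences which issuer or key the RP trusts. A production RP would replace the HS256 branch with an RS256 check against the key whose `kid` it fetched from `jwks_uri`, keeping the same claim checks.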