The OpenID Foundation and the Open Identity Exchange co-hosted an Open Banking Workshop on Tuesday, January 30, 2018 in London. This presentation is an and overview of the OpenID Foundation and provides updates on the OpenID Connect standard and OpenID Certification Program that was presented by Mike Jones (Microsoft), OpenID Foundation Secretary.
3. OpenID Foundation
• Authors of OAuth, JWT, JWS, OpenID Connect, trust frameworks,
and certification methods and marks. Expertise
• Intellectual Property Rights regime ensures royalty free, mutual
non-assertion covenant of use by everyone. Open
• Industry sustaining sponsorship by Google, KDDI, Microsoft, NRI,
Oracle, PayPal, PingIdentity, Symantec, Verizon and more… Ecosystem
The OpenID Foundation is a non-profit international standard organization of individuals and
companies committed to enabling, promoting, and protecting OpenID technologies. Since
2007, the foundation has served as a public trust in representing the open community of
developers, vendors, and users.
7. What is OpenID Connect?
§ Simple identity layer on top of OAuth 2.0
§ Enables relying parties to verify identity of end-user
§ Enables relying parties to obtain basic profile info
§ REST/JSON interfaces → low barrier to entry
§ See http://openid.net/connect/
8. You’re Probably Already Using OpenID Connect!
§ If you log in at AOL, Deutsche Telekom, France Connect,
Google, Microsoft, mixi, NEC, NTT, Salesforce, Softbank,
Symantec, Verizon, or Yahoo! Japan or have an Android phone,
you’re already using OpenID Connect
o Many other sites and apps large and small also use it
9. OpenID Connect Range
§ Spans use cases, scenarios
o Internet, Enterprise, Mobile, Cloud
§ Spans security & privacy requirements
o From non-sensitive information to highly secure
§ Spans sophistication of claims usage
o From basic default claims to specific requested claims to collecting
claims from multiple sources
§ Maximizes simplicity of implementations
o Uses existing IETF specs: OAuth 2.0, JWT, etc.
o Lets you build only the pieces you need
14. More OpenID Connect Specifications
§ OAuth 2.0 Form Post Response Mode
o Defines how to return OAuth 2.0 Authorization Response parameters
(including OpenID Connect Authentication Response parameters)
using HTML form values that are auto-submitted by the User Agent
using HTTP POST
o A “form post” binding, like SAML and WS-Federation
• An alternative to fragment encoding
o http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
o Completed April 2015
o In production use by Microsoft, Ping Identity, others
15. OpenID Connect Federation (work in progress)
§ OpenID Connect Federation specification
o http://openid.net/specs/openid-connect-federation-1_0.html
o Created by federation expert Roland Hedberg
§ Enables establishment and maintenance of multi-party
federations using OpenID Connect
§ Defines hierarchical JSON-based metadata structures for
federation participants
§ Being prototyped by European federations, including NORDUnet
16. Session Management / Logout (work in progress)
§ Three approaches being pursued by the working group:
o Session Management
• http://openid.net/specs/openid-connect-session-1_0.html
• Uses HTML5 postMessage to send state changes between OP and RP iframes
o Front-Channel Logout
• http://openid.net/specs/openid-connect-frontchannel-1_0.html
• Uses HTTP GET to load image or iframe, triggering logout
• Similar to options in SAML, WS-Federation
o Back-Channel Logout
• http://openid.net/specs/openid-connect-backchannel-1_0.html
• Server-to-communication not using the browser
• Can be used by native applications, which have no active browser
§ All support multiple logged-in sessions from OP at RP
§ Unfortunately, no one approach best for all use cases
§ All became Implementer’s Drafts in March 2017
17. Related Work in Other Working Groups
§ International Government Profile (iGov) Working Group
o Developing OpenID Connect profile for government & high-value
commercial applications
§ Enhanced Authentication Profile (EAP) Working Group
o Enables Token Bound ID Tokens
o Enables integration with FIDO and other phishing-resistant
authentication solutions
§ Financial API (FAPI) Working Group
o Defining JSON schemas, security and privacy recommendations, and
protocols to:
• enable applications to utilize the data stored in the financial account,
• enable applications to interact with the financial account, and
• enable users to control the security and privacy settings.
18. What is OpenID Certification?
§ OpenID Certification enables OpenID Connect implementations
to be certified as meeting the requirements of defined
conformance profiles
§ An OpenID Certification has two components:
o Technical evidence of conformance resulting from testing
o Legal statement of conformance
§ Certified implementations can
use the “OpenID Certified” logo
19. What value does certification provide?
§ Technical:
o Certification testing gives confidence that things will “just work”
o No custom code required to integrate with implementation
o Better for all parties
o Relying parties explicitly asking identity providers to get certified
§ Business:
o Enhances reputation of organization and implementation
o Shows that organization is taking interop seriously
o Customers may choose certified implementations over others
20. Current Conformance Profiles
§ Five conformance profiles of OpenID Providers:
o Basic OpenID Provider
o Implicit OpenID Provider
o Hybrid OpenID Provider
o OpenID Provider Publishing Configuration Information
o Dynamic OpenID Provider
§ Five corresponding conformance profiles of OpenID RPs:
o Basic Relying Party
o Implicit Relying Party
o Hybrid Relying Party
o Relying Party Publishing Configuration Information
o Dynamic Relying Party
21. Who has achieved OP Certification?
• OpenID Provider certifications at
http://openid.net/certification/
#OPs
• 174 profiles certified for
57 implementations by
49 organizations
• Recent additions:
• Auth0, CA, Classmethod,
Cloudentity, Connect2id, Curity,
Hanscan, Identity Automation,
KSIGN, Library of Congress, Mvine,
NRI, NTT, OpenAthens, Optimal Idm,
ProSiebenSat.1, Michael Schwartz,
Filip Skokan, WSO2
• Each entry link to zip file with test
logs and signed legal statement
• Test results available for public
inspection
22. Who has achieved RP Certification?
• Relying Party certifications at
http://openid.net/certification/#RPs
• 44 profiles certified for
18 implementations by
16 organizations
• Recent additions:
• Brock Allen, Damien Bowden,
F5 Networks, Janrain, Karlsruher
Institut für Technologie, Tom
Jones, KSIGN, Manfred Steyer,
NRI, ZmartZone IAM
23. How does OpenID Certification work?
§ Organization decides what profiles it wants to certify to
o For instance, “Basic OP”, “Config OP”, and “Dynamic OP”
§ Runs conformance tests publicly available at
http://op.certification.openid.net/ or
http://rp.certification.openid.net/
§ Once all tests for a profile pass, organization submits
certification request to OpenID Foundation containing:
o Logs from all tests for the profile
o Signed legal declaration that implementation conforms to the profile
§ Organization pays certification fee (for profiles not in pilot
mode)
§ OIDF verifies application is complete and grants certification
§ OIDF lists certification at http://openid.net/certification/ and
registers it in OIXnet at http://oixnet.org/openid-certifications/
24. What does certification cost?
§ Not a profit center for the OpenID Foundation
o Fees there to help cover costs of operating certification program
§ Member price
o $200 per new deployment
§ Non-member price
o $999 per new deployment
o $499 per new deployment of an already-certified implementation
§ Covers as many profiles as you submit within calendar year
§ New profiles in pilot mode are available to members for free
§ Costs described at http://openid.net/certification/fees/
25. What’s next for OpenID Certification?
§ Additional OpenID Connect profiles being developed:
o Form Post Response Mode
o Refresh Token Behaviors
o Session Management, Front-Channel Logout, Back-Channel Logout
o OP-Initiated Login
§ Additional documentation being produced
o By Roland Hedberg and Hans Zandbelt
§ Certification for additional specifications is anticipated:
o E.g., HEART, MODRNA, iGov, EAP, FAPI, etc.
26. OpenID Certification Call to Action
§ Certify your OpenID Connect implementations
§ Help us test the soon-to-come new profiles
§ Join the OpenID Foundation
§ Join the OpenID Connect and other working groups
27. OpenID Connect & Certification Resources
§ OpenID Connect
o http://openid.net/connect/
§ Frequently Asked Questions
o http://openid.net/connect/faq/
§ Working Group Mailing List
o http://lists.openid.net/mailman/listinfo/openid-specs-ab
§ OpenID Certification Program
o http://openid.net/certification/
§ Certified OpenID Connect Implementations Featured for Developers
o http://openid.net/developers/certified/
§ Mike Jones’, Nat Sakimura’s, and John Bradley’s Blogs
o http://self-issued.info/
o http://nat.sakimura.org/
o http://www.thread-safe.com/
28. Discussion
§ How are you using OpenID specifications?
§ What would you like the OpenID Foundation and its working
groups to know?
30. ID Token
§ JWT representing logged-in session
§ Claims:
o iss – Issuer
o sub – Identifier for subject (user)
o aud – Audience for ID Token
o iat – Time token was issued
o exp – Expiration time
o nonce – Mitigates replay attacks
31. Claims Requests
§ Basic requests made using OAuth scopes:
o openid – Declares request is for OpenID Connect
o profile – Requests default profile info
o email – Requests email address & verification status
o address – Requests postal address
o phone – Requests phone number & verification status
o offline_access – Requests Refresh Token issuance
§ Requests for individual claims can be made using JSON
“claims” request parameter
35. Certification of Conformance
• Legal statement by certifier
stating:
• Who is certifying
• What software
• When tested
• Profile tested
• Commits reputation of
certifying organization to
validity of results