The announcement that the OpenID Foundation membership had ratified the OpenID Connect standard marks a major milestone in the evolution of digital identities.
Organizations that have been holding off on using OpenID Connect because it wasn’t yet an “official standard” should now feel comfortable using it. OpenID Connect has been stable for a couple of years. It has been through 5 rounds of identity-community interoperability testing and is being used in production by companies such as Google and Deutsche Telekom.
In a world where digital connections are becoming ubiquitous, the ability to create and evolve “networking” standards to meet new needs has become a more important skill. In creating OpenID Connect, the third generation of OpenID protocols, the OpenID Foundation managed to balance having a core team that is small enough to keep the standard concise and internally consistent with being part of a community that is large enough to vet the standard and drive adoption. This in itself is a major accomplishment. Some standards organizations bring too many “cooks” into the process too soon.
OpenID Connect has been designed like the game of Go. It makes it very easy to do simple things, such as enabling a website to accept OpenID Connect identities, yet also makes it possible for organizations to support more complex use cases, including issuing secure (higher level of assurance, LOA) identities. Like SAML, it supports signed and encrypted tokens, but OpenID Connect tokens are designed for today’s REST-based application development practices. It uses the new compact JSON Web Tokens (JWTs), which can be digitally signed or encrypted, for ID tokens and OAuth access tokens. JWTs, in turn, rely on the new JOSE (JSON Object Signing and Encryption) specifications.
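As an added illustration (not code from this post, from Gartner, or from the OpenID Foundation), here is what consuming one of those JWTs looks like on the relying-party side: a minimal ID token is minted in JOSE compact serialization and then validated the way OpenID Connect Core requires, checking the signature, `iss`, `aud` (and `azp` when there are several audiences), `exp` and `nonce`. It uses HS256 keyed with the client secret so that it runs on the Python standard library alone; the issuer URL, client ID, secret and claim values are constructed placeholders, and a production relying party would normally verify an RS256 signature against the keys the provider publishes at its JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# --- JOSE compact serialization helpers (base64url, no '=' padding) ---
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _json_bytes(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")

def mint_id_token(claims: dict, client_secret: bytes) -> str:
    """Provider side: header.payload.signature, HS256 keyed with the client secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_json_bytes(header)) + "." + b64url_encode(_json_bytes(claims))
    mac = hmac.new(client_secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_id_token(token: str, client_secret: bytes, issuer: str, client_id: str,
                    nonce: str, now=None) -> dict:
    """Relying-party side: return the claims if every check passes, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    # 1. Pin the algorithm: anything other than the one we negotiated is rejected,
    #    which covers unsigned tokens and algorithm-substitution.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # 2. Verify the signature over the raw header.payload text before trusting the payload.
    expected = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    # 3. Claim checks from OpenID Connect Core, ID token validation.
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("audience mismatch")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp required and must match client_id")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims

def check_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """Report the outcome as a tuple instead of raising; handy for logging and tests."""
    try:
        return "accepted", verify_id_token(token, client_secret, issuer, client_id, nonce, now)
    except ValueError as err:
        return "rejected", str(err)

# Constructed sample values (placeholders, not from any real provider).
SECRET = b"constructed-client-secret"
ISSUER = "https://op.example"
CLIENT_ID = "client-abc"
NONCE = "n-0S6_WzA2Mj"
NOW = 1700000000
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
                 "iat": NOW, "exp": NOW + 300, "nonce": NONCE}

if __name__ == "__main__":
    token = mint_id_token(SAMPLE_CLAIMS, SECRET)
    print(token)
    print(check_id_token(token, SECRET, ISSUER, CLIENT_ID, NONCE, NOW))
    print(check_id_token(token, SECRET, ISSUER, CLIENT_ID, NONCE, NOW + 301))  # expired
```

The order of the checks matters: the algorithm is pinned and the signature verified over the untouched base64url text before the payload is ever parsed, so a token whose header or body has been altered never reaches the claim logic.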
OpenID Connect draws on the lessons of many identity standards that preceded it, including SAML, WS-Federation, OAuth and OpenID 2.0. It can be considered a superset profile of OAuth 2.0. So it is new, but it already has the wisdom of experience. OpenID Connect is designed to be much easier to use than SAML. But what is really wonderful about OpenID Connect is that it is good enough. Now, when a group needs to work on a new identity use case (e.g. SSO for mobile), it uses OpenID Connect as a starting point rather than feeling the need to start from scratch.
Kudos to the specification team and to the companies who sponsored them!
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.