
One Small Step for OpenID Connect, a Giant Leap for the Evolution of Identity Management

By Mary Ruddy | February 28, 2014 | 0 Comments

The announcement that the OpenID Foundation membership had ratified the OpenID Connect standard marks a major milestone in the evolution of digital identities.

Organizations that have been holding off on using OpenID Connect because it wasn’t yet an “official standard” should now feel comfortable using it. OpenID Connect has been stable for a couple of years. It has been through five rounds of identity-community interoperability testing and is being used in production by companies such as Google and Deutsche Telekom.

In a world where digital connections are becoming ubiquitous, the ability to create and evolve “networking” standards to meet new needs has become a more important skill. In creating OpenID Connect, the third generation of OpenID protocols, the OpenID Foundation managed to balance having a core team small enough that the standard is concise and internally consistent with being part of a community large enough to vet the standard and drive adoption. This in itself is a major accomplishment. Some standards organizations bring too many “cooks” into the process too soon.

OpenID Connect has been designed like the game of Go: the rules are few, but they compose. It makes it very easy to do simple things such as enabling a website to accept OpenID Connect identities, yet it also makes it possible for organizations to support more complex use cases, including issuing secure (higher level of assurance, or LOA) identities. Like SAML, it supports signed and encrypted tokens, but OpenID Connect tokens are designed for today’s REST-based application development practices. Its ID Token uses the new compact JSON Web Token (JWT) format, which can be digitally signed and optionally encrypted; an OAuth access token may also be a JWT, but the specification leaves the access token’s format to the provider. JWTs in turn rely on the new JOSE (JSON Object Signing and Encryption) family of specifications: JWS for signing, JWE for encryption, JWK for keys and JWA for the algorithm registry.
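The signed ID Token is where the security of the whole flow rests, so the part a relying party must get right is validation, not parsing. The example below is added here and is not code from the post or from the OpenID Foundation. It builds a compact JWS ID Token and then validates it the way OpenID Connect Core section 3.1.3.7 requires: pinned algorithm, signature, issuer, audience (with azp when there are several audiences), expiry, iat and nonce. It uses HS256 keyed with the client_secret, which the spec permits for MAC-based algorithms, so that it runs with only the Python standard library; providers such as the ones named above more commonly use RS256 with keys fetched from their jwks_uri, which needs a crypto library but leaves the claim checks unchanged. The issuer, client ID, secret, subject and nonce values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for this example; they belong to no real provider.
ISSUER = "https://op.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "example-client-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS/JWT require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, client_secret: str) -> str:
    """Produce a compact JWS (header.payload.signature) with HS256.
    OpenID Connect Core 10.1 keys MAC-based algs with the UTF-8 client_secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class IDTokenError(Exception):
    """Raised with the first failed check; callers must treat any failure as a rejected login."""


def verify_id_token(token, client_secret, expected_issuer, client_id, expected_nonce, now=None):
    """Validate a compact JWS ID Token per OpenID Connect Core 3.1.3.7.
    Returns the claims on success, raises IDTokenError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the client registered for; never let the token's header pick it.
    # This rejects alg "none" and algorithm-confusion attempts outright.
    if header.get("alg") != "HS256":
        raise IDTokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(client_secret.encode("utf-8"),
                        (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IDTokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise IDTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise IDTokenError("token not intended for this client")
    # With multiple audiences the spec requires azp, and it must name this client.
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise IDTokenError("azp missing or mismatched")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise IDTokenError("token expired")
    if "iat" not in claims:
        raise IDTokenError("iat missing")
    # The nonce binds this token to the session that started the authentication request.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch (possible replay)")
    return claims


def check(token, expected_nonce, now):
    """Demo helper: None when the token verifies for this client, else the reason it failed."""
    try:
        verify_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, expected_nonce, now)
        return None
    except IDTokenError as err:
        return str(err)


if __name__ == "__main__":
    now = 1393545600  # fixed clock (2014-02-28T00:00:00Z) so the run is deterministic
    claims = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
              "exp": now + 600, "iat": now, "nonce": "n-0S6_WzA2Mj"}
    token = sign_id_token(claims, CLIENT_SECRET)
    print("valid:", check(token, "n-0S6_WzA2Mj", now))
    print("replayed nonce:", check(token, "some-other-nonce", now))
    print("after expiry:", check(token, "n-0S6_WzA2Mj", now + 601))
```

The order of the checks matters: the signature is verified before any claim is read, and the algorithm is fixed by the relying party rather than read from the header, because a token whose header says `none` or names a different algorithm is not a token the provider issued. Everything after the signature check is a comparison against state the client already holds (its registered issuer, its client ID, the nonce it stored in the session), which is why none of it needs a network round trip.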

OpenID Connect draws on lessons from many identity standards that preceded it, including SAML, WS-Federation, OAuth and OpenID 2.0. It is built as an identity layer on top of OAuth 2.0, profiling that protocol rather than replacing it. So it is new, but it already has the wisdom of experience. OpenID Connect is designed to be much easier to use than SAML. But what is really wonderful about OpenID Connect is that it is good enough. Now when a group needs to work on a new identity use case (e.g. SSO for mobile) they use OpenID Connect as a starting point rather than feeling the need to start from scratch.

Kudos to the specification team and to the companies who sponsored them!
