OpenID Connect Federation Progress at TNC19

This post is by Mike Jones from Mike Jones: self-issued

Check out the post OpenID Connect Federation Progress describing the recent updates that Roland Hedberg and I made to the OpenID Connect Federation 1.0 specification. We used the TNC19 conference – a gathering of federation experts – as a venue to get together to review and refine the specification. Besides getting lots done on the spec, I also really enjoyed the TNC conference and its attendees!

Given that the syntax and semantics should now be stable, it’s my hope that early adopters will start kicking the tires – building implementations and making trial deployments. I can’t wait for the useful feedback that results!

OpenID Presentations at 2019 European Identity and Cloud (EIC) Conference

I gave the following presentations at the May 14, 2019 OpenID Workshop at the 2019 European Identity and Cloud (EIC) conference:

This deck was also prepared but not presented, due to time limitations:

Azure Active Directory Achieves OpenID Certification

I’m delighted to report that Azure Active Directory (AAD) has achieved OpenID Certification. This is true both of the AAD V1 identity provider, which enables sign-in with organization identities, and the AAD V2 identity provider, which enables sign-in with both personal and organizational identities. See the certification listings and the Microsoft identity platform announcement.

While AAD has supported OpenID Connect for years, the push to achieve OpenID Certification closed a number of gaps in AAD’s feature set — most notably, adding support for the UserInfo Endpoint to AAD V2. This work was part of Microsoft’s commitment to utilizing widely-adopted open identity standards. Kudos to the AAD engineering team for bringing this important developer-focused work to completion!

OpenID Presentations at April 2019 OpenID Workshop and IIW

I gave the following presentations at the Monday, April 29, 2019 OpenID Workshop at Verizon Media:

I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 30, 2019:

Security Event Token (SET) delivery specifications updated in preparation for IETF 104

The two Security Event Token (SET) delivery specifications have been updated to address working group feedback received, in preparation for discussions at IETF 104 in Prague. The Push Delivery spec went through working group last call (WGLC). It has been updated to incorporate the WGLC comments. Changes made are summarized in the spec change log, the contents of which were also posted to the working group mailing list. Thanks to Annabelle Backman for the edits to the Push Delivery spec.

It’s worth noting that the Push Delivery spec and the Security Event Token (SET) are now being used in early Risk and Incident Sharing and Coordination (RISC) deployments, including between Google and Adobe. See the article about these deployments by Mat Honan of BuzzFeed.

Changes to the Poll Delivery spec are also summarized in that spec’s change log, which contains:

OpenID Connect Federation Specification

The OpenID Connect Federation 1.0 specification is being developed to enable large-scale federations to be deployed using OpenID Connect. It enables trust among federation participants to be established through signed statements made by federation operators about federation participants.

The design of this specification builds upon the experiences gained in operating large-scale SAML 2.0 federations, and indeed, is authored by people having practical experience with these federations. The primary authors are Roland Hedberg and Andreas Åkre Solberg, with additional contributions by Samuel Gulliksson, John Bradley, and myself, as well as members of the OpenID Connect working group, which is the home of the specification.

A key innovation that differentiates OpenID Connect federations from most SAML 2.0 federations is that OpenID Connect federation employs hierarchical metadata, where participants directly publish statements about themselves, versus the aggregated metadata approach used by many SAML 2.0 federations, where …

The core Token Binding specs are now RFCs 8471, 8472, and 8473

The IETF Token Binding working group has completed the core Token Binding specifications. These new standards are:

  • RFC 8471: The Token Binding Protocol Version 1.0
  • RFC 8472: Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
  • RFC 8473: Token Binding over HTTP

As Alex Simons recently wrote, it’s time for token binding. Now that the core specs are done, it’s time for platforms and applications to deploy Token Binding. This will enable replacing bearer tokens, which can be stolen and reused, with Token Bound tokens, which are useless if stolen. This is a huge security benefit applicable to any tokens used over TLS, including browser cookies, OAuth access tokens and refresh tokens, and OpenID Connect ID Tokens.

Congratulations especially to the editors Andrei Popov, Dirk Balfanz, Jeff Hodges, Magnus Nyström, and Nick Harper and the chairs John Bradley and Leif Johansson for getting …

Vote to update OpenID IPR Policy document now

A quick reminder that the vote to approve updates to the OpenID IPR Policy document is under way. If you’re an OpenID Foundation member, I encourage you to vote to approve the updates now at https://openid.net/foundation/members/polls/151.

As described in the OpenID Foundation post Proposed Revisions to OpenID IPR Policy Document, the updates enable the use of electronic signatures on contributor agreements instead of requiring on-paper signatures and simplify the descriptions of working group contributors, all without changing the IPR rights of any party.

The foundation needs 30% of the membership to vote in order for the changes to take effect, so please take a moment and vote now. Thanks!

It’s Time for Token Binding

Check out Alex Simons’ and Pamela Dingle’s blog post “It’s Time for Token Binding”. Now that the IETF Token Binding specs are essentially done, it’s time to ask those who write TLS software you use to ship Token Binding support soon, if they haven’t already done so.

Token Binding in a nutshell: When an attacker steals a bearer token sent over TLS, he can use it; when an attacker steals a Token Bound token, it’s useless to him.

Security Event Token (SET) is now RFC 8417

The Security Event Token (SET) specification is now RFC 8417. The abstract describes the specification as:

This specification defines the Security Event Token (SET) data structure. A SET describes statements of fact from the perspective of an issuer about a subject. These statements of fact represent an event that occurred directly to or about a security subject, for example, a statement about the issuance or revocation of a token on behalf of a subject. This specification is intended to enable representing security- and identity-related events. A SET is a JSON Web Token (JWT), which can be optionally signed and/or encrypted. SETs can be distributed via protocols such as HTTP.

SETs are already in use to represent OpenID Connect Back-Channel Logout tokens and to represent Risk and Incident Sharing and Coordination (RISC) events. Thanks to my co-editors, members of the IETF ID Events mailing list, and members of the IETF Security …

OpenID Connect Token Binding Specification Updated

The OpenID Connect Token Bound Authentication specification has been updated in response to developer feedback and in anticipation of the IETF Token Binding specifications finishing. Changes were:

  • Adjusted the metadata to indicate supported confirmation method hash algorithms for Token Binding IDs in ID Tokens.
  • Updated references for draft-ietf-tokbind-protocol to -19, draft-ietf-tokbind-https to -17, draft-ietf-oauth-token-binding to -07, and draft-ietf-oauth-discovery to -10.
  • Explicitly stated that the base64url encoding of the “tbh” value doesn’t include any trailing pad characters, line breaks, whitespace, etc.

(The representation of the Token Binding ID in the ID Token is unchanged.)

Thanks to Brian Campbell for doing the editing for this draft.
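As an added example (my own code, not from the specification or its editors), here is how a relying party can check the “tbh” confirmation value carried in an ID Token against the Token Binding ID it observed at the TLS layer, rejecting padded or otherwise non-canonical encodings as the third change above requires. It assumes the SHA-256 confirmation hash defined in draft-ietf-oauth-token-binding; the Token Binding ID bytes and the ID Token claims are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# Constructed placeholder for the Provided Token Binding ID the RP saw at the TLS
# layer (a real one is an RFC 8471 TokenBindingID structure, not these bytes).
SAMPLE_TOKEN_BINDING_ID = bytes(range(64))

_B64URL_NOPAD = re.compile(r"^[A-Za-z0-9_-]+$")

def b64url_nopad(data: bytes) -> str:
    """base64url without trailing '=' pad characters, as the draft requires for "tbh"."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def tbh_for(token_binding_id: bytes) -> str:
    """Compute the confirmation value: base64url(SHA-256(Token Binding ID))."""
    return b64url_nopad(hashlib.sha256(token_binding_id).digest())

def decode_tbh(tbh) -> Optional[bytes]:
    """Strictly decode a "tbh" value; None if it is not canonical unpadded base64url.

    Rejects pad characters, whitespace, line breaks and any non-alphabet character,
    and requires a SHA-256 digest (32 bytes, which is 43 characters unpadded).
    """
    if not isinstance(tbh, str) or len(tbh) != 43 or not _B64URL_NOPAD.match(tbh):
        return None
    raw = base64.urlsafe_b64decode(tbh + "=" * (-len(tbh) % 4))
    # Round-trip guards against non-canonical trailing bits in the last character.
    if len(raw) != 32 or b64url_nopad(raw) != tbh:
        return None
    return raw

def id_token_bound_to(claims: dict, observed_token_binding_id: bytes) -> bool:
    """True only if claims["cnf"]["tbh"] matches the Token Binding ID of this TLS connection."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    expected = decode_tbh(cnf.get("tbh"))
    if expected is None:
        return False
    actual = hashlib.sha256(observed_token_binding_id).digest()
    return hmac.compare_digest(expected, actual)

# Constructed ID Token claims; signature verification is assumed to have happened first.
SAMPLE_CLAIMS = {
    "iss": "https://op.example", "sub": "alice", "aud": "rp-client-id",
    "cnf": {"tbh": tbh_for(SAMPLE_TOKEN_BINDING_ID)},
}
```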

The specification is available at:

OAuth 2.0 Authorization Server Metadata is now RFC 8414

The OAuth 2.0 Authorization Server Metadata specification is now RFC 8414. The abstract describes the specification as:

This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.

The specification defines a JSON metadata representation for OAuth 2.0 authorization servers that is compatible with OpenID Connect Discovery 1.0. This specification is a true instance of standardizing existing practice. OAuth 2.0 deployments have been using the OpenID Connect metadata format to describe their endpoints and capabilities for years. This RFC makes this existing practice a standard.

Having a standard OAuth metadata format makes it easier for OAuth clients to configure connections to OAuth authorization servers. See https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata for the initial set of registered metadata values.
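An added example (my own code, not from RFC 8414 or any OAuth library) of the client side of this: deriving the metadata location from an issuer identifier, including an issuer with a path component, and rejecting a document whose issuer value does not match the one the client started from, a check RFC 8414 requires so that a misconfigured or impersonating host cannot redirect token flows. The sample documents are constructed.

```python
import json
from typing import Optional
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/oauth-authorization-server"

def metadata_url_for(issuer: str) -> str:
    """RFC 8414 section 3: the well-known path goes between the host and the issuer's path."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL with no query or fragment")
    return f"https://{parts.netloc}{WELL_KNOWN_PATH}{parts.path.rstrip('/')}"

def validate_metadata(issuer: str, body: str) -> Optional[dict]:
    """Parse a metadata document and apply the issuer check of RFC 8414 section 3.3.

    Returns the parsed metadata, or None if the client must reject it.
    """
    try:
        md = json.loads(body)
    except ValueError:
        return None
    if not isinstance(md, dict):
        return None
    # "issuer" and "response_types_supported" are REQUIRED; the issuer MUST be
    # identical to the value used to build the discovery URL.
    if md.get("issuer") != issuer or not isinstance(md.get("response_types_supported"), list):
        return None
    # Every advertised endpoint must itself be https so a bad document cannot
    # downgrade the authorization or token exchange.
    for key, value in md.items():
        if key.endswith("_endpoint") and urlsplit(str(value)).scheme != "https":
            return None
    return md

# Constructed sample documents, not from any real authorization server.
_BASE = {
    "issuer": "https://as.example/issuer1",
    "authorization_endpoint": "https://as.example/issuer1/authorize",
    "token_endpoint": "https://as.example/issuer1/token",
    "jwks_uri": "https://as.example/issuer1/jwks",
    "response_types_supported": ["code"],
}
GOOD_DOC = json.dumps(_BASE)
# Same document with a different issuer, as a misconfigured or impersonating host would serve.
WRONG_ISSUER_DOC = json.dumps({**_BASE, "issuer": "https://other.example/issuer1"})
```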

Thanks to all of …

OpenID Connect News, Overview, Certification, and Action Items at June 2018 Identiverse Conference

I gave the following presentation during the June 2018 Identiverse Conference:

News included:

Action items included:

Ongoing recognition for the impact of OpenID Connect and OpenID Certification

This week the OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. This is actually the second award for the OpenID Certification program this year and only the latest in a series of awards recognizing the value and impact of OpenID Connect and certification of its implementations.

On this occasion, I thought I’d take the opportunity to recount the awards that OpenID Connect, the specifications underlying it, and its certification program have been granted. To date, they are:


OpenID Certification wins 2018 European Identity and Cloud Award

The OpenID Certification program won the 2018 European Identity and Cloud Award for Best Innovation at the European Identity and Cloud (EIC) conference. See the award announcement by the OpenID Foundation for more details. This is actually the second award this year for the OpenID Certification program.

The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to Kuppinger Cole for recognizing the impact of the OpenID Certification program!

Photos: EIC 2018 Award; EIC 2018 Award Certificate; EIC 2018 Award (John Bradley, Mike Jones, Nat Sakimura); EIC 2018 Award (Don Thibeau); EIC 2018 Award (State); EIC 2018 Award (Don Thibeau, George Fletcher, Mike Jones, John Bradley, Nat Sakimura).

OpenID Presentations at May 2018 European Identity and Cloud Conference (EIC)

I gave the following presentations during the OpenID workshop at the May 2018 European Identity and Cloud Conference (EIC):

OpenID Presentations at April 2018 OpenID Workshop and IIW

I gave the following presentations at the Monday, April 2, 2018 OpenID Workshop at Oracle:

I also gave the following invited “101” session presentation at the Internet Identity Workshop (IIW) on Tuesday, April 3, 2018:

OpenID Certification wins the 2018 Identity Innovation Award

I’m thrilled that the OpenID Certification program has won the 2018 Identity Innovation Award at the IDnext conference. See the award announcement by the OpenID Foundation for more details.

The award recognizes that the OpenID Certification program has become a significant global force promoting high-quality, secure, interoperable OpenID Connect implementations. Its innovative use of self-certification using freely available online tools has made testing the quality of OpenID Connect implementations simple, effective, and commonplace. Thanks to IDnext for recognizing the impact of the OpenID Certification program!

Photos: Identity Innovation Award; Identity Innovation Award Presentation.

What Does Logout Mean?

Digital identity systems almost universally support end-users logging into applications, and many also support logging out of them. But while login is reasonably well understood, there are many different kinds of semantics for “logout” in different use cases and a wide variety of mechanisms for effecting logouts.

I led a discussion on the topic “What Does Logout Mean?” at the 2018 OAuth Security Workshop in Trento, Italy, which was held the week before IETF 101, to explore this topic. The session was intentionally a highly interactive conversation, gathering information from the experts at the workshop to expand our collective understanding of the topic. Brock Allen – a practicing application security architect (and MVP for ASP.NET/IIS) – significantly contributed to the materials used to seed the discussion. And Nat Sakimura took detailed notes to record what we learned during the discussion.

Feedback on the discussion was uniformly positive.