OpenID Connect – The Intro

From IIW

OpenID Connect (T2B)

Convener: Pam Dingle & Justin Richer

Notes-taker(s): Paul Madsen

Tags for the session - technology discussed/ideas considered:

Elevator pitch – protocol framework based on OAuth – adds an identity layer to bare bones OAuth 2.0

The features of OpenID Connect can be divided into

a) those features required for a full platform (e.g. discovery & client registration)

b) standardization of identity pieces (e.g. UserInfo endpoint, id_token)

Note: some of the features defined in OpenID Connect are being fed back into the OAuth WG working on evolution of OAuth 2.0

Difference between a client & relying party? A relying party makes a decision based on a token/assertion it receives from elsewhere (an Idp). A client simply uses the token on an API call.

Justin went through the 3-party flow

                                                  User



                     RP                                                           OP                    
 (consumes tokens & attributes)                                                (issued tokens)

OpenID 2.0 – focused on front-channel

OAuth 2.0 – focused on back-channel

OpenID Connect – closer to OAuth 2.0


OP returns

  • id_token
    • JWT carries issuer, userid etc
    • Logically similar to SAML assertion
  • access token
    • Used on API call to UserInfo to retrieve attributes
    • Theoretically also used on calls to arbitrary APIs

Pam makes the point that OAuth & OpenID Connect makes different assumptions about how to apportion complexity between the OP/IdP & RP/SP than does SAML.

Question – what is the diff between the info in the id_token and that returned by the UserInfo? The former is bound to a session, with a small set of claims, the latter more long-lived.

OpenID Request Object allows relying party to describe its conditions

Phil Hunt asks about live deployments. Mike replied with description of ongoing interop tests at http://osis.idcommons.net