Certified OpenID Connect provider server

Posted 2017-01-09

Last week the Connect2id server received certification for all standard OpenID Connect provider profiles, which also extends to the optional advanced security features that we implemented in 2016:

  • JWT client authentication — Offers a number of security advantages over the common HTTP basic authentication, such as preventing credential leakage if the HTTP request is sent in the plain by accident.
  • Client keys — Clients and relying parties can bring their own assymetric keys (RSA and EC), in order to authenticate with a JWT, or to receive encrypted ID tokens and UserInfo.
  • Encryption — ID token and UserInfo encryption, using a public RSA or EC key registered by the client, or an AES key derived from the client’s secret.
  • Signed authorisation requests — authenticate and integrity-protect the initial OpenID authentication and OAuth 2.0 authorisation requests. Work nicely with public / native clients, regardless of the nature of their registration, to ensure the important parameters get "locked down", and cannot be modified by the end-user or app.
  • Pairwise identifiers — Method (to be used in conjunction with others) that makes it harder for relying parties to correlate the identity of logged in users.

Other organisations that received OpenID provider certification during the same period are Yahoo! Japan and Verizon.

Many thanks to Roland Hedberg, who manages the certification suite at OpenID, for assisting us with the tests, even though it was holiday time, and he probably had better things to do.

We would also like to thank Mike Jones, secretary of the OpenID foundation, for his recognition of Connect2id’s service to the OpenID Foundation and the OpenID community since 2012.


comments powered by Disqus