OpenID Connect

1. Session management support

The OpenID Connect work group is drafting an extension to let client applications manage end-user sessions, including logout. We intend to implement it once the specification becomes final or sufficiently stable.

2. Pairwise identifiers

The Connect2id server supports the default public identifiers for users. Pairwise identifiers are an alternative identifier type that strengthens end-user privacy: each client (or sector of related clients) receives a different subject identifier for the same user, so two unrelated clients cannot correlate their users by comparing sub values.
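To illustrate what a pairwise subject looks like in practice, here is an added example (not Connect2id code, and not the server's actual derivation, which this page does not describe). It follows the derivation method given as an example in the OpenID Connect Core specification: a hash over the client's sector identifier, the local account id and a server-side salt. The salt value and the subject_for/sector_identifier function names are constructed for the illustration.

```python
import hashlib
from urllib.parse import urlparse

# Constructed salt for this illustration. In a real deployment this is a long
# random secret kept on the server: anyone who learns it can re-derive and
# link pairwise subjects across clients, which defeats the purpose.
PAIRWISE_SALT = b"constructed-salt-for-illustration-only"


def sector_identifier(client_redirect_uris, sector_identifier_uri=None):
    """Sector identifier for a client.

    A client that registered a sector_identifier_uri is grouped by its host;
    otherwise the host of its registered redirect_uri is used. A client with
    redirect URIs on several hosts must register a sector_identifier_uri, so
    that case is rejected rather than silently picking one host.
    """
    if sector_identifier_uri:
        return urlparse(sector_identifier_uri).hostname
    hosts = {urlparse(uri).hostname for uri in client_redirect_uris}
    if len(hosts) != 1:
        raise ValueError("multiple redirect_uri hosts require a sector_identifier_uri")
    return hosts.pop()


def pairwise_sub(local_account_id, sector):
    """Pairwise subject: SHA-256 over sector || local account id || salt, hex-encoded.

    The same user gets the same value for every client in one sector, and an
    unrelated value for clients in a different sector.
    """
    digest = hashlib.sha256()
    digest.update(sector.encode("utf-8"))
    digest.update(local_account_id.encode("utf-8"))
    digest.update(PAIRWISE_SALT)
    return digest.hexdigest()


def subject_for(local_account_id, subject_type, client_redirect_uris,
                sector_identifier_uri=None):
    """Pick the subject identifier to put in the ID token / UserInfo for a client
    registered with the given subject_type ("public" or "pairwise")."""
    if subject_type == "public":
        return local_account_id
    if subject_type == "pairwise":
        sector = sector_identifier(client_redirect_uris, sector_identifier_uri)
        return pairwise_sub(local_account_id, sector)
    raise ValueError(f"unsupported subject_type {subject_type!r}")


if __name__ == "__main__":
    # Two clients on different hosts see different subjects for the same user.
    print(subject_for("alice", "pairwise", ["https://app.example.com/cb"]))
    print(subject_for("alice", "pairwise", ["https://other.example.org/cb"]))
```

Because the derivation is a keyed hash, the server never needs to store a mapping table; the same inputs always yield the same subject, and reversing a subject back to the local account id requires the salt.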

3. Support public client keys

OpenID Connect has an option for client applications to register public JSON Web Keys (JWKs), typically RSA, and use these instead of a shared secret for authentication and for securing the various artifacts passed to and from the server.

4. Encrypted ID tokens

The Connect2id server issues signed (JWS) ID tokens. Adding encryption (JWE) to them can ensure the confidentiality of the issued identity information. We don't see much demand for that at present, and ID token encryption is likely to be implemented in a later release of the Connect2id server.

5. Support optional request and request_object parameters in OpenID Connect authentication requests

These can be used for prepackaged requests from client applications and also as a form of client authentication in the implicit flow.

6. Aggregated and distributed claims

Aggregated and distributed claims are an option for delivering UserInfo claims that originate from third-party claims providers: aggregated claims are embedded in the UserInfo response as a JWT issued by the provider, while distributed claims are referenced by an endpoint (and optional access token) that the client retrieves them from.
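The following added example (not Connect2id code) covers items 5 and 6 together, since both revolve around JWTs carried inside OpenID Connect messages. It builds and verifies a request object and shows the server-side merge rule (values inside the signed object take precedence, while client_id and response_type must still appear as plain OAuth 2.0 parameters and must match), and it flattens a UserInfo response that contains aggregated and distributed claims. HS256 with a shared key is used only so the example runs offline with the standard library; a real deployment would verify against the client's or provider's registered JWK. The function names, the `fetch` callback and all sample values are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS (HS256) over the given claims. Illustrative only: production
    deployments sign with the registered asymmetric JWK rather than a shared key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Verify an HS256 JWS and return its claims. Any other alg, including
    'none', is rejected: the server must only accept the algorithm the client
    or provider registered, never whatever the token header claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


# Item 5: request objects in the authentication request.

def build_request_object(params: dict, client_secret: bytes) -> str:
    """Client side: package the authentication request parameters into a signed JWT."""
    if "request" in params or "request_uri" in params:
        raise ValueError("request and request_uri must not be nested in a request object")
    return sign_jwt(params, client_secret)


def resolve_authz_request(query: dict, client_secret: bytes) -> dict:
    """Server side: merge the plain query parameters with the verified request
    object. Parameters inside the signed object win, but response_type and
    client_id must be present as plain parameters (so the request is still a
    valid OAuth 2.0 request) and must match the object if repeated there."""
    obj = verify_jwt(query["request"], client_secret)
    for name in ("response_type", "client_id"):
        if name not in query:
            raise ValueError(f"{name} missing from the OAuth 2.0 query parameters")
        if name in obj and obj[name] != query[name]:
            raise ValueError(f"{name} in request object does not match the query")
    merged = {k: v for k, v in query.items() if k != "request"}
    merged.update(obj)
    return merged


# Item 6: aggregated and distributed claims in a UserInfo response.

def resolve_userinfo(userinfo: dict, provider_keys: dict, fetch) -> dict:
    """Flatten a UserInfo response. An aggregated source carries a JWT that is
    verified with that provider's key (provider_keys[source]); a distributed
    source names an endpoint and optional access_token, which the injected
    fetch(endpoint, access_token) callback turns into a claims dict. A source
    may only supply the claims that _claim_names assigned to it, so one
    provider cannot override claims belonging to another or to the OP itself."""
    claims = {k: v for k, v in userinfo.items() if k not in ("_claim_names", "_claim_sources")}
    wanted = {}  # source name -> claim names it is responsible for
    for claim, src in userinfo.get("_claim_names", {}).items():
        wanted.setdefault(src, set()).add(claim)
    sources = userinfo.get("_claim_sources", {})
    for src, claim_names in wanted.items():
        spec = sources[src]
        if "JWT" in spec:
            external = verify_jwt(spec["JWT"], provider_keys[src])
        elif "endpoint" in spec:
            external = fetch(spec["endpoint"], spec.get("access_token"))
        else:
            raise ValueError(f"claim source {src!r} has neither JWT nor endpoint")
        for claim in claim_names:
            if claim in external:
                claims[claim] = external[claim]
    return claims
```

The two checks worth noting from a defender's point of view are the algorithm pin in verify_jwt (a token is never allowed to choose its own algorithm) and the per-source allow-list in resolve_userinfo (a claims provider only contributes the claims it was named for, so a distributed endpoint cannot inject or replace the sub or any other claim the OpenID provider asserted itself).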

OAuth 2.0

1. Support for assertion-based OAuth 2.0 grants

The Connect2id server implements the principal OAuth 2.0 authorisation code, implicit, refresh token, resource owner password and client credentials grants. In the next major release we're going to cover the remaining assertion grants: