OpenID Connect

1. Session management support

The OpenID Connect work group is drafting an extension to let client applications manage end-user sessions, including logout. We intend to implement it once the specification becomes final or sufficiently stable.

2. Pairwise identifiers

The Connect2id server supports the default public identifiers for users. Pairwise identifiers are an alternative identifier type that strengthens end-user privacy: each client (or sector of clients) sees a different subject identifier for the same user, so unrelated clients cannot correlate their users.
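To show what a pairwise identifier is, here is an added example (not code from the Connect2id server) that follows the calculation OpenID Connect Core gives as an illustration in its section on pairwise subject identifiers: a hash over the sector identifier, the local account id and a server-side salt. The salt, host names and account names are constructed values.

```python
"""Added example: deriving a pairwise subject identifier, following the
calculation OpenID Connect Core (section 8.1) gives as an example: a hash of
the sector identifier, the local account id and a server-side salt. This is
an illustration only, not the Connect2id server's implementation."""
import hashlib
from typing import Optional
from urllib.parse import urlparse

# Constructed, secret server-side salt. Assumption: it is kept stable, because
# changing it changes every pairwise sub the server has ever issued.
SERVER_SALT = b"constructed-pairwise-salt"


def sector_identifier(redirect_uri: str, sector_identifier_uri: Optional[str] = None) -> str:
    """Host of the registered sector_identifier_uri if the client has one,
    otherwise the host of its redirect_uri. Clients sharing a sector get the
    same sub for a user; clients in different sectors cannot correlate users."""
    host = urlparse(sector_identifier_uri or redirect_uri).hostname
    if not host:
        raise ValueError("URI has no host component")
    return host


def pairwise_sub(local_account_id: str, sector: str, salt: bytes = SERVER_SALT) -> str:
    """sub = SHA-256(sector || 0x00 || local_account_id || 0x00 || salt), hex-encoded.
    The separators keep the sector / account id boundary unambiguous."""
    digest = hashlib.sha256()
    digest.update(sector.encode("utf-8"))
    digest.update(b"\x00")
    digest.update(local_account_id.encode("utf-8"))
    digest.update(b"\x00")
    digest.update(salt)
    return digest.hexdigest()


if __name__ == "__main__":
    # Two clients in the same sector see the same sub for "alice";
    # a client in another sector sees an unrelated value.
    same_sector = sector_identifier("https://app.example.com/cb")
    other_sector = sector_identifier("https://other.example.org/cb")
    print(pairwise_sub("alice", same_sector))
    print(pairwise_sub("alice", other_sector))
```

The public identifier type simply returns the local account id as `sub`; the pairwise type returns the derived value, so the server must keep the salt secret and stable, and must store or recompute the mapping when it needs to find the local account behind a `sub` presented by a client.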

3. Encrypted ID tokens

The Connect2id server issues signed (JWS) ID tokens. Adding encryption (JWT) to them can ensure the confidentiality of the issued identity information. We don't see much demand for that at present, and ID token encryption is likely to be implemented in a later release of the Connect2id server.

4. Support optional request and request_object parameters in OpenID Connect authentication requests

These can be used for prepackaged requests from client applications and also as a form of client authentication in the implicit flow.

5. Aggregated and distributed claims

Aggregated and distributed claims are an option for delivering UserInfo claims that originate from third-party OpenID Connect providers.

OAuth 2.0

1. OAuth 2.0 Discovery

This in-progress specification defines a mechanism for an OAuth 2.0 client to discover the resource owner's OAuth 2.0 authorization server and to obtain the information needed to interact with it, including its OAuth 2.0 endpoint locations and the authorization server's capabilities. See draft-jones-oauth-discovery-01.

2. OAuth 2.0 Token Exchange

This in-progress specification defines a protocol for a lightweight HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. See draft-ietf-oauth-token-exchange.

3. OAuth 2.0 JWT Authorization Request

This in-progress specification defines the authorisation request using JWT serialisation. The request is sent by value through the request parameter, or by reference through the request_uri parameter that points to the JWT, allowing the request to be optionally signed and encrypted. See draft-ietf-oauth-jwsreq-06.
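As an added example covering both the OpenID Connect request object item above and this JWT Authorization Request draft, the following Python (not code from the Connect2id server or from either specification) builds a signed request object, shows the two ways of passing it (by value in `request`, by reference in `request_uri`), and shows the server-side checks: verify the signature, refuse an unexpected `alg`, and confirm that the plain `client_id` and `response_type` query parameters agree with the signed ones. For a standard-library-only demonstration the signature is HS256 with the client secret; the client id, secret, URIs and claim values are constructed, and the in-memory `HOSTED` dictionary stands in for the HTTPS fetch a real server would perform for `request_uri`.

```python
"""Added example: an OAuth 2.0 / OpenID Connect request object (signed JWT)
passed by value in the `request` parameter or by reference via `request_uri`,
with the verification a server performs. HS256 with the client secret is used
so the example needs only the standard library; a real deployment would use
the algorithm the client registered. Illustration, not the Connect2id server's code."""
import base64
import hashlib
import hmac
import json
from typing import Any, Callable, Dict, Optional

# Constructed values, not real credentials.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-client-secret-for-demo"
REQUEST_CLAIMS: Dict[str, Any] = {
    "iss": CLIENT_ID,
    "aud": "https://op.example.com",
    "client_id": CLIENT_ID,
    "response_type": "code",
    "redirect_uri": "https://client.example.com/cb",
    "scope": "openid profile",
    "state": "af0ifjsldkj",
    "nonce": "n-0S6_WzA2Mj",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: Dict[str, Any], secret: bytes) -> str:
    """Serialise the claims as a compact JWS (HS256) for use as a request object."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_request_object(jwt: str, secret: bytes) -> Optional[Dict[str, Any]]:
    """Return the claims if the JWS is well-formed and the MAC verifies, else None."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        if header.get("alg") != "HS256":  # the server, not the token, picks the algorithm
            return None
        expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
        return claims if isinstance(claims, dict) else None
    except (ValueError, TypeError):
        return None


def auth_request_by_value(request_object: str) -> Dict[str, str]:
    """Query parameters when the JWT travels in `request`. OpenID Connect Core
    still requires plain client_id and response_type matching the signed ones."""
    return {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
            "request": request_object}


def auth_request_by_reference(request_uri: str) -> Dict[str, str]:
    """Query parameters when the JWT is hosted and referenced via `request_uri`."""
    return {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
            "request_uri": request_uri}


def resolve_request(params: Dict[str, str], secret: bytes,
                    fetch: Callable[[str], Optional[str]]) -> Optional[Dict[str, Any]]:
    """Server side: obtain the request object by value or by reference, verify it,
    and reject it if the plain parameters disagree with the signed ones."""
    if "request" in params:
        jwt: Optional[str] = params["request"]
    elif "request_uri" in params:
        jwt = fetch(params["request_uri"])
    else:
        return None
    if jwt is None:
        return None
    claims = verify_request_object(jwt, secret)
    if claims is None:
        return None
    for key in ("client_id", "response_type"):
        if claims.get(key) != params.get(key):
            return None
    return claims


# Constructed stand-in for a request object the client hosts for `request_uri`.
HOSTED_REQUEST_URI = "https://client.example.com/requests/abc123"
HOSTED: Dict[str, str] = {HOSTED_REQUEST_URI: sign_request_object(REQUEST_CLAIMS, CLIENT_SECRET)}

if __name__ == "__main__":
    token = sign_request_object(REQUEST_CLAIMS, CLIENT_SECRET)
    print(resolve_request(auth_request_by_value(token), CLIENT_SECRET, HOSTED.get))
    print(resolve_request(auth_request_by_reference(HOSTED_REQUEST_URI), CLIENT_SECRET, HOSTED.get))
```

The cross-check of `client_id` and `response_type` against the signed claims is what makes a request object usable as a form of client authentication in the implicit flow: a party who cannot produce a valid signature for the registered key cannot get the server to accept a request under that client's identity.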

Comments, suggestions?

Please post your comment below, or write to Connect2id support.
