OpenID Connect

1. Session management support

The OpenID Connect working group is drafting an extension to let client applications manage end-user sessions, including logout. We intend to implement it once the specification becomes final or sufficiently stable.

2. Pairwise identifiers

The Connect2id server supports the default public identifiers for users. Pairwise identifiers is an alternative identifier type for strengthened end-user privacy. Scheduled for Connect2id server v6.

3. Encrypted ID tokens

The Connect2id server issued signed (JWS) ID tokens. Adding encryption (JWT) to them can ensure the confidentiality of issued identity information. We don't see much demand for that at present and ID token encryption is likely to be implemented in a later release of the Connect2id server.

4. Support optional request and request_object parameters in OpenID Connect authentication requests

These can be used for prepackaged requests from client applications and also as a form of client authentication in the implicit flow. Scheduled for Connect2id server v6.

5. Aggregated and distributed claims

Aggregated and distributed claims is an option for delivering UserInfo claims from third-party OpenID Connect providers.

OAuth 2.0

1. OAuth 2.0 Token Exchange

The OAuth working group is drafting a protocol for a lightweight HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. See draft-ietf-oauth-token-exchange.

2. OAuth 2.0 JWT Authorization Request

Another specification draft that defines an authorisation request using JWT serialisation. The request is sent by value through request parameter or by reference through request_uri parameter that points to the JWT, allowing the request to be optionally signed and encrypted. See draft-ietf-oauth-jwsreq-06.

New storage backends

1. Support for other databases

Currently the Connect2id server requires an LDAP directory to persist its own data, i.e. client registrations and long-lived authorisations (note that this is separate and not related to the user authentication and user data connectors). Version 6 will support additional backends:

  • Local file-based storage (based on Infinispan's single-file store and soft-index store).

  • Amazon DynamoDB

  • Relational (SQL) databases (via a JDBC driver).

2. Infinispan server mode

We are also considering support for Infinispan server mode (via the Hot Rod wire protocol), so that the cache / in-memory layer can be scaled and managed independently from the Connect2id server nodes.

Big data

We are also working on a big data extension to enable plugin of advanced analytics and BI tools. Scheduled for Q3 2016.

Comments, suggestions?

Please post your comment below, or write to Connect2id support.

comments powered by Disqus