1. OpenID Connect

1.1 Front and back-channel logout

In 2017 the new OpenID Connect drafts on front-channel and back-channel logout were voted into Implementer's Draft status.

1.2 Encrypted request objects

OpenID authentication requests can optionally be signed, or signed and encrypted, by packing their parameters into a JWT (a request object).

Support for signed OpenID authentication requests was added in v6.0 of the Connect2id server.

Encrypted OpenID authentication requests keep the request parameters confidential from the end-user and browser.
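The following is an added example, not Connect2id code, showing the signed variant end to end with the Python standard library only: the client packs its authorisation parameters into an HS256-signed request object (OpenID Connect Core allows the client_secret as the HMAC key), passes it in the `request` query parameter, and the OP side verifies it with a pinned algorithm, a constant-time MAC comparison and iss/aud/exp checks. The issuer URL, endpoint, client ID and secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed sample values, not taken from any real deployment.
OP_ISSUER = "https://op.example.com"          # assumed OpenID Provider issuer
AUTHZ_ENDPOINT = OP_ISSUER + "/authorize"    # assumed authorisation endpoint
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-client-secret-at-least-256-bits-long-for-HS256-demo"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def create_request_object(params: dict, client_secret: bytes, now: int) -> str:
    """Client side: pack the authorisation parameters into an HS256-signed JWT.

    iss/aud bind the request object to this client and this OP; exp keeps a
    leaked request object from being replayed indefinitely.
    """
    claims = dict(params)
    claims.update({"iss": params["client_id"], "aud": OP_ISSUER,
                   "iat": now, "exp": now + 300})
    signing_input = b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + b64url(_json(claims))
    mac = hmac.new(client_secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_request_object(jwt: str, client_secret: bytes, now: int) -> dict:
    """OP side: pinned alg, constant-time MAC compare, then iss/aud/exp checks."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        # Pin the expected algorithm rather than trusting the header's alg
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("aud") != OP_ISSUER:
        raise ValueError("request object not intended for this OP")
    if claims.get("iss") != claims.get("client_id"):
        raise ValueError("iss must equal client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("request object expired")
    return claims


def build_authorization_url(request_object: str, client_id: str, response_type: str) -> str:
    # Core requires client_id and response_type to also appear as plain query
    # parameters, matching the values inside the request object
    query = {"client_id": client_id, "response_type": response_type, "request": request_object}
    return AUTHZ_ENDPOINT + "?" + urlencode(query)


if __name__ == "__main__":
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": "https://client.example.com/cb", "scope": "openid email",
              "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj"}
    ro = create_request_object(params, CLIENT_SECRET, now=int(time.time()))
    print(build_authorization_url(ro, CLIENT_ID, "code"))
    print(verify_request_object(ro, CLIENT_SECRET, now=int(time.time())))
```

Signing alone gives the OP integrity and origin assurance but the parameters are still readable in the browser's address bar and history; the encrypted form described above is what hides them, and a JWE layer would wrap the signed JWT produced here.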

2. OAuth 2.0

2.1 Customising the JSON of self-contained access tokens

Self-contained access tokens issued by the Connect2id server are JWT-encoded, using a mix of standard (e.g. "sub", "exp") and non-standard (e.g. "cid" for client ID, or "scp" for scope) claims.

Deployments where the resource servers expect the JWT claims to be in a particular format, for example that of RFC 7662, will be able to configure JOLT transform specs in the Connect2id server.
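As an added illustration of the kind of transform such a spec expresses (this is a Python stand-in written for this page, not JOLT and not Connect2id's implementation), the block below renames the non-standard "cid" and "scp" claims of a constructed access token claims set into the "client_id" and space-delimited "scope" fields of RFC 7662, and derives the "active" flag from the validity window. The issuer and audience URLs are assumed values.

```python
# Constructed claims set in the style of a Connect2id self-contained access token
# ("cid" for client ID, "scp" for scope); issuer and audience URLs are assumed.
SAMPLE_TOKEN_CLAIMS = {
    "iss": "https://c2id.example.com",
    "sub": "alice",
    "aud": ["https://api.example.com"],
    "cid": "s6BhdRkqt3",
    "scp": ["openid", "email", "read"],
    "iat": 1500000000,
    "exp": 1500000600,
    "jti": "tok-0001",
}

# Shift-style spec in the spirit of JOLT: source claim -> target claim, optionally
# paired with a function that reshapes the value.
RFC7662_SPEC = {
    "cid": "client_id",
    "scp": ("scope", lambda scopes: " ".join(scopes)),  # list -> space-delimited string
    "sub": "sub",
    "iss": "iss",
    "aud": "aud",
    "iat": "iat",
    "nbf": "nbf",
    "exp": "exp",
    "jti": "jti",
}


def transform_claims(claims: dict, spec: dict, now: int) -> dict:
    """Rename and reshape JWT claims per spec and add the RFC 7662 'active' flag.

    Claims not listed in the spec are dropped, so the resource server only
    sees the fields it was told to expect. The transform says nothing about
    trust: the JWT signature, issuer and audience must be verified before the
    resulting fields are acted upon.
    """
    out = {}
    for source, target in spec.items():
        if source not in claims:
            continue
        value = claims[source]
        if isinstance(target, tuple):
            target, reshape = target
            value = reshape(value)
        out[target] = value
    not_before = claims.get("nbf", claims.get("iat", 0))
    out["active"] = not_before <= now < claims.get("exp", 0)
    return out


if __name__ == "__main__":
    print(transform_claims(SAMPLE_TOKEN_CLAIMS, RFC7662_SPEC, now=1500000100))
```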

2.2 OAuth 2.0 Token Exchange

The OAuth working group is drafting a protocol for a lightweight HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. See draft-ietf-oauth-token-exchange.
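The added example below (written for this page, not Connect2id code) models the STS side of one token exchange request with in-memory tokens. It shows the distinction the draft draws: a request with only a subject_token yields an impersonation token carrying the subject's identity, while a request that also carries an actor_token yields a delegation token whose "act" claim records the acting party. The token store and token values are constructed; a real STS would validate the incoming tokens cryptographically and apply policy on who may act for whom.

```python
import secrets

# Grant and token type URIs defined in draft-ietf-oauth-token-exchange
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed token store: opaque token value -> claims the STS has already validated
TOKENS = {
    "tok-alice": {"sub": "alice", "scope": ["read", "write"], "aud": "frontend"},
    "tok-svc-b": {"sub": "svc-b", "scope": [], "aud": "frontend"},
}


def token_exchange(form: dict, tokens: dict, issued: dict, now: int) -> dict:
    """Handle one token exchange request; form is the decoded POST body.

    Without actor_token the result is impersonation: the new token carries only
    the subject's identity. With actor_token it is delegation: the new token
    still names the subject and records the acting party in an 'act' claim.
    """
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        return {"error": "invalid_request", "error_description": "unsupported subject_token_type"}
    subject = tokens.get(form.get("subject_token"))
    if subject is None:
        return {"error": "invalid_grant", "error_description": "subject_token not recognised"}

    # Never widen privileges: the requested scope must be a subset of the subject's scope
    requested = form.get("scope", " ".join(subject["scope"])).split()
    if not set(requested) <= set(subject["scope"]):
        return {"error": "invalid_scope"}

    claims = {"sub": subject["sub"], "scope": requested, "iat": now, "exp": now + 600,
              "aud": form.get("audience", subject["aud"])}

    if "actor_token" in form:
        if form.get("actor_token_type") != ACCESS_TOKEN_TYPE:
            return {"error": "invalid_request", "error_description": "unsupported actor_token_type"}
        actor = tokens.get(form["actor_token"])
        if actor is None:
            return {"error": "invalid_grant", "error_description": "actor_token not recognised"}
        claims["act"] = {"sub": actor["sub"]}   # delegation: who is acting on behalf of sub

    token_value = secrets.token_urlsafe(24)
    issued[token_value] = claims
    return {"access_token": token_value, "issued_token_type": ACCESS_TOKEN_TYPE,
            "token_type": "Bearer", "expires_in": 600, "scope": " ".join(requested)}


if __name__ == "__main__":
    store = {}
    print(token_exchange({"grant_type": TOKEN_EXCHANGE_GRANT,
                          "subject_token": "tok-alice", "subject_token_type": ACCESS_TOKEN_TYPE,
                          "actor_token": "tok-svc-b", "actor_token_type": ACCESS_TOKEN_TYPE,
                          "scope": "read", "audience": "backend"}, TOKENS, store, now=1500000000))
    print(store)
```

The scope check is the part worth keeping in mind from a defender's view: an STS that lets a caller request a broader scope than the subject token already carries turns token exchange into a privilege escalation path.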

2.3 OAuth 2.0 Device Flow

The OAuth working group is also developing a special flow tailored for browserless and input-constrained devices, such as smart TVs, media consoles and printers. The authorisation request is performed on a secondary device, such as a smartphone. Communication between the constrained device and the user's secondary device is not required. See draft-ietf-oauth-device-flow-05.
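To make the three legs of that flow concrete, here is an added example (written for this page, not Connect2id's implementation) of a minimal in-memory authorization server: the constrained device obtains a device code and a short user code, the user enters the user code on the secondary device and approves or denies, and the device polls the token endpoint, receiving authorization_pending, slow_down, expired_token or access_denied until a token is issued. The grant type URI and error codes follow the draft; the verification URI and user code alphabet are choices made here.

```python
import secrets

# Grant type URI from draft-ietf-oauth-device-flow; the verification URI is assumed
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
VERIFICATION_URI = "https://as.example.com/device"
# Alphabet without vowels or easily confused characters, so codes are easy to type
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class DeviceFlowServer:
    """Minimal in-memory authorization server for the device flow."""

    def __init__(self, interval: int = 5, lifetime: int = 600):
        self.interval, self.lifetime = interval, lifetime
        self.pending = {}        # device_code -> request record
        self.by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id: str, scope: str, now: int) -> dict:
        # Leg 1: the constrained device asks for a device code and a user code
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
                             for _ in range(2))
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "status": "pending",
                                     "expires": now + self.lifetime, "last_poll": None,
                                     "user_code": user_code}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decision(self, user_code: str, approved: bool, now: int) -> bool:
        # Leg 2: on the secondary device the user types the code and approves or denies
        device_code = self.by_user_code.get(user_code.upper())
        rec = self.pending.get(device_code)
        if rec is None or now >= rec["expires"] or rec["status"] != "pending":
            return False
        rec["status"] = "approved" if approved else "denied"
        return True

    def token(self, form: dict, now: int) -> dict:
        # Leg 3: the device polls the token endpoint with its device_code
        if form.get("grant_type") != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self.pending.get(form.get("device_code"))
        if rec is None or rec["client_id"] != form.get("client_id"):
            return {"error": "invalid_grant"}
        if now >= rec["expires"]:
            self._forget(form["device_code"])
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}   # the client must increase its polling interval
        rec["last_poll"] = now
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        self._forget(form["device_code"])    # the device code is single use either way
        if rec["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}

    def _forget(self, device_code: str) -> None:
        rec = self.pending.pop(device_code)
        self.by_user_code.pop(rec["user_code"], None)
```

The device code is the secret the TV holds and the user code is the short value the user retypes; keeping them separate is what lets the two devices stay unconnected, and it is also why the user code lookup must fail closed on expiry and on reuse.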


3.1 Ed25519 digital signatures

Benchmarks with Ed25519 (the Edwards form of Curve25519) showed that digital signing with it is 22x faster than the current ECDSA signing with P-256. Verification was also faster, at 14x. The Ed25519 JWS algorithm (registered as EdDSA in RFC 8037) will speed up the issuance and processing of ID tokens and self-contained (JWT-encoded) access tokens.

4. Security events

Support for security event tokens will be gradually added to the Connect2id server so that login and client activity data can be fed into SIEM and other systems.

Comments, suggestions?

Please post your comment below, or write to Connect2id support.
