OpenID Connect

1. Session management and logout

In 2017 the three OpenID Connect drafts for session management and logout notification were voted to become Implementer's Drafts:

2. Encrypted request objects

OpenID authentication requests can be optionally signed, or signed and encrypted, by packing their parameters in a JWT.

Support for signed OpenID authentication requests was added in v6.0 of the Connect2id server.

Encrypted OpenID authentication requests keep the request parameters confidential from the end-user and browser.

3. Aggregated and distributed claims

Aggregated and distributed claims are an option for delivering UserInfo claims that originate from third-party OpenID Connect providers rather than from the OpenID provider itself.

OAuth 2.0

1. Client authentication with TLS / X.509 certificate

The OAuth working group is developing a new specification for letting clients authenticate with a TLS / X.509 client certificate to the token endpoint of an OAuth / OpenID Connect server. The issued access token includes a hash (thumbprint) of the client's certificate that binds the token to it, so a stolen token cannot be used by a party that does not hold the certificate and its private key.

Open banking applications in Europe, where X.509 certificate based authentication is required by law, will find this spec indispensable.
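How the certificate binding works on both sides, as an added example that is not Connect2id's code: the authorization server puts the SHA-256 thumbprint of the client's DER-encoded certificate into the token's confirmation claim (the `cnf` / `x5t#S256` format assumed here is the one from the mTLS draft, later RFC 8705), and the resource server recomputes the thumbprint of the certificate presented on the TLS connection and compares the two. The certificate bytes are constructed stand-ins, since the thumbprint is just a hash over the DER encoding.

```python
import base64
import hashlib
import hmac
from typing import Optional


def x5t_s256(cert_der: bytes) -> str:
    """Base64url (unpadded) SHA-256 thumbprint of a DER-encoded certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token_to_cert(claims: dict, cert_der: bytes) -> dict:
    """Authorization server side: add the confirmation claim to the access token claims."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound


def cert_bound_token_ok(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource server side: accept the token only if the TLS client certificate
    on this connection is the one the token was bound to.

    A token without a confirmation claim is rejected here; that is a policy
    choice for a resource that requires certificate-bound tokens."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        return False
    if presented_cert_der is None:  # no client certificate on the connection
        return False
    expected = cnf["x5t#S256"]
    actual = x5t_s256(presented_cert_der)
    return hmac.compare_digest(expected, actual)  # constant-time comparison


# Constructed sample data: stand-ins for the DER bytes of two certificates.
CLIENT_CERT_DER = b"constructed-DER-bytes-of-the-legitimate-client-certificate"
OTHER_CERT_DER = b"constructed-DER-bytes-of-some-other-certificate"

TOKEN_CLAIMS = bind_token_to_cert(
    {"iss": "https://as.example.com", "sub": "client-123", "scope": "read"},
    CLIENT_CERT_DER,
)


def demo():
    """Legitimate client, a party replaying the stolen token with another
    certificate, and a party presenting no certificate at all."""
    return (
        cert_bound_token_ok(TOKEN_CLAIMS, CLIENT_CERT_DER),
        cert_bound_token_ok(TOKEN_CLAIMS, OTHER_CERT_DER),
        cert_bound_token_ok(TOKEN_CLAIMS, None),
    )
```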

2. OAuth 2.0 Token Exchange

The OAuth working group is drafting a protocol for a lightweight HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. See draft-ietf-oauth-token-exchange.

Security events

Support for security event tokens will be gradually added to the Connect2id server so that login and client activity data can be fed into SIEM and other systems.

Comments, suggestions?

Please post your comment below, or write to Connect2id support.