1. OpenID Connect

1.1 Front and back-channel logout

In 2017 the new OpenID Connect drafts on front and back-channel logout were voted into implementer’s status:

1.2 Encrypted request objects

OpenID authentication requests can be optionally signed, or signed and encrypted, by packing their parameters in a JWT.

Support for signed OpenID authentication requests was added in v6.0 of the Connect2id server.

Encrypted OpenID authentication requests keep the request parameters confidential from the end-user and browser.

2. OAuth 2.0

2.1 OAuth 2.0 Token Exchange

The OAuth working group is drafting a protocol for a lightweight HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. See draft-ietf-oauth-token-exchange.

2.2 OAuth 2.0 Device Flow

The OAuth working group is also developing a special flow tailored for browserless and input-constrained devices, such as smart TVs, media consoles and printers. The authorisation request is performed on a secondary device, such as a smartphone. Direct communication between the constrained device and the user’s secondary device is not required. See draft-ietf-oauth-device-flow-05
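As an added illustration (not Connect2id code, and a simplified in-memory model rather than a real server), the three steps of the device flow described above, including the polling-interval, expiry and single-use checks the authorisation server makes. The verification URI, client name and token lifetimes are assumed.

```python
import secrets
import time

class DeviceFlowAuthorizationServer:
    """Minimal model of the device authorization grant (draft-ietf-oauth-device-flow)."""

    def __init__(self, interval=5, lifetime=600, clock=time.time):
        self.interval = interval    # minimum seconds between token endpoint polls
        self.lifetime = lifetime    # device_code validity in seconds
        self.clock = clock          # injectable clock, so the flow can be tested offline
        self.pending = {}           # device_code -> pending request record
        self.by_user_code = {}      # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: the constrained device requests a device_code and a short user_code."""
        device_code = secrets.token_urlsafe(32)
        user_code = "%s-%s" % (secrets.token_hex(2).upper(), secrets.token_hex(2).upper())
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "status": "pending", "issued": self.clock(),
                                     "last_poll": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example.com/device",  # assumed URI
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decision(self, user_code, approved):
        """Step 2: the end-user enters the user_code on a secondary device and approves/denies."""
        device_code = self.by_user_code.pop(user_code, None)  # a user_code is single use
        if device_code is None:
            return False
        self.pending[device_code]["status"] = "approved" if approved else "denied"
        return True

    def token(self, device_code, client_id):
        """Step 3: the device polls the token endpoint; errors use the draft's error codes."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - rec["issued"] > self.lifetime:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}        # client must back off before polling again
        rec["last_poll"] = now
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.pending[device_code]            # device_code is consumed on a final answer
        if rec["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": rec["scope"], "expires_in": 3600}
```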


3.1 Ed25519 digital signatures

Benchmarks with the new Curve25519 revealed that digital signing with it is 22x faster than the current ECDSA signing with P-256. Verification was also faster, at 14x. The Ed25519 JWS algorithm will speed up the issuance and processing of ID tokens and self-contained (JWT-encoded) access tokens.

Comments, suggestions?

Please post your comment below, or write to Connect2id support.
