1. OpenID Connect
1.1 Front and back-channel logout
In 2017 the new OpenID Connect drafts on front and back-channel logout were voted into implementer's draft status:
- OpenID Connect Back-Channel Logout 1.0 - draft 04
1.2 Encrypted request objects
OpenID authentication requests can be optionally signed, or signed and encrypted, by packing their parameters in a JWT.
Support for signed OpenID authentication requests was added in v6.0 of the Connect2id server.
Encrypted OpenID authentication requests keep the request parameters confidential from the end-user and browser.
2. OAuth 2.0
2.1 OAuth 2.0 Token Exchange
The OAuth working group is drafting a protocol for a lightweight HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. See draft-ietf-oauth-token-exchange.
2.2 OAuth 2.0 Device Flow
The OAuth working group is also developing a special flow tailored for browserless and input-constrained devices, such as smart TVs, media consoles and printers. The authorisation request is performed on a secondary device, such as a smartphone. No communication between the constrained device and the user's secondary device is required. See draft-ietf-oauth-device-flow-05.
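To make the three legs of the device flow concrete, here is an added example (not Connect2id code) of a toy in-memory authorisation server: the constrained device obtains a device code and user code, the user approves on a phone by entering the user code, and the device polls the token endpoint, receiving the draft's authorization_pending, slow_down, access_denied and expired_token errors along the way. The verification URI, client id and the injectable clock are constructed assumptions.

```python
import secrets
import time

# Toy authorization server for draft-ietf-oauth-device-flow. Constructed for
# illustration only: state lives in a dict and the clock is injectable for tests.
class DeviceFlowAS:
    def __init__(self, interval=5, lifetime=600, clock=time.time):
        self.interval, self.lifetime, self.clock = interval, lifetime, clock
        self.pending = {}  # device_code -> per-request state

    # Leg 1: the constrained device (TV, printer) asks for a device code and a
    # short user code it can display; it never talks to the user's phone.
    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "status": "pending", "expires": self.clock() + self.lifetime, "last_poll": 0.0}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example.com/device",  # assumed URI
                "expires_in": self.lifetime, "interval": self.interval}

    # Leg 2: the user opens verification_uri on a secondary device, enters the
    # user code and approves or denies. Only pending requests can be decided.
    def user_decision(self, user_code, approved):
        for st in self.pending.values():
            if st["user_code"] == user_code and st["status"] == "pending":
                st["status"] = "approved" if approved else "denied"
                return True
        return False

    # Leg 3: the constrained device polls the token endpoint with its device code.
    def token(self, client_id, device_code):
        st = self.pending.get(device_code)
        if st is None or st["client_id"] != client_id:
            return {"error": "invalid_grant"}  # unknown code or wrong client
        now = self.clock()
        if now > st["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if now - st["last_poll"] < self.interval:
            st["last_poll"] = now
            return {"error": "slow_down"}  # polled faster than the advertised interval
        st["last_poll"] = now
        if st["status"] == "pending":
            return {"error": "authorization_pending"}  # user has not decided yet
        del self.pending[device_code]  # device code is single use
        if st["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "scope": st["scope"]}
```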
3. JOSE / JWT
3.1 Ed25519 digital signatures
Benchmarks with the new Curve25519 revealed that digital signing with it is 22x faster than the current ECDSA signing with P-256. Verification was also faster, at 14x. The Ed25519 JWS algorithm will speed up the issuance and processing of ID tokens and self-contained (JWT-encoded) access tokens.
4. Security events
5. Backend databases
At present the Connect2id server can persist its own data, such as client registrations and authorisations, to an SQL store (MySQL, PostgreSQL) or an LDAP directory, with optional use of Redis as primary in-memory store / cache.
Support for DynamoDB will be added in Q4 of 2017 to enable simple and highly-scalable deployments of the Connect2id server in the AWS cloud.
Please post your comment below, or write to Connect2id support.