1. OpenID Connect

1.1 Front and back-channel logout

In 2017 the new OpenID Connect drafts on front and back-channel logout were voted into implementer’s status:

1.2 Encrypted request objects

OpenID authentication requests can be optionally signed, or signed and encrypted, by packing their parameters in a JWT.

Support for signed OpenID authentication requests was added in v6.0 of the Connect2id server.

Encrypted OpenID authentication requests keep the request parameters confidential from the end-user and browser.
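The signed variant described above, as an added example that is not Connect2id code: the client packs its authorisation parameters into a JWT signed with HS256 (HMAC over the client secret, one of the signing options OpenID Connect Core section 6.1 allows), sends it in the `request` parameter, and the server-side function shows the checks needed before the parameters inside the JWT are trusted: pinned algorithm, signature, `iss` equal to the requesting `client_id`, `aud` equal to this OP, expiry, and agreement of `response_type`/`client_id` with the plain query parameters. The issuer URL, `client_id` and secret are constructed; encryption (JWE) is not shown because it needs a JOSE library beyond the standard library.

```python
"""Signed OpenID Connect request object (OIDC Core, section 6.1).

Added example, not Connect2id code.  Only the standard library is used;
ISSUER, CLIENT_ID and CLIENT_SECRET are constructed values.  A real server
would look the client's secret up by the client_id in the query string.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

ISSUER = "https://op.example.com"            # constructed OP issuer URL
CLIENT_ID = "s6BhdRkqt3"                     # constructed client_id
CLIENT_SECRET = b"constructed-client-secret-long-enough-for-hs256"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS serialisation with an HS256 (HMAC-SHA256) signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def build_request_object(params: dict, now: Optional[int] = None) -> str:
    """Client side: wrap the authorisation parameters in a short-lived signed JWT."""
    now = int(time.time()) if now is None else now
    claims = dict(params)
    claims.update({"iss": CLIENT_ID, "aud": ISSUER, "iat": now, "exp": now + 300})
    return sign_hs256(claims, CLIENT_SECRET)


def build_authz_url(params: dict, request_object: str) -> str:
    """response_type and client_id are repeated as plain query parameters so the
    request remains a valid OAuth 2.0 request; everything else travels in the JWT."""
    query = {"response_type": params["response_type"], "client_id": params["client_id"],
             "scope": "openid", "request": request_object}
    return f"{ISSUER}/authorize?{urlencode(query)}"


def verify_request_object(jwt: str, query: dict, key: bytes, now: Optional[int] = None) -> dict:
    """Server side: return the verified claims, or raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":               # pin the algorithm; never honour alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != query.get("client_id"):
        raise ValueError("iss must be the requesting client_id")
    if claims.get("aud") != ISSUER:
        raise ValueError("aud must be this OP")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("request object expired or has no exp")
    for name in ("response_type", "client_id"):    # must agree with the query parameters
        if name in claims and claims[name] != query.get(name):
            raise ValueError(f"{name} in request object differs from query parameter")
    return claims


if __name__ == "__main__":
    params = {"response_type": "code", "client_id": CLIENT_ID, "scope": "openid profile",
              "redirect_uri": "https://rp.example.com/cb", "nonce": "n-0S6_WzA2Mj"}
    ro = build_request_object(params)
    print(build_authz_url(params, ro))
    print(verify_request_object(ro, {"response_type": "code", "client_id": CLIENT_ID}, CLIENT_SECRET))
```

The algorithm check comes before the signature check on purpose: the header is attacker-controlled until the signature has been verified, so the server decides which algorithm it accepts for this client rather than letting the token choose.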

2. OAuth 2.0

2.1 OAuth 2.0 Token Exchange

The OAuth working group is drafting a protocol for a lightweight HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. See draft-ietf-oauth-token-exchange.
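A minimal Security Token Service in the shape the draft describes, as an added example that is not Connect2id code: the `token_exchange` function plays the token endpoint, parses the form-encoded request, validates the subject and (optional) actor tokens, refuses targets it does not serve (`invalid_target`) and any widening of scope, and issues a token whose claims express either impersonation (the new token simply carries the subject's identity) or delegation (an `act` claim naming the acting party, nested when the subject token already carries one). Tokens are opaque handles into a constructed in-memory store that stands in for real token validation; every URL, token and subject is made up.

```python
"""OAuth 2.0 Token Exchange (draft-ietf-oauth-token-exchange) at the AS.

Added example, not Connect2id code.  ISSUER, ALLOWED_TARGETS and the contents
of TOKEN_STORE are constructed; the store stands in for real token validation.
"""
import secrets
from urllib.parse import parse_qs, urlencode

ISSUER = "https://as.example.com"                               # constructed
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
ALLOWED_TARGETS = {"https://api.example.com/orders", "https://api.example.com/shipping"}

# Constructed token store: opaque token -> claims the AS associated with it.
TOKEN_STORE = {
    "alice-token": {"iss": ISSUER, "sub": "alice", "scope": "orders:read orders:write"},
    "billing-token": {"iss": ISSUER, "sub": "billing-service", "scope": "orders:read"},
}


class TokenExchangeError(Exception):
    def __init__(self, error: str, description: str) -> None:
        super().__init__(description)
        self.error, self.description = error, description

    def to_response(self) -> dict:          # RFC 6749 section 5.2 error body (HTTP 400)
        return {"error": self.error, "error_description": self.description}


def build_exchange_request(**params: str) -> str:
    """Client side: form-encoded body for the token endpoint."""
    return urlencode({"grant_type": GRANT_TYPE, **params})


def validate_token(token: str, token_type: str, role: str) -> dict:
    if token_type != ACCESS_TOKEN:
        raise TokenExchangeError("invalid_request", f"unsupported {role}_token_type")
    claims = TOKEN_STORE.get(token)
    if claims is None:   # the draft uses invalid_request for an invalid subject or actor token
        raise TokenExchangeError("invalid_request", f"{role}_token is not valid")
    return claims


def token_exchange(form_body: str) -> dict:
    """Token endpoint: returns the success response or raises TokenExchangeError."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != GRANT_TYPE:
        raise TokenExchangeError("unsupported_grant_type", "expected the token exchange grant")
    if "subject_token" not in form:
        raise TokenExchangeError("invalid_request", "subject_token is required")
    if ("actor_token" in form) != ("actor_token_type" in form):
        raise TokenExchangeError("invalid_request", "actor_token and actor_token_type go together")
    subject = validate_token(form["subject_token"], form.get("subject_token_type", ""), "subject")

    audience = form.get("audience")
    if audience not in ALLOWED_TARGETS:
        raise TokenExchangeError("invalid_target", "audience is not served by this STS")

    # Scope may only be narrowed: the exchanged token never exceeds the subject token's scope.
    granted = set(subject["scope"].split())
    requested = set(form.get("scope", subject["scope"]).split())
    if not requested <= granted:
        raise TokenExchangeError("invalid_scope", "requested scope exceeds the subject token's scope")

    claims = {"iss": ISSUER, "sub": subject["sub"], "aud": audience, "scope": " ".join(sorted(requested))}
    if "actor_token" in form:
        actor = validate_token(form["actor_token"], form["actor_token_type"], "actor")
        # Delegation: the outermost act is the current actor; a prior chain is nested beneath it.
        claims["act"] = {"sub": actor["sub"]}
        if "act" in subject:
            claims["act"]["act"] = subject["act"]

    token = secrets.token_urlsafe(32)
    TOKEN_STORE[token] = claims
    return {"access_token": token, "issued_token_type": ACCESS_TOKEN,
            "token_type": "Bearer", "expires_in": 300}


if __name__ == "__main__":
    body = build_exchange_request(subject_token="alice-token", subject_token_type=ACCESS_TOKEN,
                                  actor_token="billing-token", actor_token_type=ACCESS_TOKEN,
                                  audience="https://api.example.com/orders", scope="orders:read")
    response = token_exchange(body)
    print(response)
    print(TOKEN_STORE[response["access_token"]])   # shows sub=alice with act.sub=billing-service
```

The scope and audience checks are where an STS earns its keep: without them, exchange becomes a way to mint tokens for services or permissions the original token never covered.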

2.2 OAuth 2.0 Device Flow

The OAuth working group is also developing a special flow tailored for browserless and input-constrained devices, such as smart TVs, media consoles and printers. The authorisation request is performed on a secondary device, such as a smartphone. Communication between the constrained device and the user's secondary device is not required. See draft-ietf-oauth-device-flow-05.
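Both sides of the device flow in one runnable simulation, as an added example that is not Connect2id code: the authorization server exposes the device authorization endpoint (returning `device_code`, `user_code`, `verification_uri`, `expires_in` and `interval`) and a token endpoint that answers the device's polling with `authorization_pending`, `slow_down`, `access_denied` or `expired_token`; the device runs the polling loop with the back-off the draft prescribes. A simulated clock replaces real waiting and plays the user's action on the secondary device, so a ten-minute flow runs instantly. The verification URI, client id and user are constructed.

```python
"""OAuth 2.0 Device Flow (draft-ietf-oauth-device-flow), both sides simulated.

Added example, not Connect2id code.  VERIFICATION_URI, the client id "tv-app"
and the user "alice" are constructed; SimClock replaces real time.
"""
import secrets

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
VERIFICATION_URI = "https://op.example.com/device"   # constructed; shown on the device's screen
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"          # no vowels or digits: fewer look-alikes


class SimClock:
    """Fake time: advance() moves the clock and runs user actions scheduled meanwhile."""
    def __init__(self):
        self.t, self.events = 0, []

    def now(self):
        return self.t

    def at(self, when, action):
        self.events.append((when, action))

    def advance(self, seconds):
        self.t += seconds
        due = sorted((e for e in self.events if e[0] <= self.t), key=lambda e: e[0])
        self.events = [e for e in self.events if e[0] > self.t]
        for _, action in due:
            action()


class DeviceAuthorizationServer:
    def __init__(self, clock, lifetime=600, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self.grants = {}        # device_code -> pending grant
        self.by_user_code = {}  # user_code -> device_code
        self.issued = {}        # access_token -> what it was issued for

    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)     # high entropy; never displayed to the user
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"          # short enough to type on a phone
        self.grants[device_code] = {"client_id": client_id, "scope": scope, "status": "pending",
                                    "sub": None, "expires_at": self.clock.now() + self.lifetime,
                                    "last_poll": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code, "verification_uri": VERIFICATION_URI,
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decides(self, user_code, sub, approve):
        """The user opens verification_uri on a phone, authenticates as `sub`, enters the code."""
        grant = self.grants[self.by_user_code[user_code]]
        grant["status"], grant["sub"] = ("approved" if approve else "denied"), sub

    def token(self, form):
        if form.get("grant_type") != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        device_code = form.get("device_code", "")
        grant = self.grants.get(device_code)
        if grant is None or grant["client_id"] != form.get("client_id"):
            return {"error": "invalid_grant"}       # unknown code, or code bound to another client
        now = self.clock.now()
        if now >= grant["expires_at"]:
            self.grants.pop(device_code)
            return {"error": "expired_token"}
        last, grant["last_poll"] = grant["last_poll"], now
        if last is not None and now - last < self.interval:
            return {"error": "slow_down"}           # polled too fast; the device must back off
        if grant["status"] == "pending":
            return {"error": "authorization_pending"}
        self.grants.pop(device_code)                # a decided code is single use either way
        if grant["status"] == "denied":
            return {"error": "access_denied"}
        token = secrets.token_urlsafe(32)
        self.issued[token] = {"sub": grant["sub"], "client_id": grant["client_id"], "scope": grant["scope"]}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": grant["scope"]}


def device_poll(server, clock, client_id, auth):
    """Device side: wait `interval` between polls and add 5 s whenever told to slow down."""
    wait = auth["interval"]
    while True:
        resp = server.token({"grant_type": DEVICE_GRANT, "device_code": auth["device_code"],
                             "client_id": client_id})
        if resp.get("error") == "authorization_pending":
            clock.advance(wait)
        elif resp.get("error") == "slow_down":
            wait += 5
            clock.advance(wait)
        else:
            return resp   # token response, access_denied, expired_token or invalid_grant


def simulate(decision, decision_delay=30):
    """One complete flow; `decision` is 'approve', 'deny' or 'timeout' (the user never shows up)."""
    clock = SimClock()
    server = DeviceAuthorizationServer(clock)
    auth = server.device_authorization("tv-app", "openid profile")
    if decision != "timeout":
        clock.at(decision_delay, lambda: server.user_decides(auth["user_code"], "alice", decision == "approve"))
    return device_poll(server, clock, "tv-app", auth), server
```

Two details matter for security here: the high-entropy `device_code` is the credential being polled with and is never shown to the user, while the short `user_code` is only a lookup key that becomes useless once the grant has been decided or has expired; and the token endpoint enforces the polling interval itself rather than trusting the device to behave.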


3.1 Ed25519 digital signatures

Benchmarks with the new Curve25519 revealed that digital signing with it is 22x faster than the current ECDSA signing with P-256. Verification was also faster, at 14x. The Ed25519 JWS algorithm will speed up the issuing and processing of ID tokens and self-contained (JWT-encoded) access tokens.

4. Security events

Support for security event tokens will be gradually added to the Connect2id server so that login and client activity data can be fed into SIEM and other systems.

5. Backend databases

5.1 DynamoDB

At present the Connect2id server can persist its own data, such as client registrations and authorisations, to an SQL store (MySQL, PostgreSQL) or an LDAP directory, with optional use of Redis as primary in-memory store / cache.

Support for DynamoDB will be added in Q4 of 2017 to enable simple and highly-scalable deployments of the Connect2id server in the AWS cloud.

Comments, suggestions?

Please post your comment below, or write to Connect2id support.
