Roadmap
1. OpenID Connect
1.1 OpenID Connect Client Initiated Backchannel Authentication Flow (CIBA)
CIBA is a new flow for decoupled authorisation of transactions, typically taking place on the user’s smartphone.
At the 2022 OAuth Security Workshop in Trondheim, Norway, several attacks on CIBA-based applications were reported, which prompted the development of a 40+ page Cross Device Flows: Best Current Practices (BCP) document, led by Pieter Kasselman. At the 2023 OAuth Security Workshop in London further types of attacks were reported and the BCP will likely evolve.
Connect2id is currently working on a hardened implementation of CIBA and planning to support a more secure CIBA flow where the end-user is given the possibility to pre-approve the flow by a signal to the Connect2id server.
If you are considering CIBA, contact our technical support to briefly explain your use case and requirements. This information will be fed into the design of the CIBA integration API of the Connect2id server.
2. OAuth 2.0
2.1 OAuth 2.0 for first-party applications
In October 2024 the OAuth working group adopted a new draft to develop an alternative to the password grant, with a flexible flow that would enable the Connect2id server to use arbitrary authentication factors when signing users into mobile and desktop apps.
The new OAuth 2.0 grant for first-party apps will complement the available device SSO capability.
2.2 OAuth Incremental Authorisation
OAuth 2.0 authorisation requests from public clients that include every scope the client might ever need can result in over-scoped authorisation and a bad end-user consent experience.
draft-ietf-oauth-incremental-authz adds support for incremental authorisation, the ability to request specific authorisation scopes as needed, when they’re needed, removing the requirement to request every possible scope that might be needed upfront.
2.3 OAuth 2.0 Device Authorisation Grant
Commonly known as the device flow, this OAuth grant is designed for browserless and input-constrained devices / contexts, such as smart TVs, consoles and printers. The user authorises the client on a secondary device, such as their smartphone or personal computer. See RFC 8628.
The CIBA considerations apply here as well.
2.4 Support for Resource Server specific access token profiles
The Connect2id server supports a number of access token profiles, including the definition of custom profiles; these however cannot be bound to specific resources at present.
2.5 Support device session creation in the password grant
This will enable the native applications that use the resource owner password credentials grant to create device sessions for OpenID Connect native SSO.
3. Key management
3.1 New key store with online key rotation
Connect2id server 17.0 is going to receive a new key store web API enabling online rotation of the software keys. The key store is also going to give deployments the possibility to store the server keys in the database, encrypted with a secret AES key.
The possibility to pass the server keys as a configuration property at Connect2id server startup is going to remain.
4. Performance and scaling
4.1 Stateless authorisation sessions
Optional configuration to enable stateless authorisation sessions, which encrypt the session data into the session identifier itself. This can be used to save database traffic and costs in large deployments.
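An added example, not Connect2id code, of the stateless pattern described in 4.1: the session data is sealed with AES-GCM into a self-contained identifier that the server can authenticate, decrypt and expiry-check without a database lookup. The key, the session fields and the expiry handling are constructed assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// AuthzSession is what a stateful deployment would persist; field set constructed for illustration.
type AuthzSession struct {
	ClientID string   `json:"cid"`
	Subject  string   `json:"sub"`
	Scope    []string `json:"scp"`
	Expiry   int64    `json:"exp"` // Unix seconds, kept inside the ciphertext so it cannot be stripped
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal turns the session into an opaque identifier: base64url(nonce || AES-GCM(session JSON)).
// The GCM tag makes the identifier tamper-evident; the random nonce keeps equal sessions distinct.
func Seal(key []byte, s AuthzSession) (string, error) {
	aead, err := newAEAD(key)
	if err != nil { return "", err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	plain, err := json.Marshal(s)
	if err != nil { return "", err }
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil)), nil
}

// Open authenticates, decrypts and checks expiry (now in Unix seconds); tampering, truncation or a wrong key fails the tag check first.
func Open(key []byte, id string, now int64) (s AuthzSession, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(id)
	if err != nil { return s, err }
	aead, err := newAEAD(key)
	if err != nil { return s, err }
	if len(raw) < aead.NonceSize() { return s, errors.New("session identifier too short") }
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	if err != nil { return s, errors.New("session identifier failed authentication") }
	if err = json.Unmarshal(plain, &s); err != nil { return s, err }
	if now >= s.Expiry { return s, errors.New("authorisation session expired") }
	return s, nil
}
```

Because nothing is stored server-side, such a session cannot be revoked before its embedded expiry, so the lifetime must be kept short; rotating the sealing key also requires an identifier format that names the key version so older sessions can still be opened during the overlap.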
5. PKCS#11 / HSM
5.1 HMAC HSM key support
Support for storing the HMAC Connect2id server key in a PKCS#11 compliant store.
6. Monitoring
6.1 Tracing support
Tracing with Micrometer.io will be added on paths involving OpenID claims retrieval and the most widely used Connect2id server integration APIs.
Comments, suggestions?
Write to Connect2id support.