1. Session management and logout
In 2017 the three OpenID Connect drafts for session management and logout notification were voted to become Implementer's Drafts:
- OpenID Connect Back-Channel Logout 1.0 - draft 04
2. Encrypted request objects
OpenID authentication requests can be optionally signed, or signed and encrypted, by packing their parameters in a JWT.
Support for signed OpenID authentication requests was added in v6.0 of the Connect2id server.
Encrypted OpenID authentication requests keep the request parameters confidential from the end-user and browser.
3. Aggregated and distributed claims
Aggregated and distributed claims are an option for delivering UserInfo claims from third-party OpenID Connect providers.
1. Client authentication with TLS / X.509 certificate
The OAuth working group is developing a new specification for letting clients authenticate with TLS / X.509 certificate to the token endpoint of an OAuth / OpenID Connect server. The issued access token includes a hash (thumbprint) that binds it to the client’s certificate, preventing misuse of the token if it’s stolen.
Open banking applications in Europe, where X.509 certificate-based authentication is required by law, will find this spec indispensable.
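As an added example (not Connect2id code), here is the binding check described above as a resource server would perform it: the authorization server puts the SHA-256 thumbprint of the client certificate into the token's `cnf` / `x5t#S256` confirmation claim (the naming used by the OAuth MTLS draft), and the resource server accepts the token only when the certificate presented on the current TLS connection hashes to the same value. The certificate bytes below are constructed stand-ins, not real DER certificates.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for DER-encoded client certificates (not real certs).
CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert-A"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert-B"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_s256(cert_der: bytes) -> str:
    """SHA-256 thumbprint of the DER certificate, base64url-encoded.
    This is the value carried in the token's cnf.x5t#S256 claim."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_bound_claims(client_id: str, cert_der: bytes) -> dict:
    """Authorization server side: mint access token claims bound to the
    certificate the client authenticated with at the token endpoint."""
    return {
        "iss": "https://as.example.com",  # assumed issuer
        "client_id": client_id,
        "cnf": {"x5t#S256": x5t_s256(cert_der)},
    }


def token_bound_to_cert(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource server side: the token is usable only on a TLS connection
    whose client certificate matches the bound thumbprint, so a stolen
    token cannot be replayed from another host. Assumes the token's
    signature was verified before the claims reached this function."""
    expected = claims.get("cnf", {}).get("x5t#S256")
    if not isinstance(expected, str):
        return False  # not certificate-bound: reject under a bound-only policy
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))
```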
2. OAuth 2.0 Token Exchange
The OAuth working group is drafting a protocol for a lightweight HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. See draft-ietf-oauth-token-exchange.
Please post your comment below, or write to Connect2id support.