1. OpenID Connect
1.1 Front and back-channel logout
In 2017 the new OpenID Connect drafts on front and back-channel logout were voted into implementer’s status:
- OpenID Connect Back-Channel Logout 1.0 - draft 04
1.2 Encrypted request objects
OpenID authentication requests can be optionally signed, or signed and encrypted, by packing their parameters in a JWT.
Support for signed OpenID authentication requests was added in v6.0 of the Connect2id server.
Encrypted OpenID authentication requests keep the request parameters confidential from the end-user and browser.
2. OAuth 2.0
2.1 Customising the JSON of self-contained access tokens
Self-contained access tokens issued by the Connect2id server are JWT-encoded, using a mix of standard (e.g. "sub", "exp") and non-standard (e.g. "cid" for client ID, or "scp" for scope) claims.
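The two JWT uses described above, signed request objects (section 1.2) and self-contained access tokens carrying standard plus non-standard claims (section 2.1), as one added worked example. This is example code, not the Connect2id server's own implementation: it signs with HS256 from the Python standard library where a server would normally use an RSA or EC key (HMAC with the client secret is nonetheless a valid way to sign a request object), and the client ID, client secret, server key and issuer URL are constructed sample values. The server-side resolver checks the request object's `iss`/`aud` and the query parameters OAuth requires before letting the JWT's values override the query string; the resource-side check verifies signature, issuer, expiry and scope before trusting the `cid` and `scp` claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (not from the Connect2id server): client credentials, server key, issuer.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-client-secret-of-at-least-32-bytes!!"
SERVER_KEY = b"constructed-server-signing-key-of-32-bytes-or-more"
ISSUER = "https://op.example.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS signed with HMAC-SHA256 (stdlib stand-in for the RSA/EC signing a server would use)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def jws_verify_hs256(token: str, key: bytes) -> dict:
    """Verify a compact JWS and return its claims; any alg other than HS256 is rejected (no 'none' downgrade)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected JWS alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("JWS signature does not verify")
    return json.loads(_b64url_decode(payload_b64))


# --- 1.2: signed request objects (OpenID Connect Core, section 6) ---

def build_request_object(params: dict) -> str:
    """Client side: pack the authorisation request parameters into a JWT for the 'request' parameter."""
    return jws_sign_hs256(dict(params, iss=CLIENT_ID, aud=ISSUER), CLIENT_SECRET)


def resolve_authz_request(query: dict, client_secret: bytes) -> dict:
    """Server side: verify the request object and merge it over the plain query parameters."""
    claims = jws_verify_hs256(query["request"], client_secret)
    if claims.pop("iss", None) != query.get("client_id") or claims.pop("aud", None) != ISSUER:
        raise ValueError("request object iss/aud do not match the client and issuer")
    # response_type and client_id must be in the query string and, if also in the JWT, must match it
    for name in ("response_type", "client_id"):
        if name in claims and claims[name] != query.get(name):
            raise ValueError(f"{name} differs between query string and request object")
    merged = {k: v for k, v in query.items() if k != "request"}
    merged.update(claims)  # values inside the signed JWT take precedence over the query string
    return merged


# --- 2.1: self-contained access tokens with standard and non-standard claims ---

def mint_access_token(subject: str, client_id: str, scope: list, ttl: int, now: int = None) -> str:
    """Issue a JWT access token with standard (iss, sub, iat, exp) and non-standard (cid, scp) claims."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": subject, "iat": now, "exp": now + ttl,
              "cid": client_id,  # non-standard: the client the token was issued to
              "scp": scope}      # non-standard: granted scope values as a JSON array
    return jws_sign_hs256(claims, SERVER_KEY)


def check_access_token(token: str, required_scope: str, now: int = None) -> dict:
    """Resource-side check: signature, then issuer, expiry and scope, before the claims are trusted."""
    now = int(time.time()) if now is None else now
    claims = jws_verify_hs256(token, SERVER_KEY)
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("access token expired")
    if required_scope not in claims.get("scp", []):
        raise ValueError("insufficient scope")
    return claims
```

Note that the resolver strips `iss` and `aud` after checking them, so they cannot leak into the resolved authorisation request, and that a request object signed with the wrong secret, or a query string whose `response_type` disagrees with the JWT, is rejected before any parameter is used.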
2.2 OAuth 2.0 Token Exchange
The OAuth working group is drafting a protocol for a lightweight HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation. See draft-ietf-oauth-token-exchange.
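The impersonation and delegation semantics of the token exchange grant, as an added example of a minimal STS token endpoint in Python. This is example code, not the Connect2id server's implementation: the issuer URL and the table of known tokens are constructed stand-ins for real token validation, and the exchanged token is returned as a claims dictionary rather than a signed JWT. The grant type and token type URNs are those defined by the draft.

```python
# Constructed stand-in for an STS token endpoint implementing the token exchange grant
# (example code, not the Connect2id server's implementation).
ISSUER = "https://op.example.com"  # assumed issuer URL
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ACCESS = "urn:ietf:params:oauth:token-type:access_token"
TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"
NEW_TOKEN_TTL = 600

# Constructed lookup table standing in for validation of the presented tokens.
KNOWN_TOKENS = {
    "tok-alice": {"sub": "alice", "scope": ["read", "write"], "exp": 2000},
    "tok-report-service": {"sub": "report-service", "scope": ["read"], "exp": 2000},
    "tok-expired": {"sub": "bob", "scope": ["read"], "exp": 500},
}


class TokenExchangeError(Exception):
    def __init__(self, code: str, description: str):
        super().__init__(f"{code}: {description}")
        self.code = code  # value of 'error' in the OAuth error response


def _validate_token(token: str, token_type: str, now: int) -> dict:
    """Resolve a presented subject or actor token; invalid or expired tokens are an invalid_request."""
    if token_type != TOKEN_TYPE_ACCESS:
        raise TokenExchangeError("invalid_request", f"unsupported token type {token_type}")
    info = KNOWN_TOKENS.get(token)
    if info is None or info["exp"] <= now:
        raise TokenExchangeError("invalid_request", "token is invalid or expired")
    return info


def token_exchange(form: dict, now: int) -> dict:
    """Handle one token-exchange request; returns the JSON response body with the new token's claims."""
    if form.get("grant_type") != GRANT_TYPE:
        raise TokenExchangeError("unsupported_grant_type", "expected the token exchange grant")
    if "subject_token" not in form or "subject_token_type" not in form:
        raise TokenExchangeError("invalid_request", "subject_token and subject_token_type are required")
    subject = _validate_token(form["subject_token"], form["subject_token_type"], now)

    # The exchanged token may narrow the subject's privileges, never widen them.
    scope = form["scope"].split() if "scope" in form else list(subject["scope"])
    if not set(scope) <= set(subject["scope"]):
        raise TokenExchangeError("invalid_scope", "requested scope exceeds the subject token's scope")

    claims = {"iss": ISSUER, "sub": subject["sub"], "scp": scope, "iat": now, "exp": now + NEW_TOKEN_TTL}
    if "audience" in form:
        claims["aud"] = form["audience"]

    if "actor_token" in form:
        # Delegation: the actor acts on the subject's behalf and is recorded in the 'act' claim,
        # so the resource server can tell who is really calling.
        actor = _validate_token(form["actor_token"], form.get("actor_token_type"), now)
        claims["act"] = {"sub": actor["sub"]}
    # Without an actor token this is impersonation: the new token looks as if issued to the subject directly.

    return {"access_token": claims,  # would be a signed JWT in a real STS; left as plain claims here
            "issued_token_type": TOKEN_TYPE_JWT, "token_type": "Bearer",
            "expires_in": NEW_TOKEN_TTL, "scope": " ".join(scope)}
```

The scope check is the part worth copying: an STS that lets a caller request more scope than the subject token carries turns token exchange into a privilege escalation path, whichever of the two modes is used.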
2.3 OAuth 2.0 Device Flow
The OAuth working group is also developing a special flow tailored for browserless and input-constrained devices, such as smart TVs, media consoles and printers. The authorisation request is performed on a secondary device, such as a smartphone. Communication between the constrained device and the user's secondary device is not required. See draft-ietf-oauth-device-flow-05.
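The device flow exchange between the constrained device, the user's secondary device and the authorisation server, as an added example simulating the server side in Python. This is example code, not the Connect2id server's implementation, and not a complete rendering of the draft: the verification URI is an assumed value, the user-code alphabet and token lifetimes are constructed choices, and the issued access token is a random opaque string. The grant type URN and the `authorization_pending`, `slow_down`, `expired_token` and `access_denied` error codes are those of the draft.

```python
import secrets
import time

# Constructed stand-in for an authorisation server's device flow endpoints
# (example code, not the Connect2id server's implementation).
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
VERIFICATION_URI = "https://op.example.com/device"  # assumed URL shown on the TV screen
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonants only, so a code never spells a word


class DeviceAuthzServer:
    def __init__(self, now_fn=time.time, lifetime=600, interval=5):
        self.now = now_fn
        self.lifetime = lifetime  # seconds a device_code/user_code pair stays valid
        self.interval = interval  # minimum seconds between polls of the token endpoint
        self.grants = {}  # device_code -> pending grant record

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Device endpoint: the constrained device asks for a device_code/user_code pair."""
        device_code = secrets.token_urlsafe(32)  # high entropy; only the device ever sees it
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2))
        self.grants[device_code] = {
            "client_id": client_id, "user_code": user_code, "scope": scope,
            "expires": self.now() + self.lifetime, "status": "pending",
            "sub": None, "last_poll": None, "interval": self.interval}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decision(self, user_code: str, subject: str, approve: bool) -> bool:
        """Verification page on the secondary device: the signed-in user types the short user_code."""
        user_code = user_code.strip().upper()
        for grant in self.grants.values():
            if (grant["user_code"] == user_code and grant["status"] == "pending"
                    and self.now() < grant["expires"]):
                grant["status"] = "approved" if approve else "denied"
                grant["sub"] = subject
                return True
        return False  # unknown, expired or already decided code

    def token(self, form: dict) -> dict:
        """Token endpoint: the device polls with its device_code until the user has decided."""
        if form.get("grant_type") != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        grant = self.grants.get(form.get("device_code"))
        if grant is None or grant["client_id"] != form.get("client_id"):
            return {"error": "invalid_grant"}
        now = self.now()
        if now >= grant["expires"]:
            del self.grants[form["device_code"]]
            return {"error": "expired_token"}
        if grant["last_poll"] is not None and now - grant["last_poll"] < grant["interval"]:
            grant["last_poll"] = now
            grant["interval"] += 5  # device polled too fast: it must back off from now on
            return {"error": "slow_down"}
        grant["last_poll"] = now
        if grant["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.grants[form["device_code"]]  # a decided grant is redeemed exactly once
        if grant["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"], "sub": grant["sub"]}
```

Two points the simulation makes visible: the device and the phone never talk to each other, since the only link between them is the user copying the short `user_code` into the verification page, and the long `device_code` is what actually redeems the grant, so the short code must be guarded by expiry and single use rather than by its own entropy.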
3. JOSE / JWT
3.1 Ed25519 digital signatures
Benchmarks with the new Curve25519 revealed that digital signing with it is 22x faster than the current ECDSA signing with P-256. Verification was also faster, at 14x. The Ed25519 JWS algorithm will speed up the issuing and processing of ID tokens and self-contained (JWT-encoded) access tokens.
4. Security events
Please post your comment below, or write to Connect2id support.