Insights from OpenID Connect Success

 
Lessons Learned from OpenID Connect
 
 
Torsten Lodderstedt
SPRIND, OWF
 
What can people in standardization learn from the success of OpenID Connect?

Easy to use - for developers but also for users
However, OpenID Connect can also be used for complex scenarios - up to LOA High, FAPI
Cooperation - OpenID Connect was built on top of OAuth and JWT (IETF)
Amazing interoperability
Connect OP: 575, Connect RP: 112
Conformance testing is standard now at OIDF
Outstanding security through formal security analysis
Systematic and formal security analysis is standard now at OIDF
Open Standard
Approachable community
 
Celebrating Ten Years of OpenID Connect
 
June 7, 2024
Michael B. Jones
Self-Issued Consulting
 
Looking Back and Looking Forward
 
OpenID Connect became final in February 2014
 
Today I’ll briefly share my thoughts on
How we created OpenID Connect
What we achieved together
Lessons learned
 
In the Beginning
 
Artifact Binding for OpenID 2.0 started in 2010
Hence the openid-specs-ab@lists.openid.net mailing list name
But developers were choosing JSON/REST over XML/SOAP
Pivoted to instead create JSON/REST protocol over OAuth 2.0
Result branded “OpenID Connect” at IIW in May 2011
Five rounds of interop testing between 2011 and 2013!
Specifications refined after each round of interop testing
Early developer feedback was priceless
 
Design Philosophy
 
Keep simple things simple
Make complex things possible
 
The Nov Matake Test
 
As we considered new features, we’d ask ourselves:
Would Nov want to add it to his implementation?
Is it simple enough that he could build it in a few hours?
 
Broad Participation
 
OpenID Connect
 
 
 
Learning from the Past
 
Architects had extensive SAML and OpenID 2.0 experience
Borrowed ideas that already worked well
Metadata
Authentication Contexts
Added useful things that were previously hard or missing
Support for native applications
Encrypted claims
Signed requests
 
Extensible by Design
 
Successful systems have to adapt and grow
Always specified that “additional values may be used”
And specified that not-understood values don’t cause errors
Enables adding things without breaking existing deployments
 
Indeed, many successful Connect (and OAuth) extensions have
been created and deployed
Including logout and identity assurance
 
Built using Modular Components
 
Created components and features we needed in parallel
JSON Web Signature (JWS)
JSON Web Encryption (JWE)
JSON Web Key (JWK)
JSON Web Token (JWT)
WebFinger
ID Token
 
What We Achieved
 
Most used identity protocol
Thousands of interoperable implementations
In every conceivable language
Certification Program making interop a reality
ISO accepted our submission for republication
 
Innumerable OpenID Connect Deployments
 
Android, AOL, Apple, AT&T, Auth0, Deutsche Telekom, ForgeRock, Google, GrabTaxi, GSMA Mobile Connect, IBM, KDDI, Microsoft, NEC, NRI, NTT, Okta, Oracle, Orange, Ping Identity, Red Hat, Salesforce, Softbank, Symantec, Telefónica, Verizon, Yahoo, Yahoo! Japan, all use OpenID Connect
And many MANY more!
 
Lessons Learned
 
Developers choose things that are simple
Developer choice critical to adoption
Interoperability and security require rigorous testing
OpenID Certification program was essential to Connect’s success
Extensibility is critical to long-term success
Deployments have to be easy to use (or they won’t be used)
Most RPs limited IdP choice as a simplification
Even though Connect was designed to give users complete choice
Not everything works out the way you planned
Developer and deployer feedback is gold!
 
Oh, It’s Damn Complex?!

Nat Sakimura
NAT Consulting ETC
_nat
https://youtube.com/@NatSakimura
https://www.linkedin.com/in/natsakimura
https://www.sakimura.org
_nat_en
https://nat.sakimura.org
OpenID Connect: Online Selective Claims Disclosure Protocol

Claims on-the-fly
Which also forms basis for ABAC.
(Diagram labels: Me / User, AuthN, Grant (Consent), Claims, Claims on-the-fly, ID Token, Claims, AT/RT etc., Static Claims, RP, OP/SIOP, Claim Sources)
Used in wide array of use cases

acct:
openid://
(Source) Based on https://www.namirial.com/en/news/state-of-play-on-adoption-of-digital-identity-in-italy-2023-all-roads-lead-to-the-wallets/
 
Learning from the history

(Timeline figure; years shown: 1999, 2001, 2002, 2005, 2007, 2008, 2009, 2010, 2012, 2014. Entries as labelled on the slide:)
XNS.org - Drummond Reed
OpenID.net - David Lehn
SAML 1.0
SAML 2.0 (XML, XML DSIG, SOAP)
OpenID 1.0 - Brad Fitzpatrick
OpenID AX - Dick Hardt
OpenID Authentication 2.0 (key=value) - David Recordon et al.
OAuth 1.0 (key=value) - E. Hammer-Lahav
OpenID TX/CX Proposal - Nishitani/Sakimura
OpenID AB WG (key=value?)
OAuth 2.0 (key=value) - Dick Hardt
OpenID Connect 1.0
Early design decisions:

1. No Canonicalization
2. ASCII Armoring
3. REST
4. JSON
5. JWx
6. Base on OAuth WRAP (Dick Hardt)
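The "Extensible by Design" and "Built using Modular Components" slides earlier in the deck and the "No Canonicalization / ASCII Armoring / JSON / JWx" decisions above describe one mechanism from two angles, so one example serves both. The Python below is added by the editor for this page; it is not code from the talks or from any OpenID Foundation project. The issuer, client_id, shared key, nonce and claim names are constructed, and HS256 with a shared secret is used only to keep the example standard-library-only (deployments normally use asymmetric keys published as JWKs). It mints a minimal ID Token as a compact JWS, validates it the way an RP does while passing unrecognised claims through, and shows that the signature binds the armored segments on the wire: re-serializing the same JSON with different whitespace breaks it, which is exactly why no canonicalization step is needed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for this example; nothing here comes from a real deployment.
SHARED_KEY = b"example-shared-secret-do-not-use"  # HS256 keeps the example stdlib-only
ISSUER = "https://op.example"                      # assumed OP issuer identifier
CLIENT_ID = "rp-client-123"                        # assumed RP client_id
FIXED_NOW = 1_700_000_000                          # fixed clock so results are reproducible


def b64url(data: bytes) -> str:
    """base64url without padding: the ASCII armor every JWS segment wears."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(payload: dict, key: bytes = SHARED_KEY) -> str:
    """Compact JWS: b64url(header).b64url(payload).b64url(mac).  The MAC covers
    the two armored segments as text, not 'the JSON' in any abstract form."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_jws(token: str, key: bytes = SHARED_KEY) -> dict:
    """Check the MAC over the segments exactly as received, then decode the payload.
    There is no canonicalization step because none is needed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token pick it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def validate_id_token(token: str, nonce: str, now: int) -> dict:
    """RP-side checks, abbreviated from OIDC Core 3.1.3.7: signature, iss, aud,
    exp, nonce.  Claims this RP does not recognise are kept rather than rejected,
    which is what lets an OP add claims without breaking deployed RPs."""
    claims = verify_jws(token)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not intended for this client")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("exp missing or in the past")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def validation_error(token: str, nonce: str, now: int) -> Optional[str]:
    """Return the rejection reason, or None when the token validates."""
    try:
        validate_id_token(token, nonce, now)
        return None
    except ValueError as err:
        return str(err)


def signature_survives_reserialization(token: str, key: bytes = SHARED_KEY) -> bool:
    """Replace the payload segment with a re-serialization of the same JSON (same
    data, different whitespace) and report whether the original MAC still verifies.
    It does not: the signature binds the bytes on the wire, so verify those."""
    h, p, s = token.split(".")
    pretty = json.dumps(json.loads(b64url_decode(p)), indent=2)
    try:
        verify_jws(h + "." + b64url(pretty.encode()) + "." + s, key)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Mint an ID Token carrying a claim this RP has never heard of, validate it,
    then show what happens to the signature when the JSON is re-serialized."""
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "exp": FIXED_NOW + 600,
              "iat": FIXED_NOW, "nonce": "n-0S6_WzA2Mj",
              "new_extension_claim": {"version": 1}}  # constructed; unknown to this RP
    token = sign_jws(claims)
    validated = validate_id_token(token, "n-0S6_WzA2Mj", FIXED_NOW)
    return {"sub": validated["sub"],
            "unknown_claim_kept": "new_extension_claim" in validated,
            "reserialized_verifies": signature_survives_reserialization(token),
            "expired_rejected_as": validation_error(token, "n-0S6_WzA2Mj", FIXED_NOW + 601)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the demo dictionary: the unknown claim survives validation, the re-serialized payload fails the MAC, and the same token is rejected once the clock passes exp. The pinned `alg` check in `verify_jws` is the one line a practitioner should never drop when adapting this to a real JOSE library.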
 
Features not widely used or seen

1. Aggregated and Distributed Claims
2. Granular Claims Request
3. Essential/Optional Claims
4. AcctURI
5. policy_url
6. Request Object (Started to see this only after FAPI)
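The claims request parameter behind items 2 and 3 above (Granular Claims Request, Essential/Optional Claims) is easy to get wrong on both ends, and the two ends have different rules. The Python below is an example added for this page, not code from the talk or from any OIDF project; the claim names, attribute store, consent set and acr URNs are constructed. It parses a claims request, applies the OP-side rule from OIDC Core 5.5.1 that an unavailable or unconsented claim is omitted without an error whether or not it was marked essential (with the acr special case, where an essential value that cannot be met is a failed authentication), and then shows the RP-side check that turns "essential" into something the application can act on.

```python
import json
from typing import Dict, List, Optional, Set


class FailedAuthentication(Exception):
    """An essential acr request could not be satisfied (OIDC Core 5.5.1.1)."""


def parse_claims_parameter(raw: str) -> Dict[str, Dict[str, dict]]:
    """Parse the JSON `claims` parameter into {"id_token": {...}, "userinfo": {...}}.
    A claim mapped to null is a voluntary request with no options.  Top-level
    members other than id_token and userinfo are ignored, as the spec requires."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("claims parameter must be a JSON object")
    parsed: Dict[str, Dict[str, dict]] = {}
    for target in ("id_token", "userinfo"):
        spec = doc.get(target)
        if spec is None:
            parsed[target] = {}
        elif not isinstance(spec, dict):
            raise ValueError(f"'{target}' member must be a JSON object")
        else:
            parsed[target] = {name: (opts if isinstance(opts, dict) else {})
                              for name, opts in spec.items()}
    return parsed


def op_select_claims(request: Dict[str, Dict[str, dict]], available: dict,
                     consented: Set[str], authenticated_acr: Optional[str]) -> Dict[str, dict]:
    """OP side: for each target, return the requested claims that exist and that the
    user consented to.  Anything else is omitted without an error, essential or not.
    acr is the exception: with value/values only a matching value is returned, and an
    essential mismatch is treated as a failed authentication."""
    selected: Dict[str, dict] = {}
    for target, wanted in request.items():
        chosen = {}
        for name, opts in wanted.items():
            if name == "acr":
                if "values" in opts:
                    acceptable = list(opts["values"])
                elif "value" in opts:
                    acceptable = [opts["value"]]
                else:
                    acceptable = None  # any acr the session has will do
                if authenticated_acr is None or (acceptable is not None
                                                 and authenticated_acr not in acceptable):
                    if opts.get("essential"):
                        raise FailedAuthentication(
                            f"required acr {acceptable}, authenticated with {authenticated_acr}")
                    continue
                chosen["acr"] = authenticated_acr
            elif name in available and name in consented:
                chosen[name] = available[name]  # value/values on other claims are hints only
        selected[target] = chosen
    return selected


def rp_missing_essential(request: Dict[str, Dict[str, dict]], target: str,
                         returned: dict) -> List[str]:
    """RP side: which claims the RP marked essential for this target did not come back.
    The protocol does not fail for the RP; the application decides what to do."""
    return sorted(name for name, opts in request[target].items()
                  if opts.get("essential") and name not in returned)


def claims_request(acr_essential: bool) -> str:
    """Constructed request in the shape of the claims parameter from OIDC Core 5.5."""
    acr: dict = {"values": ["urn:example:acr:strong"]}
    if acr_essential:
        acr["essential"] = True
    return json.dumps({
        "userinfo": {"given_name": {"essential": True}, "nickname": None,
                     "email": {"essential": True}, "picture": None},
        "id_token": {"auth_time": {"essential": True}, "acr": acr},
        "some_future_member": {"ignored": True},  # unknown top-level member, must be ignored
    })


# Constructed attribute store and consent decision (nickname is not on file, picture declined).
AVAILABLE = {"given_name": "Ada", "email": "ada@example.org",
             "picture": "https://op.example/ada.png", "auth_time": 1_700_000_000}
CONSENTED = {"given_name", "email", "auth_time", "nickname"}


def demo() -> dict:
    req = parse_claims_parameter(claims_request(acr_essential=False))
    # Voluntary acr that the session does not meet: omitted, everything else proceeds.
    weak = op_select_claims(req, AVAILABLE, CONSENTED, "urn:example:acr:weak")
    # Same request with acr essential: the OP must treat it as failed authentication.
    try:
        op_select_claims(parse_claims_parameter(claims_request(acr_essential=True)),
                         AVAILABLE, CONSENTED, "urn:example:acr:weak")
        essential_acr_failed = False
    except FailedAuthentication:
        essential_acr_failed = True
    # User withholds email: the OP silently omits it and the RP detects the gap itself.
    partial = op_select_claims(req, AVAILABLE, CONSENTED - {"email"}, "urn:example:acr:strong")
    return {"weak": weak, "essential_acr_failed": essential_acr_failed, "partial": partial,
            "missing_essential": rp_missing_essential(req, "userinfo", partial["userinfo"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The split between `op_select_claims` and `rp_missing_essential` is the design point: the OP never signals "essential claim missing" in-band, so an RP that relies on the essential flag without a post-response check gets no protection from it.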
 
Oh, It’s Damn Complex

What lessons we learned that could apply to other initiatives

Be persistent - till you succeed
Learn from history
Fix what was not done well
Find the developer pain and solve it
Make it simple to read, simple to implement for the minimum viable case
 
OpenID:  There is no spoon
 
John Bradley
Principal Architect, Yubico
a.k.a. Mercenary
 
OpenID is more than a single specification or idea
 
Insert insightful comment….
Explore the key takeaways from the success of OpenID Connect, such as its ease of use for developers and users, applicability to complex scenarios, cooperation with standards like OAuth and JWT, exceptional interoperability, security measures, and community-driven development process. Insights on standardization, security analysis, and community engagement are highlighted.

Uploaded on Jul 02, 2024

