Update on OpenID and OAuth


OpenID and OAuth are undergoing a lot of work at the moment, and it can be confusing for those who aren't in the thick of it to keep up with where things stand. Based on what I heard last week at IIW, where a lot of this work happens, I thought I'd put together an update in the hope that it helps.

After OpenID 2.0 had been around for a while, Google and (if I'm not mistaken) Facebook proposed a new version of the standard called OpenID Connect. This version of the protocol uses OAuth on the front channel (through the user's browser) to obtain authorization, and then securely accesses an API on the back channel (server to server) to fetch the user's attributes. Around the same time, a need in Japan to provide higher levels of assurance (LOA) and secure interaction with Web APIs from mobile applications resulted in another derivative of the protocol called OpenID Artifact Binding (AB). Last fall at IIW, the authors of each of these vNext protocols started working to align their efforts. The combined spec was commonly referred to by the authors and other insiders as OpenID ABC (as in Artifact Binding + Connect). This harmonization was tricky, though, because OAuth 2, which both depend on, wasn't done, and the timeframe of the initial customer that needed OpenID AB and was funding its development might not allow the work to wait until OAuth was ready.
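To make the front-channel/back-channel split concrete, here is an added simulation (it is not code from the post, from the OpenID Foundation, or from any draft of the spec). It models the shape of an authorization-code flow: the browser carries only a one-time code and an anti-CSRF `state` value back to the relying party, and the attributes themselves travel on a server-to-server call authenticated with a client secret. `MockProvider`, `RelyingParty`, the endpoint names, and all user data are constructed for illustration, and the in-process method calls stand in for the HTTPS requests a real deployment would make.

```python
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs


class MockProvider:
    """Hypothetical identity provider (constructed for this example).

    authorize() is the front channel: its result is a redirect URL the browser
    follows. token() and userinfo() are the back channel: the relying party's
    server calls them directly, never via the user's browser.
    """

    def __init__(self):
        self.client_secret = "constructed-client-secret"
        self.codes = {}    # one-time code -> (client_id, redirect_uri, subject)
        self.tokens = {}   # access token -> subject
        self.users = {"alice": {"sub": "alice", "name": "Alice", "email": "alice@example.test"}}

    def authorize(self, client_id, redirect_uri, state, subject):
        # After the user authenticates, send the browser back to the RP with only a
        # short-lived code and the RP's own state value; no attributes are exposed here.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, subject)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        # Back channel: the RP proves its identity with the client secret, and the
        # code is consumed on first use so a replayed callback cannot mint a token.
        if not hmac.compare_digest(client_secret, self.client_secret):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid, mismatched, or replayed code")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = entry[2]
        return {"access_token": access_token, "token_type": "bearer"}

    def userinfo(self, access_token):
        # The attribute API: only reachable with a valid access token.
        subject = self.tokens.get(access_token)
        if subject is None:
            raise PermissionError("invalid access token")
        return dict(self.users[subject])


class RelyingParty:
    """Hypothetical relying party (the site the user is logging in to)."""

    def __init__(self, provider, client_id="rp-1", redirect_uri="https://rp.example.test/cb"):
        self.provider = provider
        self.client_id = client_id
        self.client_secret = "constructed-client-secret"
        self.redirect_uri = redirect_uri
        self.pending_states = set()

    def start_login(self):
        # The state value binds the callback to this browser session (CSRF defence).
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state

    def handle_callback(self, redirect_url):
        query = parse_qs(urlparse(redirect_url).query)
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        if state is None or state not in self.pending_states:
            raise PermissionError("unknown state: callback not tied to a login we started")
        self.pending_states.discard(state)
        # Back channel: exchange the code, then fetch attributes with the token.
        tok = self.provider.token(self.client_id, self.client_secret, code, self.redirect_uri)
        return self.provider.userinfo(tok["access_token"])


def login_flow(subject="alice"):
    """Run one complete login and return (redirect URL seen by the browser, attributes)."""
    idp = MockProvider()
    rp = RelyingParty(idp)
    state = rp.start_login()
    redirect = idp.authorize(rp.client_id, rp.redirect_uri, state, subject)
    return redirect, rp.handle_callback(redirect)


def code_replay_is_rejected():
    """Presenting the same callback twice must fail: state and code are both single use."""
    idp = MockProvider()
    rp = RelyingParty(idp)
    state = rp.start_login()
    redirect = idp.authorize(rp.client_id, rp.redirect_uri, state, "alice")
    rp.handle_callback(redirect)
    try:
        rp.handle_callback(redirect)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    redirect, attrs = login_flow()
    print("browser saw:", redirect)
    print("RP fetched over the back channel:", attrs)
    print("replay rejected:", code_replay_is_rejected())
```

The point of the split is visible in the output: the redirect URL that passes through the browser contains no name or email, while the relying party still ends up with the attributes because it fetched them directly from the provider's API with a token it obtained using its own credentials.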

As of last week, it looks like the stars are aligning and these two updates of OpenID will be merged. The result will be called OpenID Connect rather than OpenID 3.0, OpenID AB, or OpenID ABC. It also looks like OAuth will finish in time for OpenID Connect to normatively reference it; the IETF (which governs that emerging standard) doesn't allow a normative reference to a spec until it has been officially ratified. If OpenID Connect finishes before OAuth 2, it will have to reference the latest draft instead (which hopefully won't happen). A draft of OpenID Connect is on tap for around July.