OpenID Connect


What is OpenID Connect?

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.

See https://openid.net/connect/faq/ for a set of answers to Frequently Asked Questions about OpenID Connect.

How is OpenID Connect different than OpenID 2.0?

OpenID Connect performs many of the same tasks as OpenID 2.0, but does so in a way that is API-friendly, and usable by native and mobile applications. OpenID Connect defines optional mechanisms for robust signing and encryption. Whereas integration of OAuth 1.0a and OpenID 2.0 required an extension, in OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself.
Specification Organization

The OpenID Connect 1.0 specification consists of these documents:

Core – Defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of Claims to communicate information about the End-User
Discovery – (Optional) Defines how Clients dynamically discover information about OpenID Providers
Dynamic Registration – (Optional) Defines how clients dynamically register with OpenID Providers
OAuth 2.0 Multiple Response Types – Defines several specific new OAuth 2.0 response types
OAuth 2.0 Form Post Response Mode – (Optional) Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User Agent using HTTP POST
RP-Initiated Logout – (Optional) Defines how a Relying Party requests that an OpenID Provider log out the End-User
Session Management – (Optional) Defines how to manage OpenID Connect sessions, including postMessage-based logout and RP-initiated logout functionality
Front-Channel Logout – (Optional) Defines a front-channel logout mechanism that does not use an OP iframe on RP pages
Back-Channel Logout – (Optional) Defines a logout mechanism that uses direct back-channel communication between the OP and RPs being logged out
OpenID Connect Federation – (Optional) Defines how sets of OPs and RPs can establish trust by utilizing a Federation Operator

Two implementer’s guides are also available to serve as self-contained references for implementers of basic Web-based Relying Parties:

Basic Client Implementer’s Guide – Simple subset of the Core functionality for a web-based Relying Party using the OAuth code flow
Implicit Client Implementer’s Guide – Simple subset of the Core functionality for a web-based Relying Party using the OAuth implicit flow

A protocol migration specification has been finalized:

OpenID 2.0 to OpenID Connect Migration 1.0 – Defines how to migrate from OpenID 2.0 to OpenID Connect

Finally, see the working group status page for the new work the OpenID Connect working group is engaged in.

The OpenID Connect specifications and implementer’s guides they are built upon are shown in the diagram below. Click on the boxes in the diagram to view the specification.
Participation in the Working Group

The easiest way to monitor progress on the OpenID Connect 1.0 Specification is to join the mailing list at https://lists.openid.net/mailman/listinfo/openid-specs-ab.

Please note that while anyone can join the mailing list as a read-only recipient, posting to the mailing list or contributing to the specifications requires the submission of an IPR Agreement. More information is available at https://openid.net/intellectual-property. Make sure to specify the working group as “OpenID AB/Connect”, because this group is a merged working group and both names must be specified.

For more details on participating, see the OpenID Connect Working Group Page.

Implementations

The Libraries page lists libraries that implement OpenID Connect and related specifications.

Interop Testing

Interop testing for OpenID Connect Federation implementations is underway. If you are interested in participating in the interop activities, join the OpenID Federation Interop mailing list.

Status

Final OpenID Connect specifications were launched on February 26, 2014.
The certification program for OpenID Connect was launched on April 22, 2015.
Final OAuth 2.0 Form Post Response Mode Specification was approved on April 27, 2015.
OpenID Certification for RPs was made available to all in August 2017.
Second Implementer’s Draft of OpenID Connect Federation Specification Approved on January 8, 2020.


