Difference between revisions of "OpenID Connect"

Revision as of 13:21, 30 July 2018

Full Title or Meme

An extension of OAuth 2.0 to give a Relying Party access to User Information. (Other uses of this protocol are possible, but not of interest for Identity Management.

Context

The OAuth 2.0 protocol gave access to User Resources, but without authentication, it was fraught with may vulnerabilities.
The OpenID Connect protocol is always among three parties: the User (called subject), the Relying Party (called client for OAuth compatibility) and the Identifier or Attribute Provider (called OpenID Provider).
There are always three Identifiers: the subject id (sid), the client id (client_id)

Problems

The Subject ID may be ephemeral.
The Subject ID may be shared among all of the clients that use the same OP.

Solutions

These are additional limitations that need to be provided to the OpenID Connect implementation to meet existing legislation for the 3 party problem.

The Subject ID must be persistent and not used for different users for at least one year after it use is no longer used for its original Subject.
The Subject ID must not be shared with different clients by implementing pair-wise identifiers.

References

@@ Line 13: / Line 13: @@
 ==Solutions==
 These are additional limitations that need to be provided to the [[OpenID Connect]] implementation to meet existing legislation for the 3 party problem.
-#The [[Subject]] ID must be persistent.
+#The [[Subject]] ID must be persistent and not used for different users for at least one year after it use is no longer used for its original [[Subject]].
 #The [[Subject]] ID must not be shared with different clients by implementing pair-wise identifiers.

Difference between revisions of "OpenID Connect"

Revision as of 13:21, 30 July 2018

Contents

Full Title or Meme

Context

Problems

Solutions

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools

Sidebar Links