[Openid-specs-ab] May 25, 2012 OpenID Connect Update Release

Mike Jones Michael.Jones at microsoft.com
Sat May 26 06:13:40 UTC 2012

The AB/Connect working group has released an update to the OpenID Connect specifications that incorporates the decisions made at the in-person working group meeting <http://apr30-oidf-wg.eventbrite.com/> at Yahoo! on April 30th, other than the self-issued changes, which we will be doing as a separate release. As discussed at the working group meeting, these changes are mostly simplifications, many thanks to the issues that Torsten Lodderstedt filed. Implementers are encouraged to build and provide feedback on the new and modified features.

The primary normative changes are as follows:

  *   Use "code" response_type instead of "token id_token" in Basic Client Profile, per issue #567
  *   Created a new Implicit Client Profile, also per issue #567
  *   Added scope value claims_in_id_token as a switch to indicate that the UserInfo claims should be returned in the ID Token, per issue #561
  *   Removed Check ID Endpoint, per issue #570
  *   Changed verified to email_verified, per issue #564
  *   Removed requirement for ID Token signature validation from Basic Profile, per issue #568
  *   Removed use of nonce from Basic Profile, per issue #569
  *   Removed optional claim request parameter and replaced it with essential claim request parameter, per issue #577. We changed terminology from "optional" to "voluntary" and "required" to "essential" to better match privacy policy requirements.
  *   Added "id_token" response type as being MTI for OpenID Providers
  *   Specified that parameters present in both the OpenID Request Object and the OAuth 2.0 Authorization Request MUST exactly match, per issue #575
  *   Changed OpenID Request Object from being specified as a JWT to being specified as a JWS signed base64url encoded JSON object, per issue #592
  *   Changed default ID Token signing algorithm to RS256, per issue #571
  *   Changed default OpenID Request Object signing algorithm to RS256, per issue #571
  *   Made use of the nonce REQUIRED when using the implicit flow and OPTIONAL when using the code flow, per issue #569
  *   Added method of calculating signing and encryption keys for symmetric algorithms, per issue #578
  *   Made rotate_secret a separate registration request type and stopped the client secret from changing with every response, per issue #363
  *   Added text for authz to the registration endpoint, per issue #587

The Connect specs have also been updated to track updates to the OAuth and JOSE specs, including now using the standards-track version of JWT.

The new versions are available from http://openid.net/connect/ or at:

  *   http://openid.net/specs/openid-connect-basic-1_0-18.html
  *   http://openid.net/specs/openid-connect-implicit-1_0.html
  *   http://openid.net/specs/openid-connect-discovery-1_0-09.html
  *   http://openid.net/specs/openid-connect-registration-1_0-11.html
  *   http://openid.net/specs/openid-connect-messages-1_0-10.html
  *   http://openid.net/specs/openid-connect-standard-1_0-10.html
  *   http://openid.net/specs/openid-connect-session-1_0-07.html
  *   http://openid.net/specs/oauth-v2-multiple-response-types-1_0-05.html

For the working group,
-- Mike
