[Openid-specs-ab] Migration from OpenID 2.0 to OpenID Connect

Ryo Ito ritou.06 at gmail.com
Wed Dec 12 14:00:13 UTC 2012


I talked with some Identity Geeks about migration from OpenID 2.0 to
OpenID Connect.

This is a draft of a Migration Guide.

This document assumes a situation in which the OP is an existing site
that supports OpenID 2.0 and now also supports OpenID Connect.
OpenID 2.0 will be provided side by side for the time being.

The OP may not return a common identifier for each protocol.
We suggest that the OP return an ID Token including the existing OpenID
2.0 identifier in the OpenID Connect flow.

Dynamic Client Registration

The OP receives the following parameters.

 OPTIONAL. (require openid2_claimed_id claim): Type: Logical - If the
value is true, then the openid2_claimed_id claim in the id_token is
REQUIRED. The returned Claim Value is the Claimed Identifier of OpenID
2.0. The openid2_claimed_id claim request in the request object
overrides this setting.
 OPTIONAL. This is the "openid.realm" parameter which is used in the
OpenID 2.0 Request for realm-based PPID generation.

OpenID Request Object

If the OP supports requests with an OpenID Request Object, the RP is
able to set claims in the "id_token" member.

      "auth_time": {"essential": true},
      "openid2_claimed_id": {"essential": true},
      "openid2_realm": "http://oid2rp.example.com/",
      "acr": { "values":["2"] }
   "max_age": 86400

ID Token Payload

The OP includes "openid2_claimed_id" in the Payload.
 "iss": "https://op.example.com",
 "user_id": "24400320",
 "aud": "s6BhdRkqt3",
 "nonce": "n-0S6_WzA2Mj",
 "exp": 1311281970,
 "iat": 1311280970,
 "openid2_claimed_id": "https://op.example.com/u/24400320",

Should these be included in specifications?


Ryo Ito
Email : ritou.06 at gmail.com
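
An added example, not part of the original message: one way an RP could use the proposed "openid2_claimed_id" claim to link an existing OpenID 2.0 account to the OpenID Connect identity. The account store, function names and the same-origin check are assumptions of this sketch, and the ID Token signature is assumed to have been verified already.

```python
from urllib.parse import urlsplit

TRUSTED_OP = "https://op.example.com"   # the OP this RP already used for OpenID 2.0
CLIENT_ID = "s6BhdRkqt3"

def sample_accounts():
    """Constructed RP account store, keyed by OpenID 2.0 Claimed Identifier."""
    return {"https://op.example.com/u/24400320": {"account": "alice", "oidc": None}}

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

def migrate_account(payload, expected_nonce, now, accounts):
    """Link an OpenID 2.0 account to (iss, user_id) from a verified ID Token payload.

    Returns the local account name, or None if no OpenID 2.0 account matches.
    """
    if payload.get("iss") != TRUSTED_OP:
        raise ValueError("unexpected issuer")
    if payload.get("aud") != CLIENT_ID:
        raise ValueError("ID Token was issued to another client")
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if payload.get("exp", 0) <= now:
        raise ValueError("ID Token expired")

    claimed_id = payload.get("openid2_claimed_id")
    if not claimed_id:
        # The RP requested the claim as essential, so absence is an error.
        raise ValueError("openid2_claimed_id missing")
    # Assumption of this sketch: the OP issued its OpenID 2.0 identifiers under
    # its own origin, so an issuer may only assert identifiers it hosts.
    if origin(claimed_id) != origin(payload["iss"]):
        raise ValueError("issuer is not the origin of the claimed identifier")

    account = accounts.get(claimed_id)
    if account is None:
        return None
    oidc_key = (payload["iss"], payload["user_id"])
    if account["oidc"] not in (None, oidc_key):
        raise ValueError("account already linked to a different Connect identity")
    account["oidc"] = oidc_key
    return account["account"]
```
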
