[Openid-specs-ab] Why was OpenID 2.0 obsoleted in favor of a whole new protocol?

John Bradley ve7jtb at ve7jtb.com
Mon May 25 17:29:44 UTC 2015


There is no particular security problem with OpenID 2.

It wasn’t designed to support mobile applications, but is still fine for server-based authentication.

Mostly the issue is people wanting to do OAuth for other reasons.

We did have an OpenID 2/OAuth hybrid flow, but it was not efficient or pretty.

Connect also has some additional security features that are useful to secure plain OAuth.

In terms of security, Connect can support LoA 3 by default, and OpenID 2 was LoA 2 (modulo some politics) capable.

The main difference between 2 and 3 is not really a security one, but has to do with supporting an asymmetric signature for non-repudiation of transactions (a policy reason).

Nat and I started out trying to modify OpenID 2 to add artifact binding and asymmetric signatures, and basically the group opinion was that it was best to start clean with OAuth 2 as a base.

John B.

> On May 19, 2015, at 12:54 PM, Kim, William G <wkim at mitre.org> wrote:
> 
> Apologies if this is not the right forum for this question. Is there a short answer for this? If not, is there any literature online or some threads on the mailing list that you can point me to regarding why OpenID 2.0 was obsoleted/deprecated in favor of a whole new protocol?
> 
> AFAIK, I would surmise that it was due to practical reasons that people were doing OAuth 2.0 for authentication instead anyways, so OIDC was born to standardize that process. But I've also heard that OpenID 2.0 was ditched due to irreconcilable security issues in the protocol itself. If the latter is true, I can't seem to find any reasonable explanations online for what they are and why, except for all the hubbub about covert redirects which I know is not a problem specific to OAuth or OpenID.
> 
> Thanks,
> William
> 
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
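The symmetric-versus-asymmetric signature point John makes above is easy to see in code. The following is an added example written for this archive page; it is not code from the thread, the OpenID Foundation, or either specification. It uses only the Go standard library: OpenID2Sig models the OpenID 2.0 positive-assertion signature (HMAC-SHA256 over the key-value form of the fields in openid.signed, keyed with the association MAC key that both OP and RP hold), while SignIDToken/VerifyIDToken produce and check a hand-rolled RS256 compact JWS in the shape of a Connect ID Token. The field names, claims, MAC key and RSA key are all constructed for the demonstration, and the JWS code is a minimal illustration rather than a replacement for a vetted JOSE library.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// OpenID2Sig: OpenID 2.0 style signature, base64(HMAC-SHA256) over the "key:value\n" form of the
// fields in openid.signed order. The association MAC key is shared by OP and RP, so either can sign.
func OpenID2Sig(macKey []byte, signed []string, fields map[string]string) string {
	var kv strings.Builder
	for _, k := range signed {
		kv.WriteString(k + ":" + fields[k] + "\n")
	}
	m := hmac.New(sha256.New, macKey)
	m.Write([]byte(kv.String()))
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignIDToken: compact JWS (alg RS256) over the claims, the shape of an OpenID Connect
// ID Token. Only the holder of the OP's private key can produce it.
func SignIDToken(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64url(hdr) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// VerifyIDToken checks the RS256 signature with the public key alone and returns the claims.
// The alg is pinned: "none" or an HMAC alg in the header is refused before any signature check.
func VerifyIDToken(pub *rsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, fmt.Errorf("bad header")
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a bad decode just fails verification below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var claims map[string]interface{}
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	return claims, nil
}

// Demo runs both schemes on constructed data: can the RP mint an OpenID 2 signature the OP-side
// check accepts; does the ID Token verify with the public key alone; is a swapped payload rejected.
func Demo() (rpForged, verified, tamperRejected bool, err error) {
	macKey := []byte("constructed-association-mac-key") // held by OP and RP alike
	signed := []string{"op_endpoint", "claimed_id"}
	forged := map[string]string{"op_endpoint": "https://op.example/openid", "claimed_id": "https://bob.example/"}
	rpSig := OpenID2Sig(macKey, signed, forged) // computed by the RP, which never asked the OP about bob
	rpForged = hmac.Equal([]byte(rpSig), []byte(OpenID2Sig(macKey, signed, forged))) // and the OP-side check passes
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // OP key; the RP only ever sees priv.PublicKey
	if err != nil {
		return
	}
	token, err := SignIDToken(priv, map[string]interface{}{"iss": "https://op.example", "sub": "alice", "aud": "demo-client"})
	if err != nil {
		return
	}
	got, err := VerifyIDToken(&priv.PublicKey, token)
	if err != nil {
		return
	}
	verified = got["sub"] == "alice"
	parts := strings.Split(token, ".")
	swapped := parts[0] + "." + b64url([]byte(`{"iss":"https://op.example","sub":"mallory","aud":"demo-client"}`)) + "." + parts[2]
	_, tErr := VerifyIDToken(&priv.PublicKey, swapped)
	tamperRejected = tErr != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The takeaway is the one John states: the HMAC scheme is perfectly sound for authenticating the OP to an RP that trusts it, but because the RP holds the same key, a signature proves nothing to a third party (the RP could have made it). With RS256 the RP, an auditor, or anyone with the OP's public key can check the token while only the OP could have produced it, which is what non-repudiation of a transaction requires.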
