[Openid-specs-ab] Migration from OpenID 2.0 to OpenID Connect
Ryo Ito
ritou.06 at gmail.com
Wed Dec 12 14:00:13 UTC 2012
Hi,
I talked with some Identity Geeks about migration from OpenID 2.0 to
OpenID Connect.
This is a draft of the Migration Guide.
https://github.com/ritou/r-weblife/wiki/Openid2-to-openidconnect
This document assumes the situation in which the OP is an existing site
which supports OpenID 2.0 and is now also supporting OpenID Connect.
OpenID 2.0 will be provided side by side for the time being.
The OP may not return a common identifier for each protocol.
We suggest that the OP return an ID Token including the existing OpenID
2.0 identifier in the OpenID Connect flow.
===
Dynamic Client Registration
The OP receives the following parameters.
require_openid2_claimed_id
OPTIONAL. (require openid2_claimed_id claim): Type: Logical - If the
value is true, then the openid2_claimed_id claim in the id_token is
REQUIRED. The returned Claim Value is the Claimed Identifier of OpenID
2.0. The openid2_claimed_id claim request in the request object
overrides this setting.
openid2_realm
OPTIONAL. This is the "openid.realm" parameter which was used in the OpenID 2.0
Request for realm-based PPID generation.
===
===
OpenID Request Object
If the OP supports requests with an OpenID Request Object, the RP is able to
set claims in the "id_token" member.
"id_token":
{
  "claims":
  {
    "auth_time": {"essential": true},
    ...
    "openid2_claimed_id": {"essential": true},
    "openid2_realm": "http://oid2rp.example.com/",
    "acr": { "values":["2"] }
  },
  "max_age": 86400
}
===
===
ID Token Payload
The OP includes "openid2_claimed_id" in the Payload.
{
  "iss": "https://op.example.com",
  "user_id": "24400320",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "openid2_claimed_id": "https://op.example.com/u/24400320",
  ...
}
===
Should these be included in specifications?
regards,
Ryo.
--
====================
Ryo Ito
Email : ritou.06 at gmail.com
====================
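As an added example (not part of the original mail or the draft guide), here is how an RP could build the "id_token" claims request described above and then map the openid2_claimed_id returned in the ID Token payload to its existing OpenID 2.0 account. The account store, the function names, and the nonce and expiry checks are assumptions; JWS signature verification is taken as already done before the payload reaches this code.

```python
# Constructed sample: the ID Token payload from the draft, as an RP would see it
# after JWS signature verification (signature checking is outside this example).
SAMPLE_PAYLOAD = {
    "iss": "https://op.example.com",
    "user_id": "24400320",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
    "openid2_claimed_id": "https://op.example.com/u/24400320",
}
# Constructed RP account store, keyed by the OpenID 2.0 Claimed Identifier.
ACCOUNTS = {"https://op.example.com/u/24400320": {"login": "alice", "oidc_user_id": None}}


def id_token_claims_request(require_claimed_id=True, realm=None, max_age=86400):
    """Build the 'id_token' member of the OpenID Request Object shown in the draft."""
    claims = {"auth_time": {"essential": True}}
    if require_claimed_id:
        claims["openid2_claimed_id"] = {"essential": True}
    if realm is not None:
        claims["openid2_realm"] = realm
    return {"id_token": {"claims": claims, "max_age": max_age}}


def link_openid2_account(payload, issuer, client_id, expected_nonce, accounts, now):
    """Check the ID Token payload and map openid2_claimed_id to an existing RP account.
    Returns (status, account); only 'linked' means the login may proceed.
    """
    if payload.get("iss") != issuer:
        return "bad_issuer", None
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return "bad_audience", None
    if payload.get("nonce") != expected_nonce:
        return "bad_nonce", None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return "expired", None
    claimed_id = payload.get("openid2_claimed_id")
    if claimed_id is None:
        # Essential claim absent: refuse rather than silently creating a new account.
        return "claim_missing", None
    account = accounts.get(claimed_id)
    if account is None:
        return "unknown_claimed_id", None
    # Record the OIDC identifier so later logins no longer depend on the OpenID 2.0 claim.
    account["oidc_user_id"] = payload.get("user_id")
    return "linked", account
```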