[Openid-specs-ab] Why was OpenID 2.0 obsoleted in favor of a whole new protocol?

Kim, William G wkim at mitre.org
Tue May 19 15:54:44 UTC 2015

Apologies if this is not the right forum for this question. Is there a short answer for this? If not, is there any literature online or some threads on the mailing list that you can point me to regarding why OpenID 2.0 was obsoleted/deprecated in favor of a whole new protocol?

AFAIK, I would surmise that it was due to practical reasons: people were doing OAuth 2.0 for authentication instead anyway, so OIDC was born to standardize that process. But I've also heard that OpenID 2.0 was ditched due to irreconcilable security issues in the protocol itself. If the latter is true, I can't seem to find any reasonable explanations online for what they are and why, except for all the hubbub about covert redirects, which I know is not a problem specific to OAuth or OpenID.


