OpenID Connect… Call me crazy! - PowerPoint PPT Presentation

OpenID Connect… Call me crazy!

OpenID Connect has reached the quorum of votes needed for approval! Check out the launch press release. This under-appreciated event will have a profound effect on the Internet. I believe that it will not just be another single sign-on (SSO) standard, but will be as essential an infrastructure for the Internet as IP, HTTP and DNS. Call me crazy, but here are the top ten reasons I think we've finally got it right.

Learn more about the differences between OpenID 1 and 2, and OpenID Connect.

1. Easy for developers

Ease of use for developers was one of the primary goals. The feedback from the community is that OAuth2 is OK! The basic ideas are well understood now, and there is plenty of sample code, sessions at programming conferences, and tools for developers to use. OAuth2 is built on JSON / REST, so it's aligned with this shift in development best practices.

2. Easy for domain administrators
If you are the system administrator for your domain, managing an authentication service for internal people and customers can be a challenge, especially if multiple applications rely on this service. System administrators have a mantra: "Stay Calm and automate all the things." In this regard, OpenID Connect automates some of the manual work that authentication services of times past have relied on the admin to manage by hand. For example, discovery and client registration enable the web developers to do some of the legwork. It's better for everyone: the developer gets instant results (no waiting for the XYZ team to provision the agent), and the system admin can review and modify as needed. With coming improvements in inter-domain federation, many more mundane tasks will be the target of even greater automation, making ecosystems of partners more secure and saving money.

3. Supports better privacy controls for people

The client in OpenID Connect has a connection to the person. Connect defines a way for the client to ask the person to authorize the release of information to a third party. While more work needs to be done in this area, Connect is a good start, and paves the way for more complex authorization flows that can be defined in other OAuth2 profiles like UMA.
4. Authentication-technology neutral

Never say "secure web access is an authentication protocol" to an OpenID Connect expert; the knee-jerk response is that OpenID Connect does not define the protocol for authentication (look to FIDO to do this). And it's true: OpenID Connect defines everything around the authentication except the authentication itself. For example, how does the website look up where to send the person for authentication? How does it register with the OpenID Provider, which is required to get information about the person who has been authenticated? And how does it end the person's session so that other apps will know that they need to re-authenticate the person? The great thing about this is that OpenID Connect supports any kind of authentication technology. In oxAuth, Gluu's open source OpenID Connect Provider (OP), we support multi-step, strong authentication. Each domain can make a decision about the best authentication mechanisms to offer. With the plethora of authentication hardware, software, and SaaS services, having this kind of flexibility is awesome!

5. Extendable by complementary profiles

OpenID Connect does a few things well, but it's not the answer to everything. In fact, one of the goals of the effort was to achieve not the largest possible standard, but the smallest. Many efforts are underway to build on the strong foundation of OpenID Connect.
How devices share sessions, how OpenID Providers and relying parties can collaborate using multi-party federation metadata, and how OpenID Connect can be leveraged by an authorization protocol like UMA are all examples of how well OpenID Connect can address challenges still unresolved in the industry.

6. Automates client registration

I've already mentioned how great this is for domain administrators. In fact, automating client registration is a requirement to scale. Many organizations today have a handful of SAML relationships. The difficulty in provisioning new SAML clients has been one of the barriers to adoption of SAML.

7. Provides an easy HTTP interface for discovery

This is one of those subtle details that might be missed. OpenID Connect discovery is darn useful. It enables a client to find out what URIs the domain uses to publish the OpenID Connect APIs: where to register and where to request information about the person (user claims). It also sets a clear standard for other OAuth2 profiles. For example, in UMA, we use /.well-known/uma-configuration. All I can say is nice work; it's great when the simplest design is adopted!
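The discover-then-register sequence that reasons 6 and 7 describe, as an added example that is not code from the original article or from Gluu's oxAuth: a relying party parses a constructed OpenID Provider discovery document, rejects it unless its `issuer` is identical to the URL the document was fetched from (the check OpenID Connect Discovery requires, which keeps one provider's metadata from being accepted under another issuer's name), and then builds a Dynamic Client Registration request from the discovered `registration_endpoint`. The hostnames, endpoint paths and client values are assumed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an OpenID Provider discovery document, as fetched from
# https://op.example.com/.well-known/openid-configuration (assumed host and paths).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "token_endpoint": "https://op.example.com/token",
    "userinfo_endpoint": "https://op.example.com/userinfo",
    "registration_endpoint": "https://op.example.com/register",
    "end_session_endpoint": "https://op.example.com/end_session",
    "jwks_uri": "https://op.example.com/jwks",
})

# Endpoints this relying party needs before it can do anything useful.
NEEDED = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")

def load_provider_metadata(issuer_url, raw_json):
    """Validate a document fetched from issuer_url + '/.well-known/openid-configuration'.
    Discovery requires 'issuer' to be identical to the URL the client fetched from, so a
    document served under another issuer's name is rejected; endpoints must be https."""
    meta = json.loads(raw_json)
    if meta.get("issuer") != issuer_url:
        raise ValueError("issuer mismatch: %r != %r" % (meta.get("issuer"), issuer_url))
    for key in NEEDED:
        if key not in meta:
            raise ValueError("discovery document lacks %s" % key)
    for key, value in meta.items():
        if key.endswith(("_endpoint", "_uri")) and urlparse(value).scheme != "https":
            raise ValueError("%s is not https: %s" % (key, value))
    return meta

def build_registration_request(meta, client_name, redirect_uris):
    """Return (registration_endpoint, JSON body) for a Dynamic Client Registration POST,
    using the endpoint learned from discovery instead of one provisioned by hand."""
    if "registration_endpoint" not in meta:
        raise ValueError("provider does not advertise dynamic client registration")
    for uri in redirect_uris:
        parsed = urlparse(uri)
        # Redirect URIs must be absolute and carry no fragment (OAuth2 / OIDC Core).
        if not parsed.scheme or not parsed.netloc or parsed.fragment:
            raise ValueError("redirect_uri must be absolute and fragment-free: %s" % uri)
    body = {"client_name": client_name, "redirect_uris": list(redirect_uris),
            "response_types": ["code"], "grant_types": ["authorization_code"],
            "token_endpoint_auth_method": "client_secret_basic"}
    return meta["registration_endpoint"], json.dumps(body)
```

The returned body is what the relying party would POST to the registration endpoint; the OP's reply (client_id, client_secret) is then what the domain administrator reviews, as reason 2 describes.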
8. Supports serious crypto

There are many trust models between domains on the Internet. Defense contractors need a high level of assurance. Your local sports club needs a very low level of assurance. It is great that OpenID Connect supports a range of trust requirements.

9. Supports the complexity of today's mobile / API ecosystem

Native applications, including not only mobile but some incredibly powerful desktop applications, needed a better authentication infrastructure than previous web-centric SSO solutions provided. OpenID Connect has better support for a client collecting the credentials of a person. In some cases, if you are using a native application and the browser pops up and asks you for your credentials, it's a weird user experience. In some cases, the native app is collecting biometric data, generating a key, or providing other important contextual data that can be used to figure out if it's necessary to authenticate the person. Interactive web authentication, where the person's browser is redirected to the home identity provider, is great for many use cases. But thankfully, OpenID Connect didn't stop there in its core set of guidelines.
10. People are finally ready for change

It's very hard to change user behavior. Everyone knows passwords are bad. A recent Verizon study indicated that 80% of IT security breaches were the result of bad passwords. It took 9/11 for people to accept airline security. While thankfully nothing as horrible in the electronic security world has occurred, people experience death by a thousand paper cuts. I think if we offer a better alternative, people are finally ready to change their behavior to take advantage of it.

Article resource: http://gluu.soup.io/post/451942684/OpenID-Connect-Call-me-crazy