OpenID Connect: a new protocol for authentication

In a previous blog post, Joost van Dijk explained how SURFconext uses the SAML2 protocol for authentication. A number of other authentication protocols exist, however, even though SURFconext currently only supports SAML2. Other well-known ones are OpenID, Facebook Login and OpenID Connect. The latter, OpenID Connect, is an upcoming standard that looks potentially interesting for SURFconext and for identity federations in general.

OpenID Connect for SURFconext?

Novay has been looking into the relevance of OpenID Connect for SURFconext, and specifically into the question of whether it should be made possible to use OpenID Connect (instead of SAML2) to connect services to SURFconext. Their report on this topic was recently published.

In the report, several use cases of OpenID Connect are explored in the context of federations for higher education and research. Whether OpenID Connect in its current form is here to stay is not certain. However, it is based on OAuth 2.0, which is quickly becoming the de facto standard for managing delegated access to APIs from (JavaScript-based) web applications as well as smartphone clients. For services that already implement OAuth 2.0 for access to their backend APIs, implementing OpenID Connect will probably be an easier way to implement external authentication and connect to SURFconext than SAML2 is.

OpenID Connect features

For the use cases in SURFconext, OpenID Connect offers functionality similar to SAML2. Support for certain features, such as asking for user consent, is built into the standard. In addition, OpenID Connect can deal with higher levels of assurance and supports IdP discovery, dynamic client registration, and session management; some of these features are optional or still under development, though. Even though OpenID Connect was developed with a dynamic authentication landscape in mind, static trust management is certainly possible, and standardisation for typical federation scenarios is being studied by NRENs and certain vendors.

OpenID Connect for Service Providers

The Service Provider (Client) side of OpenID Connect can be implemented with relatively little effort, especially if the Service Provider already uses OAuth 2.0 for delegating access to its REST APIs. OpenID Connect was designed for the consumer-to-social-network scenario, yet it can potentially be deployed in other environments, such as the enterprise or federations for higher education and research. The OpenID Connect standard is not final at this point, but it is stable enough that software developers are implementing it.
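What distinguishes an OpenID Connect client from a plain OAuth 2.0 client is that it receives an ID token and must validate it before trusting the login: signature, issuer, audience, expiry and the nonce it sent in the request. The Python below is an added illustration and not code from the report, SURFconext or the OpenID Foundation; it assumes a confidential client whose ID tokens are HS256-signed with the client_secret (one of the signing options OpenID Connect Core permits), and the issuer, client id, secret and claim values in it are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def hs256(client_secret: str, signing_input: str) -> bytes:
    # HS256 ID tokens are keyed with the client_secret shared with the OpenID Provider
    return hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def verify_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """Validate an HS256 ID token; return its claims or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(hs256(client_secret, f"{head}.{body}"), b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("missing or wrong azp")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:  # binds the token to the authentication request we sent
        raise ValueError("nonce mismatch")
    return claims

def make_id_token(claims: dict, client_secret: str) -> str:
    # Constructed stand-in for the OpenID Provider, so the example runs offline
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{b64url_encode(hs256(client_secret, signing_input))}"
```

A production client would normally fetch the provider's RSA keys via discovery and verify RS256 instead, but the claim checks are the same.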

SAML 2.0 or OpenID Connect

Some analysts have suggested that OpenID Connect (or a similar protocol) will replace SAML 2.0 in the long run. While this remains to be seen, it is certainly possible that certain categories of Service Providers will support OpenID Connect first, to allow social login, and only implement SAML if there is a clear business case for enterprise and/or higher education and research customers. Google, Microsoft and other commercial parties support the OpenID Foundation in its development effort. However, SAML 2.0 will remain the protocol of choice for federations for the foreseeable future.

It is clear that OpenID Connect is an interesting technology, and SURFnet would like to experiment with it. If you run a (web) service, would like to connect it to SURFconext using OpenID Connect rather than SAML2, and don't mind taking part in an experimental pilot, then please contact us. Mail to:

Bas Zoetekouw (SURFnet) and Martijn Oostdijk (Novay)

Bas Zoetekouw

Bas Zoetekouw is a technical product manager in the Advanced Services department of SURFnet. He is a member of the SURFconext operations team and, alongside his daily tasks administering the platform, investigates new functionality with which to extend SURFconext.

2 Comments on OpenID Connect: a new protocol for authentication

  1. Jaap Kuipers says:

    The drive to make identity management more simple is strong. Thank you SURFnet/Novay for the research.

  2. Pieter says:

    Do you think OpenID Connect is safe for the enterprise?

    OAuth 2.0 doesn't support signature, encryption, channel binding, or client verification. It relies completely on SSL for some degree of confidentiality and server authentication.
    OAuth 2.0 has had numerous security flaws exposed in implementations. The protocol itself has been described as inherently insecure by security experts, and a primary contributor to the specification stated that implementation mistakes are almost inevitable.
