What’s Happening at the OpenID Foundation?

The OpenID Foundation is a standards developing organization. They promote, protect and nurture the OpenID community and technologies. They meet twice a year in fall and spring. These are the highlights of their Fall 2016 meeting.

OpenID Connect

Right now the group is working on logout protocols. There are three approaches being considered: session management, front-channel logout, and back-channel logout.  They are also working on new forms of OpenID Connect interoperability testing. OpenID certification enables OpenID Connect implementations to be certified as meeting the requirements of defined conformance profiles.  Right now you can only certify an OpenID Connect provider, but the ability to certify OpenID RP libraries and instances is coming soon.


Why aren’t SaaS app providers federating identity management? It’s hard, and other apps don’t support it. Today federation can take hours, days, or weeks. FastFed is going to create highly prescriptive configurations for SAML, OIDC, SCIM, and OAuth so that federation can be accomplished in minutes. Ideally an IdP admin can paste in metadata, answer some questions, get redirected to the app, answer a few more questions, get redirected back to the IdP, a few tests are run, and federation is complete.


HEART is profiling OAuth, OpenID Connect, and UMA for the healthcare vertical. They are focused on patient-driven use cases. They are making two sets of specifications – mechanical specifications to enable security and interoperability, and semantic specifications that adapt each protocol to the healthcare field and specifically the FHIR standard.


MODRNA stands for Mobile Operator Discovery, Registration &  autheNticAtion.  GSMA created Mobile Connect for secure universal digital authentication leveraging OpenID Connect. MODRNA was created to support this evolution. Members include people from the OpenID community as well as mobile carriers.  They are working on three standards – MNO discovery, set up of credentials, and authentication requests.

Enhanced Authentication Profile

This working group defines how to do token-bound OpenID Connect ID Tokens. This binds the ID token to the user’s TLS session so that it cannot be replayed out of context. There is a version of OpenSSL that supports token-binding that Google is looking at open sourcing.


iGov is looking at how the HEART mechanical profiles can be used in a government context. They are also looking at hubs and proxies and how they can be used to enable and/or prevent blinding. In common-law countries, commercial IdPs are acting as identity providers for governments. In other countries, government identities are used by the private sectors. Some are a hybrid of the two.

Account Chooser

Account chooser is a user interface that allows users to easily see and choose from accounts they have logged in with before. A website can request to use account chooser, and if the user consents, the user’s existing accounts can easily be displayed without the website having any previous knowledge of the user’s external accounts. Google has proposed a re-charter to rename the project Open YOLO (you only login once). They would like to expand the scope to include a password manager interaction and actual code libraries.


RISC (Risk and Incident Sharing and Coordination) working group came about a couple of years ago after there was a big credential spill on the internet and many gmail accounts were compromised.  When an email account is compromised it can be used to reset the password any account for which it is registered as a recovery address. Email providers need a way to broadcast that an account has been compromised and shouldn’t be used elsewhere for account recovery.  There is also value in sending an event if a user resets a password or if an email account is recycled to a new user.

Financial API

Many financial data aggregators use credential replay and screen scraping. This working group is attempting to specify APIs that financial service providers can be interoperable. They are approaching this goal in two parts: part one is read-only, and part two is read/write.  Possible APIs would be accounts, customers, products, and error codes.