OpenID Connect


What is OpenID Connect?

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.

See https://openid.net/connect/faq/ for a set of answers to Frequently Asked Questions about OpenID Connect.

How is OpenID Connect different than OpenID 2.0?

OpenID Connect performs many of the same tasks as OpenID 2.0, but does so in a way that is API-friendly, and usable by native and mobile applications. OpenID Connect defines optional mechanisms for robust signing and encryption. Whereas integration of OAuth 1.0a and OpenID 2.0 required an extension, in OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself.

Specification Organization

The OpenID Connect 1.0 specification consists of these documents:

Core – Defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of Claims to communicate information about the End-User
Discovery – (Optional) Defines how Clients dynamically discover information about OpenID Providers
Dynamic Registration – (Optional) Defines how clients dynamically register with OpenID Providers
OAuth 2.0 Multiple Response Types – Defines several specific new OAuth 2.0 response types
OAuth 2.0 Form Post Response Mode – (Optional) Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User Agent using HTTP POST
RP-Initiated Logout – (Optional) Defines how a Relying Party requests that an OpenID Provider log out the End-User
Session Management – (Optional) Defines how to manage OpenID Connect sessions, including postMessage-based logout and RP-initiated logout functionality
Front-Channel Logout – (Optional) Defines a front-channel logout mechanism that does not use an OP iframe on RP pages
Back-Channel Logout – (Optional) Defines a logout mechanism that uses direct back-channel communication between the OP and RPs being logged out
OpenID Connect Federation – (Optional) Defines how sets of OPs and RPs can establish trust by utilizing a Federation Operator
Initiating User Registration via OpenID Connect – (Optional) Defines the prompt=create authentication request parameter

Two implementer’s guides are also available to serve as self-contained references for implementers of basic Web-based Relying Parties:

Basic Client Implementer’s Guide – Simple subset of the Core functionality for a web-based Relying Party using the OAuth code flow
Implicit Client Implementer’s Guide – Simple subset of the Core functionality for a web-based Relying Party using the OAuth implicit flow

A protocol migration specification has been finalized:

OpenID 2.0 to OpenID Connect Migration 1.0 – Defines how to migrate from OpenID 2.0 to OpenID Connect

The OpenID Connect for Self-Sovereign Identity work includes these Implementer’s Drafts:

Self-Issued OpenID Provider V2 – (Optional) Enables End-users to use OpenID Providers (OPs) that they control
OpenID Connect for Verifiable Presentations – (Optional) Enables request and presentation of W3C Verifiable Presentations via OpenID Connect

Finally, see the working group status page for the new work the OpenID Connect working group is engaged in.

The OpenID Connect 1.0 specifications and other specifications they are built upon are shown in the diagram below.

Participation in the Working Group

The easiest way to monitor progress on the OpenID Connect 1.0 Specification is to join the mailing list at https://lists.openid.net/mailman/listinfo/openid-specs-ab.

Please note that while anyone can join the mailing list as a read-only recipient, posting to the mailing list or contributing to the specifications requires the submission of an IPR Agreement. More information is available at https://openid.net/intellectual-property. Make sure to specify the working group as “OpenID AB/Connect”, because this group is a merged working group and both names must be specified.

For more details on participating, see the OpenID Connect Working Group Page.

Implementations

The Libraries page lists libraries that implement OpenID Connect and related specifications.

Interop Testing

Interop testing for OpenID Connect Federation implementations is under way. If you are interested in participating in the interop activities, join the OpenID Federation Interop mailing list.

Status

Final OpenID Connect specifications were launched on February 26, 2014.
The certification program for OpenID Connect was launched on April 22, 2015.
Final OAuth 2.0 Form Post Response Mode Specification was approved on April 27, 2015.
OpenID Certification for RPs was made available to all in August 2017.
Second Implementer’s Draft of OpenID Connect Federation Specification Approved on January 8, 2020.


