The OpenID Foundation membership has approved the following AuthZEN specifications as an OpenID Implementer’s Draft:

• Authorization API 1.0 Implementer’s Draft: https://openid.net/specs/authorization-api-1_0-01.html

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification. This Implementer’s Draft is a product of the AuthZEN Working Group.

The voting results were:

• Approve – 82 votes
• Object – 2 votes
• Abstain – 22 votes

Total votes: 106 (out of 391 members = 27% > 20% quorum requirement)

Marie Jordan – OpenID Foundation Secretary

The post AuthZEN Authorization API 1.0 Implementer’s Draft Approved first appeared on OpenID Foundation.

We recently shared some exciting news about a new Working Group, Interoperability Profiling for Secure Identity in the Enterprise (IPSIE). However, there have been some misunderstandings in the media coverage that followed the OpenID Foundation’s announcement. The OIDF is keen to clarify our ways of working and affirm that all the usual due processes have been followed during IPSIE’s formation. 

Background

• The OpenID Foundation (OIDF) is committed to a world in which everyone can assert their identity wherever they choose. We do this by defining identity standards that are secure, interoperable, and privacy-preserving.
• OIDF’s Working Groups, through which much of this work is delivered, are underpinned by trust. They provide a safe space for competing organizations to come together and agree on common rules and practices that will solve mutual challenges. 
• The outcomes of these groups are OIDF Standards – a culmination of the valuable feedback of all the OIDF members in those groups – which go on to become trusted by millions of organizations across the globe. 
• All the organizations and individual contributors involved in OIDF’s Working Groups are respected thought leaders in their fields and OIDF is proud to be able to bring together their valuable contributions.

Introducing IPSIE

Last month, seven members of the OpenID Foundation proposed the IPSIE Working Group under a new proposal and charter to the OpenID Foundation Specifications Committee. That proposal was then supported by the Specifications Council, which means that the new IPSIE Work Group would address a new and relevant area of specification development aligned to the OpenID Foundation’s Mission and Vision.

There are many specifications underlying the Identity and Access Management (IAM) functions in enterprise operations. Achieving interoperability between them and optimizing for security is the challenge at the heart of the IPSIE Working Group charter.

The IPSIE Working Group will develop secure-by-design profiles of these existing specifications with a primary goal of achieving interoperability and security-by-design by minimizing optionality in multiple specifications that are used in enterprise implementations.

Key clarifications: 

• No one entity or member can create an OpenID Foundation Working Group on their own. A minimum of five active members in the OpenID Foundation are required to propose a new Working Group. In the case of the IPSIE Work Group, there were seven proposers, thus conforming to the usual due process. 
• No single entity or individual controls the substance of the work conducted within a Working Group. The IPSIE Working Group is a collaboration hosted by the OIDF and made up of many member organizations and individuals, including leading global tech firms and startups, who have committed to working together to address this key industry challenge. 
• The IPSIE Working Group is in its early days, so there is no new security standard yet. This is work in progress and any proposed standards will follow a rigorous process of community contributions, community feedback, and refining as per the OpenID Foundation Process document. 
• Since there are no IPSIE Specifications yet, there are no products or services on the market that are based on IPSIE specifications or that can be considered conformant to an IPSIE specification. 
• Proposers are not Contributors or Adopters. Proposers agree to a problem statement and express willingness to collaborate. At the stage of proposing a WG and until Contribution Agreements are signed, no intellectual property has been contributed to the WG.
• Consensus is a core value of how the OpenID Foundation conducts the development of standards, and the OpenID Foundation follows the World Trade Organization guidelines for standards bodies. No single entity or individual can make a decision for the group.

These distinctions are important. The work of Standards organizations, like the OIDF, the IETF, the W3C, ISO, and others, are all underpinned by trust. Standards organizations provide safe spaces for government, individuals, and private entities – many of whom often compete – to agree upon common rules and practices. This ensures a level playing field and protects businesses and consumers by promoting security and portability. 

As part of the inquiry into the misunderstanding, the OpenID Foundation Board did recognize that we lack a clear policy on how OpenID Foundation members, contributors, and implementers should refer to OIDF processes and work groups in media and marketing channels. We are working actively to close this policy gap to offer the OpenID Foundation community better clarity and avert future misunderstandings. As always, the Foundation values the trust the community places in OIDF processes and specifications and appreciates the lengths our community goes to sustain the trust that helps deliver on our Mission and Vision.  

To become a member of the IPSIE WG you can find more information here. 

Full information on the OIDF Process Document is here.  

To become a member of the OpenID Foundation link here.  

About the OpenID Foundation

The post For the Record: The IPSIE WG and OpenID Foundation Processes first appeared on OpenID Foundation.

The post FAPI 2.0 Conformance Tests Now Support DPoP first appeared on OpenID Foundation.

The OpenID AB/Connect Working Group recommends approval of the following specification as an OpenID Implementer’s Draft:

• OpenID4VP: https://openid.net/specs/openid-4-verifiable-presentations-1_0-22.html

This would be the third Implementer’s Draft of this specification.

• Implementer’s Draft public review period: Friday, November 1, 2024 to Sunday, December 16, 2024 (45 days)
• Implementer’s Draft vote announcement: Tuesday, December 3, 2024
• Implementer’s Draft early voting opens: Tuesday, December 10, 2024 *
• Implementer’s Draft official voting period: Tuesday, December 17 to Tuesday, December 24, 2024 *

* Note: Early voting before the start of the formal voting period will be allowed.

The OpenID AB/Connect working group page is https://openid.net/wg/connect/. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration. If you’re not a current OpenID Foundation member, please consider joining to participate in the approval vote. You can send feedback on the specification in a way that enables the working group to act upon it by (1) signing the Contribution Agreement at https://openid.net/intellectual-property/ to join the working group (at a minimum, please specify that you are joining the “DCP” working group or select “All Work Groups” on your Contribution Agreement), (2) joining the working group mailing list at [email protected], and (3) sending your feedback to the list.

Marie Jordan – OpenID Foundation Secretary

The post Public Review Period for Proposed Implementer’s Draft of OpenID4VP Specification first appeared on OpenID Foundation.

The official voting period will be between Thursday, November 7, 2024 and Thursday, November 14, 2024 (12:00pm  PT), once the 45 day review of the specification has been completed. For the convenience of members who have completed their reviews by then, voting will actually begin on Thursday, October 31, 2024.

The AuthZEN work group page is  https://openid.net/wg/authzen/. If you’re not already an OpenID Foundation member, or if your membership has expired, please consider joining to participate in the approval vote. Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.

The vote will be conducted at https://openid.net/foundation/members/polls/343

Marie Jordan – OpenID Foundation Secretary

The post Notice of Vote for Proposed AuthZEN Authorization API 1.0 Implementer’s Draft first appeared on OpenID Foundation.

The post Revisions to OpenID Process Document and IPR Policy Approved first appeared on OpenID Foundation.

Mike Leszcz, OpenID Foundation Operations Director

This was a hybrid event with some CMF and ecosystem members participating in person in Santiago. OIDF was very fortunate to have founding member and long-time board member, John Bradley with Yubico, representing OIDF in person. The goal of the workshop was to introduce OIDF and OpenID specifications with a focus on FAPI 2.0 to the ecosystem as Chile will require FAPI 2.0 when the Chilean Open Finance System goes live.

OIDF Standards Overview

Victor Andrade, Senior Analyst with the CMF, opened the workshop welcoming approximately 190 participants. Gail Hodges, OIDF Executive Director, kicked off the agenda with a brief introduction to OIDF including how the Foundation operates including with other ecosystems and then highlighted how to get involved.

Mark Haine, OIDF Technical Director, presented an overview of current OpenID specifications including recommendations for new vs. existing ecosystems. This introduced a deeper dive into FAPI 2.0, delivered by Domingos Creado who represents OIDF certification team and is a valued FAPI Contributor. Domingos discussed key technical details from FAPI 2.0, including how it builds on FAPI 1.0 and is intended to be easier to implement. Domingos also confirmed that FAPI 2.0 is on track to be a Final Specification by the end of 2024.

At the request of the CMF, the workshop also included a high-level overview of the Shared Signals Framework (SSF) specification that improves API efficiency and security by providing privacy-protected, secure webhooks. It is in use by some of the largest cloud services to communicate security alerts and status changes of users, continuously and securely to prevent and mitigate security breaches. It is currently leveraged by two applications – the Continuous Access Evaluation Protocol (CAEP) and Risk Incident Sharing and Coordination (RISC) to achieve this result. Shared Signals WG co-chairs, Atul Tulshibagwale, CTO at SGNL, and Sean O’Dell, Senior Staff Security Engineer at Disney, provided this overview and addressed SSF questions.

Joseph Heenan, OIDF Specifications Specialist and Certification Director as well as a FAPI 2.0 Editor, provided an overview of the OpenID Certification Program. This included the value of certification including how ecosystems that mandate FAPI and FAPI certification are achieving high security within their ecosystems as well as enabling interoperability. He noted that FAPI 2.0 conformance tests and certifications are currently available with a number of OP and RP certifications from the ConnectID private ecosystem in Australia. Joseph highlighted a number of other conformance test suites for other OpenID specifications are currently in development and will be made available for certifications once in production.

Ecosystem Engagement

The workshop then turned to ecosystem engagement, facilitated by OIDF Operations Director, Mike Leszcz. Mike spoke about the ecosystems that OIDF has partnered with in recommending or mandating FAPI adoption and FAPI certifications. He noted that OIDF is also supporting some ecosystems that are in the process of going live with their open finance/open data ecosystems.

This overview introduced the strong partnership that OIDF has had with Open Finance Brazil (OFB) the last several years as OFB mandates FAPI adoption and certifications with annual recertifications required. We were privileged to have Elcio Calefi, CIO at OFB and OIF board member present, “Technology in Finance – Innovation, Security and Inclusion”, highlighting OFB’s journey from including FAPI into the Brazilian open finance regulation and then operationalizing the mandate for FAPI adoption and certification.

Questions Answered

After a lunch break, OIDF presenters and workshop participants reconvened for a Q&A session that addressed hot topic such as the lifecycle of the standards, the use of mTLS, the implementation of refresh tokens, the practical aspects of changing the scope of authorizations or grants, among others. Other topics during this session included:

• Certification costs and OIDF’s recommendations regarding the implementation of certification processes.
• Adaptations to the applicable profile(s) for Chile and OIDF’s position on possible deviations that a local implementation may have from the plain vanilla standard.
• OIDF recommendations regarding the use of RAR / PAR, especially in replay attack threat scenarios.
• Questions on DCR single profile.
• Inclusion of data finality principles and their relationship to the FAPI standard.
• Questions on how OIDF has approached to embedded finance for FAPI compliance, in particular where authorizations come from or are managed by third parties.

John Bradley, representing OIDF and an author on a number of the specifications being discussed, took the lead on many of the topics during the Q&A session with support from the workshop presenters. The Q&A session allowed additional time for the Chilean Open Finance System participants to dive deeper into the workshop topics.

OIDF thanks our colleagues at the CMF for their support and coordination of these two important events in support of the Chilean Open Finance System.

Links to the session recordings and workshop deck can be found on the OpenID Foundation’s Presentations and Media page.

About the OpenID Foundation

The post An Outreach Workshop for Open Banking Chile first appeared on OpenID Foundation.

The OpenID Foundation is delighted to announce the formation of the Interoperability Profiling for Secure Identity in the Enterprise (IPSIE) Working Group. This WG aims to tackle key challenges that underlie identity security in today’s enterprise environments. 

The Core Challenge

Identity and Access Management (IAM) within the enterprise is a multifaceted endeavor, as indicated by the growing Body of Knowledge maintained by IDPro. There is a broad range of specifications that are relevant to securing the many IAM functions that underpin operations. Some of these are OIDF standards – like OpenID Connect, FAPI, and Shared Signals – while others are maintained in different standards bodies. For example, IPSIE has already identified the IETF’s OAuth 2.0 and System for Cross-Domain Identity Management (SCIM) as relevant to their initial scope (below). But these specifications are written to support many contexts and use cases; they contain optionality that reduces the likelihood that independent implementations will interoperate. 

The IPSIE Working Group will develop secure-by-design profiles of these existing specifications with a primary goal of achieving interoperability across enterprise implementations.

Getting Involved

According to its Charter, the IPSIE WG will initially focus on standards that support:

• Single Sign-On
• User Lifecycle Management
• Entitlements
• Risk Signal Sharing
• Logout
• Token Revocation.

As of this publication, the WG is meeting weekly on Tuesdays, though Contributors should always check the OpenID Calendar for any updates to the schedule. To stay up-to-date with the latest news, please join the IPSIE mailing list.

About the OpenID Foundation

The post Announcing the IPSIE Working Group first appeared on OpenID Foundation.

The OpenID Connect Final specification was launched on February 26, 2014 with a vision of increased security, privacy, and usability on the internet. Ten years after that publication, we are delighted to announce that 9 OpenID Connect specifications are now published as ISO/IEC standards.

• ISO/IEC 26131:2024 — Information technology — OpenID connect — OpenID connect core 1.0 incorporating errata set 2
• ISO/IEC 26132:2024 — Information technology — OpenID connect — OpenID connect discovery 1.0 incorporating errata set 2
• ISO/IEC 26133:2024 — Information technology — OpenID connect — OpenID connect dynamic client registration 1.0 incorporating errata set 2
• ISO/IEC 26134:2024 — Information technology — OpenID connect — OpenID connect RP-initiated logout 1.0
• ISO/IEC 26135:2024 — Information technology — OpenID connect — OpenID connect session management 1.0
• ISO/IEC 26136:2024 — Information technology — OpenID connect — OpenID connect front-channel logout 1.0
• ISO/IEC 26137:2024 — Information technology — OpenID connect — OpenID connect back-channel logout 1.0 incorporating errata set 1
• ISO/IEC 26138:2024 — Information technology — OpenID connect — OAuth 2.0 multiple response type encoding practices
• ISO/IEC 26139:2024 — Information technology — OpenID connect — OAuth 2.0 form post response mode

We would like to thank the AB/Connect Working Group for their tireless efforts building and maintaining this family of specifications, including the process of applying errata corrections to the specifications, so that the ISO versions would have all known corrections incorporated. 

OpenID Connect has been used by millions of developers and deployed in billions of applications worldwide. Publication by ISO as a Publicly Available Specifications (PAS) will enable even broader global adoption by enabling deployments within ecosystems and jurisdictions that require the use of specifications from standards bodies recognized by international treaties (such as ISO).

The OpenID Foundation remains committed to helping people assert their identities wherever they choose – and to do so by building identity standards that are secure, interoperable, and privacy-preserving. For the benefit of individual and ecosystem security all over the world, OIDF will soon follow this same process with other specification families. These include the FAPI 1.0 and eKYC-IDA specifications, and once they’re final, the  FAPI 2.0 specifications.

Many thanks to all of OIDF spec authors, implementers, members, and contributors who have ensured the success of OpenID Connect over the last 10 years!

About the OpenID Foundation

The post 10 Years On: OpenID Connect Published as an ISO/IEC Spec first appeared on OpenID Foundation.

• OpenID Identity Assurance Schema Definition 1.0 – https://openid.net/specs/openid-ida-verified-claims-1_0-final.html
• OpenID Connect for Identity Assurance Claims Registration 1.0 – https://openid.net/specs/openid-connect-4-ida-claims-1_0-final.html
• OpenID Connect for Identity Assurance 1.0 – https://openid.net/specs/openid-connect-4-identity-assurance-1_0-final.html

• Approve – 89 votes
• Object – 0 votes
• Abstain – 18 votes

The post Three OpenID Connect for Identity Assurance Final Specifications Approved first appeared on OpenID Foundation.