After a decade of creating a multitude of online accounts, with a plethora of usernames and passwords, most people will welcome some form of consolidation. OpenID Connect 1.0 will whittle that down to just one, allowing you to use your email address to identify yourself online and to authenticate.
OpenID Connect 1.0 is a profile of OAUTH 2.0, an IETF Internet Draft. The OpenID Foundation Members include Google, Microsoft and Yahoo. This group collectively serves a critical mass of American consumers, and if they support one method of authentication, there will be an overwhelming advantage for web sites to adopt it.
By using your email to identify yourself on the web, OpenID Connect 1.0 will enable web sites to send a request to your domain to confirm that you are authenticated. It also defines how to grant access to certain resources, such as your profile or your list of friends. The standard is a win-win for consumers and web sites.
OpenID Connect has the potential to be one of the pillars that will enable the NSTIC vision to realize a safer Internet for consumers. With fewer web-based accounts to manage, consumers will have an incentive to invest in stronger authentication technologies, and there will be fewer passwords on the Internet for hackers to steal.
I like to compare the first version of OpenID to the Vikings. The Vikings were able to cross the North Atlantic 600 years before other Europeans, but made no permanent settlements in North America. In 2005, the first version of OpenID was the Viking of consumer federated identity: it was groundbreaking, but other than a few abandoned campsites, there is not much sign of it left. After seven years, this latest version, OpenID Connect 1.0, is poised to put down roots. Both the user experience and the security have been vetted by technologists at the web’s leading consumer identity providers. In fact, OpenID Connect borrows aspects of the user experience from Facebook Connect while also defining several other related standards to make the solution more comprehensive.
If your organization provides users with an email account, you will probably want to launch (1) an OpenID Provider (“OP”) where people at your organizations can authenticate and (2) launch an OpenID Connect discovery service, so Internet web sites can “validate” your users. If you are a web site, you should consider adding support for OpenID Connect 1.0 into your release roadmap. The good news for web sites is that OpenID Connect is relatively lightweight; uses JSON, REST and all that stuff; and there are client libraries out there in Java, Python and other popular programming platforms.
Organizations have a number of options to support OpenID Connect: using open source software, buying commercial software and using cloud service providers. I am proud to announce this week the launch of a new Gluu Cloud Identity Server, which leverages the OpenStack Compute API to just-in-time provision Rackspace Cloud Servers. With OpenID Connect, the availability of an organization’s authentication and authorization service becomes increasingly critical. The design of Gluu’s service around OpenStack enables us to leverage Rackspace’s network to launch a highly robust organizational identity service. Gluu also makes its OpenID Connect software available for free as part of the OX project. But whatever your OpenID Connect deployment strategy, I think one thing is for sure: the tide of Internet identity is changing, and those businesses that position themselves correctly will be in a position to be lifted by it.