It took four and a half years of hard work from the creation of the working group, and six years of hard work in all, before we finally released OpenID Connect.
OpenID Connect is an "identity layer" for the Internet.
Speaking of layers, there is a commonly used model called the TCP/IP reference model.[1] This is a model, established by the IETF, that divides the communication functions an Internet host should have into a hierarchical structure; it is also called the TCP/IP Reference Model or the Internet Protocol Suite, and it defines the communication functions (communication protocols) as four hierarchical levels (RFC 1122). The fourth layer is called the application layer, but it covers only communication services such as HTTP and FTP; it does not mean "business applications." The "business applications" that actual users use are built on top of this. Is this the image you have?

In Figure 1, we have drawn an oval to represent "authentication and authorization" within the "business application layer." We have highlighted this because this function exists in all business applications.
I had the opportunity to hear Dr. Peter Tippett say that more than 95% of security problems on the Internet are caused by poor authentication and authorization.[2] He went on to say, "In terms of strengthening security, even if you perfected antivirus, firewalls, and all other security functions, it would still not come close to the benefits you would get from just slightly improving identity functions."
What has been released this time is an international standard for externalizing the "authentication and authorization" function as a single layer, the "identity layer," just like the network layer, rather than implementing it individually for each application. A rough image of this is shown in Figure 2.

Here, application software can safely perform "authentication and authorization" by exchanging information with the identity layer using predefined standard procedures (protocols). By outsourcing the authentication and authorization functions in this way to specialized software or services, application software can specialize in its core competency, the "application function," without having to perform "authentication and authorization," which is extremely difficult to perform correctly, and thus without creating security holes that result from it.
This release covers the following parts of the overall identity layer architecture:
| Specification | Description |
|---|---|
| OpenID Connect Core | This is the core of everything; authentication and authorization are possible with this alone. |
| OpenID Connect Discovery | This lets a client find out where the services that provide authentication and authorization for a given user are located. |
| OpenID Connect Dynamic Registration | This is a specification that allows application software (called a client) to register itself dynamically with the identity layer. |
| OAuth Multiple Response Types | This defines some of the messages (response types) used by the specifications above. |
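To make the "predefined standard procedures" concrete, here is an added example (not code from the original post, nor from the OpenID Foundation specifications themselves) showing the two pieces of the exchange that a client sees most directly: deriving the Discovery metadata URL from an issuer identifier, and validating an ID Token the way OpenID Connect Core 1.0 requires (signature, `iss`, `aud`, `exp`, `nonce`) before trusting it. The issuer URL, client identifier, client secret, discovery document and token claims are all constructed for this example; the token is signed with HS256 using the client secret, the symmetric case Core permits, and the validation pins the algorithm rather than trusting the token's header.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for this example; not from any real provider.
ISSUER = "https://op.example.com"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = b"example-client-secret-at-least-32-bytes-long!!"


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery: provider metadata lives at a well-known
    path beneath the issuer identifier."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


# A constructed discovery document, as a provider would serve it at discovery_url(ISSUER).
DISCOVERY_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "id_token_signing_alg_values_supported": ["HS256", "RS256"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_id_token(claims: dict, secret: bytes) -> str:
    """Provider side: mint an ID Token as a JWS compact serialization with
    HS256, keyed by the client secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token, secret, expected_issuer, client_id, expected_nonce, now=None):
    """Relying-party side: the checks OpenID Connect Core 1.0 section 3.1.3.7
    requires before an ID Token is trusted. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ID token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must not choose "none" or another alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise ValueError("audience mismatch")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp required when there are multiple audiences")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def demo(now=1_400_000_000):
    """End to end: take the issuer from the constructed discovery document,
    accept a valid token, and confirm a payload edited after signing is rejected."""
    issuer = DISCOVERY_DOC["issuer"]
    nonce = "n-0S6_WzA2Mj"  # constructed; a real client generates one per login
    claims = {"iss": issuer, "sub": "user-1234", "aud": CLIENT_ID,
              "iat": now, "exp": now + 600, "nonce": nonce}
    token = sign_id_token(claims, CLIENT_SECRET)
    ok = validate_id_token(token, CLIENT_SECRET, issuer, CLIENT_ID, nonce, now=now)
    h, p, s = token.split(".")
    edited = json.loads(_b64url_decode(p))
    edited["sub"] = "someone-else"
    tampered = f"{h}.{_b64url(json.dumps(edited).encode())}.{s}"
    try:
        validate_id_token(tampered, CLIENT_SECRET, issuer, CLIENT_ID, nonce, now=now)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {"discovery_url": discovery_url(issuer), "sub": ok["sub"],
            "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(demo())
```

The point of the example is the division of labour the post describes: the provider does the hard part (authenticating the user, minting the token), and the application only has to run a fixed checklist against a standard message format. With RS256 the signature step would instead use the provider's public key fetched from the `jwks_uri` in the discovery document; the claim checks are unchanged.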
Many companies have already declared their support for OpenID Connect. Google has already declared that it will fully transition to OpenID Connect by April 2015, and Microsoft and Salesforce have already begun providing the service. In Japan, Nomura Research Institute provides technology as a backend for various companies, and SoftBank and Yahoo! already support it. Other notable companies that have declared their support include (in no particular order) ForgeRock, CA, VMWare, AOL, Cisco, and others.
Additionally, "Mobile Connect," from GSMA, the organizer of the Mobile World Congress in Barcelona, is a profile of OpenID Connect for mobile carriers. (I will write a separate article about this at a later date.)
OpenID Connect is the fruit of the blood and sweat of many people. I would like to take this opportunity to thank the many people who have helped us.
[1] Speaking of layers, there is another commonly used one called the OSI reference model. This is a model, formulated by the International Organization for Standardization (ISO), that divides the communication functions a computer should have into a hierarchical structure; it is also called the OSI Basic Reference Model or the OSI Model, and it defines the communication functions (communication protocols) as seven layers. The seventh layer is called the application layer, but it covers only communication services such as HTTP and FTP; it does not mean "application software" as the term is commonly understood. The "application software" that actual users use is built on top of this.
[2] At the International Identity Summit, an invitation-only event (about 30 people?) held at the White House.
[3] Here, we loosely refer to it as the "identity layer," but in reality it is divided into a layer that issues tokens representing access rights, a so-called identity layer that exchanges identity data (attribute data related to a certain entity), and an access control layer that uses the tokens to perform actual access control.
(Revision History)
- 2014/3/1 – I originally wrote this using the OSI reference model, but it didn't sit well, so I changed it to the TCP/IP reference model. I also changed the list to a table.