The OpenID Foundation Workshop was held today from 4:30 to 8:00 a.m. Japan time at the Google campus in California. The video and slides will be released soon, but here is the latest news.
Overview by Gail Hodges (Executive Director, OpenID Foundation)
Gail Hodges outlined some of the OpenID Foundation’s key accomplishments over the past six months:
Specification Progress:
- FAPI 2 security and attacker profiles finalized
- FAPI 1 submitted to ISO as public specification
- FAPI 2 Conformance Testing Supports DPoP
- Digital Credentials Protocol (DCP) Working Group Progress: OpenID for Verifiable Presentations at Implementer Draft 3, OpenID for VCI at Implementer Draft 2, HAIP Profile at Implementer Draft 1
- eKYC (Electronic Know Your Customer) and IDA (Identity Assurance): OpenID Connect Authority specifications reaching 1.0; AuthZEN promoted to Implementer Draft in November 2024
Events and collaborations:
- Four different working groups conduct interoperability testing
- Shared Signals: Interoperability Events in Texas and London
- DCP Working Group: Hackathon in California, MOSIP event in the Philippines
- Collaboration with NIST: Small-scale interoperability testing under the NCCoE program
- AuthZEN: First interoperability event at Gartner (a great success)
- Federation: SUNET-sponsored events in Sweden (scheduled for the week of April 4th)
Governance and operations developments:
- Finalization of process documentation and IPR agreement (first update in about seven years)
- Mark Haine develops automated tools for checking specifications
Thought Leadership:
- Establishment of the Australian Digital Trust Community Group
- SIDI Hub: 9 reports published by Elizabeth Garber
- Feedback to the Government: Briefings to the Federal Reserve Bank of New York, Feedback to NIST Directives and NIST Attribute Services
- Participation in the Aspen Institute Fraud Task Force
- A blog post by Dima with specific recommendations on using fine-grained permissions and rich permission requests.
Media Appearance:
- Promoting the Foundation's activities and events
- Active blogging and podcasting by co-chairs and editors
- Okta Recognizes Leaders in Identity: Foundation Members and Partners Make Up More than Half of 25 People Recognized
eKYC (Electronic Know Your Customer) and IDA (Identity Assurance) Working Group Update
Presentation by Mr. Hodari:
- OpenID Connect Authority 1.0 implementations are spreading around the world, particularly in Australia and the UK
- The specification has been submitted to ISO (International Organization for Standardization) as a public specification, with the 12-week voting period ending soon.
- A new working group call on Identity Assurance starts at 5:30 a.m. Tokyo time
- Conformance Test Suite Graduates from Beta
- Next phase of work will include age assurance and authority use cases
- In Q2 2025, attachments are expected to be final and the Authority spec is expected to be Implementer Draft 2.
DADE (Death and Digital Estate) Community Group
Presentation by Dean Sachs:
- The group was founded in September 2024 and aims to better understand how individuals can manage their digital legacy.
- Digital heritage includes online texts, images, photographs, audio/video, code and other digital content.
- Developing use cases for temporary and permanent disability and death
- Collecting data about legacy contact and service mechanisms (highly inconsistent across platforms)
- Discussing the topic of death can be tricky depending on culture and language
- DADE panel planned for Identiverse 2025
- A white paper titled "The State of Digital Heritage Management" is being planned that will also include a planning guide.
- Release planned for Cyber Security Awareness Month
- Regular working group calls for North America/EMEA and APAC/North America
Q&A:
- Global or regional: Ideally global, but we need to work at a regional level. Groups are starting up in Australia.
- Question about cooperation with MOSIP: We would like to utilize the knowledge and experience gained in areas where MOSIP is active, such as India and Africa.
- It has been pointed out that accessing services on behalf of a deceased person can sometimes be a useful anti-pattern.
Panel discussion on AI authentication
Moderator: Tobin (MIT-Stanford researcher)
Panelists: Aaron Parecki (Director), George Fletcher (Director), Dima Postnikov (Vice Chair)
Introduction by Tobin:
- The AI community is now discovering that chatbots can connect to APIs and take actions, and are trying to do this without authentication.
- Startups and AI companies are realizing they need more robust authentication and authorization, but are building it from scratch
- The OpenID Foundation is well positioned to take a clear stance to help the AI community avoid reinventing the wheel.
Summary of a recent blog post by Aaron Parecki:
- The Model Context Protocol (MCP) is trying to standardize access to AI tools, but authentication is problematic.
- Most of the problems can be solved by applying the existing OAuth concept.
- There is a tendency in the AI world to create entirely new things, but many of the existing API usage and authorization patterns can be applied one-to-one.
Tobin adds:
- There was some disagreement at the Stanford workshop about agent authentication delegation.
- OpenAI claims that consumers only need to "have the robot perform the task"
- On the other hand, some people want to severely restrict the actions that AI can take.
- We need to consider the role of human intervention and how OpenID-style tools can help
According to George Fletcher:
- Where responsibility lies is a key issue
- Increasing user consent shifts responsibility to the user but creates a worse user experience
- Complex permission questions regarding the extent of delegation to agents (e.g., access to credit card information)
Panel discussion:
- Discussion of delegated authority, expression of intent, and limits of scope
- AI use cases vs. normal use cases: Unpredictable behavior, expressing intent, learning agents
- The importance of building on existing infrastructure
- Possibility to extend existing OAuth mechanisms
In closing:
- The OpenID Foundation needs to provide a forum for the AI community to have a voice
- Planning to create a white paper
- Leverage knowledge from areas where solutions already exist, such as open banking and digital identity credentials
OpenID Connect Working Group Update
Presentation by Mike Jones:
Key developments:
- OpenID Federation security analysis completed, significant security holes discovered
- The certification team is developing conformance tests for OpenID Federation
- A Federation interoperability event will be held at SUNET in Sweden at the end of April
New specifications:
- OpenID Federation Wallet Architectures Draft
- OpenID Connect RP Metadata Choices Specification
- OpenID Provider Commands specification (described later by Dick Hardt)
Security analysis and response:
- A Federation security analysis by the University of Stuttgart found bugs or ambiguities in the audience value sent to the authorization server.
- The vulnerable deployment was privately discussed for several months and fixed.
- Corrections were made to OpenID Federation, OpenID Connect Core (Errata Draft), FAPI 2, FAPI 1 (Errata Draft), CIBA Core (Errata Draft), etc.
- A draft called 7523bis was adopted to make the corresponding fix to RFC 7523, the affected OAuth specification.
Work in progress:
- Planning for Federation interoperability event (approximately 25 participants, approximately 12 implementations)
- Review and consideration of the RP Metadata Choices implementer draft
- Status assessment of three dormant specifications (OpenID Connect Claims Aggregation, User Info Verifiable Credentials, Self-issued OpenID Provider V.3)
Enhanced Authentication Profile (EAP) Working Group:
- OpenID Connect EAP ACR Values Specification Update
- Registering ACR values for phishing-resistant authentication and phishing-resistant hardware-enabled authentication in the official registry
- The final call for the working group is scheduled to end the next day.
OpenID Provider Commands
Presentation by Dick Hardt:
- A simple concept where an OP sends a command to an RP
- The command is a JWT token signed by the OP, and the RP can verify the signature just like with an ID token.
- Supports all stages of the account lifecycle (as defined by ISO): Activate, maintain, suspend, archive, reactivate, restore, and delete accounts
- Supports tenant level commands (metadata commands, audit tenant, suspend tenant, archive tenant, delete tenant)
- Addressing the challenge of long responses using Server-Sent Events
- Aims to lower the barrier to adoption compared to SCIM (System for Cross-domain Identity Management)
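The post describes the mechanism in three lines (the OP signs a command as a JWT, the RP verifies it like an ID token, the command names an account-lifecycle stage). The following is an added example of the RP side, not code from the Provider Commands draft or from the post. The claim names `command` and `sub`, the use of `aud` = the RP's client identifier, and the state transitions are my assumptions; the signature uses HMAC-SHA256 as a stand-in for the asymmetric key an OP would publish, so what carries over is the verification order (signature, then iss, aud, exp, then the command itself), not the algorithm.

```python
"""Added example: an RP receiving OpenID Provider Commands as signed JWTs.
Not the draft's reference code. HMAC is a stand-in for the OP's real
(asymmetric) signing key; claim names are assumptions, see lead-in."""
import base64
import hashlib
import hmac
import json
import time

# Account-lifecycle stages the post lists (ISO account lifecycle)
LIFECYCLE_COMMANDS = {"activate", "maintain", "suspend", "archive",
                      "reactivate", "restore", "delete"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_command(claims: dict, key: bytes) -> str:
    """OP side: build a compact JWS (toy HMAC signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_command(token: str, key: bytes, expected_iss: str,
                   expected_aud: str, now=None) -> dict:
    """RP side: same checks as for an ID token, then validate the command claim."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("unexpected audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired command")
    if claims.get("command") not in LIFECYCLE_COMMANDS:
        raise ValueError(f"unknown command {claims.get('command')!r}")
    if not claims.get("sub"):
        raise ValueError("command has no subject")
    return claims


# Resulting account state for each command (assumed mapping)
_NEXT_STATE = {"activate": "active", "reactivate": "active", "restore": "active",
               "suspend": "suspended", "archive": "archived", "delete": "deleted"}


class RelyingParty:
    """Keeps a per-account state and applies verified commands to it."""

    def __init__(self, client_id: str, op_issuer: str, key: bytes):
        self.client_id = client_id
        self.op_issuer = op_issuer
        self.key = key
        self.accounts = {}  # sub -> state

    def handle(self, token: str, now=None) -> str:
        claims = verify_command(token, self.key, self.op_issuer, self.client_id, now)
        sub, cmd = claims["sub"], claims["command"]
        current = self.accounts.get(sub)
        if current == "deleted":
            # a deleted account is terminal; a late or replayed command must not revive it
            raise ValueError("account already deleted")
        new_state = current or "active" if cmd == "maintain" else _NEXT_STATE[cmd]
        self.accounts[sub] = new_state
        return new_state
```

Because the RP decides solely from the verified claims, the transport (long-poll, Server-Sent Events) only has to deliver the token intact; a duplicate delivery is harmless for idempotent commands and explicitly refused once an account is deleted.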
Q&A:
- Current Issue: A few small changes, such as the proposal to rename command URIs to command endpoints.
- Improvements based on implementation feedback, such as adding error events
AuthZen (Authorization) Working Group Update
Presentation by Omri Gazitt (participating remotely):
- A working group to be established in late 2023 with the aim of standardizing communication between policy enforcement points and decision points
- The first core API draft (the Evaluation API) was released in November 2024, followed by the batch Evaluations API in January 2025 and the Search API in March 2025.
- The API Gateway profile was launched at the Gartner IAM 2024 interoperability event in London
Interoperability testing:
- Tested two policy enforcement points: API gateway (medium-grained authorization) and application (fine-grained authorization)
- Significant increase in participating vendors from December 2024 to March 2025
- PDP vendors (AuthZEN implementations) increased to 17
- Seven new API gateway vendors join (Amazon API Gateway, Broadcom's L7 Gateway, Envoy, Kong, etc.)
Future roadmap:
- The Evaluation API and batch Evaluations API are stable and no changes are planned.
- Planned to move to a second implementer draft, including the Search API, partial evaluation, and discovery
- Aiming for the final version of AuthZEN 1.0 in summer or fall 2025
- Initiatives for 2025: Formalization of the API gateway profile, stateful PDP event delivery (utilizing Shared Signals), consideration of an IdP profile
- Commercial implementations: Topaz supports native AuthZEN endpoints; Zuplo supports native AuthZEN; Amazon's Cedar plans to support AuthZEN in the second half of 2025
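The update names the two APIs the group considers stable (Evaluation and batch Evaluations) and the two kinds of policy enforcement point that were tested (an API gateway doing medium-grained checks, an application doing fine-grained ones). As an added example, not AuthZEN working-group code, the block below is an in-memory PDP that answers requests in that shape plus a gateway-style PEP that maps an HTTP request onto one. The request/response layout (`subject`/`resource`/`action`/`context` in, `{"decision": bool}` out, a batch with per-item overrides) follows my reading of the drafts; the policy, roles and routes are constructed for the example.

```python
"""Added example: an AuthZEN-style PDP and an API-gateway PEP in front of it.
Not the working group's code; request shape is my reading of the drafts,
policy data is constructed."""

# Constructed policy: role -> set of (resource type, action) it may perform
POLICY = {
    "admin": {("account", "can_read"), ("account", "can_update"), ("account", "can_delete")},
    "viewer": {("account", "can_read")},
}
# Constructed directory
USER_ROLES = {"alice@example.test": "admin", "bob@example.test": "viewer"}


def evaluate(request: dict) -> dict:
    """PDP, single evaluation. Anything malformed or unknown is a deny (fail closed)."""
    try:
        subject = request["subject"]["id"]
        rtype = request["resource"]["type"]
        action = request["action"]["name"]
    except (KeyError, TypeError):
        return {"decision": False, "context": {"reason": "malformed request"}}
    role = USER_ROLES.get(subject)
    allowed = (rtype, action) in POLICY.get(role, set())
    return {"decision": allowed}


def evaluations(batch: dict) -> dict:
    """PDP, batch variant: top-level subject/resource/action/context are defaults
    that each entry in "evaluations" may override."""
    defaults = {k: batch[k] for k in ("subject", "resource", "action", "context") if k in batch}
    results = [evaluate({**defaults, **item}) for item in batch.get("evaluations", [])]
    return {"evaluations": results}


# Gateway PEP: coarse (method, path prefix) -> action mapping. Only the
# application behind the gateway knows enough for finer-grained checks.
ROUTE_TABLE = {
    ("GET", "/accounts/"): "can_read",
    ("PUT", "/accounts/"): "can_update",
    ("DELETE", "/accounts/"): "can_delete",
}


def gateway_pep(method: str, path: str, user: str) -> bool:
    """Build the evaluation request from the HTTP request and enforce the decision."""
    for (m, prefix), action in ROUTE_TABLE.items():
        if m == method and path.startswith(prefix):
            request = {
                "subject": {"type": "user", "id": user},
                "resource": {"type": "account", "id": path[len(prefix):]},
                "action": {"name": action},
                "context": {"method": method, "path": path},
            }
            return evaluate(request)["decision"]
    return False  # route not covered by policy: deny rather than pass through


if __name__ == "__main__":
    print(gateway_pep("GET", "/accounts/123", "bob@example.test"))     # True
    print(gateway_pep("DELETE", "/accounts/123", "bob@example.test"))  # False
```

The point of the profile split shows up in `gateway_pep`: the gateway can only express what it sees (verb and path), so it asks a coarse question, while the application can put real business context into `context` and ask a finer one against the same PDP.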
IPSIE (Interoperability Profiles for Secure Identity in the Enterprise)
Presentation by Dean Sachs and Aaron Parecki:
- Working Group to Address Interoperability and Security Challenges in Enterprise Identity
- Established in October 2024, the challenge is that there are many standards and many options for each standard
- The goal is to define profiles that use existing standards, reducing optionality and ambiguity.
- A tiered approach based on the maturity of the company: Session Lifecycle Track (SL) and Identity Lifecycle Track (IL), each with three levels
- An OpenID Connect profile has been proposed as an early draft and an open call for adoption is currently underway.
- Another draft has also been contributed that describes how SAML can be applied to achieve the goals of SL1.
- Work has also begun on a draft on the ID (provisioning) lifecycle
- Targeting an interoperability event for the SL track at Gartner IAM in December 2025
Q&A:
- Regarding the Applications and Identity Services column: Identity Services refers to anything that manages enterprise-run identities (IDPs, threat monitoring services, etc.)
Shared Signals Framework
Presentation by Atul:
Overview:
- A framework for asynchronously and reliably delivering information between collaborating parties
- Provides a framework for negotiating what information is exchanged and about whom
- Provides controls to start, stop, pause, and resume the stream
- There are application profiles for RISC (account security) and CAEP (session management)
- SCIM Events are drafts that communicate account management changes.
Architecture:
- The receiver initiates the communication, telling the sender which events it would like to listen for.
- The actual event is sent as a JWT via asynchronous transport.
- Uses a specific structure of JWT called Security Event Tokens (SET)
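The architecture above has two halves: the receiver asks the transmitter for the event types it wants (and gets back what the transmitter will actually deliver), and events then arrive as Security Event Tokens, JWTs whose `events` claim is keyed by event-type URI. The block below is an added example of the receiver side, not Shared Signals working-group code. The SET is handled as already-verified claims (signature checking is the same as for any JWT and is left out); the event-type URIs are the published CAEP and RISC ones, the stream-configuration field names follow my reading of the SSF draft, and the subject may sit either inside the event (`subject`) or at SET level (`sub_id`), which is my reading of how the drafts have moved; both are accepted.

```python
"""Added example: SSF receiver-side stream setup and SET dispatch.
Not the working group's code; sample SET and state are constructed."""

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
CAEP_CREDENTIAL_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/credential-change"
RISC_ACCOUNT_DISABLED = "https://schemas.openid.net/secevent/risc/event-type/account-disabled"


def create_stream(requested: list, transmitter_supported: list) -> dict:
    """Receiver-initiated negotiation: only events both sides handle get delivered."""
    delivered = [e for e in requested if e in transmitter_supported]
    return {"events_requested": list(requested),
            "events_supported": list(transmitter_supported),
            "events_delivered": delivered,
            "status": "enabled"}   # "paused"/"disabled" via the stream controls


class Receiver:
    def __init__(self, stream: dict, expected_iss: str, expected_aud: str):
        self.stream = stream
        self.expected_iss = expected_iss
        self.expected_aud = expected_aud
        self.sessions = {}      # email -> set of live session ids (constructed RP state)
        self.disabled = set()   # emails whose accounts the IdP reported disabled
        self.seen_jti = set()   # SETs are delivered at-least-once; dedupe on jti

    @staticmethod
    def _subject_email(set_claims: dict, event: dict) -> str:
        subject = event.get("subject") or set_claims.get("sub_id") or {}
        if subject.get("format") == "email":
            return subject["email"]
        raise ValueError("unsupported subject format")

    def handle_set(self, set_claims: dict) -> list:
        """Apply every negotiated event in the SET; return the URIs acted on."""
        if set_claims.get("iss") != self.expected_iss or set_claims.get("aud") != self.expected_aud:
            raise ValueError("SET not issued to this receiver")
        if set_claims["jti"] in self.seen_jti or self.stream["status"] != "enabled":
            return []
        applied = []
        for uri, event in set_claims.get("events", {}).items():
            if uri not in self.stream["events_delivered"]:
                continue   # not part of this stream's agreement; ignore, do not act
            email = self._subject_email(set_claims, event)
            if uri == CAEP_SESSION_REVOKED:
                self.sessions.pop(email, None)
            elif uri == RISC_ACCOUNT_DISABLED:
                self.sessions.pop(email, None)
                self.disabled.add(email)
            applied.append(uri)
        self.seen_jti.add(set_claims["jti"])
        return applied


# Constructed sample: what a transmitter would send after signing it as a JWT
SAMPLE_SET = {
    "iss": "https://idp.example", "aud": "https://rp.example",
    "jti": "set-0001", "iat": 1700000000,
    "events": {
        CAEP_SESSION_REVOKED: {
            "subject": {"format": "email", "email": "alice@example.test"},
            "event_timestamp": 1700000000,
        }
    },
}


def demo() -> list:
    stream = create_stream([CAEP_SESSION_REVOKED, RISC_ACCOUNT_DISABLED, CAEP_CREDENTIAL_CHANGE],
                           [CAEP_SESSION_REVOKED, RISC_ACCOUNT_DISABLED])
    rx = Receiver(stream, "https://idp.example", "https://rp.example")
    rx.sessions["alice@example.test"] = {"sess-1", "sess-2"}
    return rx.handle_set(SAMPLE_SET)   # -> [CAEP_SESSION_REVOKED]
```

Two checks matter for a receiver beyond the JWT basics: acting only on event types that were negotiated for the stream (so a transmitter cannot push unexpected actions), and deduplicating on `jti`, since the asynchronous transport is at-least-once.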
Specification Progress:
- Three specifications (Shared Signals Framework Core, CAEP, and RISC) are expected to move forward to finalization once several issues have been resolved.
- Addressing issues based on implementation feedback and issues regarding specification cleanup
Interoperability testing:
- Testing will be conducted at Gartner IAM (Texas) in December 2024 with the participation of many vendors.
- Participation in London in March 2025 is conditional on senders passing conformance tests
- Gradually increasing the level of interoperability testing, with the third event being even more rigorous
Recruitment status:
- Apple, Okta, SGNL, Jamf and others support SSF in production
- More beta and implementation plans announced
- Financial services white paper in preparation
- Collaboration with Aspen Institute: The potential of shared signals in fraud prevention
MODRNA (Mobile Operator Discovery, Registration & autheNticAtion)
Presentation by Bjorn Hjelm:
Working Group Update:
- CIBA Core specification has reached final version
- Final working group calls for the Discovery Profile and the MODRNA CIBA Profile to be completed
- CIBA Core errata work in progress
- Outreach to the GSMA community (the industry association of mobile network operators), ETSI, and the CAMARA project (Linux Foundation)
- CAMARA: Identity and Consent Management SP, KnowYourCustomer SP
- Working towards a liaison agreement with GSMA
Plan:
- Second errata expected in Q3, with agreement with GSMA expected by end of year
Submission to the ITU (International Telecommunication Union)
Bjorn Hjelm continues:
- The ITU is part of the United Nations and is a formal standards organization similar to ISO.
- Some governments require specifications from a formal standards body (ISO or ITU)
- Efforts to get the OpenID specification adopted by the ITU to enable implementation in more regions
- In ISO, adoption was by reference (the specification was published as is on the ISO cover sheet), but in ITU, adoption by implementation (the specification was reformatted into ITU format) is required.
- Converting the OpenID Connect Core specification to ITU format and submitting it for review
- We plan to get feedback at the meeting next week.
- The process will be tested one specification at a time rather than all at once
SIDI Hub
Presentation by Elizabeth Garber:
Overview and principles:
- A global multi-stakeholder community collaborating on requirements for achieving global interoperability of digital identities
- More than 25 countries participate, and the initiative also works with intergovernmental organizations such as the OECD and the World Bank.
- Five summits on five continents: Paris, Cape Town, Berlin, Washington DC, Tokyo (latest)
- The next event will be in Addis Ababa (ID for Africa) in May 2025
- Based on human-centrism, national sovereignty, multilateral cooperation, and real use cases, with a focus on both technology and policy
2024 Outcome:
- 9 reports published: post-event reports, 3 champion use cases (refugees, education/educational qualifications, bank account opening)
- Global Credentials Ecosystem Governance Report
- Annual report sets short-term, medium-term and long-term goals
Current activity:
- Building a "digital commons": an open suite of policy, technology and other tools
- Technology workstream: Focusing on trust management, analyzing existing models such as OpenID Federation, LUCI's initiative, and Train
- Trust Framework Workstream: Expanding Open Identity Exchange analysis to build bridges with cross-border ecosystems
- Consideration of a trust framework in the context of the Financial Action Task Force (FATF) and other bodies
- Approaching the European Certification Rulebook
FAPI Update
Presentation by Joseph Heenan:
Key developments:
- FAPI 2 security profile and attacker model released as final specification
- Conformance testing under development, beta release scheduled for April 2025
- Expanding the ecosystem: BIS project, UK SelectID, Chile and Colombia considering adoption of grant management specifications
- Ongoing collaboration with the Australian Government
- FDX is transitioning to FAPI 2
Major changes from FAPI 2 Implementer Draft to Final:
- Changes to the audience value for private key JWT client authentication (security vulnerability response)
- Implementation transition is expected to be relatively easy
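Both this FAPI change and the Federation/Core security response described in the OpenID Connect WG update above come down to one rule at the token endpoint: what the authorization server accepts as the `aud` of a `private_key_jwt` client assertion. As an added example, not FAPI or OIDC working-group code, the block below is the check an authorization server applies to the decoded claims of such an assertion, with the relaxed legacy check kept alongside for contrast. Exact match on the AS issuer identifier and refusal of a multi-valued `aud` reflect my reading of the corrected specifications; confirm against the published text. Verifying the assertion's signature with the client's registered key happens before this and is not shown.

```python
"""Added example: claims validation for a private_key_jwt client assertion
after the audience-handling fix. Not working-group code; lifetime limit
and sample claims are constructed."""
import time


class AssertionRejected(Exception):
    pass


def legacy_audience_ok(claims: dict, issuer: str, token_endpoint: str) -> bool:
    """The relaxed check this replaces, shown only for contrast: accepted the
    token endpoint URL as well as the issuer, and any match inside a list."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in (issuer, token_endpoint) for a in auds)


class ClientAssertionChecker:
    MAX_LIFETIME = 300  # seconds; constructed bound, real deployments choose their own

    def __init__(self, issuer: str, token_endpoint: str):
        self.issuer = issuer
        self.token_endpoint = token_endpoint
        self.seen = {}  # jti -> exp, for replay detection within the validity window

    def check(self, claims: dict, client_id: str, now=None) -> bool:
        now = time.time() if now is None else now
        if claims.get("iss") != client_id or claims.get("sub") != client_id:
            raise AssertionRejected("iss and sub must both be the client_id")
        aud = claims.get("aud")
        if isinstance(aud, list):
            # a multi-valued audience makes one assertion valid at every listed
            # party; refuse instead of "accept if ours is among them"
            raise AssertionRejected("aud must be a single value")
        if aud != self.issuer:
            # endpoint URLs can be shared, proxied or mistaken for each other;
            # the issuer identifier is the one value that names this AS alone
            raise AssertionRejected("aud must be the AS issuer identifier")
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            raise AssertionRejected("assertion expired")
        if exp - now > self.MAX_LIFETIME:
            raise AssertionRejected("assertion lifetime too long")
        jti = claims.get("jti")
        if not jti:
            raise AssertionRejected("jti required")
        self.seen = {j: e for j, e in self.seen.items() if e > now}  # drop expired entries
        if jti in self.seen:
            raise AssertionRejected("jti already used")
        self.seen[jti] = exp
        return True


# Constructed sample assertion claims for the issuer https://as.example
SAMPLE_CLAIMS = {"iss": "client-1", "sub": "client-1", "aud": "https://as.example",
                 "jti": "a1b2", "iat": 1000, "exp": 1060}
```

Seen side by side, the legacy function is what the analysis found hard to reason about: an assertion audienced to a token endpoint URL, or to several parties at once, could be valid somewhere its creator did not intend. The hardened check has one acceptable value and one use per `jti`.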
Future Initiatives:
- Progressing the FAPI 2 Message Signature Specification to Final Version
- Focus on implementation and deployment advice documents
- Shared Signal White Paper Plans for Regions Interested in Financial Services (Chile, Brazil, etc.)
DCP (Digital Credentials Protocol) Update
Joseph Heenan continues:
Recent implementer draft releases:
- OpenID for Verifiable Presentations (VP) 3rd Implementer Draft:
- Addition of the Digital Credentials Query Language (DCQL, pronounced "duckle")
- Adding transaction data (embedding user-confirmed data)
- Adding SD-JWT profile and X.509 authentication method
- Changed the way client IDs are passed in presentation exchanges (resolving security issues)
- Appendix on the browser Digital Credentials API
- OpenID for Verifiable Credential Issuance (VCI) Second Implementer Draft:
- Implemented a Nonce endpoint (solves the issue of multiple user operations)
- Improved unlinkability by issuing the same credential in batches
- Removed Batch Endpoint (reduced complexity)
- High Assurance Interoperability (HAIP) First Implementer's Draft:
- Includes an mdoc presentation profile over the browser Digital Credentials API
- Alignment with ISO/IEC 18013-7
- Mandatory use of DCQL
Current initiatives:
- Presentation Exchange has been completely removed from OpenID for VP and consolidated into DCQL
- Support for Trusted Authorities
- Addressing the Challenges of Multi-RP Authentication
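With Presentation Exchange gone, DCQL is the only way a verifier states which credentials and which claims it wants, so a wallet's first job on receiving a request is to match the query against what it holds. The block below is an added example of that matching step, not code from the OpenID4VP editors. The query shape (a `credentials` array whose entries carry `id`, `format`, `meta` and `claims` with array-valued `path`, and optional `credential_sets` with `options`) follows my reading of Implementer Draft 3; the wallet contents are constructed.

```python
"""Added example: wallet-side matching of a DCQL query against stored
credentials. Not the spec editors' code; query shape is my reading of
OpenID4VP ID3 and the wallet contents are constructed."""


def _resolve_path(obj, path):
    """Walk a claims object along a DCQL path; (value, found)."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None, False
        obj = obj[key]
    return obj, True


def _meta_matches(cred: dict, query_cred: dict) -> bool:
    """Format plus the format-specific type selector (vct for SD-JWT, doctype for mdoc)."""
    if cred["format"] != query_cred["format"]:
        return False
    meta = query_cred.get("meta", {})
    if "vct_values" in meta and cred.get("vct") not in meta["vct_values"]:
        return False
    if "doctype_value" in meta and cred.get("doctype") != meta["doctype_value"]:
        return False
    return True


def _select_claims(cred: dict, query_cred: dict):
    """Only the requested claims are disclosed; None if any is missing or
    fails a "values" constraint."""
    out = {}
    for claim in query_cred.get("claims", []):
        value, found = _resolve_path(cred["claims"], claim["path"])
        if not found or ("values" in claim and value not in claim["values"]):
            return None
        out["/".join(claim["path"])] = value
    return out


def match_query(wallet: list, query: dict) -> dict:
    """query credential id -> [(wallet credential id, claims to disclose), ...]"""
    matches = {}
    for qc in query["credentials"]:
        found = []
        for cred in wallet:
            if _meta_matches(cred, qc):
                selected = _select_claims(cred, qc)
                if selected is not None:
                    found.append((cred["id"], selected))
        matches[qc["id"]] = found
    return matches


def satisfiable(matches: dict, query: dict) -> bool:
    """Without credential_sets every listed credential is required; with them,
    each required set needs one option whose credentials all matched."""
    sets = query.get("credential_sets")
    if not sets:
        return all(matches[qc["id"]] for qc in query["credentials"])
    return all(
        any(all(matches.get(cid) for cid in option) for option in cs["options"])
        for cs in sets if cs.get("required", True)
    )


# Constructed wallet contents
WALLET = [
    {"id": "cred-pid-1", "format": "dc+sd-jwt", "vct": "https://credentials.example/pid",
     "claims": {"given_name": "Alice", "family_name": "Example", "address": {"country": "JP"}}},
    {"id": "cred-pid-2", "format": "dc+sd-jwt", "vct": "https://credentials.example/pid",
     "claims": {"given_name": "Alice", "family_name": "Example"}},   # no address
    {"id": "cred-loyalty", "format": "dc+sd-jwt", "vct": "https://credentials.example/loyalty",
     "claims": {"given_name": "Alice", "tier": "gold"}},
]

# Constructed verifier query: a PID (SD-JWT) or an mDL (mdoc), either will do
SAMPLE_QUERY = {
    "credentials": [
        {"id": "pid", "format": "dc+sd-jwt",
         "meta": {"vct_values": ["https://credentials.example/pid"]},
         "claims": [{"path": ["given_name"]}, {"path": ["address", "country"]}]},
        {"id": "mdl", "format": "mso_mdoc",
         "meta": {"doctype_value": "org.iso.18013.5.1.mDL"},
         "claims": [{"path": ["org.iso.18013.5.1", "family_name"]}]},
    ],
    "credential_sets": [{"options": [["pid"], ["mdl"]]}],
}
```

Note that `_select_claims` only ever returns the claims the query named: the wallet must not hand the verifier a full credential because matching was convenient, and a credential that lacks a requested claim is excluded rather than disclosed partially.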
Conformance test:
- Alpha test development for Verifiable Credential Issuance (focus on SD-JWT)
- Updated wallet tests for Verifiable Presentations (Implementer Draft 3)
- Adding Verifier Tests for Verifiable Presentations
Alignment:
- Work closely with the European Commission to ensure that the OpenID specifications are explicitly referenced in the next revision of EU implementing legislation
NIST NCCoE (National Cybersecurity Center of Excellence) Interoperability Testing
Presentation by Juliana (Microsoft):
Event Background:
- Part of NIST's National Cybersecurity Center of Excellence project
- Mobile Driver's License/Digital ID Initiatives
- Bank account opening and regular access use cases with high assurance levels
Test summary:
- Tested with multiple wallets, multiple browsers, multiple OSes, and a single verifier (MATTR)
- Testing the ISO mDL Annex C profile and four different OpenID for VP configurations
- Building an architecture to enable remote interoperability testing
Results:
- The April 4, 2025 test had a success rate of about 4%
- In mdoc, out of 80 pairs tested, 1 unsigned and 8 signed failed.
- 27 pairs passed and 1 pair failed in SD-JWT.
- Some known gaps reportedly resolved over the weekend
- No significant feedback on the protocol itself
Future plans:
- Additional tests will be conducted on April 4th and May 25th.
- Detailed demo for SDOs (standards organizations) and government officials in the morning of May 5th, followed by a public webinar in the afternoon
Conformance and Certification Program Updates
The final presentation by Joseph Heenan:
Test development for multiple specifications:
- FAPI: DPoP support provided; FAPI 2 final tests coming soon in beta
- Federation: Beta testing available, developing automated registration flow test for interoperability events
- eKYC: Testing upgrade in progress; certification program details under review
- Shared Signals: Sender testing has been completed and receiver testing has begun
- Verifiable Credentials: VP tests are used for interoperability testing, VCI tests coming soon
Cooperation with the European Commission:
- Ongoing conversations about potential uses for testing
Closing
The workshop concluded with a group photo of all participants, and board members were informed that they had two more hours of meetings ahead of them.