Generated by GPT-5-mini

| OpenID Connect | |
|---|---|
| Name | OpenID Connect |
| Author | OpenID Foundation |
| Released | 2014 |
| Genre | Authentication protocol |
| License | Various implementations |
OpenID Connect is an interoperable identity layer for authentication built on top of OAuth 2.0 that enables clients to verify end-user identity and obtain basic profile information. It integrates with widely used platforms and services to provide single sign-on and identity federation across applications from providers such as Google, Microsoft, Facebook, Apple Inc., and enterprise systems like Okta, Ping Identity, and Auth0. Adopted by developers, product teams, and standards bodies including the OpenID Foundation, it is deployed in contexts ranging from consumer web services to government identity programs such as UK Government Digital Service initiatives and enterprise identity stacks in organizations like Amazon and IBM.
OpenID Connect defines token formats, discovery mechanisms, and RESTful interactions to carry authentication assertions between Relying Parties and Identity Providers. It reuses primitives from OAuth 2.0 and incorporates JSON Web Tokens specified by the IETF, including JSON Web Signature and JSON Web Encryption, enabling interoperability with ecosystems maintained by Mozilla Foundation, W3C, Linux Foundation, and major cloud vendors like Google Cloud Platform and Microsoft Azure. Implementations interoperate with directory services such as Active Directory and identity protocols like SAML 2.0 and can be integrated into platforms including Heroku, Salesforce, Oracle Corporation, and Red Hat.
Development began in response to fragmentation among earlier identity systems such as SAML and the original OpenID community, with major contributions from companies like Google, Microsoft, and PayPal along with the OpenID Foundation. Key milestones include publication of the core specification alongside draft extensions influenced by work from the IETF OAuth Working Group and cryptographic advances from contributors associated with RSA Security and VeriSign. The protocol’s evolution has been shaped by adoption by portals and platforms such as Yahoo!, AOL, WordPress.com, and enterprise adopters including Cisco Systems and VMware.
The architecture describes roles including End-User, Relying Party, and OpenID Provider, and specifies endpoints for Authorization, Token, UserInfo, and Discovery. Tokens and claims conform to JSON Web Token structures defined through IETF specifications and are often signed with keys managed by services like Amazon Web Services Key Management Service and Google Cloud KMS. Metadata discovery uses well-known URIs similar to conventions promoted by IETF, and the model interacts with certificate infrastructures and trust chains used by Let's Encrypt, DigiCert, and enterprise PKI deployments such as those at Bank of America or Deutsche Bank.
OpenID Connect provides multiple flows including Authorization Code Flow, Implicit Flow, Hybrid Flow, and Client Credentials adaptations used by platforms like Stripe, GitHub, Dropbox, and Slack. Profiles and extensions such as the Financial-grade API profile are adopted by financial institutions like Open Banking consortia in the United Kingdom and authentication deployments at European Central Bank partners. Mobile SDKs for Android and iOS are available from vendors including Google LLC and Apple Inc., while libraries for server frameworks like Node.js, Ruby on Rails, Django, and Spring Framework enable integration into applications from Spotify, Airbnb, and Uber.
Security recommendations address token integrity, nonce usage, and transport security via TLS, as deployed by Cloudflare and other major CDN providers. Threat models reference mitigations for Cross-Site Request Forgery and token replay that are relevant to deployments by GitLab, Atlassian, and public sector projects such as Estonia’s e-Identity initiatives. Cryptographic guidance aligns with standards from NIST and the IETF, and security audits and certifications often involve firms like KPMG, Deloitte, and PwC as well as independent researchers formerly associated with MIT and Stanford University.
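As an added example (not code from the original page or from any OpenID Connect implementation), the checks a Relying Party performs on an ID token to meet the recommendations above: signature verification for token integrity, issuer and audience matching, expiry, and comparison of the nonce against the value the client sent in the authentication request, which is what blocks replay. The token is constructed inline and signed with HS256 keyed by a made-up client secret; the names `sign_id_token` and `validate_id_token` and the issuer and client identifiers are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_id_token(claims: dict, client_secret: bytes) -> str:
    # Constructed ID token: OpenID Connect allows HS256 keyed with the client secret.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_id_token(token, client_secret, issuer, client_id, expected_nonce, now=None):
    """Return (True, claims) or (False, reason); order follows OIDC Core ID token validation."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; rejects "none" and key confusion
        return False, "alg"
    expected = hmac.new(client_secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):  # token integrity
        return False, "signature"
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:  # token must come from the expected OpenID Provider
        return False, "iss"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:  # token must be intended for this Relying Party
        return False, "aud"
    if len(aud) > 1 and claims.get("azp") != client_id:  # multiple audiences require azp
        return False, "azp"
    if now >= claims.get("exp", 0):  # expired tokens are not accepted
        return False, "exp"
    if claims.get("nonce") != expected_nonce:  # binds the token to this session; blocks replay
        return False, "nonce"
    return True, claims
```

In production the signature step is normally RS256 or ES256 against keys fetched from the provider's JWKS endpoint, but the claim checks are identical.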
Commercial and open-source implementations include identity platforms like Auth0, Keycloak, ForgeRock, Okta, and corporate offerings from Amazon Cognito and Azure Active Directory. Major consumer services supporting the protocol include Google, Microsoft, Facebook, Apple Inc., LinkedIn, and developer ecosystems such as GitHub and GitLab. Government and regulatory adoption appears in projects by Gov.uk Verify, Danish National IT and Telecom Agency, and cross-border initiatives like those coordinated by the European Commission and NATO partner programs. Academic and nonprofit research groups at Carnegie Mellon University, ETH Zurich, and University of Oxford have published interoperability analyses and threat assessments.
Governance is overseen by the OpenID Foundation membership and working groups, coordinating with standards bodies including the IETF and collaboration from organizations such as IEEE and the W3C. Ongoing maintenance, errata, and extension work are proposed and ratified through foundation processes involving contributors from corporations like Google, Microsoft, Amazon, Facebook, Okta, and academic partners. The evolution of conformance suites and test harnesses engages vendors and projects including Kong, Traefik, Apache Software Foundation, and certification labs operated by regional bodies such as NIST and national cybersecurity centers.