Overview#

A gathering of why OAuth 2.0 and the related Protocols OpenID Connect and User-Managed Access are the way forward for Authentication and Authorization/Delegation for WEB Single Sign-On.

First some opinions, OAuth 2.0 is a basic framework that only meets the basic Delegation/Authorization requirements. We would not consider OAuth 2.0 adequate as for WEB Single Sign-On solution

Some Links from Others#

• Comparison of Standards Based SSO for WEB Single Sign-On
• Why OpenID Connect[2]
• Why the Future of Identity is OpenID Connect and not SAML
• The death (and life) of a protocol
• Despite the popularity of SAML, the mobile and cloud benefits of OpenID Connect may spur adoption as an enterprise authentication platform.
• One Small Step for OpenID Connect, a Giant Leap for the Evolution of Identity Management
• Kerberos Might Not Be Dead, but It's Not Feeling Well!! OpenID Connect Leverages other emerging technologies

The summary:

• OpenID Connect OpenID Connect, published in 2014, is the emerging standard for single Sign-On and identity provision on the internet.
• OpenID Connect formula for success is how it Leverages other emerging technologies delivered via the use OAuth 2.0 flows to obtain tokens[1]
• OpenID Connect has learned lessons from past efforts such as SAML and OpenID 1.0 and 2.0
• OpenID Connect designed to fit web apps as well as native / mobile apps.
• OpenID Connect is simple enough to integrate with basic apps, but it also offers a number of features and security options to match demanding enterprise requirements.
• OpenID Connect Builds on OAuth 2.0's Delegation/Authorization framework to provide Authentication
• OpenID Connect Allows choice of Identity Provider (IDP)
• OpenID Connect is REST/JSON Friendly:
  • JSON Web Tokens
  • JSON Web Signature
  • JSON Web Encryption
  • Simple Web Discovery using WebFinger via Openid-configuration
• OpenID Connect Can provide Level Of Assurance
• OpenID Connect Cool Identity Token Uses

User-Managed Access#

• Builds on OAuth 2.0's Delegation/Authorization framework to provide Authentication
• Can use OpenID Connect and uses most of the OpenID Connect additions.
• Provides UMA-obligations to Satisfy Legal conditions

Broad Usage#

OpenID Connect specifications are open, public and include extensibility. This along with Broad Usage provides an Delegation/Authorization/Authentication framework that is extremely well tested and flexible.

As another example of the activity for OpenID Connect, subsribe to the OpenID Connect Tag at StackoverFlow

Some of the MAJOR entities using OpenID Connect:

• Single Sign On Vendors
  • Ping Identity
  • ForgeRock
  • Connect2ID
  • WSO2
  • MITREid
  • NetIQ Access Manager 4.x
  • Microsoft Azure Active Directory (Azure AD)
  • Microsoft ADFS
• Social Networks
  • Google
  • Facebook
  • Yahoo
• Others
  • Salesforce
  • PayPal
  • AWS account
  • WebSphere
  • Implementing OAuth on IBM WebSphere DataPower Appliances
  • WebSphere Application Server Liberty server as an OpenID Connect Client

More Information#

There might be more information for this subject on one of the following: ...nobody

---

• [#1] - OpenID Connect explained - based on information obtained 2013-04-10
• [#2] - Why OpenID Connect will be ubiquitous for domain authentication - based on information obtained 2013-04-10