This is an exciting week for the OpenID and OAuth communities. The OpenID summit, sponsored by the OpenID Foundation and kindly hosted by Facebook, kicked things off on Monday, and will be followed by 3 days at the Internet Identity Workshop (IIW). The summit was a chance for many of the industry players to discuss openly the past, present, and future of authentication, discovery, security, user experience, and profile data. Although much discussion happens year round via mailing lists, it’s always good to have face-to-face meetings to advance the conversation, especially for the many contributors who are not based in the San Francisco Bay Area. While much of this conversation will continue at the IIW, the OpenID summit allowed for particular focus on consumer-initiated authentication transactions, a particular sweet spot for Janrain. There was strong representation from Microsoft, Yahoo, Google, Facebook, PayPal, Salesforce, and Mozilla.
It’s hard to pinpoint many absolute conclusions out of the six hours of discussion. However, as an observer and a participant in this community for many years, it’s clear there are several changes underway in the next wave of buildout. Many of these ideas have been around for a while. While they are bold, somehow the consensus is that they are less controversial now than they were several years ago. Here’s a quick list of where I think the protocols are going in the next year. Your mileage may vary.
- A new generation of discovery. It will be simpler, less ambiguous, and more efficient than the dance the current stack requires.
- Identifiers won’t be URLs. One of the sacred lightweight identity assumptions was that the identifier is a URL. This is now fading into the idea that a tuple of domain and local identifier constitutes a global identifier.
- The entire round trip will be over SSL (or TLS). This will move from a best practice to a mandatory “will-not-interop over non-SSL” mindset.
- There will be two flavors of next generation OpenID.
  - OpenID Connect, based on OAuth2
  - Artifact Binding for OpenID, preserving extensions and compatibility, while moving next generation payloads through all kinds of devices.
- Portable Contacts (PoCo) will be the profile container of choice for the web.
- Tokens will have structure. Tokens will move from their current opaqueness to more transparent JSON envelopes, with useful metadata.
Janrain wears many hats in community participation. It’s important to help build out a healthy ecosystem, with high assurance of interoperability and alternative implementations. This requires working with identity providers, partners, competitors, and end users. The largest hat we wear is that of a consumer advocate, making sure their use cases are covered, their data is protected, and their deployment and user experience is smooth. To our customers, current and future: it’s all good; we’ve got you covered in the next wave of identity buildout.