OpenID Connect spec family adopted as international standards

They grow up so fast. A full decade has passed since OpenID Connect was launched, and now nine specifications have been published as international specifications, while three more specifications for digital identity assurance have been approved by the OpenID Foundation.
The International Standards Organization and the International Electrical Commission have published ISO/IEC 26131 through 26130, all with the 2024 suffix.
ISO/IEC 26131:2024 sets out the core functionality of the 1.0 specification for a digital identity layer atop the OAuth 2.0 protocol. ISO/IEC 26132 defines how relying parties discover the end-user’s OpenID provider and begin an interaction. The next specifications in the series define dynamic client registration, logouts initiated by relying parties, session management, front and back-channel logouts, proper encoding of responses to authorization requests and the “Form Post Response Mode.”
The organization notes that OpenID Connect is already used by millions of developers and billions of applications around the world. The Foundation says the publication of the documents as publicly available specifications will drive further adoption by organizations that require the stamp of approval from global standards bodies.
OpenID Connect and OAuth 2.0 were declared ready for mainstream adoption by Gartner just over a year ago.
Identity Assurance specifications
A trio of final digital identity assurance specifications formulated by the eKYC and IDA working group have also been approved by the Foundation’s membership.
The OpenID Identity Assurance Schema Definition lays out the payload scheme for identity assurance metadata that can be applied across different contexts and protocols, not just OpenID. OpenID Connect for Identity Assurance Claims Registration establishes an OpenID Connect extension for registering JSON web token (JWT) claims relating to an end-user’s identity. OpenID Connect for Identity Assurance extends the protocol to give relying parties claims about end-users that reach a specified level of verification or metadata so they can be used in “access control, entitlement decisions or input to further verification processes.”
All three final specifications are versions 1.0, and were approved by a 98 to 0 vote with 18 abstentions.