
PingTalk Blog

It took a few years and a few heated discussions to push OAuth 2.0 over the finish line, but less than a year after its standardization the framework is maturing quickly as enterprises and developers tap into its authentication and authorization capabilities.

Last week, at the 16th annual IIW conference, OAuth 2.0 was the focus in a half dozen sessions centered on topics such as client registration, permission controls, and protecting health records. In addition, the OAuth 2.0 mailing list has been very active since the first of the year.

"People are running up against OAuth more in the mainstream instead of just a few major Web services," said Mortezza Ansari, a principal engineer at Cisco who led a session on OAuth at IIW. "OAuth is getting more adoption on the enterprise side, in more business settings, and that brings interesting questions from people working on deployments."

When IT lies awake at night, it is not the loss of employee devices that IT fears; rather, it is losing control of the business data *on* those devices that prevents REM.

And that's true whether the employee 'brought' the phone or tablet in, or it was supplied by the enterprise. As a famous cyclist (recently 'deprovisioned' of a number of championships for a somewhat well-known European race) might have said - 'BYOD - It's not about the device'.

At the Cloud Security Alliance Congress in Orlando this week, I am presenting a framework for dealing with BYOD that starts with identity.

As a preview: BYOD, at its most basic, is an identity problem, namely how to reconcile two different identities (each with its own entitlements to applications and data) on a single computing device.

They say opinions are like noses - everybody's got one. Last week it was SAML. This week it is OAuth 2.0. Although with OAuth, I expect the debate will go on for a while. Securing computer-to-computer APIs over the Internet is an essential requirement for the future. My colleague, John Fontana, as usual has an excellent report on the hubbub about this protocol:

Additional articles in the OAuth debate, plus the rest of the identity news:

Every time I think I am finally getting a firm grip on the ins and outs of OAuth along comes something else that I have to add to the puzzle.

But last week, I came across one of the best layouts of the OAuth foundation from the ground up.

I was at the Glue Conference (developer focus and exceptional content) and had the opportunity to sit in on an OAuth session given by my colleague Brian Campbell (@weeunquietmind on Twitter).

GlueCon, as it's called, is mainly a developer's conference, and it goes cutting edge on APIs, Big Data and Cloud. And while Campbell is the kind of guy who can sharpen the blade on the cutting edge, he had a nice simple OAuth slide entitled the Basic Abstract Flow.

Thinking there are some like me who could use a reference point now and again, I thought I would share the slide, and a link to Campbell's presentation: Is that a token in your phone in your pocket or are you just glad to see me? OAuth 2 and Mobile Devices.

The presentation starts with an introduction to OAuth and lays out where it is relevant today: social, mobile and APIs. It reminds us that the next generation of users don't make a distinction between mobile and computing; it's one thing and it had better work. Then it ducks into the weeds with code samples showing mobile applications using social logins with the help of OAuth. Oh yeah, and @paulmadsen is mentioned.

The OpenID Connect identity protocol is starting to garner the kind of recognition its creators envisioned when they set out to improve the original OpenID spec.

On Wednesday, analyst firm Kuppinger Cole handed the open specification the firm's award for Best Innovation/New Standard at its annual European Identity and Cloud Conference in Munich, Germany.

“What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors," said Kuppinger Cole analyst Dave Kearns. "I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices."

OpenID Connect, built on JavaScript Object Notation (JSON) and REST standards, is the latest version of the OpenID protocol and adds improvements in security, flexibility, and significant new features including full support for a mechanism to exchange information about a user in the form of “claims.”

It's not that login systems on the Web are broken per se, it's that there are too many of them.

Each asks you to create some supposedly unique credential (which in practice is rarely unique). That in turn fuels the password problem: too easy to guess, too much reuse, and too open to malicious use across sites once one site leaks it.

Those and other concerns will come under the industry's microscope when the OpenID Foundation (OIDF) hosts a workshop on March 28 in London. The target audience, according to Don Thibeau, the OpenID Foundation's executive director, is owners of consumer websites, citizen-oriented government sites, and enterprise SaaS services.

The workshop's focus is how to improve login systems using technologies such as OAuth, OpenID and Account Chooser, a UI developed by Google and handed over to the OIDF.

"We are trying to convince Web site operators to get out of the password management business," says Eric Sachs, senior product manager for identity at Google.

The Foundation hopes those operators will agree to be relying parties and that a set of identity providers will outfit end-users with secured tokens and/or assertions they can present to validate their identity instead of using passwords.

(Update with link to demo)

It’s a pleasure for me to interact with the guys (and gal) in our CTO office. No one can do more with lines and boxes to push theories, ideas and concepts forward - and I mean that as a compliment.

At last week’s IIW, my colleague Travis Spencer got himself involved in a discussion with Personal's CTO, Tarik Kurspahic and Stanford’s Scotty Logan on how to best get OAuth tokens into native mobile apps. The two primary methods today answer many questions, but leave some known crumbs out for hungry hackers.

Tarik, Scotty and Travis along with others came up with a way to sweep up the crumbs. Their definition of the solution was this: traditional three-legged OAuth with a twist. It included boxes and lines and bullet points.

Travis blogged about it with this caveat, “….but it's involved. So let me explain.”

So I’ll let him do just that.

Travis has also tested it on Android and reported on the results.

(Updated with comment from UnboundID)

Mountain View, Calif. - The group developing a specification to support open cloud provisioning completed its first interoperability test Wednesday with five vendors linking their implementations and exchanging user data.

The group behind the Simple Cloud Identity Management (SCIM) protocol, first unveiled in May at the Internet Identity Workshop (IIW), returned to that same venue to test what it has been building.

"Short of a few minor issues discovered during the interop, the specification is nearly ready for 1.0 status and an expanded conversation with the broader identity community,” said Nicholas Crown, director of product marketing at UnboundID. 

SCIM is a data access protocol for provisioning and managing user identity in the cloud. It supports creating, editing, deleting, querying and retrieving user resources. The intent is to create a fast and efficient way for enterprises to provide access to cloud services.

For years, cloud providers have been touting how easy and cost effective it is to adopt online services. The behind-the-scenes enterprise pain, however, is user management, namely provisioning and deprovisioning users into and out of those environments.

Wednesday, Nexus, SailPoint, UnboundID and Ping Identity linked their wares via SCIM messages formatted in either XML or JavaScript Object Notation (JSON) and began sharing user data. The data exchange was secured using Basic Auth and OAuth.
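To make the "creating, editing, deleting, querying and retrieving user resources" and the "secured using Basic Auth and OAuth" parts concrete, here is an added example (my own illustration, not code from any of the interop participants or from the SCIM spec) of the query side: a tiny in-memory /Users endpoint that checks a Basic or Bearer Authorization header and evaluates a SCIM-style filter such as `userName eq "bjensen"` or `emails.value co "example.org" and active eq false`. The user records, the `provisioner` password and the bearer token are constructed for the example; the JSON shapes (core schema URN, `totalResults`/`Resources` list response, `Errors` array) follow SCIM 1.1 as I recall it, and case-insensitive string comparison and a flat `and`-only filter grammar are simplifying assumptions.

```python
import base64
import hmac
import re

# Constructed sample data in the shape of SCIM 1.1 "User" resources (made up for this example).
CORE_SCHEMA = "urn:scim:schemas:core:1.0"
USERS = [
    {"schemas": [CORE_SCHEMA], "id": "u-1001", "userName": "bjensen", "active": True,
     "name": {"givenName": "Barbara", "familyName": "Jensen"},
     "emails": [{"value": "bjensen@example.com", "primary": True}]},
    {"schemas": [CORE_SCHEMA], "id": "u-1002", "userName": "jsmith", "active": False,
     "name": {"givenName": "John", "familyName": "Smith"},
     "emails": [{"value": "jsmith@example.org"}, {"value": "john@personal.test"}]},
]

# Assumed credentials this service accepts (both values are invented for the example).
BASIC_USERS = {"provisioner": "s3cret"}
BEARER_TOKENS = {"tok-0d9f"}

# One filter term: attribute, operator, and either a quoted or a bare value ("pr" takes none).
_TERM = re.compile(
    r'^\s*([A-Za-z][\w.]*)\s+(eq|co|sw|pr|gt|ge|lt|le)(?:\s+"([^"]*)"|\s+(\S+))?\s*$', re.I)


def parse_filter(expr):
    """Parse 'term [and term ...]' into (attr, op, value) tuples; reject anything else."""
    terms = []
    for chunk in re.split(r"\s+and\s+", expr, flags=re.I):
        m = _TERM.match(chunk)
        if not m:
            raise ValueError("unsupported or malformed filter: %r" % chunk)
        attr, op, quoted, bare = m.groups()
        op = op.lower()
        value = quoted if quoted is not None else bare
        if (op == "pr") == (value is not None):       # "pr" must have no operand, others must
            raise ValueError("bad operand for %s" % op)
        terms.append((attr, op, value))
    return terms


def _values(resource, path):
    """Resolve a dotted attribute path; multi-valued attributes contribute every element."""
    nodes = [resource]
    for part in path.split("."):
        nxt = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        nodes = nxt
    out = []
    for v in nodes:
        out.extend(v if isinstance(v, list) else [v])
    return out


def _match(op, actual, wanted):
    if isinstance(actual, bool):                      # booleans only support eq
        return op == "eq" and str(actual).lower() == wanted.lower()
    a, w = str(actual).lower(), wanted.lower()        # assumption: case-insensitive compare
    return {"eq": a == w, "co": w in a, "sw": a.startswith(w),
            "gt": a > w, "ge": a >= w, "lt": a < w, "le": a <= w}[op]


def matches(resource, terms):
    """All terms must hold; a term holds if any value at the attribute path satisfies it."""
    for attr, op, wanted in terms:
        vals = _values(resource, attr)
        if op == "pr":
            if not vals:
                return False
        elif not any(_match(op, v, wanted) for v in vals):
            return False
    return True


def authenticate(authorization):
    """Accept 'Basic base64(user:pass)' or 'Bearer token'; anything else is rejected."""
    if not authorization:
        return False
    scheme, _, param = authorization.partition(" ")
    param = param.strip()
    if scheme.lower() == "basic":
        try:
            user, _, pw = base64.b64decode(param, validate=True).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        expected = BASIC_USERS.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), pw.encode())
    if scheme.lower() == "bearer":
        return any(hmac.compare_digest(t, param) for t in BEARER_TOKENS)
    return False                                      # unknown scheme: deny by default


def get_users(authorization, filter_expr=None):
    """GET /Users[?filter=...] -> (status, body) in the shape of a SCIM list response."""
    if not authenticate(authorization):
        return 401, {"Errors": [{"description": "Unauthorized", "code": "401"}]}
    try:
        terms = parse_filter(filter_expr) if filter_expr else []
    except ValueError as e:
        return 400, {"Errors": [{"description": str(e), "code": "400"}]}
    found = [u for u in USERS if matches(u, terms)]
    return 200, {"schemas": [CORE_SCHEMA], "totalResults": len(found), "Resources": found}
```

The two points worth keeping from this: authentication is checked before the filter is even parsed, so an unauthenticated caller learns nothing from error messages, and the filter is parsed by a grammar rather than evaluated as an expression, so an attacker who controls the filter string can only ask the questions the grammar allows. Secrets are compared with `hmac.compare_digest` to avoid timing differences.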

OpenID Connect was a hot topic at the Cloud Identity Summit in Keystone, Colo. last month - but what is it?

OpenID Connect is a specification that codifies how parties can use the OAuth 2.0 protocol to communicate about identity. If you have tried to connect to multiple OAuth-enabled cloud providers, you will understand the pain point we want to alleviate with OpenID Connect: Namely that each cloud provider creates a separate, unique API for accessing their own particular silo. Wouldn’t it be great if developers could discover typical information about the currently authenticated user using the same ceremony everywhere?

Currently in development at the OpenID Foundation, OpenID Connect 1.0 has been designed to support the use of JavaScript and rich-client applications, an area that previous protocols such as OpenID 2.0 did not cover well. OpenID Connect 1.0 is also extensible; while the core specification defines standardized REST endpoints for profile data and for session information, standardization of additional identity-related services such as activity streams and portable contacts is also possible in the future.

The current version of the specification has reached a point where its fundamental operations are agreed upon, and where initial implementers can begin to 'test-drive' the functionality. Focus is starting to shift away from developing the specification towards education and communication in order to grease the wheels of adoption. The documents themselves are likely to change in name, number and order, but the content is quite stable.
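The "same ceremony everywhere" that OpenID Connect promises, and the "claims" mechanism mentioned in the Kuppinger Cole award post above, comes down to one artifact: a signed ID token whose standard claims the relying party checks the same way no matter which provider issued it. The following is an added example of my own (not code from the OpenID Foundation, Ping Identity, or any implementation) showing both halves: the provider mints an ID token with the core claims (`iss`, `sub`, `aud`, `exp`, `iat`, `nonce`), and the relying party verifies the signature and every one of those claims before trusting the identity. Standard library only; the issuer URL, client identifier and shared secret are invented, and using HS256 with the client secret as the key is a simplifying assumption (a real provider would usually sign with an RSA key published at its JWKS endpoint, and the checks on the claims would be identical).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values; none of these belong to a real deployment.
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-1234"                                   # assumed registered client_id
CLIENT_SECRET = b"a-shared-secret-at-least-32-bytes-long!!"    # assumed HS256 key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(subject, nonce, now=None, lifetime=300):
    """Provider side: issue an HS256-signed ID token carrying the core OpenID Connect claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "exp": now + lifetime, "iat": now, "nonce": nonce}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_id_token(token, expected_nonce, now=None, skew=60):
    """Relying-party side: return the claims if every check passes, else raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm the RP expects; never let the token's own header pick it (alg=none etc.).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, (h_b64 + "." + c_b64).encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:                       # token must come from the provider we trust
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")   # stops tokens issued to other RPs
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + skew:
        raise ValueError("token expired")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now + skew:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:             # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    t = mint_id_token("alice", nonce="n-4711")
    print(validate_id_token(t, expected_nonce="n-4711")["sub"])
```

Every check in `validate_id_token` closes a specific hole: the signature check stops forged or edited claims, the issuer and audience checks stop a token from another provider or another client being replayed here, the time checks bound how long a stolen token is useful, and the nonce check ties the token to the session that started the login.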