After three years of development, the OpenID Connect protocol is out for final review and the timing could not be better as the mobile computing industry is hungry for an open identity infrastructure.
Tuesday, Mike Jones, board member and OpenID Connect working group member at the OpenID Foundation and standards architect at Microsoft, sat at a table during the fall Internet Identity Workshop (IIW) evaluating comments and making edits to the spec, which was sent to its final release stage on Oct. 15.
The previous day at the foundation's meeting, Jones asked members for their final reviews in a development process that began in 2010 and is shaping up to be worth the wait.
OpenID Connect is coming to completion just as a hub model for identity is taking shape among mobile operators, service providers and identity initiatives around the world such as NSTIC in the U.S. and the U.K.'s Identity Assurance Program (IDAP), which will go operational next month.
"It's hubba, hubba time," said Don Thibeau, chairman and president of the Open Identity Exchange (OIX) and executive director of the OpenID Foundation, making reference to the way the global digital identity infrastructure is shaping into a hub model. He said the road that links mobile and identity is complete and the two are streaking toward that union, with OpenID Connect now an additive in the fuel.
Interest is high among service providers, vendors, consortiums, and governments, but perhaps the most significant development involves work between OIX and the U.K.'s IDAP leaders.
A number of U.K. mobile providers have enlisted OIX in evaluating OpenID Connect to fill in a piece of their identity strategy. The group attended last summer's Cloud Identity Summit conference to meet with OpenID Connect leaders and inspect the technology.
OIX would provide governance, while the IDAP contributes a 60 million-person use case. The other significant piece is the Global System for Communications Association (GSMA), an association of mobile operators that will certainly be monitoring the U.K.'s efforts.
With OpenID Connect coupled with the OpenID Foundation's Account Chooser specification, which lays out a standard user interface, mobile operators would have a tidy front and back end to handle user logins with identities provided by any number of providers.
The momentum behind OpenID Connect also includes industry giants Google, Microsoft and Salesforce, which all have OpenID Connect running in production. Notably absent, however, are Apple and Facebook.
Google cemented its commitment on Tuesday at IIW, saying it will phase out support for OpenID 2.0 and OAuth 1.0. Going forward, it will require support for OpenID Connect for all relying parties, those that want to accept IDs issued by Google.
Ping Identity and other identity infrastructure vendors, including ForgeRock and Gluu, also provide support for the protocol.
The Kantara Initiative, which focuses on technical advancement of digital identity, stepped up Tuesday at IIW to build leadership around creating an OpenID Connect profile geared for inclusion in the Federal Identity, Credential and Access Management (FICAM) program, which vets identity standards against federal policies, requirements and laws.
To add to the synergy, OpenID Connect is built on top of the OAuth authentication/authorization framework, which is enjoying widespread industry adoption and mobile operator support, and incorporates other developer-popular IETF protocols including JOSE (JSON Object Signing and Encryption) and JWT (JSON Web Token).
It's a powerful convergence, with the mobile operators' interest perhaps the most significant force in the bunch.
Mobile computing is exploding and disrupting both consumer and enterprise computing. Mobile is re-defining the way applications and services are developed and delivered.
The International Telecommunications Union reports that in 2013 there are 2.1 billion mobile broadband subscriptions.
Jones would not offer a timetable for OpenID Connect's completed specification, but the OpenID Foundation by-laws call for a review period (60 days) and vote (7 days) after the release candidate has been accepted.