For those of you who do not know, OpenID/AB is a chartered Working Group at the OpenID Foundation, and it aims to create another binding for OpenID, so that it is:

- More secure, so that it can go all the way up.
- Browser URL length limit friendly.

In addition, we have been targeting to make it:

- Very easy to write libraries for, using only standard libraries.
- Highly scalable: completely stateless, so that it can scale.
I think the goal has been achieved as of draft 06.
It uses OAuth 2.0 as the base protocol and builds an identity layer on top of it. Unlike David’s OpenID Connect straw man, it does not overload the OAuth 2.0 access token, so the access token can still be used as an ordinary OAuth token even in this OpenID flow.
The size of the code shows how easy it is:

- OP (PHP): 251 lines, including debug code and comments, as well as HTML.
- RP (PHP): 109 lines, including debug code and comments, as well as HTML.
- Magic Signatures library: 83 lines, including documentation.
- AES encryption library (wrapper): 30 lines.

So, in total, it is 373 lines, including documentation and debug code.

AND: it supports asymmetric signatures for non-repudiation, a completely stateless OP, and my (proprietary version of) attribute exchange.

The nice thing about what I did here for the attribute exchange is that the relying party can ask for whatever combination it wishes of any of the attributes the user supports. It is just a matter of making a “Request Parameter File”, which looks like this.
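To make the mechanism concrete, here is an added PHP illustration of the pattern described above: the RP writes a request parameter file naming whatever attributes it wants, signs it with its private RSA key in the Magic Signatures style (base64url-encoded payload, RSA-SHA256 over payload, type, encoding and algorithm), and the OP verifies the signature with the RP’s public key before trusting the request, which is what gives the non-repudiation mentioned earlier. This is example code written for this post, not the OpenID/AB draft’s wire format and not the OP/RP implementation the post counts lines for; the JSON field names, the envelope keys and the `https://rp.example` URL are assumptions.

```php
<?php
// Added illustration of a signed "request parameter file" (example code, not the
// OpenID/AB draft format). Field names and envelope keys are assumptions.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    return base64_decode(strtr($data, '-_', '+/'));
}

// RP side: the request parameter file lists any combination of attributes the RP
// wants, plus where the OP should send the user back. A fresh nonce ties the
// eventual response to this particular request.
function build_request_file(string $return_to, array $attributes): string {
    return json_encode([
        'return_to'  => $return_to,     // assumed field name
        'attributes' => $attributes,    // assumed field name
        'nonce'      => bin2hex(random_bytes(16)),
    ]);
}

// Magic Signatures style signing: the string that is signed is
// base64url(payload) "." base64url(type) "." base64url(encoding) "." base64url(alg),
// so the type and algorithm are covered by the signature, not just the payload.
function magic_sign(string $payload, $private_key): array {
    $type = 'application/json';
    $enc  = 'base64url';
    $alg  = 'RSA-SHA256';
    $data = base64url_encode($payload);
    $base = $data . '.' . base64url_encode($type) . '.' . base64url_encode($enc) . '.' . base64url_encode($alg);
    $sig  = '';
    if (!openssl_sign($base, $sig, $private_key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return ['data' => $data, 'data_type' => $type, 'encoding' => $enc,
            'alg' => $alg, 'sig' => base64url_encode($sig)];
}

// OP side: verify with the RP's published public key. The OP pins the algorithm
// and encoding it accepts instead of trusting whatever the envelope claims.
// Returns the decoded request file, or null if the signature does not check out.
function magic_verify(array $env, string $public_key_pem): ?array {
    if (($env['alg'] ?? '') !== 'RSA-SHA256' || ($env['encoding'] ?? '') !== 'base64url') {
        return null;
    }
    $base = $env['data'] . '.' . base64url_encode($env['data_type'] ?? '')
          . '.' . base64url_encode($env['encoding']) . '.' . base64url_encode($env['alg']);
    $ok = openssl_verify($base, base64url_decode($env['sig'] ?? ''), $public_key_pem, OPENSSL_ALGO_SHA256);
    if ($ok !== 1) {
        return null;
    }
    $payload = json_decode(base64url_decode($env['data']), true);
    return is_array($payload) ? $payload : null;
}

// --- demo with a key generated on the spot (constructed; not any real RP's key) ---
$rp_key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$rp_pub = openssl_pkey_get_details($rp_key)['key'];

$file     = build_request_file('https://rp.example/return', ['email', 'nickname', 'locale']);
$envelope = magic_sign($file, $rp_key);

$verified = magic_verify($envelope, $rp_pub);
echo "genuine request verifies: " . ($verified !== null ? 'yes' : 'no') . "\n";
echo "requested attributes: " . implode(', ', $verified['attributes'] ?? []) . "\n";

// Anyone who edits the file in transit (here: swapping one attribute) breaks the
// signature, because the signed string includes the encoded payload.
$tampered = $envelope;
$tampered['data'] = base64url_encode(str_replace('email', 'address', $file));
echo "tampered request verifies: " . (magic_verify($tampered, $rp_pub) !== null ? 'yes' : 'no') . "\n";
```

The OP decides the accepted algorithm itself rather than reading it from the envelope, so a request claiming a weaker or different algorithm is rejected before any signature check runs; the nonce in the file is what an OP would echo back so the RP can match a response to the request it actually sent.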
About the author:

- Working on digital identity since 2000.
- Co-author of various identity-related specifications, such as OpenID Connect and JSON Web Token.
- Chair of the OpenID Foundation (2011-).
- Vice Chair of the OpenID Foundation (2010).
- Founder of OpenID Foundation Japan (2008-).
- Trustee of Kantara Initiative (2009-).