February 26 this year marks the 5th birthday of OpenID Connect.
In Tokyo, we had a celebration workshop + party.
Last 5 years
In the last 5 years, a lot has happened.
Besides the great adoption, it made me happy that such little things as the Signed Request Object (Ch.6 of OIDC Core), which many people said was “too complex, and no one will ever use”, and the detached signature on the authorization response (3.3.2 of OIDC Core) got adopted in the last year or two by verticals with higher security requirements, such as banking. It just paid off to insist that they should be in the Core spec.
Next 5 years
What I would expect as the next steps are the claims model (Ch.5) and Self-issued OP (Ch.7). Both are starting to attract attention from various parties and have the potential to take off in the next three to five years.
For example, the claims model would be immensely useful for something like eKYC. The European Commission started a study on an eKYC framework, and the model seems to be a perfect fit.
Self-issued OP is gaining interest in the context of self-sovereign identity. Last year, several scholars, including friends of mine, got their Facebook and Twitter accounts suspended after somebody reported that they were violating the terms of use. In some cases, it was while they were speaking up and fighting for the freedom and rights of people. The attempt to suspend them was meant to shut them up. Of course, they did not shut up and fought back, but that’s because they were quite powerful and had the support of people. For the rest of us, fighting back like them can just be too daunting, and we may decide to give up. That is a real threat to the freedom of speech. To avoid such a situation, data portability and self-sovereign identity become ever more important.
Let us see what happens by the time OpenID Connect becomes 10 years old.