Events identity OpenID Foundation

OpenID Foundation Workshop Recap

Nat April 8, 2025 No Comments

On April 7, 2025, OpenID Foundation Workshop was given at Google campus in California.

Recordings and slides will be coming out in the near future, but till then, the following recap in can be useful. There is a podcast version of it created by NotebookLM based on this blog here as well.

Enjoy

Nat

Table of Contents

Gail Hodges (Executive Director of OpenID Foundation) – Overview Report

Gail Hodges presented the major achievements of the OpenID Foundation over the past 6 months:

Specification Progress:

  • FAPI 2 Security Profile and Attacker Profile reached final version
  • FAPI 1 submitted to ISO as a publicly available specification
  • FAPI 2 conformance tests now support DPoP
  • DCP (Digital Credentials Protocol) Working Group progress: OpenID for Verifiable Presentations to 3rd implementers draft, OpenID for VCI to implementers draft 2, and HYPE profile to implementers draft 1
  • eKYC (Electronic Know Your Customer) and IDA (Identity Assurance): OpenID Connect Authority specification to 1.0, and AuthZen 1.0 to Implementer’s Draft in November 2024

Events and Collaborations:

  • Four different working groups are conducting interoperability testing
  • Shared Signals: interoperability events in Texas and London
  • DCP Working Group: hackathons in California, MOSIP event in the Philippines
  • Collaboration with NIST: small group interoperability tests with the NCCoE program
  • AuthSen: first interoperability event at Gartner (well-attended)
  • Federation: SUnet-hosted event in Sweden (planned for the week of April 24)

Governance and Operations Progress:

  • Finalization of process document and IPR agreement (first update in about 7 years)
  • Development of specification checking automation tool by Mark Haine

Thought Leadership:

  • Establishment of Australian Digital Trust Community Group
  • SIDI Hub: nine reports published by Elizabeth Garber
  • Government feedback: briefing to New York Federal Reserve Bank, feedback on NIST directive and NIST attributes services
  • Participation in Aspen Institute’s fraud task force
  • Blog post with specific recommendations on fine-grained authorization and rich authorization requests (by Dima)

Media Coverage:

  • Promotion of foundation activities and events
  • Active participation by co-chairs and editors in blogs and podcasts
  • Recognition of identity field leaders by Okta: more than half of the 25 recognized people were from foundation members or partners

EKYC (Electronic Know Your Customer) and IDA (Identity Assurance) Update

Presentation by Hodari McClain:

  • OpenID Connect Authority 1.0 implementations spreading worldwide (particularly in Australia and UK)
  • Specs submitted to ISO as a publicly available specification, 12-week voting period almost complete
  • New working group call for Identity Assurance starting at 5:30 JST in Tokyo
  • Conformance testing suite out of Beta
  • Next phase of work to include age assurance, authority use cases
  • Attachments expected to reach final version in Q2 2025, Authority specification to implementers draft 2

DADE (Death and Digital Estate) Community Group

Presentation by Dean Sachs:

  • Group established in September 2024 to develop understanding of how individuals can manage their digital estate
  • Digital estate includes digital data such as online writing, images, photos, audio/video, code, etc.
  • Developing use cases for temporary/permanent disablement or death
  • Collecting data on legacy contacts and service mechanisms (highly inconsistent across platforms)
  • Discussion of death can be difficult depending on culture and language
  • DADE panel planned for Identiverse 2025
  • White paper planned titled “The State of Digital Estate Management” including a planning guide
  • Planned release for Cybersecurity Awareness Month
  • Regular working group calls for North America/EMEA and APAC/North America

Q&A:

  • Response to question about global vs. specific regions: Ideally global, but work at regional level needed. A group is starting up in Australia
  • Response to question about cooperation with MOSIP: Wish to utilize insights from regions where MOSIP is active, such as India and Africa
  • Discussion about accessing services on behalf of deceased individuals sometimes being a useful anti-pattern

AI Authentication Panel Discussion

Moderator: Tobin (researcher between MIT and Stanford) Panelists: Aaron Parecki, George Fletcher, Dima

Introduction by Tobin:

  • AI community currently in chaos as chatbots discovered to connect to APIs and take actions, attempting to do so without authentication
  • Startups and AI companies recognizing need for more robust authentication and authorization but trying to build from scratch
  • OpenID Foundation well-positioned to take a clear stance to prevent AI community from reinventing the wheel

Summary of recent blog post by Aaron Parecki:

  • Model Context Protocol (MCP) attempting to standardize access to AI tools but issues with authentication aspect
  • Most issues can be addressed by applying existing OAuth thinking
  • Tendency in AI world to create completely new things, but many existing API access patterns and authorization patterns apply one-to-one

Additional context from Tobin:

  • Workshop at Stanford showed diverging opinions on authenticated delegation for agents
  • OpenAI claimed consumers just want “robot to do the task”
  • Others want to severely restrict actions AI can take
  • Need to consider role of human in the loop and how OpenID-style tools can help

George Fletcher’s perspective:

  • Liability and responsibility is an important issue
  • Increasing user consent shifts responsibility to users but degrades user experience
  • Complex authorization questions regarding degree of delegation to agents (e.g., scope of credit card information usage)

Panel discussion:

  • Discussion on delegated authority, expression of intent, limitations of scopes
  • Differences between AI use cases and normal use cases: unanticipated behavior, expression of intent, learning agents
  • Importance of building on existing infrastructure
  • Possibilities for extending existing OAuth mechanisms

Conclusion:

  • OpenID Foundation needs to provide a voice to the AI community
  • White paper planned
  • Leverage knowledge from areas with existing solutions, such as open banking and digital ID credentials

OpenID Connect Working Group Update

Presentation by Mike Jones:

Key Developments:

  • Security analysis of OpenID Federation completed, revealing significant security hole
  • Certification team developing certification tests for OpenID Federation
  • Interoperability event for Federation planned at SUNet in Sweden at the end of April

Newly Adopted Specifications:

  • OpenID Federation Wallet Architectures draft
  • OpenID Connect RP Metadata Choices specification
  • OpenID Provider Commands specification (to be detailed later by Dick Hardy)

Security Analysis and Response:

  • Federation security analysis by University of Stuttgart found bug or ambiguity in audience values sent to authorization servers
  • Discussed privately for months with deployments vulnerable to the bug and fixed
  • Fixes implemented for OpenID Federation, OpenID Connect Core (errata draft), FAPI 2, FAPI 1 (errata draft), CIBA Core (errata draft)
  • Draft called 7523bis adopted to address OAuth specifications

Ongoing Work:

  • Planning Federation interoperability event (about 25 participants, about 12 implementations)
  • Considering review for implementers draft of RP Metadata Choices
  • Assessing status of three dormant specifications (OpenID Connect Claims Aggregation, User Info Verifiable Credentials, Self-issued OpenID Provider V.2)

EAP (Enhanced Authentication Profile) Working Group:

  • Updates to OpenID Connect EAP ACR Values specification
  • Registration of ACR values for phishing-resistant authentication and phishing-resistant hardware-backed authentication in official registries
  • Working group last call ending the next day

OpenID Provider Commands

Presentation by Dick Hardt:

  • Simple concept of OP sending commands to RP
  • Command is a JWT token signed by OP, which RP can verify signature like an ID token
  • Supports all stages of account lifecycle (as defined by ISO): activating, maintaining, suspending, archiving, reactivating, restoring, and deleting accounts
  • Also supports tenant-level commands (metadata command, audit tenant, suspend tenant, archive tenant, delete tenant)
  • Uses Server-Sent Events to address challenges with long responses
  • Aims to lower barrier to entry compared to SCIM (System for Cross-domain Identity Management)

Q&A:

  • Current issues: proposal to rename command URI to command endpoint, among other small changes
  • Improvements based on implementation feedback, such as adding error events

Authn (Authorization) Working Group Update

Remote presentation by Omri Gazitt:

  • Working group established in late 2023 to standardize communication between policy enforcement points and decision points
  • Published first core API draft (evaluation API) in November 2024, evaluations batch API draft in January 2025, search API draft in March
  • Started developing API gateway profile at Gartner IAM 2024 London interoperability event

Interoperability Testing:

  • Tested two policy enforcement points: API gateway (medium-grained authorization) and ToDo application (fine-grained authorization)
  • Significant increase in participating vendors from December 2024 to March 2025
  • PDP vendors (Authn implementations) increased to 17
  • Seven new API gateway vendors joined (Amazon API Gateway, Broadcom’s L7 Gateway, Envoy, Kong, etc.)

Future Roadmap:

  • Evaluation API and evaluations batch API stable with no planned changes
  • Moving toward second implementers draft including search APIs, partial evaluation, and discovery
  • Aiming for Authn 1.0 final in summer or fall 2025
  • 2025 initiatives: formalizing API gateway profile, event delivery for stateful PDPs (leveraging Shared Signals), IDP profile consideration
  • Commercial implementations: Topaz supporting native Authn endpoints, Zuplo with native Authn support, Amazon’s Cedar planning Authn support later in 2025

IPSIE (Interoperability Profiles for Secure Identity in the Enterprise)

Presentation by Dean Sachs and Aaron Parecki:

  • Working group addressing interoperability and security challenges in enterprise identity
  • Established in October 2024, addressing the challenge of many standards with many options in each standard
  • Goal is to define profiles using existing standards, reducing optionality and ambiguity
  • Level-based approach based on enterprise maturity: Session Lifecycle track (SL) and Identity Lifecycle track (IL), each with 3 levels
  • OpenID Connect profile proposed as initial draft, with public call for adoption
  • Another draft contributed describing how to apply SAML to achieve SL1 goals
  • Work beginning on draft for ID (provisioning) lifecycle
  • Aiming for SL1 interoperability event at Gartner IAM in December 2025

Q&A:

  • Regarding columns for application and identity service: Identity service refers to everything the enterprise runs to manage identities (IDP, threat monitoring services, etc.)

Shared Signals Framework

Presentation by Atul:

Overview:

  • Framework for reliably providing information asynchronously between cooperating parties
  • Provides a framework for negotiating what type of information to exchange about whom
  • Provides controls for starting, stopping, pausing, restarting streams
  • Application profiles for Risk (account security) and CAPE (session management)
  • SCIM Events is a draft for conveying account management changes

Architecture:

  • Receiver initiates communication, telling the transmitter which events it wants to listen to
  • Actual events sent through asynchronous transport as JWTs
  • Uses specific structure of JWTs called Security Event Tokens (SET)

Specification Progress:

  • Three specifications (Shared Signals Framework Core, CAPE, Risk) progressing to final after resolving some issues
  • Addressing issues based on implementation feedback and organizing the specification

Interoperability Testing:

  • Testing conducted at Gartner IAM in Texas (December 2024) with numerous vendors
  • In London (March 2025), required transmitters to pass conformance tests to participate
  • Progressively raising the bar for interoperability tests, with third event being more rigorous

Adoption:

  • Apple, Okta, Signl, Jamf supporting SSF in actual products
  • Increasing announcements of betas and implementation plans
  • Preparing white paper for financial services
  • Engagement with Aspen Institute: potential of shared signals in fraud prevention

Modrna (Mobile Operator Discovery, Registration & autheNticAtion)

Presentation by Bjorn Hjelm:

Working Group Status:

  • CIBA Core specification has reached final version
  • Completing working group last calls for Discovery Profile and Modrna CIBA Profile
  • Working on errata for CIBA Core
  • Outreach to GSMA community (industry organization of mobile network operators), ETSI, and Camara project (Linux Foundation)
  • Working toward liaison agreement with GSMA

Plans:

  • Targeting errata version 2 in Q3, agreement with GSMA by year-end

ITU (International Telecommunication Union) Submission

Continued by Bjorn Hjelm:

  • ITU is part of UN, formal standardization organization like ISO
  • Some governments require specifications from formal standardization organizations (ISO or ITU)
  • Effort to have OpenID specifications adopted by ITU to enable implementations in more regions
  • ISO used adoption by reference (specification published as-is with ISO cover sheet), but ITU requires adoption by implementation (specification reformatted to ITU format)
  • Converted OpenID Connect Core specification to ITU format and submitted for review
  • Feedback expected at meeting next week
  • Testing process with one specification first rather than all at once

SIDI Hub

Presentation by Elizabeth Garber:

Overview and Principles:

  • Global multi-stakeholder community collaborating on requirements for global interoperability of digital identity
  • Over 25 countries participating, engagement with intergovernmental organizations like OECD, World Bank
  • Five summits across five continents: Paris, Cape Town, Berlin, Washington DC, Tokyo (most recent)
  • Next event in Addis Ababa (ID for Africa) in May 2025
  • Principles include human-centricity, domestic sovereignty, multilateral engagement, grounding in real-life use cases, focus on both technology and policy

2024 Achievements:

  • Nine reports published: reports after each event, three champion use cases (refugee, education/credentials, opening bank account)
  • Report on global credential ecosystem governance
  • End-of-year report setting short, medium, and long-term goals

Current Work:

  • Building a “digital commons”: open suite of policy, technical, and other tools
  • Technical workstream: focusing on trust management, analyzing existing models like OpenID Federation, LUCI’s work, Train
  • Trust Framework workstream: expanding Open Identity Exchange analysis and bridging with cross-border ecosystems
  • Considering trust frameworks in context of Financial Action Task Force (FATF)
  • Approach to attestation rulebook in Europe

FAPI Update

Presentation by Joseph Heenan:

Key Developments:

  • FAPI 2 Security Profile and Attacker Model published as final specifications
  • Conformance tests in development, beta release planned for April 2025
  • Ecosystem expansion: BIS (Bank for International Settlements) project, UK’s SelectID, Chile and Colombia considering grant management specification
  • Continued engagement with Australian government
  • FDX moving to FAPI 2

Major Changes from FAPI 2 Implementers Draft to Final:

  • Change related to audience value in private key JWT client authentication (addressing security vulnerability)
  • Migration expected to be relatively easy

Future Work:

  • Working on moving FAPI 2 Message Signing specification to final
  • Focus on implementation and deployment advice documents
  • Planning Shared Signals white paper for regions interested in financial services (Chile, Brazil, etc.)

DCP (Digital Credentials Protocol) Update

Continued by Joseph Heenan:

Recent Implementers Draft Releases:

  1. OpenID for Verifiable Presentations (VP) 3rd Implementers Draft:
    • Addition of Digital Credentials Query Language (DQCL, pronounced “duckle”)
    • Addition of transaction data (embedding data acknowledged by user)
    • Addition of SD-JWT profile and X.509 authentication method
    • Change in how client IDs are passed in presentation exchange (resolving security issue)
    • Addition of Browser Digital Credentials API appendix
  2. OpenID for Verifiable Credential Issuance (VCI) 2nd Implementers Draft:
    • Implementation of Nonce endpoint (solving issues with multiple user interactions)
    • Batch issuance of same credential improving unlinkability
    • Removal of Batch Endpoint (reducing complexity)
  3. High Assurance Interoperability (HYPE) 1st Implementers Draft:
    • Includes MDOC presentation profile over Digital Credentials API in browser
    • Coordination with ISO/IEC 18013-7
    • Mandates use of DQCL

Current Work:

  • Complete removal of presentation exchange from OpenID for VP, standardizing on DQCL
  • Support for Trusted Authorities
  • Addressing Multi-RP authentication challenges

Conformance Testing:

  • Alpha tests developed for Verifiable Credential Issuance (focusing on SD-JWT)
  • Updated wallet tests for Verifiable Presentations (supporting implementers draft 3)
  • Added verifier tests for Verifiable Presentations

Coordination:

  • Close coordination with the European Commission to ensure OpenID specifications explicitly referenced in next revision of EU implementing acts

NIST NCCoE (National Cybersecurity Center of Excellence) Interoperability Testing

Presentation by Juliana (Microsoft):

Event Background:

  • Part of NIST’s National Cybersecurity Center of Excellence project
  • Work on mobile driver’s licenses/digital identity
  • Use case for opening bank account and recurring access at high assurance levels

Test Overview:

  • Testing with multiple wallets, multiple browsers, multiple operating systems, single verifier (Mattr)
  • Testing Annex C profile from ISO MDL and four different OpenID for VP configurations
  • Built architecture enabling remote interoperability testing

Results:

  • Approximately 87% success rate in April 4, 2025 test
  • For MDOC: 80 pairs tested, with 1 unsigned and 8 signed failures
  • For SD-JWT: 27 pairs passed, 1 pair failed
  • Report that some known gaps already closed over weekend
  • No major feedback on protocols themselves

Future Plans:

  • Additional tests on April 25 and May 5
  • Detailed demo for SDO and government stakeholders on morning of May 5, public webinar in afternoon

Conformance and Certification Program Update

Final presentation by Joseph Heenan:

Test Development for Multiple Specifications:

  • FAPI: Provided DPoP support, FAPI 2 final tests coming to beta soon
  • Federation: Beta tests available, developing test with automatic registration flow for interoperability events
  • EKYC: Upgrading tests, discussing certification program details
  • Shared Signals: Conducted transmitter tests, starting receiver tests
  • Verifiable Credentials: VP tests used in interoperability testing, VCI tests coming soon

Coordination with European Commission:

  • Ongoing conversation about the potential use of tests

Closing

Group photo taken with all participants, workshop concluded. Board members informed they have another two hours of meeting ahead.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.