Technology Overview
The I/DW attribute service platform incorporates current best practices, implementing the OpenID Connect protocol on top of OAuth 2.0 and JSON Web Tokens (JWT) to bind real-world identities to electronic ones. Google and I/DW are building an initial demo of a model called Street Identity using the Street Identity API model. Using the OpenID service of an Identity Provider (IDP), a web application can hand off User authentication to the IDP. This frees the Relying Party (RP) from managing login credentials and the associated security measures, and spares Users from setting up yet another login account.
When an RP uses an OpenID provider, its web services never handle User login credentials. After a User successfully logs in to their IDP account, the OpenID server returns a persistent User identifier that the RP application can use to recognize that User, handle sessions, store user-specific data, and so on.
OAuth 2.0 is a new, simplified authorization protocol for online APIs. OAuth 2.0 relies on SSL for transport security instead of requiring the RP application to perform cryptographic signing itself. This protocol allows your application to request access to data associated with a user's Google Account. I/DW supports a recent draft of the OAuth 2.0 protocol for authorizing access to private user data, and we intend to update our code to match the final OAuth 2.0 and bearer token standards.
The core concepts are simple. When the RP application asks for a particular scope of access, the IDP displays an OAuth consent dialog to the User, asking whether to authorize the RP application. With the User's approval, the RP application receives a short-lived access token that it can use to validate its requests for the User's attribute data.
I/DW currently supports three OAuth 2.0 flows:
- The client-side flow for JavaScript applications running in a browser
- The server-side flow for web applications with servers that can securely store persistent information
- The native application flow for desktop and mobile applications
