OpenID Connect: what it is and how it changes with OpenPubkey

While Europe pushes the accelerator on the Digital Identity Wallet, almost all web and mobile applications rely on OpenID Connect (OIDC). It is an authentication and authorization protocol based on OAuth 2.0, designed to enable user authentication across web applications and services in a secure and interoperable manner. The OpenID Foundation, a consortium of organizations and individuals interested in promoting open digital identity standards, shaped OpenID Connect in 2014 by adding an authentication layer to OAuth 2.0.

The idea behind the work carried out by the OpenID Foundation was precisely to overcome some of the limitations and complexities of OAuth 2.0, providing a more robust framework for authentication and digital identity.

With OpenID Connect, users can use the authentication credentials provided by an Identity Provider (IdP) to access services and applications without having to create a new, separate account for each service. Furthermore, JSON Web Tokens (JWT) allow identity information to be transmitted in a safe and structured way.

OpenID Connect logo

The advantages of OpenID Connect

OpenID Connect offers many benefits, helping to improve user authentication and authorization on the Internet. The main advantages are summarized below:

  • Interoperability: OIDC is designed to be interoperable, allowing different applications and web services to support a common protocol for authentication. This makes it easy to integrate “standard” authentication features across many different platforms.
  • Standardization: As an open standard, OIDC offers a clear and well-defined specification for OAuth 2.0-based authentication. This makes the protocol easier for software developers to implement and understand.
  • Reuse of credentials: Users can use the authentication credentials obtained from an Identity Provider (IdP) across multiple services and applications, avoiding the need to create and remember multiple username and password pairs.
  • Security: The use of JSON Web Tokens (JWT) for transmitting identity information provides a secure mechanism for exchanging data between clients and servers.
  • Endpoint discovery: OIDC includes a feature for discovering endpoints. This way, client applications can dynamically find the URLs needed to authenticate and obtain authorization tokens.
  • Session management: The protocol offers tools for session management, allowing user state to be managed more effectively during interactions with the application.
  • Granting of permissions: OIDC supports the concept of granting permissions, allowing applications to request and receive additional information about the user during the authorization phase.

Single sign-on and federated identity

OpenID Connect is considered a Single Sign-On (SSO) protocol, as it provides a standardized mechanism that allows users to authenticate once and access multiple services and applications without having to log in separately to each one.

OIDC is also a component of a federated digital identity ecosystem, mainly because it promotes interoperability between different IdPs and clients (services or applications) within a distributed system.

For all these reasons, OpenID Connect has quickly become one of the protocols most used by large companies in the technology sector: Google, Microsoft, Meta, Okta and Amazon Cognito act as IdPs. Thanks to the open structure of the system, however, many organizations implement their own custom IdP services based on OpenID Connect to manage user authentication directly on their own systems, without relying on third parties.

How OpenID Connect works, and the flow that characterizes each authentication and authorization procedure, are summarized on this page.

The points of contact with SPID and CIE

If, while reading the description of OpenID Connect and the list of its main advantages, you noticed similarities with the principles behind SPID (Public Digital Identity System), it is because they really exist.

We have already seen how SPID really works: although it is a European system that offers a unique digital identity for accessing the online services of the Public Administration and participating private entities, SPID is interoperable. Examining the technical rules published by AgID, we learn that SPID also adopts the OpenID Connect standard and therefore looks toward full technical and process convergence between the two digital identity systems.

Digital Identity Managers and public and private service providers have had to adapt from May 2022 onward, embracing the use of OpenID Connect within SPID as well. The benefits of the integration, which also affects CIE id, i.e. verification of digital identity using the electronic identity card, are tangible and include the possibility of avoiding entering the password at each access and, for example, blocking all authentications carried out on a specific service.

Also, regarding the Digital Identity Wallet, the European Commission leaves to each member state the task of defining the tools used to attest the identity of each user. SPID, CIE and OpenID Connect can therefore fully become among the permitted mechanisms.

OpenID Connect improves with OpenPubkey

OpenPubkey is a cryptographic protocol that adds the possibility of using signing keys generated via OpenID Connect. The new protocol, just presented by heavyweights such as The Linux Foundation, BastionZero and Docker, allows messages and requests to be signed using one's OIDC digital identity, without the need to add further supporting information.

OpenPubkey is fully compatible with existing OIDC providers, without any changes on the provider side. Instead, the change is required only on the client side: an ID Token issued by an OIDC provider must be bound to a public key held by the user.

OpenPubkey allows cryptographic keys to be securely and accurately paired with users and workloads by transforming an OpenID Connect Identity Provider (IdP) into a Certificate Authority (CA).
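As an added example that is not part of the original article or of the OpenPubkey project's own code, the following Go program shows both the ID Token checks behind the JWT-based advantages listed above (provider signature, issuer, audience) and the client-side binding just described: the client places a hash of its own public key in the token's nonce, an unmodified IdP signs it, and a verifier checks the IdP signature, the nonce commitment and a message signed with the user's key. Assumptions: the IdP is simulated with an HS256 secret rather than the RS256 keys real providers publish, the commitment format is a simplification of the real protocol, and the issuer URL, secret and seeds are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Constructed stand-ins for the IdP: an HS256 secret (real providers publish RS256 keys via JWKS) and its issuer URL.
var b64, idpSecret, issuer = base64.RawURLEncoding, []byte("constructed-idp-secret"), "https://idp.example"

// commitment builds the OpenPubkey-style nonce: a hash binding the user's public key, its algorithm and a random rz.
func commitment(upk ed25519.PublicKey, alg string, rz []byte) string {
	h := sha256.Sum256(append(append([]byte(alg+":"), upk...), rz...))
	return b64.EncodeToString(h[:])
}

// issueIDToken plays an unmodified IdP: it signs whatever nonce the client supplied, as today's providers do.
func issueIDToken(sub, aud, nonce string) string {
	body, _ := json.Marshal(map[string]string{"iss": issuer, "sub": sub, "aud": aud, "nonce": nonce})
	input := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, idpSecret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyPKToken checks the IdP signature and claims, the nonce commitment to upk, and the user's signature on msg (exp/iat omitted for brevity).
func verifyPKToken(idToken, aud string, upk ed25519.PublicKey, rz, msg, sig []byte) (string, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	mac := hmac.New(sha256.New, idpSecret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if got, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return "", errors.New("bad IdP signature")
	}
	var c struct{ Iss, Sub, Aud, Nonce string }
	if payload, _ := b64.DecodeString(parts[1]); json.Unmarshal(payload, &c) != nil || c.Iss != issuer || c.Aud != aud {
		return "", errors.New("unexpected issuer or audience")
	}
	if c.Nonce != commitment(upk, "EdDSA", rz) || !ed25519.Verify(upk, msg, sig) {
		return "", errors.New("nonce does not commit to upk, or bad user signature")
	}
	return c.Sub, nil
}
```

Because the provider only ever sees an opaque nonce, the binding costs it nothing, which is why no provider-side change is needed.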

BastionZero is a company that offers a cloud service for managing secure access to IT resources such as servers, containers, clusters, databases and web servers. It is designed to ensure maximum security and ease of use, allowing users to access IT resources without having to manage a variety of different systems.

To give an idea of the potential of OpenPubkey, just consider that BastionZero has announced the integration of the new protocol for Docker container signing: in this way it helps protect the open source software ecosystem with zero-trust, passwordless authentication.

Introducing the OpenPubkey GitHub repository, The Linux Foundation explains that the initiative will play a fundamental role in strengthening the security of open source software by significantly improving the entire software supply chain.

Opening image credit: iStock.com/TU IS
