Signing users in to a mobile or web app isn’t necessarily hard, but keeping their credentials safe is something that’s often best left to specialists. The OpenID Foundation today announced the launch of OpenID Connect, the organization’s latest standard for authenticating users and building distributed identity systems. The standard has the backing of Google, Microsoft, Salesforce, Deutsche Telekom, TechCrunch parent AOL and numerous other companies and mobile network operators.
With this, developers can create a straightforward sign-in process for their users by outsourcing the actual sign-in and identity verification to companies like Google or Microsoft. Using OpenID, developers don’t have to store and manage passwords on their own servers.
The OpenID Foundation argues that the new protocol will ensure that developers won’t have to worry about keeping their users’ accounts safe. Instead, this data will be managed by “operators who continually invest in sophisticated authentication infrastructure and who have the specialized skills required to securely manage sign-in and detect abuse.”
Unlike previous versions of the OpenID Foundation’s login standards, OpenID Connect uses OAuth in addition to secure SSL connections. The previous version used XML and a custom message signature scheme that was often difficult for developers to implement. In the new version, all of this is based on OAuth 2.0, which handles the secure connection and the exchange of data.
So why not just use OAuth instead of this new layer that was built on top of it? OpenID Foundation chairman Nat Sakimura notes that OAuth is an “access granting protocol,” but it doesn’t have any notion of identity. Facebook uses OAuth this way, but with the help of tokens and an extension called “signed requests,” which is quite similar to what OpenID Connect does (with the difference that it only works with Facebook).
Most developers are already familiar with using OAuth, as Eric Sachs, Google’s Group Product Manager for Identity, stressed when I asked him about the advantages of Connect. This new protocol, which is based on technologies developers have probably already implemented in their services to talk to various APIs, should make implementing Connect very easy for them. He noted that Google will throw its full weight behind the standard and will support OpenID Connect through its Google+ Sign-In libraries, for example.
Indeed, Google will consolidate all of its federated login solutions onto the OpenID Connect standard and will deprecate support for previous versions of OpenID over the course of the next year. Sachs recommends that developers switch over to the new libraries as soon as possible, though.
One of the biggest recent wins for OpenID Connect was actually announced earlier this week (before the protocol was fully ratified). The GSMA, the association of over 800 mobile operators and the organization behind the Mobile World Congress in Barcelona this week, unveiled Mobile Connect. It’s an initiative to develop new applications that allow users to securely access online services using their mobile phone account for authentication. OpenID Connect, the network operators hope, can provide a standard for creating interoperability between the different operators.