OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity Assurance Overview
- 1. OpenID Connect for Identity Assurance https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html Torsten Lodderstedt, yes.com
- 2. Objectives ● Allow OpenID Connect OPs explicit attestation of verification status of Claims (what, how, when, according to what rules, using what evidence) ● For use cases requiring strong identity assurance, such as Anti-money Laundering, eGovernment & eSigning ● Focus on natural person data, such as name or birth date
- 3. Design objectives ● Use existing End-User Claims and build something around to convey attestation, define additional End-User Claims where needed ● Verified claims can be added to any JSON-based response or JWT - mixed with unverified claims and other extensions ● Privacy by design
- 4. Representation ● Self contained and robust representation ● verified_claims Container ● verification element contains verification metadata (multiple evidence possible) ● claims element contains respective End-User Claims
- 5. User Info & ID Token
- 6. International Standard ● Trust frameworks, verification methods and evidence types ● So far review feedback & contributions from US, CA, UK, DE, EU & JP
- 7. Additional End-User Claims ● place_of_birth ● nationalities ● birth_family_name, birth_given_name, birth_middle_name ● salutation ● title
- 8. RPs request verified claims using “claims” parameter ● Fine grained control ● Data minimization
- 9. Constraints ● Leverages OpenID Connect Core syntax
- 10. Remark on URL length ● Request URLs can become quite long with “claims” parameter ● Recommendation: take a look into request_uri and Pushed Authorization Requests (https://tools.ietf.org/html/draft-lodderstedt-oauth-par)
- 11. Status ● Public Review has started https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html ● Couple of implementations are under way Need your feedback!