The OpenID Foundation is unshackling developers from the burden of having to work with XML, with the launch of a protocol designed to make the tasks performed by its OpenID protocol more mobile-and-API-friendly.
OpenID Connect, described here, is backed by Deutsche Telekom, Google, Microsoft, Ping Identity and Salesforce.
It gets rid of the need for users to run an extension, as is required for apps trying to integrate with OAuth 1.0a and OpenID 2.0. “In OpenID Connect, OAuth 2.0 capabilities are integrated with the protocol itself,” the foundation says.
In its FAQ, the foundation explains that the OAuth 2.0 framework defined standardised JSON and HTTP message flows (as per RFC 6749 and RFC 6750, if you feel like looking at the fine detail). OpenID Connect is designed to use these flows to provide identity services.
Developers can choose between a minimalist implementation, or they can draw on other capabilities (discovery, dynamic client registration, session management and form post response mode).
For the developer, of course, the main advantage is being able to handle user identity without having to assume the burden of being responsible for storing and securing passwords. And by abandoning XML in favour of simpler message structures, the foundation says interoperability should be easier to achieve.
One of OpenID Connect's leaders, Nat Sakimura, has a discussion of using OpenID Connect messages here. ®