OpenID specifications are developed by OpenID working groups and go through three phases: Drafts, Implementer’s Drafts, and Final Specifications. Implementer’s Drafts and Final Specifications provide intellectual property protections to implementers. Final Specifications are OpenID Foundation standards.
Final Specifications
OpenID Connect specifications:
- OpenID Connect Core – Defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of claims to communicate information about the End-User
- OpenID Connect Discovery – Defines how clients dynamically discover information about OpenID Providers
- OpenID Connect Dynamic Client Registration – Defines how clients dynamically register with OpenID Providers
- OAuth 2.0 Multiple Response Types – Defines several specific new OAuth 2.0 response types
- OAuth 2.0 Form Post Response Mode – Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User-Agent using HTTP POST
- OpenID 2.0 to OpenID Connect Migration 1.0 – Defines how to migrate from OpenID 2.0 to OpenID Connect
- OpenID Connect RP-Initiated Logout – Defines how a Relying Party requests that an OpenID Provider log out the End-User
- OpenID Connect Session Management – Defines how to manage OpenID Connect sessions, including postMessage-based logout functionality
- OpenID Connect Front-Channel Logout – Defines a front-channel logout mechanism that does not use an OP iframe on RP pages
- OpenID Connect Back-Channel Logout – Defines a logout mechanism that uses direct back-channel communication between the OP and RPs being logged out
- OpenID Connect Core Error Code unmet_authentication_requirements – Defines the unmet_authentication_requirements authentication response error code
- Initiating User Registration via OpenID Connect – Defines the prompt=create authentication request parameter
FAPI working group specifications:
- Financial-grade API Security Profile (FAPI) 1.0 – Part 1: Baseline – A secured OAuth profile that aims to provide specific implementation guidelines for security and interoperability.
- Financial-grade API Security Profile (FAPI) 1.0 – Part 2: Advanced – A highly secured OAuth profile that aims to provide specific implementation guidelines for security and interoperability.
- JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) – This specification was created to bring some of the security features defined as part of OpenID Connect to OAuth 2.0
MODRNA working group specifications:
Implementer’s Drafts
OpenID Connect working group specifications:
- OpenID Connect Federation – Defines how sets of OPs and RPs can establish trust by utilizing a Federation Operator [Most recent Implementer’s Draft]
- Self-Issued OpenID Provider V2 – Enables End-Users to use OpenID Providers (OPs) that they control [Most recent Implementer’s Draft]
- OpenID for Verifiable Presentations – This specification defines a mechanism on top of OAuth 2.0 to allow presentation of claims in the form of verifiable credentials as part of the protocol flow [Most recent Implementer’s Draft]
- OpenID Connect Native SSO for Mobile Apps – Enables native applications by the same vendor to share login information [Most recent Implementer’s Draft]
FAPI working group specifications:
- Financial-grade API: Client Initiated Backchannel Authentication Profile – FAPI CIBA is a profile of the OpenID Connect CIBA specification that supports the decoupled flow [Most recent Implementer’s Draft]
- FAPI 2.0 Security Profile – FAPI 2.0 has a broader scope than FAPI 1.0 as it aims for complete interoperability at the interface between client and authorization server as well as interoperable security mechanisms at the interface between client and resource server [Most recent Implementer’s Draft]
- FAPI 2.0 Attacker Model [Most recent Implementer’s Draft]
- Grant Management for OAuth 2.0 – This profile specifies a standards-based approach to managing “grants” that represent the consent a data subject has given. It was born out of experience with the rollout of PSD2 and requirements in Australia. [Most recent Implementer’s Draft]
MODRNA working group specifications:
- OpenID Connect MODRNA Authentication Profile 1.0 [Most recent Implementer’s Draft]
- OpenID Connect Account Porting 1.0 [Most recent Implementer’s Draft]
- OpenID Connect User Questioning API 1.0 [Most recent Implementer’s Draft]
EAP working group specifications:
- Token Bound Authentication – Defines how to apply Token Binding to OpenID Connect ID Tokens [Most recent Implementer’s Draft]
- EAP ACR Values – Enables OpenID Connect RPs to request that specific authentication context classes be applied to authentications performed and for OPs to inform RPs whether these requests were satisfied [Most recent Implementer’s Draft]
Shared Signals working group specifications:
- OpenID Shared Signals and Events Framework Specification 1.0 [Most recent Implementer’s Draft]
- OpenID Continuous Access Evaluation Profile 1.0 [Most recent Implementer’s Draft]
- OpenID RISC Profile Specification 1.0 [Most recent Implementer’s Draft]
eKYC-IDA working group specifications:
HEART working group specifications:
- Health Relationship Trust Profile for OAuth 2.0 [Most recent Implementer’s Draft]
- Health Relationship Trust Profile for Fast Healthcare Interoperability Resources (FHIR) OAuth 2.0 Scopes [Most recent Implementer’s Draft]
- Health Relationship Trust Profile for User-Managed Access 2.0 [Most recent Implementer’s Draft]
- Health Relationship Trust Profile for Fast Healthcare Interoperability Resources (FHIR) UMA 2 Resources [Most recent Implementer’s Draft]
Active Drafts
OpenID Connect working group specifications:
- See the OpenID Connect Working Group Status page
MODRNA working group specifications:
- See the MODRNA Working Group Status page
EAP working group specifications:
- See the EAP Working Group Status page
iGov working group specifications:
- See the iGov Working Group Status page
Inactive Drafts
Native Applications working group specifications:
Account Chooser & Open YOLO working group specifications:
Obsolete Specifications
Final OpenID 2.0 specifications:
- OpenID Authentication 2.0 (txt)
- OpenID Attribute Exchange 1.0 (txt)
- OpenID Provider Authentication Policy Extension 1.0 (txt)
- OpenID Simple Registration Extension 1.0 (txt)
- Yadis Discovery Protocol (Developed separately from OpenID, though used in OpenID 2.0)
OpenID 2.0 Drafts:
- OpenID Simple Registration Extension 1.1 – Draft 1 (txt)
- Contract Exchange 1.0
Early OpenID specifications: