The Cambrian Explosion of OAuth and OpenID Specifications
02-28, 10:00–10:30 (UTC), Kaldalón

The number of OAuth and OpenID specs continues to grow. We will discuss how people and organizations have gone about selecting and curating the specs to implement in an attempt to create coherent and useful open source and commercial offerings.
The number of OAuth and OpenID specifications continues to grow. At present there are 30 OAuth RFCs, two more in the RFC Editor queue, 13 OAuth working group drafts, and another eight individual OAuth drafts that may advance. There are nine JOSE RFCs and seven working group drafts. There are four SecEvent RFCs. On the OpenID side, there are 12 final OpenID Connect specs, three final FAPI specs, one final MODRNA spec, three final eKYC-IDA specs, and 24 Implementer’s drafts across the OpenID working groups, plus another ten working group drafts.

The number of possible combinations boggles the mind. And there’s no end in sight!

What’s a developer to do? How have people and organizations gone about selecting and curating the specs to implement in an attempt to create coherent and useful open source and commercial offerings? And faced with such an array of combinations and choices, how are application developers to make sense of it all? How can interoperability be achieved in the face of continued innovation?

This session will prime the pump by discussing choices made by some existing open source and commercial offerings in the OAuth and OpenID space and lead to an open discussion of choices made by the workshop attendees and the reasoning behind them. It’s our goal that useful strategies emerge from the discussion that help people grapple with the ever-expanding sets of specifications and make informed implementation choices, while still fostering the innovation and problem-solving that these specifications represent.

Between now and the workshop, we plan to gather data from multiple organizations offering OAuth and OpenID libraries and products to try to understand how they’re wrestling with the situation. We’ll present a summary of that data to help kick off the discussions at the workshop. It’s possible that people from some of the organizations we gather data from will be added as co-presenters.

Michael B. Jones is on a quest to build the Internet's missing identity layer. He is an editor of the OpenID Connect specifications, the IETF OAuth specifications (including JSON Web Token (JWT) and DPoP), the IETF JSON Object Signing and Encryption (JOSE) specifications, FIDO 2.0, and W3C Web Authentication. Michael was recognized as a Distinguished Engineer by the OpenID Foundation and was granted a lifetime achievement award by Kuppinger Cole for creating simple, secure, ubiquitous, interoperable digital identity solutions since 2005. As a long-time member of the OpenID Board of Directors, he architected the award-winning and globally adopted OpenID Certification program. He chairs the IETF COSE working group. Michael's Ph.D. in Computer Science from Carnegie Mellon University led to a lifelong career in digital identity, computer security, privacy, and networking. He is passionate about mentoring the next generation of identity leaders. His professional Web site is https://self-issued.consulting/; he blogs at https://self-issued.info/ and tweets at @selfissued.