undefined | Better HN

0 pointsunscaled6y ago0 comments

OpenID Connect predates the final JOSE RFCs, but not the drafts. It was not published by IETF, so it allowed itself to refer to internet drafts describing JWT before being released. The JOSE RFCs and Open ID Connect were basically authored by the same people (M. Jones, J. Bradly, N. Sakimura).

0 comments

1 comments · 1 top-level

jogux6y ago

Spot on - in fact over time what we're seeing happen is the authors of the OpenID Connect standards submitting the parts as RFCs to the IETF. The OpenID Foundation is able to move a lot faster than the RFC process whilst coming with similar benefits of protection against patents etc. Obviously there's always speed vs quality tradeoffs, but given the number of interoperable OpenID implementations and the adoption into various openbanking systems (e.g. the UK OpenBanking standards) then it seems like (with the benefit of hindsight) the OpenID Foundation made some good choices.

From example, the request object in OpenID Connect (that can prevent authorization request parameters from tampering) is only just now coming out as an RFC https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19

j / k navigate · click thread line to collapse