$OIDC^2$: Open Identity Certification with OpenID Connect

Jonas Primbs, Michael Menth

TL;DR

OIDC² introduces Identity Certification Tokens (ICTs): JSON-based, short-lived credentials issued by trusted OpenID Providers (OPs) that let users authenticate to each other end-to-end without heavy key management. By extending OpenID Connect with ICT issuance and proof-of-possession (PoP) verification, the approach shifts trust toward the identity providers, while enabling selective, context-bound authentication in video conferencing, instant messaging, and email. The paper formalizes terminology and threat considerations, proposes a three-tier classification of OP trust levels, and demonstrates a lightweight prototype extension to existing OIDC server software, evaluating its performance against the standard token endpoint. If broadly adopted, OIDC² could simplify secure cross-platform user verification while reducing the need for revocation infrastructure and long-term key handling, offering practical gains in usability and privacy for consumer and enterprise applications.

Abstract

OpenID Connect (OIDC) is a widely used authentication standard for the Web. In this work, we define a new Identity Certification Token (ICT) for OIDC. An ICT can be thought of as a JSON-based, short-lived user certificate for end-to-end user authentication without the need for cumbersome key management. A user can request an ICT from his OpenID Provider (OP) and use it to prove his identity to other users or services that trust the OP. We call this approach $OIDC^2$ and compare it to other well-known end-to-end authentication methods. Unlike certificates, $OIDC^2$ does not require installation and can be easily used on multiple devices, making it more user-friendly. We outline protocols for implementing $OIDC^2$ based on existing standards. We discuss the trust relationship between entities involved in $OIDC^2$, propose a classification of OPs' trust level, and propose authentication with multiple ICTs from different OPs. We explain how different applications such as videoconferencing, instant messaging, and email can benefit from ICTs for end-to-end authentication and recommend validity periods for ICTs. To test $OIDC^2$, we provide a simple extension to existing OIDC server software and evaluate its performance.
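The abstract describes two halves of the idea: an OP issues a short-lived, signed identity token that carries a key the user controls, and a peer who trusts that OP verifies the token and then checks that the user really holds the key. The Go program below is an added illustration of that flow, not the paper's own code and not its exact ICT format: the claim layout (RFC 7519 `iss`/`sub`/`iat`/`exp` plus an RFC 7800 `cnf` claim holding the user's P-256 key as a JWK), the ES256 JWS encoding, the issuer URL `https://op.example`, the user `alice`, and the nonce value are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumed claim layout for this example: RFC 7519 registered claims plus an RFC 7800 "cnf" claim
// carrying the user's public key as a JWK. The paper's exact ICT format may differ from this.
type ICTClaims struct {
	Iss string                       `json:"iss"`
	Sub string                       `json:"sub"`
	Iat int64                        `json:"iat"`
	Exp int64                        `json:"exp"`
	Cnf map[string]map[string]string `json:"cnf"` // {"jwk": {"kty","crv","x","y"}}
}

const jwsHeader = `{"alg":"ES256","typ":"JWT"}` // pinned on both sides; "alg" is never read from a token
var b64 = base64.RawURLEncoding

func jwkToPub(j map[string]string) (*ecdsa.PublicKey, error) {
	x, errX := b64.DecodeString(j["x"])
	y, errY := b64.DecodeString(j["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if j["kty"] != "EC" || j["crv"] != "P-256" || errX != nil || errY != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("unsupported or malformed cnf key")
	}
	return pub, nil
}

// JWS ES256: SHA-256 over the input, signature encoded as raw r||s (64 bytes), not ASN.1 DER.
func es256Sign(priv *ecdsa.PrivateKey, data []byte) (string, error) {
	h := sha256.Sum256(data)
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}

func es256Verify(pub *ecdsa.PublicKey, data []byte, sigB64 string) bool {
	sig, err := b64.DecodeString(sigB64)
	h := sha256.Sum256(data)
	return err == nil && len(sig) == 64 && ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// IssueICT (OP side) binds the authenticated user's identity to the public key the user's client presented and signs it with the OP key; a ttl of minutes is what lets the design skip revocation.
func IssueICT(opPriv *ecdsa.PrivateKey, iss, sub string, userPub *ecdsa.PublicKey, now time.Time, ttl time.Duration) (string, error) {
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(userPub.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(userPub.Y.FillBytes(make([]byte, 32)))} // P-256 coordinates are 32 bytes each
	body, _ := json.Marshal(ICTClaims{Iss: iss, Sub: sub, Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Cnf: map[string]map[string]string{"jwk": jwk}})
	input := b64.EncodeToString([]byte(jwsHeader)) + "." + b64.EncodeToString(body)
	sig, err := es256Sign(opPriv, []byte(input))
	return input + "." + sig, err
}

// VerifyICT (peer side) checks the pinned header and the OP signature before parsing any claim, then the trusted issuer and the validity window.
func VerifyICT(token, trustedIss string, opPub *ecdsa.PublicKey, now time.Time) (*ICTClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != b64.EncodeToString([]byte(jwsHeader)) {
		return nil, errors.New("malformed token or unexpected JWS header")
	}
	if !es256Verify(opPub, []byte(parts[0]+"."+parts[1]), parts[2]) {
		return nil, errors.New("bad OP signature")
	}
	var c ICTClaims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if t := now.Unix(); c.Iss != trustedIss || t < c.Iat || t >= c.Exp {
		return nil, errors.New("untrusted issuer or ICT outside its validity window")
	}
	return &c, nil
}

// CheckPossession (peer side) verifies the user's signature over the peer's fresh nonce with the certified cnf key: a stolen ICT without the matching private key proves nothing.
func CheckPossession(c *ICTClaims, nonce []byte, proof string) bool {
	pub, err := jwkToPub(c.Cnf["jwk"])
	return err == nil && es256Verify(pub, nonce, proof)
}

func main() {
	opKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aliceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ict, _ := IssueICT(opKey, "https://op.example", "alice", &aliceKey.PublicKey, time.Now(), 5*time.Minute)
	claims, err := VerifyICT(ict, "https://op.example", &opKey.PublicKey, time.Now())
	nonce := []byte("bob-nonce-7f3a1c")   // constructed; in practice Bob sends fresh random bytes
	proof, _ := es256Sign(aliceKey, nonce) // Alice proves possession of the certified key
	fmt.Println("ICT accepted:", err == nil, "| proof of possession:", CheckPossession(claims, nonce, proof))
}
```

Three design points carry the security argument of the abstract: the verifier never trusts anything in the token before the OP signature checks out (header pinned, `alg` never read), the validity window replaces a revocation check, so the `exp` comparison is the only freshness control and the ttl must stay short, and the nonce must be chosen by the verifying peer for each session, because a signature over a predictable value could be replayed. Verifying a user who presents ICTs from several OPs, as the abstract proposes, is the same `VerifyICT` call repeated once per OP key the peer trusts.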

Paper Structure (41 sections, 9 figures)

Figures (9)

  • Figure 1: OAuth 2.0 protocol flows.
  • Figure 2: OpenID Connect Authentication Flow and trust relationship.
  • Figure 3: Simplified authentication to an AS with OIDC and authorization of a Client with OAuth 2.0.
  • Figure 4: Protocol extension of OIDC².
  • Figure 5: Trust relationship between OIDC²'s entities.
  • ...and 4 more figures