In this episode of Identity. Unlocked, principal architect at Auth0 and podcast host, Vittorio Bertocci, focuses on the Self-Issued OpenID Provider specification, also known as SIOP. We are joined today by Kristina Yasuda, Identity Standards Architect at Microsoft and longtime advocate of decentralized Identity.
Kristina opens by enunciating what SIOP is about, in a nutshell: the ability for an end user to present claims about themselves to a relying party (RP) without the need to redirect to an external provider. The scenario is further clarified through the enumeration of key use cases where that ability is useful, such as circumstances in which an external identity provider might cease to exist (as it actually happened in the earthquake/tsunami disaster that hit Japan ten years ago), or no longer be willing to provide service (as it might be the case in situations where democratic rule is under threat).
The original OpenID Core specification predicted the need for the SIOP, codifying it in chapter 7. However, at the time, the scenario was largely theoretical; hence the specification leaves out a number of important details - it is those gaps that SIOP is meant to fill.
One of the most fundamental challenges to solve is the discovery problem, that is to say, the ability of an RP to discover and select a self-issued OP to use to authenticate the user in the current transaction. As a discovery mechanism to invoke a Self-Issued OP, the discussion on the podcast covered the usage of a custom schema 'openid://'. Alternative mechanisms to address the limitations of custom schemas are being actively explored in the WG.
The conversation meanders through deeper details, from how the current SIOP specification draft under the OpenID Foundation picks up the mission from a former attempt under DIF to encoding approaches for verifiable presentations (embedding in JWTs, LD proofs), how to represent attributes (with a mention of eKYC, which we covered in an earlier episode of the show).
As a final thought, Kristina relays that a lot of the work that took place so far in this space aimed at developing data models- and that it's time to flesh out the transport, the protocol aspect of the scenarios.
In closing: the ideal call to action from all this is to implement the specs and give concrete feedback - and if the episode helped clarify the aim and the scenarios SIOP targets, to help spread that clarity and demystify the topic for others!
[3:25] - What is SIOP?
[7:27] - Mechanisms to leverage the relationship between OpenID provider and user.
[8:52] - A look at the original Chapter 7 of OpenID Connect.
[11:10] - Planned revisions for Chapter 7 of OpenID Connect.
[13:35] - On what platform do these DIDs live?
[20:28] - What is the current status of SIOP?
[25:00] - Vittorio’s summary of the episode.
[27:00] - Kristina’s call to action for listeners.
About OpenID Foundation
The OpenID Foundation is a non-profit international standardization organization of individuals and companies committed to enabling, promoting, and protecting OpenID technologies. Formed in June 2007, the foundation serves as a public trust organization representing the open community of developers, vendors, and users. OIDF assists the community by providing needed infrastructure and helps in promoting and supporting the expanded adoption of OpenID. This entails managing intellectual property and brand marks as well as fostering viral growth and global participation in the proliferation of OpenID.
Identity, Unlocked is the podcast that discusses identity specs and trends from a developer perspective. Identity, Unlocked is powered by Auth0. Vittorio Bertocci is Principal Architect at Auth0 and applies his vast knowledge of the identity industry to Auth0 in all aspects of the company, including internal and external education, product innovation, and customer integration.
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.