OpenID Connect RP for Apache 2.x

OpenID Connect is a next-generation federated Single Sign-On protocol, comparable to SAML but much simpler and easier to understand and implement. The standard is developed within the OpenID Foundation and is about to be finished, see http://openid.net/connect/. Proposed Final Specifications were published December 19, 2013 and are currently undergoing public review. Unless recall-class issues are found during the review, this means we'll have final OpenID Connect specifications on Tuesday, February 25, 2014.

Recently I’ve been working on an OpenID Connect module for Apache. This would allow an Apache webserver (or Apache proxy for that matter) to act as an OpenID Connect Relying Party, requiring users to authenticate at a remote OpenID Connect Identity Provider. You may ask “why?” and what this has to do with the Federation at Scale topic that I’ve been blogging about so far.

Well, first of all, I would never think about implementing, for example, SAML or any other XML-based, heavy-weight, old-fashioned federation protocol as an Apache module in plain old C: it is much too cumbersome, error-prone and practically impossible to get right. OpenID Connect is a different story though: the Relying Party side of things (i.e. the Service Provider, as we used to call it in SAML) is extremely easy to implement. I just wanted to test and prove that by doing it in C… OpenID Connect is a truly modern identity protocol that can be implemented across virtually any application and operating system environment out there, ranging from mainframes and heavy-weight enterprise software stacks all the way down to embedded devices (read: Internet of Things). It is the SSO protocol of the future!

Secondly and more importantly: OpenID Connect was designed to scale much better than SAML or WS-Federation allow for today. It has extensions (called Discovery and Dynamic Client Registration) that allow a Relying Party to find an Identity Provider and to register itself with it. That solves one part of the classical connection introduction and maintenance problem that good old SAML has and allows for a more frictionless and less painful federation administration experience. I believe those features are important for a low-touch-maintenance, high-frequency-usage environment such as the Apache platform.

Thirdly and most importantly: the protocol is so simple, elegant and functional that it removes the need for light-weight internal (enterprise) proprietary SSO and integration protocols. This could mean that OpenID Connect becomes the de facto standardized protocol (and in fact REST API) for SSO-enabling application stacks, whether for internal or external (federated) SSO, across different vendor implementations and platforms.

I guess my point is clear by now: in the future all Web SSO may be based on OpenID Connect, scaling up to numbers unseen before, and Apache is surely one of the most important web platforms that will be a part of that.

I’ve added this module to the OpenID Connect Interop event at http://osis.idcommons.net/wiki/OC5:OpenID_Connect_Interop_5, hashing out some interesting interop stuff already. The future looks bright 🙂

Oh, one more thing: the module is called mod_auth_openidc and code, binaries and documentation are on Github:

https://github.com/pingidentity/mod_auth_openidc

Make sure that you read the “README” first and send me your comments.
