Today the OpenID Foundation A/B Connect Working Group adopted the OpenID Provider Commands draft that I created with Karl McGuinness as a working group item. OP Commands introduces a standardized set of commands that empower OpenID Providers (OPs) to manage user accounts directly at Relying Parties (RPs). The suite of commands enables management of the full identity lifecycle as defined in ISO 24760-1 §7.2. In addition, an unauthorize command is defined that an OP can send to an RP to terminate all access to a resource if an account is suspected of having been compromised.
Motivation Behind OP Commands
Our primary motivation behind creating OP Commands was to provide a simple path for B2B SaaS apps to enable their customers to centrally manage application access and authorization. Unlike the System for Cross-domain Identity Management (SCIM) protocol, which necessitates setting up an OAuth server to authorize SCIM endpoints, OP Commands leverage existing OpenID Connect authentication mechanisms. This means that SaaS applications already supporting OpenID Connect can implement OP Commands without the additional overhead of configuring a separate OAuth server, simplifying integration and reducing maintenance efforts.
OP Commands could also be used in B2C apps to improve security and privacy. The user’s OP could send the unauthorize command to all RPs if the user’s account had been taken over, and the user could centrally delete their data at RPs from their OP.
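To make the two points above concrete (an RP reusing the trust it already has in its OP, and the unauthorize command cutting off all access at once), here is an added illustration written for this post. It is not code from the draft, from Hellō, or from any project; the wire format it assumes (a compact JWT signed with the RP's client_secret using HS256, carrying iss, aud, sub, exp, jti and a command claim), the issuer and client identifiers, and the lifecycle command names are all constructed for the demo. The RP validates a command token with the same checks it already applies to ID tokens, rejects replays by jti, and on unauthorize clears every session for the subject so no further access is possible until the OP says otherwise.

```python
import base64
import hashlib
import hmac
import json
import time

# All names and the wire format here are assumptions for this demo, not the
# draft's: a command is a compact JWT signed with the RP's client_secret
# (HS256, an algorithm OIDC already permits for ID tokens) carrying
# iss, aud, sub, iat, exp, jti and a "command" claim.
CLIENT_ID = "rp-app-123"               # constructed RP client_id
CLIENT_SECRET = b"constructed-demo-secret"
TRUSTED_ISSUER = "https://op.example"  # constructed OP issuer
LIFECYCLE_COMMANDS = {"activate", "suspend", "reactivate",
                      "archive", "restore", "delete"}  # assumed command names
KNOWN_COMMANDS = LIFECYCLE_COMMANDS | {"unauthorize"}
STATUS_AFTER = {"activate": "active", "reactivate": "active", "restore": "active",
                "suspend": "suspended", "archive": "archived",
                "unauthorize": "unauthorized"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_command_token(command, sub, jti, now=None):
    """OP side (demo): sign a command addressed to one subject at this RP."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": TRUSTED_ISSUER, "aud": CLIENT_ID, "sub": sub,
              "iat": now, "exp": now + 300, "jti": jti, "command": command}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_command_token(token, now=None):
    """RP side: the same checks an RP already applies to an ID token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":   # pin the algorithm; never honour "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not addressed to this RP")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("command") not in KNOWN_COMMANDS:
        raise ValueError("unknown command")
    if not isinstance(claims.get("jti"), str):
        raise ValueError("missing jti")
    return claims


class RelyingParty:
    """Toy RP account store with the command endpoint wired in."""

    def __init__(self):
        self.accounts = {}     # sub -> {"status": str, "sessions": set()}
        self.seen_jti = set()  # replay protection for command tokens

    def login(self, sub, session_id):
        acct = self.accounts.setdefault(sub, {"status": "active", "sessions": set()})
        if acct["status"] != "active":
            return False
        acct["sessions"].add(session_id)
        return True

    def handle_command(self, token, now=None):
        """Verify, then apply. Returns the subject's resulting status."""
        claims = verify_command_token(token, now=now)
        if claims["jti"] in self.seen_jti:
            raise ValueError("replayed command")
        self.seen_jti.add(claims["jti"])
        acct = self.accounts.get(claims["sub"])
        if acct is None:
            return "unknown_subject"
        cmd = claims["command"]
        if cmd == "delete":
            del self.accounts[claims["sub"]]
            return "deleted"
        if cmd != "activate":
            acct["sessions"].clear()   # unauthorize/suspend/archive: drop all access now
        acct["status"] = STATUS_AFTER[cmd]
        return acct["status"]
```

The only secret involved is the client_secret the RP already holds from its OpenID Connect registration, which is the point the post makes against SCIM's separate authorization server; in a deployment using RS256 ID tokens the signature check would instead use the OP's JWKS, and the rest of the validation is unchanged. The jti set should be persisted for at least the token lifetime, otherwise a captured unauthorize or delete token could be replayed after a restart.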
We will be implementing early drafts of OpenID Provider Commands for our customers using Hellō for B2B SaaS to try out and plan on deploying that in production for our customers to offer their customers centralized account lifecycle management.
If you are interested in following the sausage making of turning the draft into a standard, you can subscribe to the mailing list. If you want to contribute, you will need to sign the OpenID Foundation IPR agreement. Note that you do not need to be a member of the Foundation to participate, but being a member allows you to vote on Foundation matters!
You can also listen to Karl and me in the upcoming Episode 99 of the Identerati Office Hours hosted by Gluu on March 17.