$OIDC^2$: Open Identity Certification with OpenID Connect
Jonas Primbs, Michael Menth

TL;DR
This paper introduces $OIDC^2$, a new user authentication method using short-lived JSON-based certificates called ICTs, enhancing end-to-end security and usability across multiple devices without complex key management.
Contribution
The paper defines the ICT concept for OIDC, proposes protocols for its implementation, and evaluates its performance, offering a practical, user-friendly alternative to traditional certificates.
Findings
ICTs enable end-to-end user authentication without complex key management
$OIDC^2$ improves usability by eliminating installation requirements
Performance evaluation shows practical viability of the approach
Abstract
OpenID Connect (OIDC) is a widely used authentication standard for the Web. In this work, we define a new Identity Certification Token (ICT) for OIDC. An ICT can be thought of as a JSON-based, short-lived user certificate for end-to-end user authentication without the need for cumbersome key management. A user can request an ICT from his OpenID Provider (OP) and use it to prove his identity to other users or services that trust the OP. We call this approach $OIDC^2$ and compare it to other well-known end-to-end authentication methods. Unlike certificates, $OIDC^2$ does not require installation and can be easily used on multiple devices, making it more user-friendly. We outline protocols for implementing $OIDC^2$ based on existing standards. We discuss the trust relationship between entities involved in $OIDC^2$, propose a classification of OPs' trust level, and propose authentication…
Taxonomy
Topics: Access Control and Trust · User Authentication and Security Systems · Advanced Authentication Protocols Security
