Just dropped our paper on eprint: OpenPubkey
#OpenPubkey adds user-held public keys into OpenID Connect without breaking compatibility. This means users can create digital signatures on the web that are associated with their ID Tokens. Fully signed APIs here we come.
Our protocol is so compatible with existing IDPs that not only have we been using it in production with Google, Okta, and Microsoft IDPs for over a year, but IDPs can't even tell that OpenPubkey is being used!
#openpubkey #OIDC #json #jws #websec
Referenced link: http://cs.co/90013icSc
Originally posted by Duo Security / @duosec@twitter.com: https://twitter.com/duosec/status/1622882869948387328#m
You want #SSO to enable users to sign on to everything. That's why we're excited that Duo SSO support for #OIDC apps is in GA 🙌 Learn how you can help your users seamlessly connect to all their apps: http://cs.co/90013icSc
Referenced link: http://cs.co/9009MhE4L
Originally posted by Duo Security / @duosec@twitter.com: https://twitter.com/duosec/status/1598376381049671709#m
We know you have applications to protect 📱 So we're excited to announce that #OIDC support in Duo #SSO is now in early access. Learn more in our latest blog: http://cs.co/9009MhE4L
In the OpenID Connect spec they call the case in which an ID Token has only one audience in its 'aud' claim "the common special case". That sounds like they expect most people to have one audience, yet they treat the default behavior as a special case. Odd.
#OIDC
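The "common special case" has a practical consequence for anyone validating ID Tokens: the 'aud' claim is a single string when there is one audience and a JSON array otherwise, and a relying party that only handles one of those shapes can silently skip the audience check. The following is an added example (not code from the post or from any IdP library) of an audience check that accepts both shapes, requires the client_id to be present, and, for multi-audience tokens, requires an 'azp' claim equal to the client_id as OIDC Core section 3.1.3.7 recommends. The sample tokens are constructed inline and unsigned; in real use the JWS signature must be verified against the IdP's JWKS before any claim is trusted.

```python
import base64
import json


def decode_payload(token: str) -> dict:
    """Decode the claims segment of a compact JWS (header.payload.signature).

    No signature check is done here: the caller must already have verified the
    signature against the IdP's published keys, otherwise these claims are
    attacker-controlled.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_ok(claims: dict, client_id: str) -> bool:
    """Return True if the token's audience binding is acceptable for client_id.

    Rules implemented (OIDC Core 3.1.3.7, applied as a relying-party check):
    - 'aud' may be a string (one audience, the "common special case") or a list
      of strings; anything else is rejected.
    - client_id must be one of the audiences.
    - With more than one audience, 'azp' must be present and equal client_id.
    - With one audience, an 'azp' claim, if present, must still equal client_id.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return False  # missing or malformed 'aud': reject, never assume
    if client_id not in audiences:
        return False
    azp = claims.get("azp")
    if len(audiences) > 1:
        return isinstance(azp, str) and azp == client_id
    return azp is None or azp == client_id


def make_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token for demonstration only.

    The signature segment is a placeholder; it would never pass a real
    signature check and exists only so decode_payload() has three segments.
    """
    def b64url(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    header = {"alg": "none", "typ": "JWT"}  # constructed header, not from an IdP
    return f"{b64url(header)}.{b64url(claims)}.placeholder-signature"


if __name__ == "__main__":
    # Constructed claim sets covering both 'aud' shapes.
    single = make_sample_token({"iss": "https://idp.example", "aud": "app-123"})
    multi = make_sample_token(
        {"iss": "https://idp.example", "aud": ["app-123", "api-456"], "azp": "app-123"}
    )
    multi_no_azp = make_sample_token(
        {"iss": "https://idp.example", "aud": ["app-123", "api-456"]}
    )
    for label, tok in [("single", single), ("multi", multi), ("multi_no_azp", multi_no_azp)]:
        print(label, audience_ok(decode_payload(tok), "app-123"))
```

The check deliberately rejects a missing or non-string 'aud' instead of falling through, since a token with no audience is the kind of thing an IdP misconfiguration or a forged token would produce, and the relying party should treat it as a hard failure rather than a warning.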
Going to post a survey thread on Mastodon of OpenID Connect attacks and defenses on Sunday. I've been reading RFCs all week.
I want to make sure I don't miss anything good, so send me top-shelf #OIDC/OAuth attacks.