
OpenID Connect is based on JWT: http://openid.net/specs/openid-connect-core-1_0.html#IDToken

If JWT is too complicated and confusing, OpenID Connect inherits all that complexity and then adds some more.

OAUTH2+OpenID Connect does not require a consumer or producer to read, parse, or produce a JWT for the single-sign-on flow.

The authentication event is a regular JSON object.

There is no need to validate it since it was received from a server-to-server TLS-protected HTTPS request.

This is not anywhere near as complicated as using JWT for session storage directly.

Well, if you're using the authorization code flow and trust your TLS certification authorities enough, then yeah, it's probably safe, though you'll definitely be violating the spec: http://openid.net/specs/openid-connect-core-1_0.html#CodeFlo...

But if you go as far as not verifying the ID Token, what do you need OpenID Connect for? Just use plain old OAuth 2.0.

There are a lot of convenient things to lift out of OpenID Connect, for example:

* The Discovery URL

* Standardisation in the subject name

* The userinfo endpoint
