Paper 2023/296

OpenPubkey: Augmenting OpenID Connect with User held Signing Keys

Ethan Heilman, BastionZero
Lucie Mugnier, BastionZero
Athanasios Filippidis, BastionZero
Sharon Goldberg, BastionZero
Sebastien Lipman, BastionZero
Yuval Marcus, BastionZero
Mike Milano, BastionZero
Sidhartha Premkumar, BastionZero
Chad Unrein, BastionZero
John Merfeld, BastionZero

OpenPubkey makes a client-side modification to OpenID Connect so that an ID Token issued by an OpenID Provider commits to a user held public key. This transforms an ID Token into a certificate that cryptographically binds an OpenID Connect identity to a public key. We call such an ID Token, a PK Token. The user can then sign messages with their signing key and these signatures can be authenticated and attributed to the user’s OpenID Connect identity. This allows OpenPubkey to upgrade OpenID Connect from Bearer Authentication to Proof-of-Possession, eliminating trust assumptions in OpenID Connect and defeating entire categories of attacks present in OpenID Connect. OpenPubkey was designed to satisfy a decade-long need for this functionality. Prior to OpenPubkey, OpenID Connect did not have a secure way for users to sign statements under their OpenID identities. OpenPubkey is transparent to users and OpenID Providers. An OpenID Provider can not even determine that OpenPubkey is being used. This makes OpenPubkey fully compatible with existing OpenID Providers. In fact a variant of OpenPubkey is currently deployed and used to authenticate signed messages and identities for users with accounts on Google, Microsoft, Okta, and Onelogin. OpenPubkey does not add new trusted parties to OpenID Connect and reduces preexisting trust assumptions. If used in tandem with our MFA-cosigner, OpenPubkey can maintain security even against a malicious OpenID Provider (the most trusted party in OpenID Connect).

Note: Minor updates to authors, fixes links to open source project

Available format(s)
Cryptographic protocols
Publication info
Contact author(s)
ethan r heilman @ gmail com
lucie @ bastionzero com
thanos @ bastionzero com
goldbe @ bastionzero com
sebby @ bastionzero com
yuval @ bastionzero com
mbmilano @ bastionzero com
chad @ bastionzero com
2024-04-10: last of 5 revisions
2023-02-27: received
See all versions
Short URL
Creative Commons Attribution


      author = {Ethan Heilman and Lucie Mugnier and Athanasios Filippidis and Sharon Goldberg and Sebastien Lipman and Yuval Marcus and Mike Milano and Sidhartha Premkumar and Chad Unrein and John Merfeld},
      title = {OpenPubkey: Augmenting OpenID Connect with User held Signing Keys},
      howpublished = {Cryptology ePrint Archive, Paper 2023/296},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.