CIS13: Introduction to OpenID Connect
Nat Sakimura, Senior Researcher, Information Tech. Research Dept, Nomura Research Institute
OpenID Connect is a layer on top of the OAuth 2.0 protocol that adds critical identity-related information and validation to API interactions. Targeted both towards Web SSO and native application scenarios, OpenID Connect defines all the pieces necessary for an IT department to deliver an industry best practice identity regime based on the OAuth 2.0 protocol. Join Nat Sakimura to find out about ID Tokens, userinfo REST endpoints, dynamic client registration, session management, discovery, and all the other important concepts that OpenID Connect standardizes.

Presentation Transcript

    • OpenID Connect. Nat Sakimura, Chairman (OpenID Foundation), Senior Researcher. C6b. New School Identity Frameworks Panel
    • Identity layer on top of OAuth 2.0 (the base protocol)
    • Q: Identity
    • Identity = set of attributes related to an entity [ISO 29115]
    • Entity vs. Identity
    • Entity: Human, Machine, Service
    • No direct way to perceive a Human
    • Blond/grey, silver-frame glasses, 6’5” tall
    • Entity / Identity diagram: Self Recognition (Sex, Mail, height, Real Name, Nickname, Birthday, Street Address) versus 3rd Party Recognition through a role or relationship (Boy Friend: Sex, height; Friends; Boss: Street Address, Employee number, license, performance). Delta between Self and 3rd Party Recognition = interpersonal problem
    • Man: Identity, Identity, Identity
    • Man: Work, Husband, Father
    • Woman: daughter, mother, wife, girlfriend, colleague, boss, community member, friend
    • YOU: Identity A at Site A, Identity B at Site B, Identity C at Site C
    • Q: Why not just OAuth?
    • OAuth is an Access Granting Protocol: Alice or Cindy can be granted access to Betty’s Profile, but Cindy ≠ Betty and Alice ≠ Betty
    • Facebook extends OAuth with “signed request”; the “ID Token” in OpenID Connect
    • Token Swap Attack
    • Login with Amazon
    • http://blog.chromium.org/2013/07/richer-access-to-google-services-and.html?m=1
    • Signed Request vs. ID Token
      – Signed Request: works only with a single identity provider; proprietary signature format
      – ID Token: works with multiple identity providers; IETF JSON Web Signature
    • ID Token Claims Example
      {
        "iss": "https://server.example.com",
        "sub": "248289761001",
        "aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf",
        "iat": 1311280970,
        "exp": 1311281970,
        "nonce": "n-0S6_WzA2Mj"
      }
    • Stick with OpenID Connect and not “OAuth Authentication”
    • An Identity Layer provides:
      – Who is the user that got authenticated
      – Where was he authenticated
      – When was he authenticated
      – How was he authenticated
      – What attributes he can give you
      – Why he is providing them
    • Interoperable, Simple & Mobile Friendly, Secure, Flexible
    • Interoperable
      – Standard scopes: openid, profile, email, address, phone
      – Method to ask for more granular claims: Request object and claims
      – ID Token: info about the authenticated user
      – UserInfo endpoint: get attributes about the user; translate the tokens
    • Simple & Mobile Friendly: JSON based, REST friendly; in the simplest cases, just copy and paste; mobile & app friendly. E.g., the ID Token is signed JSON:
      {
        "iss": "https://client.example.com",
        "sub": "24400320",
        "aud": "s6BhdRkqt3",
        "nonce": "n-0S6_WzA2Mj",
        "exp": 1311281970,
        "iat": 1311280970,
        "auth_time": 1311280969,
        "acr": "2",
        "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng"
      }
    • Secure
      – ISO/IEC 29115 Entity Authentication Assurance: LoA1, LoA2, LoA3, LoA4
      – Choice of crypto
    • Flexible
      – Granular Request: through Request Object (JSON); Data Minimization
      – Aggregated Claims: does not disclose data recipients to data sources
      – Distributed Claims: decentralized data storage
    • Choice of your provider: can be Google, eBay, AOL, Deutsche Telekom etc. Can be your phone => Self-Issued Provider
    • Details
    • SAML Authentication (analogy). 1. Eve: Who are you? Get me a referral letter. Do not forget about your email! 2. Alice to the notary: Please write me a referral letter. 3. Notary: Here you are. 4. Alice to Eve: Here is the certificate. (Certificate: Name: Alice de Wonderland, Mail: alice@example.com, Notary: Google. Official Google Seal, the Google K.K. seal.)
    • Pseudo-Authentication using OAuth (analogy). 1. Eve: Who are YOU? Give me a valet key to your house. Then I will trust that you are the owner of the house. 2. Alice to the apartment controller: Can you give me a valet key to my house? 3. Apartment controller: Here you are! 4. Alice to Eve: Here is the key!
    • OpenID Connect Authentication (analogy). 1. Eve: Who are you? Get me a referral letter. Do not forget about your email! 2. Alice to the butler: Give Eve the locker key and a referral letter. 3. Butler: Here you are! 4. Alice to Eve: Here you are. (Referral letter: Date: 2011/5/15 11:00:04, Level of Assurance: 2, Verifier: Google, Official Google Seal; plus the locker key.)
    • OpenID Connect's claims aggregation and distributed claims: the locker (UserInfo Endpoint) holds claims gathered from Site X, Site Y and Site Z for Eve, e.g. Name: Alice de Wonderland, DoB: 1989/3/3, Sex: F, Address: 135 Broadway, NY, NY (NY City Official Seal)
    • Applying it to the Enterprise model
    • Entity / Identity diagram (self recognition versus 3rd party recognition, repeated from above)
    • Enterprise identity attributes: Real Name, Professional qualification, department, Geo-location, Employee number. Flow: Entity -> Identity -> Authentication -> Policy Enforcement -> Rules -> Resource
    • ABAC (Attribute Based Access Control), based on the SP 800-162 figure on page viii: identity, Rules, Resource
    • Enterprise identity attributes (Real Name, Professional qualification, department, Geo-location, Employee number) with the ABAC components: Entity, Identity, Authentication, PEP, PDP, PAP, Boss, Metadata, Log, Resource
    • Q: What kind of “Identity” (set of attributes) does an enterprise need?
    • Current Standard Claims won't do
    • UserInfo Claims: sub, name, given_name, family_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, locale, zoneinfo, updated_at, email, email_verified, phone_number, phone_number_verified, address
    • UserInfo Claims Example
      {
        "sub": "248289761001",
        "name": "Jane Doe",
        "given_name": "Jane",
        "family_name": "Doe",
        "email": "janedoe@example.com",
        "email_verified": true,
        "picture": "http://example.com/janedoe/me.jpg"
      }
    • Perhaps we need standard “enterprise” claims
    • SCIM?
    • SCIM Enterprise User Schema Extension
      – employeeNumber – Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.
      – costCenter – Identifies the name of a cost center.
      – organization – Identifies the name of an organization.
      – division – Identifies the name of a division.
      – department – Identifies the name of a department.
      – manager – The User's manager. A complex type that optionally allows Service Providers to represent organizational hierarchy by referencing the "id" attribute of another User.
    • Not Quite.
    • Perhaps we need standard “enterprise” claims
    • Q: When shall I start using OpenID Connect?
    • Timeline: 2nd Implementers Draft Public Review (45 days); 2nd Implementers Draft Vote (14 days); Final Review (60 days); Final (December 2013). “We are here!”
    • Questions?
    • To be continued at … OAuth and OpenID Connect: In the Trenches. Wednesday, July 10, 4:00 – 5:30 PM, Salon C/D/E
    • Details …
    • Working Together: OpenID Connect
    • Working Group Members. Key working group participants:
      – Nat Sakimura – Nomura Research Institute – Japan
      – John Bradley – Ping Identity – Chile
      – Breno de Medeiros – Google – US
      – Axel Nennker – Deutsche Telekom – Germany
      – Torsten Lodderstedt – Deutsche Telekom – Germany
      – Roland Hedberg – Umeå University – Sweden
      – Andreas Åkre Solberg – UNINETT – Norway
      – Chuck Mortimore – Salesforce – US
      – Brian Campbell – Ping Identity – US
      – George Fletcher – AOL – US
      – Justin Richer – Mitre – US
      – Nov Matake – Independent – Japan
      – Mike Jones – Microsoft – US
      By no means an exhaustive list!
    • Design Philosophy: Simple Things Simple, Complex Things Possible
    • Simple Things Simple: UserInfo endpoint for simple claims about the user; designed to work well on mobile phones
    • How We Make It Simple
      – Build on OAuth 2.0
      – Use JavaScript Object Notation (JSON)
      – Build only the pieces that you need
      – Goal: easy implementation on all modern development platforms
    • Complex Things Possible: Encrypted Claims, Aggregated Claims, Distributed Claims
    • A Look Under the Covers: ID Token, Claims Requests, UserInfo Claims, Example Protocol Messages
    • OpenID Connect Authentication (analogy, with Bob as the relying party). 1. Bob: Who are you? Get me a referral letter. Do not forget about your email! 2. Alice to the butler: Give Bob the locker key and a referral letter. 3. Butler: Here you are! 4. Alice to Bob: Here you are. (Referral letter = ID Token: Date: 2011/5/15 11:00:04, Level of Assurance: 2, Verifier: Google, Official Google Seal. Locker key = Access Token.)
    • ID Token: JWT representing the logged-in session. Claims:
      – iss – Issuer
      – sub – Identifier for subject (user)
      – aud – Audience for ID Token
      – iat – Time token was issued
      – exp – Expiration time
      – nonce – Mitigates replay attacks
      – at_hash – Left hash of the access token
      – azp – Authorized Party
    • ID Token Claims Example
      {
        "iss": "https://server.example.com",
        "sub": "alice",
        "aud": "https://bob.example.com",
        "iat": 1311280970,
        "exp": 1311281970,
        "nonce": "n-0S6_WzA2Mj",
        "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng",
        "azp": "https://cindy.example.com/"
      }
    • at_hash makes the ID Token a detached signature for the access token
    • azp allows the token to be used by another party (Site X, Cindy, Bob: ID Token, Access Token)
    • Using the Access Token only for Authentication is Dangerous (analogy). 1. Eve: Who are you? Get me a referral letter. Do not forget about your email! 2. Alice to the butler: Give Eve the locker key and a referral letter. 3. Butler: Here you are! 4. Alice to Eve: Here you are. (Only the Access Token is handed over, so Eve can replay it elsewhere.)
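The relying-party checks behind the ID Token slides, as an added example in Python that is not code from the deck: iss, aud, azp, exp and nonce are compared with what this client expects, and at_hash is recomputed from the delivered access token so a swapped-in token is rejected. It assumes the JWS signature was already verified; `validate_id_token`, `is_valid` and the `expected_azp` parameter are names chosen for this example.

```python
import base64
import hashlib
import time


def at_hash(access_token, hash_alg="sha256"):
    """Left half of the access token's hash, base64url-encoded without padding
    (the at_hash rule for an ID Token signed with a SHA-256 based algorithm)."""
    digest = hashlib.new(hash_alg, access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")


def validate_id_token(claims, issuer, client_id, nonce, access_token=None,
                      expected_azp=None, now=None):
    """Check decoded ID Token claims against what this relying party expects.
    Assumes the JWS signature was already verified. Returns the subject (sub)
    on success and raises ValueError on any mismatch."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss: token was not issued by the expected provider")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("aud: token was issued for another relying party")
    # azp names the party the token was issued to; when present it must be the
    # party we expect (by default ourselves).
    if "azp" in claims and claims["azp"] != (expected_azp or client_id):
        raise ValueError("azp: unexpected authorized party")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("exp: token has expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce: token does not belong to this login attempt")
    if access_token is not None:
        # at_hash binds the ID Token to the access token delivered with it, so an
        # access token swapped in from elsewhere fails this comparison.
        if claims.get("at_hash") != at_hash(access_token):
            raise ValueError("at_hash: access token does not match the ID Token")
    return claims["sub"]


def is_valid(*args, **kwargs):
    """Boolean convenience wrapper around validate_id_token."""
    try:
        validate_id_token(*args, **kwargs)
        return True
    except (ValueError, KeyError):
        return False
```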
    • OpenID Connect's claims aggregation and distributed claims: the locker (UserInfo Endpoint) holds claims gathered from Site X, Site Y and Site Z for Bob, e.g. Name: Alice de Wonderland, DoB: 1989/3/3, Sex: F, Address: 135 Broadway, NY, NY (NY City Official Seal)
    • Aggregated Claims: Data Sources send Signed Claims to the Identity Provider, which passes the Claim Values on to the Relying Party
    • Distributed Claims: the Identity Provider gives the Relying Party Claim Refs, and the Relying Party fetches the Signed Claims from the Data Sources
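How a relying party expands the two claim styles from a UserInfo response, as an added example (not code from the deck) using the `_claim_names` / `_claim_sources` members that OpenID Connect Core defines for aggregated and distributed claims. The sample UserInfo document, the `make_sample_jwt` helper and the `payload_unverified` placeholder verifier are constructed for this example.

```python
import base64
import json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_sample_jwt(payload):
    # Constructed sample token: real data sources sign their claims; the third
    # segment here is a placeholder, not a valid JWS signature.
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.placeholder-signature"

def payload_unverified(token):
    # Placeholder for a real JWS verifier: decodes the payload WITHOUT checking
    # the signature. Verify against the data source's key before trusting claims.
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def resolve_claims(userinfo, fetch_claims_jwt, verify_jwt=payload_unverified):
    """Expand _claim_names/_claim_sources of a UserInfo response into plain claims.
    Aggregated: the source's signed JWT travels inline. Distributed: only a reference
    (endpoint plus access token) travels, and fetch_claims_jwt follows it."""
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    resolved = {k: v for k, v in userinfo.items()
                if k not in ("_claim_names", "_claim_sources")}
    for claim, source_name in names.items():
        source = sources.get(source_name)
        if source is None:
            raise ValueError(f"claim {claim!r} points at unknown source {source_name!r}")
        if "JWT" in source:             # aggregated claim
            token = source["JWT"]
        elif "endpoint" in source:      # distributed claim
            token = fetch_claims_jwt(source["endpoint"], source.get("access_token"))
        else:
            raise ValueError(f"source {source_name!r} is neither aggregated nor distributed")
        payload = verify_jwt(token)
        if claim not in payload:
            raise ValueError(f"source {source_name!r} did not supply {claim!r}")
        resolved[claim] = payload[claim]
    return resolved

# Constructed sample in the shape of the slide: the address is aggregated from
# NY City, the birthdate is distributed via a claims endpoint at a second source.
SAMPLE_USERINFO = {
    "sub": "alice", "name": "Alice de Wonderland",
    "_claim_names": {"address": "nyc", "birthdate": "registry"},
    "_claim_sources": {
        "nyc": {"JWT": make_sample_jwt({"address": "135 Broadway, NY, NY"})},
        "registry": {"endpoint": "https://registry.example.com/claims", "access_token": "constructed-access-token"}}}
```

The `fetch_claims_jwt` argument is where the HTTPS call to the distributed-claims endpoint goes; the data source answers with a JWT that is verified the same way as an aggregated one.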
    • Claims Requests. Basic requests are made using OAuth scopes:
      – openid – Declares the request is for OpenID Connect
      – profile – Requests default profile info
      – email – Requests email address & verification status
      – address – Requests postal address
      – phone – Requests phone number & verification status
      – offline_access – Requests Refresh Token issuance
      Requests for individual claims can be made using the JSON “claims” request parameter
    • Request Object
    • You can register it at registration time: request_uri (Personally Recommended)
    • Authorization Request Example
      https://server.example.com/authorize
        ?response_type=token%20id_token
        &client_id=0acf77d4-b486-4c99-bd76-074ed6a64ddf
        &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb
        &scope=openid%20profile
        &state=af0ifjsldkj
        &nonce=n-0S6_WzA2Mj
    • Authorization Response Example
      HTTP/1.1 302 Found
      Location: https://client.example.com/cb
        #access_token=mF_9.B5f-4.1JqM
        &token_type=bearer
        &id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z
        &expires_in=3600
        &state=af0ifjsldkj
    • UserInfo Request Example
      GET /userinfo?schema=openid HTTP/1.1
      Host: server.example.com
      Authorization: Bearer mF_9.B5f-4.1JqM
    • OpenID Connect Specs Overview
    • Resources
      – OpenID Connect – http://openid.net/connect/
      – OpenID Connect Working Group Mailing List – http://lists.openid.net/mailman/listinfo/openid-specs-ab
      – OpenID Connect Interop Wiki – http://osis.idcommons.net/
      – OpenID Connect Interop Mailing List – http://groups.google.com/group/openid-connect-interop
      – Mike Jones’ Blog – http://self-issued.info/
      – Nat Sakimura’s Blog – http://nat.sakimura.org/
      – John Bradley’s Blog – http://www.thread-safe.com/
    • Current Status: waiting for dependencies to be completed
      – JWS, JWE, JWA, JWK – IETF JOSE WG
      – JSON Web Token (JWT) – IETF OAuth WG
      – WebFinger – IETF Apps WG
    • Interop testing underway: AOL, Google, IBM, Layer 7, Mitre, NRI, @nov, Orange, eBay, Gluu, Ping Identity, GÉANT, @ritou, Emmanuel Raviart. 120+ feature tests, 14 implementations
    • Start Building
    • Start Building Now!
    • http://nat.sakimura.org/