Introduction to the Emerging JSON-Based Identity and Security Protocols
A quick(ish) technical introduction, presented at Gluecon 2013, to some aspects of JOSE (JWS, JWE, JWK) and JSON Web Token (JWT), OAuth 2.0 and OpenID Connect.

    Presentation Transcript

    • An Introduction to the Emerging JSON-Based Identity and Security Protocols
      Brian Campbell (@weeUnquietMind) presents, Glue Conference 2013. Slides: http://is.gd/1qoMXG
      As Portfolio Architect for Ping Identity, Brian Campbell aspires to one day know what a Portfolio Architect actually does for a living. In the meantime, he tries to make himself useful by building software systems such as Ping's flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee (SAML) and a current focus on OAuth 2.0, JOSE and OpenID Connect. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.
    • Agenda
      – Backstory, with a quick SAML intro/refresher
      – Technical overview of the new(ish) JSON-based protocols
        • URL safe base64 encoding
        • JOSE intro: JWS, JWE (just a wee bit), JWT, JWK
        • A slice of OAuth 2.0
        • A bit of OpenID Connect
    • Quick SAML Refresher
      – Security Assertion Markup Language
      – XML-based framework that allows identity and security information to be shared across security domains
      – Primarily used for cross domain Web browser single sign-on
      – Assertion is a (usually signed, sometimes encrypted) security token
      – Enterprisy reputation
      – Paying my bills for nearly a decade
    • "one of the leading visionaries and analysts in the computer industry" declared that… SAML is DEAD! (Craig Burton)
    • WTF "SAML is dead"? I've got a mortgage to pay… Beer is still alive though… *Disclaimer: I work with these guys
    • The News Traveled Fast Beyond the Conference Walls (SAML)
    • Death isn't So Bad
      "on your deathbed, you will receive total consciousness."
      Some qualification / clarification was offered (http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/):
      Burton said: "SAML is the Windows XP of Identity. No funding. No innovation. People still use it. But it has no future." And added, "There is no future for SAML. No one is putting money into SAML development. NO ONE is writing new SAML code. SAML is dead."
      And then he reiterated for the hard of understanding: "SAML is dead does not mean SAML is bad. SAML is dead does not mean SAML isn't useful. SAML is dead means SAML is not the future."
      And I've got 29 ½ years of mortgage payments left and kids in private school, so maybe I should find out what *is* the future…
    • The Future
      European Identity and Cloud Conference: '"Best Innovation/New Standard in Information Security" went to OpenID Connect for "Providing the Consumerization of SAML. Driving the adoption of federation and making this much simpler."'
      'OpenID Connect is a simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications. Its design philosophy is "make simple things simple and make complicated things possible."'
      [Image: three nerds holding a blurry piece of paper...] *Disclaimer: I also work with this guy
    • WebFinger
    • base64url
      – It's like regular base64 but better!
        • Both are a means of encoding binary data in an ASCII string format
        • Each 6 bits -> 1 character
        • 3 bytes -> 4 characters
      – Uses a URL safe alphabet rather than the almost URL safe alphabet of regular base64
        • "-" rather than "+"
        • "_" rather than "/"
        • Padding "=" is typically omitted
      – A remaining unreserved URI character: "." (this will be important later)
    • JOSE
      – Javascript Object Signing and Encryption
      – IETF Working Group: JWS, JWE, JWK, JWA
    • JWS
      – JSON Web Signature
      – A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding
        • Encoded segments are concatenated with a "."
      – Intended for space constrained environments such as HTTP Authorization headers and URI query parameters
      – Conceptually simple: Header.Payload.Signature
    • JWS Header
      – A bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value
      – Reserved Header Parameter Names
        • "alg": Algorithm
          – HMAC using SHA-XXX: HS256, HS384, HS512
          – RSA using SHA-XXX: RS256, RS384, RS512
          – ECDSA using P-XXX and SHA-XXX: ES256, ES384, ES512 (P-521)
          – None
          – Also extensible
        • "kid": Key ID
        • "jku": JWK Set URL
        • "jwk": JSON Web Key
        • "x5u": X.509 URL
        • "x5t": X.509 Certificate Thumbprint
        • "x5c": X.509 Certificate Chain
        • "typ": Type
        • "cty": Content Type
      – Header example: "I signed this thing with RSA-SHA256 using key ID of 9er and you can find the corresponding public key at https://www.example.com/jwk"
        {"alg":"RS256", "kid":"9er", "jku":"https://www.example.com/jwk"}
    • JWS Example
      Payload -> USA #1!
      base64url encoded payload -> VVNBICMxIQ
      Header (going to sign with ECDSA P-256 SHA-256) -> {"alg":"ES256"}
      base64url encoded header -> eyJhbGciOiJFUzI1NiJ9
      Secured Input -> eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ
      base64url encoded signature over the Secured Input -> Y3xOwO2E99asvYvmAB-r37ikzgIzC6Kgu04_kBVrPizicWZ4lYTk3b7g5uHz0r6bi1U0Tg4eFwZWPAelrMMzkw
      JWS Compact Serialization -> eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ.Y3xOwO2E99asvYvmAB-r37ikzgIzC6Kgu04_kBVrPizicWZ4lYTk3b7g5uHz0r6bi1U0Tg4eFwZWPAelrMMzkw
      Which you can think of sort of like: {"alg":"ES256"}.USA #1!.<SIGNATURE>
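An added example (not from the slides) that reproduces the base64url encoding and the Header.Payload.Signature construction above using only the standard library. HS256 stands in for the slide's ES256, which needs an EC library; the demo key is constructed, and the algorithm allowlist is my own addition to show how a verifier refuses "alg":"none".

```python
import base64
import hashlib
import hmac
import json

# Added example, not from the slides: JWS compact serialization in the stdlib.
# HS256 stands in for the slide's ES256 (which needs an EC library).
ALLOWED_ALGS = {"HS256": hashlib.sha256}  # "none" is deliberately absent


def b64url_encode(data: bytes) -> str:
    """base64url: '-' and '_' instead of '+' and '/', and no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Put the omitted '=' padding back before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(payload: bytes, key: bytes, alg: str = "HS256") -> str:
    """Build Header.Payload.Signature; the MAC covers the encoded segments."""
    header = json.dumps({"alg": alg}, separators=(",", ":")).encode()
    secured_input = f"{b64url_encode(header)}.{b64url_encode(payload)}"
    mac = hmac.new(key, secured_input.encode("ascii"), ALLOWED_ALGS[alg]).digest()
    return f"{secured_input}.{b64url_encode(mac)}"


def jws_verify(token: str, key: bytes) -> bytes:
    """Return the payload if the MAC verifies; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization has exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    # The token does not get to choose the algorithm: enforce the allowlist,
    # which also rejects "alg":"none" and signature-less tokens.
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"disallowed alg {alg!r}")
    secured_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, secured_input, ALLOWED_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    return b64url_decode(payload_b64)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed; use a random key in practice
    token = jws_sign(b"USA #1!", demo_key)
    print(token)
    print(jws_verify(token, demo_key))
```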
    • Some Strengths of JWS
      – Simple [relatively]
      – Compact
      – No canonicalization
      – Entirely Web safe alphabet
    • JWE
      – JSON Web Encryption
      – Similar in motivation and design to JWS but for encrypting content
        • Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag
      – More complicated
        • More headers: "alg": Algorithm (key wrap or agreement), "enc": Encryption Method (authenticated encryption only), "zip": Compression Algorithm, and more
        • More options and variations
        • More parts
    • JWT
      – JSON Web Token
      – Suggested pronunciation: "jot"
      – Compact URL-safe means of representing claims to be transferred between two parties
      – A JWT is a JWS and/or JWE with JSON claims as the payload
    • JWT Claims
      – A piece of information asserted about a subject (or the JWT itself). Here, claims are represented as name/value pairs, consisting of a Claim Name and a Claim Value (which can be any JSON object).
      – Reserved Claim Names
        • "iss": Issuer
        • "sub": Subject
        • "aud": Audience
        • "exp": Expiration Time
        • "nbf": Not Before
        • "iat": Issued At
        • "jti": JWT ID
        • "typ": Type
    • JWT Example
      The JSON claims of a JWT saying that the subject is Brian, the JWT was issued by https://idp.example.com, expires at such and such a time, and is intended for consumption by https://sp.example.org (+ a few other things) would look like this:
      {"iss":"https://idp.example.com","exp":1357255788,"aud":"https://sp.example.org","jti":"tmYvYVU2x8LvN72B5Q_EacH._5A","acr":"2","sub":"Brian"}
      Which becomes the JWS payload.
      JWS Header saying it's signed with ECDSA P-256 SHA-256 -> {"alg":"ES256"}
      And the whole JWT -> eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwiZXhwIjoxMzU3MjU1Nzg4LCJhdWQiOiJodHRwczpcL1wvc3AuZXhhbXBsZS5vcmciLCJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLCJhY3IiOiIyIiwic3ViIjoiQnJpYW4ifQ.2htJZOHbuk2kpQUnfwcLrfqtKuhY8vJP8KU4O9pFBiea4fvpUHQK68M_yQj74EiBHruaarDGnpwaFrOtdbN06A
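An added example, not part of the slides, showing the claim checks a relying party applies to the JWT above once the JWS signature has been verified. The token is the slide's own; the clock value is passed in so the expiry check is reproducible, and the optional jti replay set is my addition.

```python
import base64
import json

# Added example, not from the slides: relying-party checks on the slide's JWT
# claims. Signature verification (JWS) must already have succeeded.
SLIDE_JWT = (
    "eyJhbGciOiJFUzI1NiJ9."
    "eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwiZXhwIjoxMzU3MjU1Nzg4LCJhdWQiOiJodHRwczpcL1wvc3AuZXhhbXBsZS5vcmciLCJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLCJhY3IiOiIyIiwic3ViIjoiQnJpYW4ifQ."
    "2htJZOHbuk2kpQUnfwcLrfqtKuhY8vJP8KU4O9pFBiea4fvpUHQK68M_yQj74EiBHruaarDGnpwaFrOtdbN06A"
)


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the claim set (second segment). This does NOT check the signature;
    verify the JWS first and only then act on these values."""
    _header, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def validate_claims(claims, expected_iss, expected_aud, now, seen_jti=None, skew=0):
    """Return a list of problems; an empty list means the claims are acceptable."""
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss is not the trusted issuer")
    aud = claims.get("aud")                      # a string or a list of strings
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not name this relying party")
    if not isinstance(claims.get("exp"), int):
        problems.append("exp missing")
    elif now >= claims["exp"] + skew:            # exp is absolute (seconds since epoch)
        problems.append("token expired")
    if "nbf" in claims and now < claims["nbf"] - skew:
        problems.append("token not yet valid")
    if not claims.get("sub"):
        problems.append("sub missing")
    if seen_jti is not None:                     # optional one-time-use enforcement
        jti = claims.get("jti")
        if jti is None or jti in seen_jti:
            problems.append("jti missing or already seen (replay)")
        elif not problems:
            seen_jti.add(jti)
    return problems


if __name__ == "__main__":
    claims = jwt_claims(SLIDE_JWT)
    print(claims)
    print(validate_claims(claims, "https://idp.example.com",
                          "https://sp.example.org", now=1357255700))
```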
    • JWT alongside a comparable SAML Assertion
      JWT:
      eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwiZXhwIjoxMzU3MjU1Nzg4LCJhdWQiOiJodHRwczpcL1wvc3AuZXhhbXBsZS5vcmciLCJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLCJhY3IiOiIyIiwic3ViIjoiQnJpYW4ifQ.2htJZOHbuk2kpQUnfwcLrfqtKuhY8vJP8KU4O9pFBiea4fvpUHQK68M_yQj74EiBHruaarDGnpwaFrOtdbN06A
      SAML Assertion:
      <Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <Issuer>https://idp.example.com</Issuer>
        <ds:Signature>
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
            <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
              <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
        </ds:Signature>
        <Subject>
          <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
          <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
          </SubjectConfirmation>
        </Subject>
        <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
          <AudienceRestriction>
            <Audience>https://sp.example.org</Audience>
          </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
          <AuthnContext>
            <AuthnContextClassRef>2</AuthnContextClassRef>
          </AuthnContext>
        </AuthnStatement>
      </Assertion>
    • JWK
      – JSON Web Key
      – JSON representation of public keys with some metadata
        • RSA & Elliptic Curve
        • JWK & JWK Set
    • JWK Parameters and Example
      {"keys":[
        {"kty":"EC","crv":"P-256","x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4","y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM","kid":"9er"},
        {"kty":"RSA","n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw","e":"AQAB","kid":"7ish"}
      ]}
      – Common parameters: "kty": Key Type, "use": Key Use, "alg": Algorithm, "kid": Key ID
      – RSA: "n": Modulus, "e": Exponent
      – EC: "crv": Curve (P-256, P-384, P-521), "x": X Coordinate, "y": Y Coordinate
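An added example, not from the slides, that decodes the P-256 key above from its JWK "x"/"y" coordinates and confirms the point actually lies on the curve, which a verifier should do before trusting a received JWK for ES256. The curve constants are the NIST P-256 values; the helper names are my own.

```python
import base64

# Added example, not from the slides: parse the slide's EC JWK and validate the
# public point before use. Constants are NIST P-256 (FIPS 186-4).
SLIDE_EC_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "kid": "9er",
}
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
COORD_BYTES = {"P-256": 32, "P-384": 48, "P-521": 66}  # fixed width per curve


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_ec_point(jwk: dict) -> tuple:
    """Return (x, y) as integers, rejecting keys whose shape does not match crv."""
    if jwk.get("kty") != "EC":
        raise ValueError("kty is not EC")
    size = COORD_BYTES.get(jwk.get("crv"))
    if size is None:
        raise ValueError(f"unsupported crv {jwk.get('crv')!r}")
    xb, yb = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    # Coordinates are big-endian octet strings of the curve's fixed width.
    if len(xb) != size or len(yb) != size:
        raise ValueError("coordinate length does not match crv")
    return int.from_bytes(xb, "big"), int.from_bytes(yb, "big")


def on_p256(x: int, y: int) -> bool:
    """True iff (x, y) satisfies y^2 = x^3 - 3x + b (mod p) with x, y in range."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def load_p256_jwk(jwk: dict) -> tuple:
    """Parse and validate in one step; only then is the key usable for ES256."""
    if jwk.get("crv") != "P-256":
        raise ValueError("this checker only knows P-256")
    x, y = jwk_ec_point(jwk)
    if not on_p256(x, y):
        raise ValueError("point is not on P-256")
    return x, y


if __name__ == "__main__":
    print(load_p256_jwk(SLIDE_EC_JWK))
```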
    • Side by Side: JWK & X.509 Certificate
      X.509 Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 01:3c:05:fe:51:4b
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C=AU, O=Skull and Bones, CN=Brians Key
          Validity
              Not Before: Jan 4 14:36:58 2013 GMT
              Not After : Jan 6 14:36:58 2013 GMT
          Subject: C=AU, O=Skull and Bones, CN=Brians Key
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (2048 bit)
                  Modulus (2048 bit):
                      00:83:aa:49:64:72:a1:0d:a6:93:ee:e8:6a:3a:94:26:6e:3d:1d:8a:3a:5f:2e:31:b8:78:76:4f:58:6d:92:4a:a1:e0:40:1f:ce:d5:8c:b7:1b:93:03:c5:65:79:98:89:41:c5:2e:73:e4:b8:81:1f:d6:ae:74:0e:29:0f:04:f9:80:45:23:e9:38:bf:b6:79:c5:3e:cd:53:8f:59:e7:82:b8:cb:4f:73:0e:6d:84:13:b3:67:e0:f0:94:d6:95:ef:f0:3d:ec:cc:21:82:a2:64:cc:e8:d9:37:b6:e9:ac:10:2a:ef:d0:52:e2:5f:c4:67:f1:fb:88:35:9d:39:ae:5d:45:27:d1:21:9f:33:18:f3:a5:6f:13:20:b4:b9:58:dd:8e:93:82:9c:28:6a:65:a0:a4:46:0a:72:5e:e5:93:0e:21:50:a8:4e:1b:c2:15:e6:b7:77:23:de:9a:b8:63:a2:53:3e:a3:e5:6f:6a:dd:f4:57:c4:c4:8d:d3:84:e7:3f:44:f3:66:5c:66:59:0e:df:bf:88:d6:3d:ba:a5:dd:6e:c7:29:cb:ac:94:b0:c9:9f:7e:41:f4:d3:ea:cf:bd:8a:13:c2:a5:ad:67:96:9e:60:3c:a1:19:eb:29:14:18:a6:cc:e6:9b:8f:f2:49:c1:bb:ab:bb:d2:a0:d1:96:ad:92:2f
                  Exponent: 65537 (0x10001)
      Signature Algorithm: sha1WithRSAEncryption
          24:50:50:de:c3:94:f0:e8:32:88:a4:6c:36:c3:f3:b0:59:dc:56:39:dd:36:0d:68:2b:3f:4d:4c:de:ef:f4:ff:23:ba:a9:a3:3c:c8:29:41:21:0e:d3:94:89:a8:de:c8:f2:1f:10:4e:57:16:5c:7a:36:2c:5c:df:2e:ff:cf:7e:9e:1e:6b:26:7b:ee:b2:8a:68:29:cb:7a:b1:86:a8:a8:ba:94:b4:6d:ab:79:52:6e:84:39:1f:28:35:b9:ee:ec:51:7d:22:33:82:e7:6c:a8:9c:45:8e:a7:ab:93:79:39:9f:83:62:c1:9a:1d:64:bc:b3:39:c9:50:e4:78:b3:8c:c4:ea:d5:d3:d7:41:c3:61:60:55:4e:20:a5:f2:56:30:6c:f0:b5:58:45:88:c1:79:31:f4:ed:ab:2d:1e:3e:21:c5:2f:a3:3b:8c:5b:38:04:d8:a7:02:4c:09:b3:18:1c:a3:49:50:5a:96:a8:24:38:80:ee:c0:87:3c:c4:69:1d:10:cb:32:b6:61:9b:a1:73:1a:f2:53:8f:29:e1:7a:42:14:57:77:1c:59:37:fb:99:f9:c6:c6:88:c0:67:59:c7:eb:ac:e0:2c:bd:87:7c:27:a6:f5:40:b3:e1:96:77:40:ec:2e:ca:ed:2b:54:fb:91:0c:68:07:16:01:96:9e:fa
      JWK:
      {"kty":"RSA","n":"g6pJZHKhDaaT7uhqOpQmbj0dijpfLjG4eHZPWG2SSqHgQB_O1Yy3G5MDxWV5mIlBxS5z5LiBH9audA4pDwT5gEUj6Ti_tnnFPs1Tj1nngrjLT3MObYQTs2fg8JTWle_wPezMIYKiZMzo2Te26awQKu_QUuJfxGfx-4g1nTmuXUUn0SGfMxjzpW8TILS5WN2Ok4KcKGploKRGCnJe5ZMOIVCoThvCFea3dyPemrhjolM-o-Vvat30V8TEjdOE5z9E82ZcZlkO37-I1j26pd1uxynLrJSwyZ9-QfTT6s-9ihPCpa1nlp5gPKEZ6ykUGKbM5puP8knBu6u70qDRlq2SLw","e":"AQAB"}
    • JSON Web Key
      – JWKs can be
        • included in a JWS/JWE/JWT header
        • saved in a file
        • published at an HTTPS endpoint
        • used in place of self signed certificates
    • Some JOSE/JWT Implementations
      – Java: https://bitbucket.org/b_c/jose4j
      – Ruby: https://github.com/nov/json-jwt
      – JavaScript: http://kjur.github.com/jsjws/
      – Perl: https://metacpan.org/module/JSON::WebToken
      *Disclaimer: I'm writing this one
    • OAuth Basic Abstract Flow
      [Diagram: Client, Resource Server, Authorization Server]
      – client: An application obtaining authorization and making protected resource requests.
        • Native app on mobile device
      – resource server (RS): A server capable of accepting and responding to protected resource requests.
        • Protected APIs
      – authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.
      A few other protocol terms
      – Access token (AT): Presented by the client when accessing protected resources at the RS
      – Refresh token (RT): Allows clients to obtain a fresh access token without re-obtaining authorization
      – Scope: A permission (or set of permissions) defined by the AS/RS
      – Authorization endpoint: used by the client to obtain authorization from the resource owner via user-agent redirection
      – Token endpoint: used for direct client to AS communication
      – Authorization Code: One time code issued by an AS to be exchanged for an AT.
    • The OAuth 2.0 (RFC 6749) Code Flow, a.k.a. Authorization Code Grant Type, a.k.a. Authorization Code Flow, a.k.a. etc.
    • OAuth 2.0 (diagram slides)
      Parties: Authorization Server (Authorization Endpoint, Token Endpoint), Client, Resource Server (Protected Resource(s)), Resource Owner. *Disclaimer: I also work with this guy
      – Authorization Request with response_type=code
      – Authenticate and Approve
      – Authorization Response + code
      – Access Token Request with authorization_code grant type + code
      – Access Token Response with Access Token (and maybe Refresh)
      – Use Access Token to access Protected Resources
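An added example, not from the slides, that walks the code flow steps above with a constructed in-memory authorization server, client and resource server. The client_id, redirect_uri and scope values are placeholders, and "now" is passed in so the code-expiry check is reproducible.

```python
import secrets

# Added example, not from the slides: a constructed in-memory walk-through of the
# RFC 6749 authorization code grant; identifiers are placeholders.

class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri, scope, expires_at)
        self.tokens = {}  # access token -> scope

    def authorize(self, query, owner_approved, now):
        """Authorization endpoint, reached by user-agent redirection."""
        state = query.get("state")
        if query.get("response_type") != "code":
            return {"error": "unsupported_response_type", "state": state}
        if not owner_approved:  # the resource owner declined
            return {"error": "access_denied", "state": state}
        code = secrets.token_urlsafe(24)
        self.codes[code] = (query["client_id"], query["redirect_uri"], query.get("scope", ""), now + 60)
        return {"code": code, "state": state}  # the authorization response

    def token(self, form, now):
        """Token endpoint, called directly by the client."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self.codes.pop(form.get("code"), None)  # pop: a code is single-use
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, scope, expires_at = entry
        # A code is bound to the client and redirect_uri it was issued for, and expires.
        if (client_id, redirect_uri) != (form.get("client_id"), form.get("redirect_uri")) or now > expires_at:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = scope
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600, "scope": scope}

    def protected_resource(self, authorization_header):
        """Resource server: serve only a bearer token this AS issued."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or token not in self.tokens:
            return {"error": "invalid_token"}
        return {"scope": self.tokens[token], "data": "protected"}

class Client:
    def __init__(self, client_id, redirect_uri):
        self.client_id, self.redirect_uri, self.state = client_id, redirect_uri, None

    def authorization_request(self, scope="read"):
        self.state = secrets.token_urlsafe(16)  # tied to this user-agent session
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri, "scope": scope, "state": self.state}

    def handle_redirect(self, params):
        """Check the authorization response, then build the access token request."""
        if params.get("state") != self.state:
            raise ValueError("state mismatch: response is not for this session")
        if "error" in params:
            raise ValueError(params["error"])
        return {"grant_type": "authorization_code", "code": params["code"], "client_id": self.client_id, "redirect_uri": self.redirect_uri}
```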
    • OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol.
    • OpenID Connect Basic Client Profile, or Code Flow
    • OpenID Connect (diagram slides)
      Parties: Authorization Server / Identity Provider / OpenID Provider (Authorization Endpoint, Token Endpoint, User Info Endpoint), Client / Relying Party, Resource Owner / End-User, OAuth 2.0 Resource Server (Protected Resource(s))
      – Authorization Request with response_type=code & scope=openid profile email address phone & maybe other new stuff: request[_uri], prompt, nonce, etc.
      – Authenticate and Approve
      – Authorization Response + code
      – Access Token Request with authorization_code grant type + code
      – Access Token Response with Access Token + ID Token (JWT)
      – Use Access Token to access User Info Endpoint
      – User Info Endpoint returns additional claims about (aboot) the authenticated End-User.
      – End-User is logged into the Client/RP
      – [Maybe] Use Access Token to access additional Protected Resources
    • You've just been Introduced to some Emerging JSON-Based Identity and Security Protocols. Any Questions?
      Brian Campbell, @weeUnquietMind, Gluecon 2013, http://is.gd/1qoMXG