IIW 16th Report at #idcon
  1. IIW #16 Report, @nov
  2. Notes: http://iiw.idcommons.net/IIW_16_Notes
  3. Mobile SSO - Enterprise (Sascha Preibisch, Layer7)
     Similar talk: http://www.slideshare.net/rnewton/xapp-sso-flascellescsa2013
     Concept:
     - Store the ID Token in the "Shared Keychain" (iOS apps only)
     - Generate an RSA key pair on the client side (OPTIONAL)
     - Only for apps white-listed by the admin
     - "msso" scope marks an SSO-enabled ID Token
  4. [Diagram: apps A1 and A2, each with a Local Keychain holding an Access Token and an ID Token, plus the Shared Keychain holding the ID Token; arrows labelled "ID Token + Access Token", steps numbered 1-5]
  5. [Diagram: app A1 as above; a second app B1 that tries the same path via the Shared Keychain is rejected ("NG"); steps numbered 1-2]
  6. Mobile SSO - Device to Browser (George Fletcher, AOL)
     Similar talk: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20121231/002768.html
     Concept:
     - "websso" scope
     - Down-scope via token refresh
     - Pass an ID Token from the native app to the browser and skip the login
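The "down-scope via token refresh" point from the two Mobile SSO slides, as an added example that is not code from either talk. A native app holds a broad grant; before it hands a token to the browser it refreshes with a narrower scope (RFC 6749 section 6 allows `scope` on a refresh request, and it may only shrink), so the browser receives only what web SSO needs. The in-memory grant store, the error responses, and the way the "websso" scope is used here are assumptions for illustration.

```python
"""Down-scoping an OAuth 2.0 grant on refresh before a native-app-to-browser hand-off.

Added illustration; not code from the talks. GRANTS stands in for the
authorization server's grant store (constructed sample data), and the use of
"websso" as the scope that permits browser SSO is an assumption.
"""
import secrets

# Constructed sample: refresh_token -> subject and scope originally granted.
GRANTS = {
    "rt-native-app": {"sub": "alice", "scope": {"openid", "profile", "mail.read", "websso"}},
    "rt-plain-app": {"sub": "bob", "scope": {"openid", "profile"}},
}
ACCESS_TOKENS = {}  # access_token -> what it is good for


def refresh(refresh_token, requested_scope=None):
    """Token endpoint, refresh_token grant: the scope may shrink but never grow."""
    grant = GRANTS.get(refresh_token)
    if grant is None:
        return {"error": "invalid_grant"}
    scope = set(requested_scope) if requested_scope else set(grant["scope"])
    if not scope <= grant["scope"]:
        return {"error": "invalid_scope"}  # RFC 6749 section 5.2 error code
    token = "at-" + secrets.token_urlsafe(16)
    ACCESS_TOKENS[token] = {"sub": grant["sub"], "scope": scope}
    return {"access_token": token, "token_type": "Bearer", "scope": " ".join(sorted(scope))}


def hand_off_to_browser(refresh_token):
    """What the native app passes to the browser: a token limited to web SSO.

    Refuses when the original grant never included "websso", so an app the user
    did not authorise for browser SSO cannot bootstrap it by refreshing.
    """
    grant = GRANTS.get(refresh_token)
    if grant is None or "websso" not in grant["scope"]:
        return {"error": "invalid_scope"}
    return refresh(refresh_token, {"openid", "websso"})


def introspect(token):
    """Server-side view of what a token is good for (None if unknown)."""
    return ACCESS_TOKENS.get(token)
```

The browser ends up with a token that can open the web session but cannot read mail, and a compromised browser cannot widen it: a refresh asking for more than the original grant gets `invalid_scope`.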
  7. Auth @ Google - Next 5 Years (Eric Sachs, Google)
     Reference: https://docs.google.com/document/d/1r9qnZUehCbtkQR86Wp-sJR2Zu6sHx47queuqmegW2PY
     Summary:
  8. Past 5 years
     - Risk-based 2-factor authentication
     - OpenID: no new passwords!
     - OAuth: no password sharing!
  9. Good News
  10. Bad News
     - OpenID migration is hard
     - Usability
     - Account linking issues: https://docs.google.com/document/pub?id=1O7jyQLb7dW6EnJrFsWZDyh0Yq0aFJU5UJ4i5QzYlTjU
     - Account recovery is their Achilles heel
  11. Next 5 years
     - Setup, not Sign-in
     - Reduce Bearer Tokens
     - Smarter Hardware
     - Beyond Bootstrapping
     - Advanced Combination
  12. Setup, not Sign-in: "Login Once" vs. "Login Each Time"
  13. Setup, not Sign-in: "Login Once" on both sides, via an OS-level Account Manager
  14. Reduce Bearer Tokens. Bearer tokens? OAuth 2.0 access tokens, JWT bearer tokens ... and session cookies!
  15. Reduce Bearer Tokens: CookieID
     - Self-signed cookie (probably, like a self-issued IdP's ID Token?)
     - http://tools.ietf.org/html/draft-balfanz-tls-channelid
     - Already available in Chrome
  16. chrome://settings/cookies
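The "Reduce Bearer Tokens" slides point at draft-balfanz-tls-channelid: the browser proves a per-origin key pair inside the TLS handshake and the server learns a hash of that key (the channel id), which it binds into the session cookie. The following is an added example of the server-side binding, not code from the talk or from Chrome. The TLS-level proof of possession is outside the snippet, so channel ids are passed in as plain values, and the server key, cookie layout and sample client keys are constructed assumptions. (Channel ID did ship in Chrome at the time of this talk; Chrome has since removed it, and its successor Token Binding was also dropped, so treat this as the idea rather than a deployable mechanism.)

```python
"""Channel-bound session cookie: a copied cookie fails from another channel.

Added illustration of the draft-balfanz-tls-channelid idea; not code from the
talk. The channel id is modelled as SHA-256 over the client's TLS public key,
exactly what the server would learn from the handshake. SERVER_KEY and the
two sample client keys are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # would live in the server's key store


def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def channel_id(client_public_key_der):
    """Channel id as the server sees it: hash of the client's TLS key."""
    return hashlib.sha256(client_public_key_der).hexdigest()


def issue_cookie(session_id, chan):
    """Cookie = payload . HMAC(SERVER_KEY, payload || channel id).

    The channel id is not stored in the cookie; it only enters the MAC, so the
    cookie verifies only when presented over the channel it was issued to.
    """
    payload = _b64(json.dumps({"sid": session_id}).encode())
    tag = hmac.new(SERVER_KEY, f"{payload}.{chan}".encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_cookie(cookie, chan):
    """Return the session id, or None if the MAC or the channel does not match."""
    try:
        payload, tag = cookie.split(".")
        expected = hmac.new(SERVER_KEY, f"{payload}.{chan}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None
        return json.loads(_unb64(payload))["sid"]
    except (ValueError, KeyError, TypeError):
        return None


# Constructed sample: two clients with different (fake) TLS public keys.
ALICE_KEY = b"alice-browser-public-key-bytes"
THIEF_KEY = b"attacker-machine-public-key-bytes"
```

A cookie exfiltrated from Alice's browser is rejected when replayed from the attacker's machine, because that TLS connection presents a different channel id. The cookie is still a secret, but it is no longer a pure bearer token.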
  17. Smarter Hardware
  18. Smarter Hardware
  19. Smarter Hardware: authorize a new device by having an existing device talk to it via a cryptographic protocol
  20. Smarter Hardware: authorize a new device by having an existing device talk to it via a cryptographic protocol?
  21. Smarter Hardware: U2F (Universal Second Factor)
     - Open ecosystem of small, robust "keychain devices"
     - FIDO Alliance: http://www.fidoalliance.org
  22. OAuth & JOSE @ BlueButton+ (Justin Richer, MITRE)
     Actual title: "Blue Button and Patient Health Records using OAuth, JOSE"
     Reference: http://blue-button.github.io/blue-button-plus-pull/
     Concept: an OAuth 2.0 Dynamic Client Registration use-case, "Trusted Registration"
  23. BlueButton (ref: http://www.healthit.gov/patients-families/blue-button/about-blue-button)
     "Blue Button" is a way for you to get easy, secure online access to your health information. ... America's health care system is rapidly going digital, and health care providers, insurance companies and others are starting to give patients and consumers access to their health information electronically through "Blue Button".
  24. BlueButton+ Pull API: an OAuth2 API for RESTful access to patient data and for bootstrapping DIRECT-based information exchange (ref: http://blue-button.github.io/blue-button-plus-pull/)
  25. [Diagram: the four parties: Registry, AuthZ & Resource Server, Resource Owner, Client]
  26. Client "class" and "instance"
     - The "class" is registered with the registry; the registration method is out of scope (e.g. manual)
     - The registry establishes a "registration_jwt", a JWT Bearer token
     - Each "instance" is dynamically registered with the authorization server (OAuth 2.0 Dynamic Client Registration)
     - The "registration_jwt" token is what makes it a "Trusted Registration"
  27. [Diagram: Registry, AuthZ & Resource Server, Resource Owner, Client; arrows labelled "Trust", "Register class" and "Register instance"]
  28. Discovery
     - Registry Discovery @ Registry: get registry endpoints, public keys etc.
     - Providers Discovery @ Registry: get the trusted providers list
     - Provider Discovery @ Provider: get a single provider's metadata
     - Apps Discovery @ Registry: get the trusted apps list
  29. [Diagram: Registry, AuthZ & Resource Server, Resource Owner, Client; Discovery of Registry Metadata, Trusted Providers and Trusted Apps at the Registry, and of Provider Metadata at the provider]
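The class/instance and discovery slides describe one flow: the registry vouches for a client "class" with a signed registration_jwt, an app "instance" presents it when it dynamically registers with an authorization server, and the server verifies it against keys learned through registry discovery. Below is an added example of both sides of that check; it is not code from the BlueButton+ specification or from MITRE. Simplifications that are assumptions: an HMAC-signed JWT with a shared key stands in for the registry's published asymmetric key, the discovery result is constructed inline rather than fetched, and the claim names and error strings are illustrative (the error codes follow the later RFC 7591, where this kind of token became the software statement).

```python
"""Trusted dynamic client registration with a registry-issued registration_jwt.

Added illustration; not the BlueButton+ project's code. HS256 with a key the
registry and authorization server share is an assumption made so the example
runs on the standard library; a real registry would publish an RS256 key via
registry discovery. REGISTRY, AUTHZ_SERVER and the claim names are assumed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

REGISTRY = "https://registry.example"   # assumed issuer of registration_jwt
AUTHZ_SERVER = "https://as.example"     # assumed audience


def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_sign(claims, key):
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def jwt_verify(token, key, issuer, audience, now=None):
    """Return the claims, or None when alg, signature, iss, aud or exp fail."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust alg from the token
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, KeyError, AttributeError, TypeError):
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


# --- Registry side: the "class" was registered out of band (e.g. manually) ---
REGISTRY_KEY = secrets.token_bytes(32)


def registry_issue_registration_jwt(class_id, redirect_uris, ttl=3600):
    """JWT Bearer token vouching for a client class and its allowed redirect URIs."""
    return jwt_sign({
        "iss": REGISTRY, "aud": AUTHZ_SERVER, "sub": class_id,
        "redirect_uris": redirect_uris, "exp": int(time.time()) + ttl,
    }, REGISTRY_KEY)


# --- Authorization server side ---
# Result of "Registry Discovery @ Registry" (endpoints, public keys), constructed
# inline instead of fetched.
DISCOVERED = {REGISTRY: {"keys": [REGISTRY_KEY]}}
CLIENTS = {}  # client_id -> registered instance


def register_instance(request):
    """Dynamic registration request; "registration_jwt" is the assumed field name."""
    token = request.get("registration_jwt")
    if token is None:
        return {"error": "invalid_client_metadata"}
    claims = None
    for key in DISCOVERED[REGISTRY]["keys"]:
        claims = jwt_verify(token, key, REGISTRY, AUTHZ_SERVER)
        if claims:
            break
    if claims is None:
        return {"error": "invalid_software_statement"}
    # An instance may only claim redirect URIs the registry vouched for.
    uris = request.get("redirect_uris", [])
    if not set(uris) <= set(claims.get("redirect_uris", [])):
        return {"error": "invalid_redirect_uri"}
    client_id = "c-" + secrets.token_urlsafe(8)
    CLIENTS[client_id] = {"class": claims["sub"], "redirect_uris": uris}
    return {"client_id": client_id, "client_class": claims["sub"], "redirect_uris": uris}
```

The trust chain is the point: the authorization server has never seen this instance before, yet it can tie the new client_id to a class the registry approved, and it refuses registrations whose token is unsigned, expired, or whose redirect URIs exceed what the registry vouched for.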
  30. [appendix] Push Authorization: http://blue-button.github.io/blue-button-plus-pull/#push-authorization
