OpenID Connect: An Overview
Pat Patterson
Developer Evangelist Architect
salesforce.com
@metadaddy
What is OpenID Connect?
Simple Identity Layer for the Internet
[OpenID Connect] allows Clients to verify the
identity of t...
What is OpenID Connect?
• Specification defined by OpenID
Foundation ‘Connect’ Work Group
– NRI, Ping
Identity, Microsoft,...
OpenID Connect Status
• ‘Nearly complete’
– Second set of OpenID Connect
Implementer’s Drafts approved in July, 2013
– Int...
OpenID Connect Specification
• OpenID Connect 1.0 Specification
– Core
– Discovery (optional)
– Dynamic Registration (opti...
OpenID Connect Roles

Web-based, mobile, or
JavaScript Clients verify the
identity of End-Users based on
authentication pe...
OpenID Connect Basic Client Profile
OpenID Connect Implicit Client Profile
OpenID Connect Token Response
{
"access_token":"SlAV32hkKG",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"tG...
OpenID Connect ID Token
{
"iss": "https://server.example.com",
"sub": "24400320",
"aud": "s6BhdRkqt3",
"exp": 1311281970,
...
Who is Deploying OpenID Connect?
• Services:
Google, Salesforce, eBay, AOL, Deutsche
Telekom, Orange
• Vendors: IBM, Micro...
OpenID Connect in Action

• Client: Salesforce Community
• Auth Server: Google
• End User: Me!
Salesforce Community Login Page
Google Login Page
Google Authorization Page
Salesforce Community Home Page
Questions?
Pat Patterson
Developer Evangelist Architect
salesforce.com
@metadaddy
Upcoming SlideShare
Loading in...5
×

OpenID Connect: An Overview

4,115

Published on

Brief overview of OpenID Connect - presented at Bay Area Identity Developers Meetup, Dec 2 2013.

Published in: Technology, News & Politics
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,115
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
130
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

OpenID Connect: An Overview

  1. 1. OpenID Connect: An Overview Pat Patterson Developer Evangelist Architect salesforce.com @metadaddy
  2. 2. What is OpenID Connect? Simple Identity Layer for the Internet [OpenID Connect] allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
  3. 3. What is OpenID Connect? • Specification defined by OpenID Foundation ‘Connect’ Work Group – NRI, Ping Identity, Microsoft, Google, Salesforce etc • Built on OAuth 2.0 • REST-based • Successor to SAML?
  4. 4. OpenID Connect Status • ‘Nearly complete’ – Second set of OpenID Connect Implementer’s Drafts approved in July, 2013 – Interop testing under way – Waiting for dependencies to be standardized • JWT, JWS etc
  5. 5. OpenID Connect Specification • OpenID Connect 1.0 Specification – Core – Discovery (optional) – Dynamic Registration (optional) – Session Management (optional) – OAuth 2.0 Multiple Response Types • Implementer’s Guides – Basic Client Profile – Implicit Client Profile
  6. 6. OpenID Connect Roles Web-based, mobile, or JavaScript Clients verify the identity of End-Users based on authentication performed by an Authorization Server.
  7. 7. OpenID Connect Basic Client Profile
  8. 8. OpenID Connect Implicit Client Profile
  9. 9. OpenID Connect Token Response { "access_token":"SlAV32hkKG", "token_type":"Bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "id_token":"eyJ0 ... NiJ9.eyJ1c ... ZXso” } • id_token is a JSON Web Token (JWT) – Signed, URL/filename-safe base64 encoded JSON data
  10. 10. OpenID Connect ID Token { "iss": "https://server.example.com", "sub": "24400320", "aud": "s6BhdRkqt3", "exp": 1311281970, "iat": 1311280970 } • Issuer, Subject, Audience, Expiry, Issued At • Also optional email, auth_time, nonce etc
  11. 11. Who is Deploying OpenID Connect? • Services: Google, Salesforce, eBay, AOL, Deutsche Telekom, Orange • Vendors: IBM, Microsoft, Ping Identity, Layer 7, ForgeRock, Gluu, MITRE, NRI
  12. 12. OpenID Connect in Action • Client: Salesforce Community • Auth Server: Google • End User: Me!
  13. 13. Salesforce Community Login Page
  14. 14. Google Login Page
  15. 15. Google Authorization Page
  16. 16. Salesforce Community Home Page
  17. 17. Questions? Pat Patterson Developer Evangelist Architect salesforce.com @metadaddy
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×