
Introduction to OpenID Connect

OpenID Connect is a new identity layer on top of OAuth 2.0.

Transcript

  • 1. OpenID Connect. Nat Sakimura, Chairman, OpenID Foundation; Senior Researcher. C6b. New School Identity Frameworks Panel
  • 2. OAuth 2.0 is the base protocol; OpenID Connect is the identity layer on top of it.
  • 3. Q: Identity
  • 4. Identity = set of attributes related to an entity [ISO 29115]
  • 5. Entity / Identity
  • 6. Entity: Human, Machine, Service
  • 7. No direct way to perceive a Human
  • 8. Blond/grey; silver frame glasses; 6’5” tall
  • 9. Entity and Identity. Attributes: sex, height, real name, mail, street address, nickname, birthday, employee number, license, performance. Role and relationship: boyfriend, friends, boss. Self Recognition vs. 3rd Party Recognition: the delta between Self and 3rd Party Recognition = interpersonal problem
  • 10. Man: Identity, Identity, Identity
  • 11. Man: Work, Husband, Father
  • 12. Woman: daughter, mother, wife, girlfriend, colleague, boss, community member, friend
  • 13. YOU: Identity A / Site A, Identity B / Site B, Identity C / Site C
  • 14. Q: Why not just OAuth?
  • 15. OAuth is an Access Granting Protocol. Betty’s Profile; Alice; Cindy. Cindy ≠ Betty, Alice ≠ Betty
  • 16. Facebook extends OAuth with “signed request”; “ID Token” in OpenID Connect
  • 17. Token Swap Attack
  • 18. Login with Amazon
  • 19. http://blog.chromium.org/2013/07/richer-access-to-google-services-and.html?m=1
  • 20. Signed Request: works only with a single identity provider; proprietary signature format. ID Token: works with multiple identity providers; IETF JSON Web Signature
  • 21. ID Token Claims Example: { "iss": "https://server.example.com", "sub": "248289761001", "aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf", "iat": 1311280970, "exp": 1311281970, "nonce": "n-0S6_WzA2Mj" }
  • 22. Stick with OpenID Connect and not “OAuth Authentication”
  • 23. An Identity Layer provides: Who is the user that got authenticated; Where was he authenticated; When was he authenticated; How was he authenticated; What attributes he can give you; Why he is providing them
  • 24. Interoperable; Simple & Mobile Friendly; Secure; Flexible
  • 29. Interoperable. Standard scopes: openid, profile, email, address, phone. Method to ask for more granular claims: request object and claims. ID Token: info about the authenticated user. UserInfo endpoint: get attributes about the user; translate the tokens
  • 30. Simple & Mobile Friendly. JSON based, REST friendly; in the simplest cases, just copy and paste; mobile & app friendly. E.g., the ID Token is signed JSON: { "iss": "https://client.example.com", "sub": "24400320", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "auth_time": 1311280969, "acr": "2", "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng" }
  • 31. Secure. ISO/IEC 29115 Entity Authentication Assurance: LoA1, LoA2, LoA3, LoA4. Choice of crypto
  • 32. Flexible. Granular Request: through Request Object (JSON); data minimization. Aggregated Claims: does not disclose data recipients to data sources. Distributed Claims: decentralized data storage
  • 33. Choice of your provider: can be Google, eBay, AOL, Deutsche Telekom etc. Can be your phone => Self-Issued Provider
  • 34. Details
  • 35. SAML Authentication. 1. Who are you? Get me a referral letter. Do not forget about your email! 2. Please write me a referral letter. 3. Here you are, Alice. 4. Here is the certificate. Referral letter: Name: Alice de Wonderland; Mail: alice@example.com; Notary: Google; Official Google Seal (Google Inc. seal). Actors: Alice, notary, Eve
  • 36. Pseudo-Authentication using OAuth. 1. Who are YOU? Give me a valet key to your house. Then I will trust that you are the owner of the house. 2. Can you give me a valet key to my house? 3. Here you are! 4. Here is the key! Actors: Alice, Apartment Controller, Eve
  • 37. OpenID Connect Authentication. 1. Who are you? Get me a referral letter. Do not forget about your email! 2. Give Eve the locker key and a referral letter. 3. Here you are! 4. Here you are. Referral letter: Date: 2011/5/15 11:00:04; Level of Assurance: 2; Verifier: Google; Official Google Seal. Actors: Alice, Butler, Locker, Eve
  • 38. OpenID Connect’s claims aggregation and distributed claims. Name: Alice de Wonderland; DoB: 1989/3/3; Sex: F; Address: 135 Broadway, NY, NY (NY City Official Seal). Locker, UserInfo Endpoint, Site X, Site Y, Site Z, Eve
  • 39. Applying it to the Enterprise model
  • 40. Entity and Identity. Attributes: sex, height, real name, mail, street address, nickname, birthday, employee number, license, performance. Role and relationship: boyfriend, friends, boss. Self Recognition vs. 3rd Party Recognition: the delta between Self and 3rd Party Recognition = interpersonal problem
  • 41. Entity / Identity: real name, professional qualification, department, geo-location, employee number. Resource; Authentication; Policy Enforcement; Rules
  • 42. ABAC (Attribute Based Access Control). Based on the SP800-162 figure on page viii: identity, Resource, Rules
  • 43. Entity / Identity: real name, professional qualification, department, geo-location, employee number. Resource; Authentication; PEP, PDP, PAP; Boss; Metadata; Log
  • 44. Q: What kind of “Identity” (set of attributes) does an enterprise need?
  • 45. Current Standard Claims won’t do
  • 46. UserInfo Claims: sub, name, given_name, family_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, locale, zoneinfo, updated_at, email, email_verified, phone_number, phone_number_verified, address
  • 47. UserInfo Claims Example: { "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "email": "janedoe@example.com", "email_verified": true, "picture": "http://example.com/janedoe/me.jpg" }
  • 48. Perhaps we need standard “enterprise” claims
  • 49. SCIM?
  • 50. SCIM Enterprise User Schema Extension: employeeNumber – numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization. costCenter – identifies the name of a cost center. organization – identifies the name of an organization. division – identifies the name of a division. department – identifies the name of a department. manager – the User’s manager; a complex type that optionally allows Service Providers to represent organizational hierarchy by referencing the "id" attribute of another User.
  • 51. Not Quite.
  • 52. Perhaps we need standard “enterprise” claims
  • 53. Q: When shall I start using OpenID Connect?
  • 54. Timeline: 2nd Implementer’s Draft Public Review (45 days); 2nd Implementer’s Draft Vote (14 days); Final Review (60 days); Final: December 2013. We are here!
  • 55. Questions?
  • 56. To be continued at … OAuth and OpenID Connect: In the Trenches. Wednesday, July 10, 4:00 – 5:30 PM, Salon C/D/E
  • 57. Details …
  • 58. Working Together: OpenID Connect
  • 59. Working Group Members. Key working group participants: Nat Sakimura – Nomura Research Institute – Japan; John Bradley – Ping Identity – Chile; Breno de Medeiros – Google – US; Axel Nennker – Deutsche Telekom – Germany; Torsten Lodderstedt – Deutsche Telekom – Germany; Roland Hedberg – Umeå University – Sweden; Andreas Åkre Solberg – UNINETT – Norway; Chuck Mortimore – Salesforce – US; Brian Campbell – Ping Identity – US; George Fletcher – AOL – US; Justin Richer – Mitre – US; Nov Matake – Independent – Japan; Mike Jones – Microsoft – US. By no means an exhaustive list!
  • 60. Design Philosophy: Simple Things Simple, Complex Things Possible
  • 61. Simple Things Simple: UserInfo endpoint for simple claims about the user; designed to work well on mobile phones
  • 62. How We Make It Simple: build on OAuth 2.0; use JavaScript Object Notation (JSON); build only the pieces that you need. Goal: easy implementation on all modern development platforms
  • 63. Complex Things Possible: Encrypted Claims, Aggregated Claims, Distributed Claims
  • 64. A Look Under the Covers: ID Token; Claims Requests; UserInfo Claims; Example Protocol Messages
  • 65. OpenID Connect Authentication. 1. Who are you? Get me a referral letter. Do not forget about your email! 2. Give Eve the locker key and a referral letter. 3. Here you are! 4. Here you are. Referral letter (ID Token): Date: 2011/5/15 11:00:04; Level of Assurance: 2; Verifier: Google; Official Google Seal. Locker key: Access Token. Actors: Alice, Butler, Locker, Bob
  • 66. ID Token: JWT representing the logged-in session. Claims: iss – Issuer; sub – Identifier for subject (user); aud – Audience for ID Token; iat – Time token was issued; exp – Expiration time; nonce – Mitigates replay attacks; at_hash – Left hash of the access token; azp – Authorized Party
  • 67. ID Token Claims Example: { "iss": "https://server.example.com", "sub": "alice", "aud": "https://bob.example.com", "iat": 1311280970, "exp": 1311281970, "nonce": "n-0S6_WzA2Mj", "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng", "azp": "https://cindy.example.com/" }
  • 68. at_hash makes the ID Token a detached signature for the access token
  • 69. azp allows the token to be used by another party. Site X, Cindy, Bob; ID Token, Access Token
  • 70. Using the Access Token only for Authentication is Dangerous. 1. Who are you? Get me a referral letter. Do not forget about your email! 2. Give Eve the locker key and a referral letter. 3. Here you are! 4. Here you are. Actors: Alice, Butler, Eve; Access Token
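The checks a Relying Party runs on the ID Token claims of slides 66 to 70, as an added example that is not code from the slides or from any OpenID Connect library. It assumes the JWS signature over the token has already been verified; `validate_id_token_claims` and its `trusted_presenters` policy knob are names chosen for this example, and the at_hash computation follows the left-half-of-hash rule the slides describe.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Added example, not code from the slides: the claim checks a Relying Party runs on an
# ID Token (slides 66-70) once the JWS signature over it has already been verified.


def at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash per OpenID Connect Core: hash the access token with the hash function matching the
    ID Token's JWS alg (RS256 -> SHA-256), keep the left-most half, base64url-encode without padding."""
    bits = int(alg[2:])  # RS256/ES256/HS256 -> 256, RS384 -> 384, RS512 -> 512
    digest = hashlib.new(f"sha{bits}", access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")


def validate_id_token_claims(claims: dict, *, issuer: str, client_id: str, nonce: str,
                             access_token: Optional[str] = None, trusted_presenters: Optional[set] = None,
                             now: Optional[float] = None, leeway: int = 60) -> list:
    """Return the names of the checks that failed; an empty list means the claims are acceptable.
    trusted_presenters is a policy knob assumed for this example: azp values accepted besides client_id."""
    now = time.time() if now is None else now
    trusted = {client_id} | (trusted_presenters or set())
    failed = []
    # Binding to issuer and audience is what a bare access token (slide 70) lacks: a token
    # minted for Cindy's site must not log its bearer in at Bob's.
    if claims.get("iss") != issuer:
        failed.append("iss")
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:
        failed.append("aud")
    if len(audiences) > 1 and "azp" not in claims:
        failed.append("azp-missing")
    if "azp" in claims and claims["azp"] not in trusted:
        failed.append("azp")
    # Lifetime and replay protection (the nonce was generated by this RP for this login attempt).
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        failed.append("exp")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        failed.append("iat")
    if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        failed.append("nonce")
    # at_hash ties the ID Token to the access token issued alongside it (slide 68).
    if access_token is not None and not hmac.compare_digest(str(claims.get("at_hash", "")), at_hash(access_token)):
        failed.append("at_hash")
    return failed
```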
  • 71. OpenID Connect’s claims aggregation and distributed claims. Name: Alice de Wonderland; DoB: 1989/3/3; Sex: F; Address: 135 Broadway, NY, NY (NY City Official Seal). Locker, UserInfo Endpoint, Site X, Site Y, Site Z, Bob
  • 72. Aggregated Claims: Data Source, Data Source, Identity Provider, Relying Party; Signed Claims; Claim Values
  • 73. Distributed Claims: Identity Provider, Relying Party, Data Source, Data Source; Signed Claims; Claim Refs
  • 74. Claims Requests. Basic requests are made using OAuth scopes: openid – declares the request is for OpenID Connect; profile – requests default profile info; email – requests email address & verification status; address – requests postal address; phone – requests phone number & verification status; offline_access – requests Refresh Token issuance. Requests for individual claims can be made using the JSON “claims” request parameter
  • 75. Request Object
  • 76. You can register it at registration time: request_uri. Personally Recommended
  • 77. Authorization Request Example: https://server.example.com/authorize ?response_type=token%20id_token &client_id=0acf77d4-b486-4c99-bd76-074ed6a64ddf &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb &scope=openid%20profile &state=af0ifjsldkj &nonce=n-0S6_WzA2Mj
  • 78. Authorization Response Example: HTTP/1.1 302 Found Location: https://client.example.com/cb #access_token=mF_9.B5f-4.1JqM &token_type=bearer &id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z &expires_in=3600 &state=af0ifjsldkj
  • 79. UserInfo Request Example: GET /userinfo?schema=openid HTTP/1.1 Host: server.example.com Authorization: Bearer mF_9.B5f-4.1JqM
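The Relying Party side of the protocol messages on slides 77 and 78, as an added example that is not code from the slides or from any OpenID Connect library: it builds the implicit-flow authorization request with fresh state and nonce, optionally attaching the JSON "claims" parameter from slide 74, and parses the fragment-encoded response while enforcing the state binding. `AUTHORIZE_ENDPOINT` is taken from slide 77; the function names and the sample claims request are constructed for this example.

```python
import json
import secrets
import urllib.parse

# Added example, not code from the slides: the Relying Party's half of the implicit-flow
# exchange on slides 77 and 78 (response_type=token id_token, response in the URL fragment).
AUTHORIZE_ENDPOINT = "https://server.example.com/authorize"  # from slide 77


def build_authorization_request(client_id, redirect_uri, scope="openid profile", claims=None):
    """Return (url, state, nonce). The RP keeps state and nonce in the browser session:
    state ties the redirect back to this session, nonce ties the ID Token to it."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "token id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    if claims is not None:  # optional "claims" request parameter (slide 74), JSON-encoded
        params["claims"] = json.dumps(claims, separators=(",", ":"))
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)  # %20 for spaces, as on slide 77
    return f"{AUTHORIZE_ENDPOINT}?{query}", state, nonce


def parse_authorization_response(location, expected_state):
    """Parse the Location header of the 302 on slide 78. The tokens travel in the fragment,
    so they are handed to the RP's page by the browser rather than logged by its server."""
    fragment = urllib.parse.urlsplit(location).fragment
    params = dict(urllib.parse.parse_qsl(fragment, keep_blank_values=True, strict_parsing=True))
    # A response whose state is not the one we issued is not an answer to our request.
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state does not match this session")
    for name in ("access_token", "token_type", "id_token"):
        if name not in params:
            raise ValueError(f"response lacks {name}")
    if params["token_type"].lower() != "bearer":
        raise ValueError("unexpected token_type")
    return params
```

The returned `id_token` still has to have its signature and claims verified before `access_token` is sent to the UserInfo endpoint as on slide 79.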
  • 80. OpenID Connect Specs Overview
  • 81. Resources: OpenID Connect – http://openid.net/connect/; OpenID Connect Working Group Mailing List – http://lists.openid.net/mailman/listinfo/openid-specs-ab; OpenID Connect Interop Wiki – http://osis.idcommons.net/; OpenID Connect Interop Mailing List – http://groups.google.com/group/openid-connect-interop; Mike Jones’ Blog – http://self-issued.info/; Nat Sakimura’s Blog – http://nat.sakimura.org/; John Bradley’s Blog – http://www.thread-safe.com/
  • 82. Current Status: waiting for dependencies to be completed. JWS, JWE, JWA, JWK – IETF JOSE WG; JSON Web Token (JWT) – IETF OAuth WG; WebFinger – IETF Apps WG
  • 83. Interop testing underway: AOL, Google, IBM, Layer 7, Mitre, NRI, @nov, Orange, eBay, Gluu, Ping Identity, GÉANT, @ritou, Emmanuel Raviart. 120+ feature tests, 14 implementations
  • 84. Start Building
  • 85. Start Building Now!
  • 86. http://nat.sakimura.org/