Introduction to OpenID Connect

OpenID Connect is a new identity layer on top of OAuth 2.0.


  1. OpenID Connect. Nat Sakimura, Chairman, OpenID Foundation; Senior Researcher. C6b. New School Identity Frameworks Panel
  2. OpenID Connect: an Identity Layer on top of the OAuth 2.0 base protocol
  3. Q: Identity
  4. Identity = set of attributes related to an entity [ISO/IEC 29115]
  5. Entity and Identity
  6. Entity: Human, Machine, Service
  7. No direct way to perceive a human entity
  8. Blond/grey, silver-frame glasses, 6'5" tall
  9. Entity vs. Identity (diagram): self recognition (real name, sex, height, street address, birthday, nickname) vs. 3rd-party recognition by friends, boyfriend, boss (role, relationship, employee number, license, performance). Delta between self recognition and 3rd-party recognition = interpersonal problem.
  10. Man: Identity, Identity, Identity (one entity, several identities)
  11. Man: at work, as husband, as father
  12. Woman: daughter, mother, wife, girlfriend, colleague, boss, community member, friend
  13. YOU: Identity A at Site A, Identity B at Site B, Identity C at Site C
  14. Q: Why not just OAuth?
  15. OAuth is an Access Granting Protocol (diagram: Alice and Cindy are both granted access to Betty's profile, but Cindy ≠ Betty and Alice ≠ Betty)
  16. Facebook extends OAuth with a "signed request"; OpenID Connect has the "ID Token"
  17. Token Swap Attack: an access token obtained for one client is presented to another client, which wrongly treats holding the token as proof of who the user is
  18. Login with Amazon
  19. http://blog.chromium.org/2013/07/richer-access-to-google-services-and.html?m=1
  20. Signed Request: works only with a single identity provider; proprietary signature format. ID Token: works with multiple identity providers; IETF JSON Web Signature.
  21. ID Token Claims Example: { "iss": "https://server.example.com", "sub": "248289761001", "aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf", "iat": 1311280970, "exp": 1311281970, "nonce": "n-0S6_WzA2Mj" }
  22. Stick with OpenID Connect and not "OAuth Authentication"
  23. An Identity Layer provides: Who is the user that got authenticated; Where was he authenticated; When was he authenticated; How was he authenticated; What attributes he can give you; Why he is providing them
  24. Interoperable; Simple & Mobile Friendly; Secure; Flexible
  29. Interoperable. Standard scopes: openid, profile, email, address, phone. Request object and claims: method to ask for more granular claims. ID Token: info about the authenticated user. UserInfo endpoint: get attributes about the user; translate the tokens.
  30. Simple & Mobile Friendly. JSON based; REST friendly; in the simplest cases, just copy and paste; mobile & app friendly. E.g., the ID Token is signed JSON: { "iss": "https://server.example.com", "sub": "24400320", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "auth_time": 1311280969, "acr": "2", "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng" }
  31. Secure. ISO/IEC 29115 Entity Authentication Assurance (LoA1, LoA2, LoA3, LoA4); choice of crypto.
  32. Flexible. Granular Request: through the Request Object (JSON); data minimization. Aggregated Claims: does not disclose data recipients to data sources. Distributed Claims: decentralized data storage.
  33. Choice of your provider: can be Google, eBay, AOL, Deutsche Telekom etc. Can be your phone => Self-Issued Provider
  34. Details
  35. SAML Authentication (analogy). 1. Eve: "Who are you? Get me a referral letter. Do not forget about your email!" 2. Alice to the notary: "Please write me a referral letter." 3. Notary: "Here you are." (Letter: Name: Alice de Wonderland; Mail: alice@example.com; Notary: Google; Official Google Seal, "Google Inc. seal".) 4. Alice to Eve: "Here is the certificate."
  36. Pseudo-Authentication using OAuth (analogy). 1. Eve: "Who are YOU? Give me a valet key to your house. Then I will trust that you are the owner of the house." 2. Alice to the apartment controller: "Can you give me a valet key to my house?" 3. Apartment controller: "Here you are!" 4. Alice to Eve: "Here is the key!"
  37. OpenID Connect Authentication (analogy). 1. Eve: "Who are you? Get me a referral letter. Do not forget about your email!" 2. Alice to the butler: "Give Eve the locker key and a referral letter." 3. Butler: "Here you are!" 4. Alice to Eve: "Here you are." (Referral letter: Date: 2011/5/15 11:00:04; Level of Assurance: 2; Verifier: Google; Official Google Seal. Eve receives the letter together with the key to Alice's locker.)
  38. OpenID Connect's claims aggregation and distributed claims (diagram). Eve opens Alice's locker (the UserInfo Endpoint) and finds a document under the NY City Official Seal: Name: Alice de Wonderland; DoB: 1989/3/3; Sex: F; Address: 135 Broadway, NY, NY. Claims may also come from Site X, Site Y, Site Z.
  39. Applying it to the Enterprise model
  40. Entity vs. Identity diagram again (self recognition vs. 3rd-party recognition; same picture as slide 9)
  41. Enterprise identity attributes: real name, professional qualification, department, geo-location, employee number. Entity → Identity → Authentication → Resource, with Policy Enforcement Rules in between.
  42. ABAC (Attribute Based Access Control), based on the SP 800-162 figure on page viii: identity, resource, rules
  43. Same picture with the ABAC components: Entity → Identity (real name, professional qualification, department, geo-location, employee number) → Authentication → PEP → Resource; PDP; PAP (Boss); Metadata; Log, Log.
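How the attributes the identity layer asserts (employee number, department, geo-location) can drive the PEP/PDP/PAP split on slides 41-43, as an added Python example that is not code from this deck. The attribute names, the three rules standing in for the PAP's policy, and the sample subjects and resources are all constructed for the demo.

```python
# Added example (not code from the slide deck): an ABAC policy decision point
# fed with claims the identity layer asserted about the user (employee number,
# department) plus resource and environment attributes (geo-location), with the
# PEP enforcing the decision and logging it. Attribute names and rules are assumed.
PERMIT, DENY = "Permit", "Deny"

# The PAP's policy: (description, predicate over subject, resource, environment attributes).
RULES = [
    ("HR staff read HR records from an approved location",
     lambda s, r, e: r["type"] == "hr_record" and s.get("department") == "HR"
     and e.get("geo") in {"DE", "JP"}),
    ("Employees read their own payroll record",
     lambda s, r, e: r["type"] == "payroll" and r["owner"] == s.get("employee_number")),
    ("A manager reads the payroll records of direct reports",
     lambda s, r, e: r["type"] == "payroll" and r.get("manager") == s.get("employee_number")),
]

def pdp(subject: dict, resource: dict, env: dict):
    # Deny by default; the first matching rule permits and names itself for the log.
    for desc, rule in RULES:
        if rule(subject, resource, env):
            return PERMIT, desc
    return DENY, "no matching rule"

AUDIT_LOG = []

def pep(claims: dict, resource: dict, env: dict) -> bool:
    # Only claims taken from a validated ID Token / UserInfo response should reach this point;
    # the PEP never decides itself, it asks the PDP and enforces the answer.
    decision, reason = pdp(claims, resource, env)
    AUDIT_LOG.append({"sub": claims["sub"], "resource": resource["id"], "geo": env.get("geo"),
                      "decision": decision, "reason": reason})
    return decision == PERMIT

# Constructed claims, as a provider might return them with enterprise extensions.
ALICE = {"sub": "alice", "employee_number": "E1001", "department": "HR"}
BOB = {"sub": "bob", "employee_number": "E2002", "department": "Sales"}
PAYROLL_BOB = {"id": "payroll/E2002", "type": "payroll", "owner": "E2002", "manager": "E1001"}
HR_RECORD = {"id": "hr/E2002", "type": "hr_record", "owner": "E2002"}
```

The environment attribute is what makes this attribute-based rather than role-based: the same HR user is permitted from Germany and denied from an unapproved location without any change to her identity claims, and every decision lands in the audit log with the rule that produced it.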
  44. Q: What kind of "Identity" (set of attributes) does an enterprise need?
  45. Current Standard Claims won't do
  46. UserInfo Claims: sub, name, given_name, family_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, locale, zoneinfo, updated_at, email, email_verified, phone_number, phone_number_verified, address
  47. UserInfo Claims Example: { "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "email": "janedoe@example.com", "email_verified": true, "picture": "http://example.com/janedoe/me.jpg" }
  48. Perhaps we need standard "enterprise" claims
  49. SCIM?
  50. SCIM Enterprise User Schema Extension: employeeNumber (numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization); costCenter (identifies the name of a cost center); organization (identifies the name of an organization); division (identifies the name of a division); department (identifies the name of a department); manager (the User's manager; a complex type that optionally allows Service Providers to represent organizational hierarchy by referencing the "id" attribute of another User)
  51. Not Quite.
  52. Perhaps we need standard "enterprise" claims
  53. Q: When shall I start using OpenID Connect?
  54. Timeline: 2nd Implementer's Draft Public Review (45 days) → 2nd Implementer's Draft Vote (14 days) → Final Review (60 days) → Final, December 2013. We are here!
  55. Questions?
  56. To be continued at: OAuth and OpenID Connect: In the Trenches. Wednesday, July 10, 4:00 – 5:30 PM, Salon C/D/E
  57. Details …
  58. Working Together: OpenID Connect
  59. Working Group Members. Key working group participants: Nat Sakimura – Nomura Research Institute – Japan; John Bradley – Ping Identity – Chile; Breno de Medeiros – Google – US; Axel Nennker – Deutsche Telekom – Germany; Torsten Lodderstedt – Deutsche Telekom – Germany; Roland Hedberg – Umeå University – Sweden; Andreas Åkre Solberg – UNINETT – Norway; Chuck Mortimore – Salesforce – US; Brian Campbell – Ping Identity – US; George Fletcher – AOL – US; Justin Richer – Mitre – US; Nov Matake – Independent – Japan; Mike Jones – Microsoft – US. By no means an exhaustive list!
  60. Design Philosophy: Simple Things Simple; Complex Things Possible
  61. Simple Things Simple: UserInfo endpoint for simple claims about the user; designed to work well on mobile phones
  62. How We Make It Simple: build on OAuth 2.0; use JavaScript Object Notation (JSON); build only the pieces that you need; goal: easy implementation on all modern development platforms
  63. Complex Things Possible: Encrypted Claims; Aggregated Claims; Distributed Claims
  64. A Look Under the Covers: ID Token; Claims Requests; UserInfo Claims; Example Protocol Messages
  65. OpenID Connect Authentication (analogy, now with Bob as the relying party). 1. Bob: "Who are you? Get me a referral letter. Do not forget about your email!" 2. Alice to the butler: "Give Bob the locker key and a referral letter." 3. Butler: "Here you are!" 4. Alice to Bob: "Here you are." The referral letter (Date: 2011/5/15 11:00:04; Level of Assurance: 2; Verifier: Google; Official Google Seal) is the ID Token; the locker key is the Access Token.
  66. ID Token: JWT representing the logged-in session. Claims: iss – Issuer; sub – Identifier for the subject (user); aud – Audience for the ID Token; iat – Time the token was issued; exp – Expiration time; nonce – Mitigates replay attacks; at_hash – Left half of the hash of the access token; azp – Authorized Party
  67. ID Token Claims Example: { "iss": "https://server.example.com", "sub": "alice", "aud": "https://bob.example.com", "iat": 1311280970, "exp": 1311281970, "nonce": "n-0S6_WzA2Mj", "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng", "azp": "https://cindy.example.com/" }
  68. at_hash makes the ID Token a detached signature for the access token
  69. azp allows the token to be used by another party (diagram: Site X, Cindy, Bob, ID Token, Access Token; in the example above the audience is Bob's site and the authorized party is Cindy's)
  70. Using the Access Token only for Authentication is Dangerous. Same analogy, but Eve looks only at the locker key: 1. Eve: "Who are you? Get me a referral letter. Do not forget about your email!" 2. Alice to the butler: "Give Eve the locker key and a referral letter." 3. Butler: "Here you are!" 4. Alice to Eve: "Here you are." What Eve holds is the Access Token; a key proves that its holder may open the locker, not who the holder is.
  71. OpenID Connect's claims aggregation and distributed claims (diagram, with Bob as the relying party). Bob opens Alice's locker (the UserInfo Endpoint) and finds a document under the NY City Official Seal: Name: Alice de Wonderland; DoB: 1989/3/3; Sex: F; Address: 135 Broadway, NY, NY. Claims may also come from Site X, Site Y, Site Z.
  72. Aggregated Claims: the Data Sources hand Signed Claims to the Identity Provider, which passes them on to the Relying Party together with its own Claim Values
  73. Distributed Claims: the Identity Provider gives the Relying Party Claim Refs (references); the Relying Party fetches the Signed Claims from the Data Sources itself
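ID Token validation with the claims from slides 66-69 (including the at_hash binding to the access token), the token swap that access-token-only login falls for (slides 17 and 70), and the resolution of aggregated and distributed claims from slides 72-73, as one added Python example that is not code from this deck. It signs with HS256 so that it runs with the standard library alone; a real client verifies RS256 against the provider's published JWK set. The shared secret, issuer, client identifiers, tokens and claim values are constructed, and the fetch function stands in for an HTTPS request to a distributed claim source.

```python
# Added example (not code from the slide deck): a minimal HS256 JWS, ID Token
# validation including at_hash, the "token swap" that access-token-only login
# falls for, and resolving aggregated/distributed claims from a UserInfo
# response. Keys, tokens, client_ids and claim values are constructed for the
# demo; a real client verifies RS256 against the provider's published JWK set.
import base64, hashlib, hmac, json, time

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jws_sign(claims: dict, key: bytes) -> str:
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def jws_verify(token: str, key: bytes) -> dict:
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to choose the algorithm
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def at_hash(access_token: str) -> str:
    # Left-most 128 bits of SHA-256 (the hash behind any *S256 alg) over the ASCII token, base64url.
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest()[:16])

def validate_id_token(token, key, issuer, client_id, nonce, access_token=None, now=None):
    c = jws_verify(token, key)
    aud = c["aud"] if isinstance(c["aud"], list) else [c["aud"]]
    if c["iss"] != issuer:
        raise ValueError("iss mismatch")
    if client_id not in aud:
        raise ValueError("aud mismatch: token was issued to another client")
    if len(aud) > 1 and c.get("azp") != client_id:
        raise ValueError("azp mismatch")
    if c["exp"] <= (time.time() if now is None else now):
        raise ValueError("expired")
    if c.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed token")
    if access_token is not None and c.get("at_hash") != at_hash(access_token):
        raise ValueError("at_hash mismatch: access token does not belong to this ID Token")
    return c

KEY, ISSUER = b"demo-shared-secret", "https://server.example.com"

def userinfo(access_token):
    # The provider's UserInfo endpoint, as a constructed lookup: token -> subject.
    return {"tok-issued-to-eves-app": {"sub": "alice"}}[access_token]

def login_access_token_only(access_token):
    # Pseudo-authentication (slide 70): whoever UserInfo says the token belongs to is logged in.
    return userinfo(access_token)["sub"]

def login_with_id_token(id_token, access_token, my_client_id, my_nonce):
    return validate_id_token(id_token, KEY, ISSUER, my_client_id, my_nonce, access_token)["sub"]

def token_swap_demo():
    # Alice signed in at Eve's app, so the provider issued this pair to client "eves-app".
    at = "tok-issued-to-eves-app"
    idt = jws_sign({"iss": ISSUER, "sub": "alice", "aud": "eves-app", "nonce": "eve-nonce",
                    "iat": 1311280970, "exp": 2000000000, "at_hash": at_hash(at)}, KEY)
    # Eve now replays both at Bob's site, where she is supposed to be herself.
    insecure = login_access_token_only(at)  # Bob's site logs Eve in as "alice"
    try:
        secure = login_with_id_token(idt, at, "bobs-site", "bob-nonce")
    except ValueError as e:
        secure = f"rejected: {e}"
    return insecure, secure

def resolve_claims(resp: dict, source_keys: dict, fetch):
    # Aggregated claim: the source's signed JWT travels inside _claim_sources.
    # Distributed claim: only a reference (endpoint + access token) travels; the RP fetches it.
    claims = {k: v for k, v in resp.items() if k not in ("_claim_names", "_claim_sources")}
    for name, src in resp.get("_claim_names", {}).items():
        source = resp["_claim_sources"][src]
        if "JWT" in source:
            claims[name] = jws_verify(source["JWT"], source_keys[src])[name]
        else:
            claims[name] = fetch(source["endpoint"], source.get("access_token"))[name]
    return claims

def claims_demo():
    nyc_jwt = jws_sign({"iss": "https://nyc.example.gov", "address": "135 Broadway, NY, NY"}, b"nyc-key")
    resp = {"sub": "alice", "name": "Alice de Wonderland",
            "_claim_names": {"address": "nyc", "birthdate": "dmv"},
            "_claim_sources": {"nyc": {"JWT": nyc_jwt},
                               "dmv": {"endpoint": "https://dmv.example.gov/claims", "access_token": "dmv-at"}}}
    fetch = lambda endpoint, token: {"birthdate": "1989-03-03"}  # stands in for HTTPS GET with Bearer token
    return resolve_claims(resp, {"nyc": b"nyc-key"}, fetch)
```

The swap fails on the audience check before anything else is consulted: the ID Token names "eves-app" as its audience, so Bob's site cannot mistake it for a token issued to itself, and the nonce and at_hash checks would reject a replayed or mismatched token even if the audience happened to match. The aggregated claim is verified with the data source's own key, not the identity provider's, which is the point of slide 32's "does not disclose data recipients to data sources": the source signed once, without knowing who would eventually read it.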
  74. Claims Requests. Basic requests made using OAuth scopes: openid – declares the request is for OpenID Connect; profile – requests default profile info; email – requests email address & verification status; address – requests postal address; phone – requests phone number & verification status; offline_access – requests Refresh Token issuance. Requests for individual claims can be made using the JSON "claims" request parameter.
  75. Request Object
  76. You can register it at registration time: request_uri (personally recommended)
  77. Authorization Request Example: https://server.example.com/authorize?response_type=token%20id_token&client_id=0acf77d4-b486-4c99-bd76-074ed6a64ddf&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb&scope=openid%20profile&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
  78. Authorization Response Example: HTTP/1.1 302 Found / Location: https://client.example.com/cb#access_token=mF_9.B5f-4.1JqM&token_type=bearer&id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z&expires_in=3600&state=af0ifjsldkj
  79. UserInfo Request Example: GET /userinfo?schema=openid HTTP/1.1 / Host: server.example.com / Authorization: Bearer mF_9.B5f-4.1JqM
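The three messages on slides 77-79 in code, as an added Python example that is not from the deck: building the authorization request with a fresh state and nonce (and, optionally, the JSON "claims" parameter from slide 74), parsing and checking the fragment response, and forming the UserInfo request. The endpoint host, client_id and redirect_uri are the slides' example values; the claims contents are assumed.

```python
# Added example (not code from the slide deck): building the authorization
# request on slide 77, checking the fragment response on slide 78, and forming
# the UserInfo request on slide 79. The endpoint host, client_id and redirect_uri
# are the deck's example values; the claims parameter contents are assumed.
import json
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://server.example.com/authorize"

def new_session() -> dict:
    # state ties the response to this browser session (CSRF defence);
    # nonce ties the ID Token to it (replay defence). Both are kept server-side
    # until the response comes back, then compared.
    return {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}

def build_authz_request(client_id: str, redirect_uri: str, session: dict, claims: dict = None) -> str:
    params = {
        "response_type": "token id_token",   # implicit flow, as on the slide
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    if claims:
        # Individual claims beyond the standard scopes go in the JSON "claims" parameter,
        # e.g. {"userinfo": {"email": {"essential": True}}}.
        params["claims"] = json.dumps(claims, separators=(",", ":"))
    # quote (not quote_plus) so spaces become %20 and the redirect_uri is fully escaped.
    return f"{AUTHZ_ENDPOINT}?{urlencode(params, quote_via=quote)}"

def parse_authz_response(location: str, session: dict) -> dict:
    # The implicit flow returns the tokens in the URL fragment, so they never reach a server log.
    frag = parse_qs(urlsplit(location).fragment)
    if "error" in frag:
        raise ValueError(f"authorization failed: {frag['error'][0]}")
    if frag.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: response is not bound to this session")
    if frag.get("token_type", [""])[0].lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"access_token": frag["access_token"][0],
            "id_token": frag["id_token"][0],
            "expires_in": int(frag["expires_in"][0])}

def userinfo_request(access_token: str) -> str:
    # Raw request as on slide 79: the bearer token rides in the Authorization header, not the URL.
    return ("GET /userinfo HTTP/1.1\r\n"
            "Host: server.example.com\r\n"
            f"Authorization: Bearer {access_token}\r\n\r\n")
```

The id_token returned here still has to be validated (signature, iss, aud, exp, nonce against the session's value, and at_hash against the access_token) before the subject is trusted; the state check only proves the redirect belongs to the session that started the request.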
  80. OpenID Connect Specs Overview
  81. Resources: OpenID Connect – http://openid.net/connect/; OpenID Connect Working Group Mailing List – http://lists.openid.net/mailman/listinfo/openid-specs-ab; OpenID Connect Interop Wiki – http://osis.idcommons.net/; OpenID Connect Interop Mailing List – http://groups.google.com/group/openid-connect-interop; Mike Jones' Blog – http://self-issued.info/; Nat Sakimura's Blog – http://nat.sakimura.org/; John Bradley's Blog – http://www.thread-safe.com/
  82. Current Status: waiting for dependencies to be completed: JWS, JWE, JWA, JWK (IETF JOSE WG); JSON Web Token (JWT) (IETF OAuth WG); WebFinger (IETF Apps WG)
  83. Interop testing underway: AOL, Google, IBM, Layer 7, Mitre, NRI, @nov, Orange, eBay, Gluu, Ping Identity, GÉANT, @ritou, Emmanuel Raviart. 120+ feature tests, 14 implementations
  84. Start Building
  85. Start Building Now!
  86. http://nat.sakimura.org/
