Connect
explained
>>> connect2id.com :: 03/02/14
OpenID Connect Explained
OpenID Connect is
>>> connect2id.com :: 03/02/14
a new Single Sign-On (SSO)
protocol for the inte...
OpenID Connect Explained
OpenID Connect supports
>>> connect2id.com :: 03/02/14
web
clients
native
clients
OpenID Connect Explained
OpenID Connect is good for
>>> connect2id.com :: 03/02/14
consumer
apps
social apps
enterprise
ap...
OpenID Connect Explained
OpenID Connect is backed by
>>> connect2id.com :: 03/02/14
Google Microsoft
Aol Salesforce
eBay
P...
OpenID Connect Explained
The OpenID Connect framework
● Provides a standard SSO protocol on
top of the OAuth 2.0 authorisa...
OpenID Connect Explained
Why base OpenID Connect on
OAuth 2.0?
>>> connect2id.com :: 03/02/14
simple clients
tokens add bu...
OpenID Connect Explained
OAuth 2.0 distilled
● Authorisation framework specified in RFC 6749, forms the basis of OpenID
Co...
OpenID Connect Explained
The two key OpenID Connect
artefacts
>>> connect2id.com :: 03/02/14
ID Token
asserts the user's i...
OpenID Connect Explained
ID token
Resembles the concept of an
identity card, in a standard digital
format that can be veri...
OpenID Connect Explained
ID token encoding
● Encoded as a JSON Web
Token (JWT).
● The claims about the subject
are packed ...
OpenID Connect Explained
Cool ID token uses
● Can be used for basic session management:
– Check if the user is still logge...
OpenID Connect Explained
Access token
Resembles the concept of a
physical token or ticket. Permits
the bearer access to a ...
OpenID Connect Explained
OpenID Connect endpoints
● Core provider endpoints:
– Authorisation endpoint
– Token endpoint
– U...
OpenID Connect Explained
The core provider endpoints
UserInfo endpoint
Authorisation endpoint
Token endpoint
browser redir...
OpenID Connect Explained
Authorisation endpoint
The authorisation endpoint is the only one
where the end-user interacts wi...
OpenID Connect Explained
Token endpoint
● The token endpoint
authenticates the client
application, then lets it exchange
t...
OpenID Connect Explained
UserInfo endpoint
● The UserInfo endpoint is an
OAuth 2.0 protected resource.
● The client applic...
OpenID Connect Explained
Optional endpoints
● WebFinger: enables dynamic discovery of the OpenID Connect provider
for a us...
OpenID Connect Explained
The specifications
● OpenID Connect: http://openid.net/connect
● OAuth 2.0 (RFC 6749): http://too...
Upcoming SlideShare
Loading in...5
×

OpenID Connect Explained

2,838

Published on

OpenID Connect is a simple identity/SSO protocol based on OAuth 2.0. This presentation explains its intent and core business features in 15 slides.

Published in: Technology, Business
0 Comments
10 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,838
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
183
Comments
0
Likes
10
Embeds 0
No embeds

No notes for slide

OpenID Connect Explained

  1. 1. Connect explained >>> connect2id.com :: 03/02/14
  2. 2. OpenID Connect Explained OpenID Connect is >>> connect2id.com :: 03/02/14 a new Single Sign-On (SSO) protocol for the internet
  3. 3. OpenID Connect Explained OpenID Connect supports >>> connect2id.com :: 03/02/14 web clients native clients
  4. 4. OpenID Connect Explained OpenID Connect is good for >>> connect2id.com :: 03/02/14 consumer apps social apps enterprise apps mobile apps
  5. 5. OpenID Connect Explained OpenID Connect is backed by >>> connect2id.com :: 03/02/14 Google Microsoft Aol Salesforce eBay PayPal … us and many others
  6. 6. OpenID Connect Explained The OpenID Connect framework ● Provides a standard SSO protocol on top of the OAuth 2.0 authorisation framework. ● Simple clients, complexity absorbed by the server. ● Any method for authenticating users – LDAP, tokens, biometrics, etc. ● Includes user provisioning. ● Supports optional provider discovery, dynamic client registration and session management. ● Extensible to suit many use cases. ● SAML bridge available. OpenID Connect OAuth 2.0 JOSE + JWT >>> connect2id.com :: 03/02/14
  7. 7. OpenID Connect Explained Why base OpenID Connect on OAuth 2.0? >>> connect2id.com :: 03/02/14 simple clients tokens add business value
  8. 8. OpenID Connect Explained OAuth 2.0 distilled ● Authorisation framework specified in RFC 6749, forms the basis of OpenID Connect. ● An authorisation server issues clients with access tokens (typically bearer) to allow them access to protected HTTP resources. ● The access token is issued in exchange for a valid “grant”: – an explicit or implicit grant by sending the user to the authorisation server to be authenticated and authorise the client request; – password credentials grant where the client passes the user's name and password to the server; – client credentials grant where the client passes its own identifier and password; – JWT or SAML assertion (signed proof of something). ● Each access token has an associated scope and lifetime, and may optionally be refreshed. >>> connect2id.com :: 03/02/14
  9. 9. OpenID Connect Explained The two key OpenID Connect artefacts >>> connect2id.com :: 03/02/14 ID Token asserts the user's identity Access Token provides access to the user's details and other protected HTTP resources
  10. 10. OpenID Connect Explained ID token Resembles the concept of an identity card, in a standard digital format that can be verified by clients. ● Asserts the user's identity. ● Specifies the issuing authority (the IdP). ● May specify how (strength) and when the user was authenticated. ● Is generated for a particular audience (client). ● Has an issue and an expiration date. ● May contain additional subject details such as the user's name, email address and other profile information. ● Is digitally signed, so it can be verified by the intended recipients. ● May optionally be encrypted for confidentiality. >>> connect2id.com :: 03/02/14
  11. 11. OpenID Connect Explained ID token encoding ● Encoded as a JSON Web Token (JWT). ● The claims about the subject are packed in a simple JSON object. ● It is signed. Typically with the provider's private RSA key or a shared secret (HMAC) issued to the client during registration. ● Is URL-safe. {    "iss"       : "https://c2id.com",    "sub"       : "alice",    "aud"       : "s6BhdRkqt3",    "nonce"     : "n­0S6_WzA2Mj",    "exp"       : 1311281970,    "iat"       : 1311280970,    "auth_time" : 1311280969,    "acr"       : "urn:2fa",    "at_hash"   : "MTI..."  } >>> connect2id.com :: 03/02/14
  12. 12. OpenID Connect Explained Cool ID token uses ● Can be used for basic session management: – Check if the user is still logged in with the OpenID Connect provider. – Initiate logout at the OpenID Connect provider. ● May be passed to third authorised parties to assert the user's identity. ● May be exchanged for an OAuth 2.0 access token at the token endpoint of an OAuth 2.0 authorisation server. The access token can then be used to make HTTP requests to one or more protected resources. This feature has uses in distributed and enterprise applications. >>> connect2id.com :: 03/02/14
  13. 13. OpenID Connect Explained Access token Resembles the concept of a physical token or ticket. Permits the bearer access to a specific resource or service. Has typically an expiration associated with it. ● OAuth 2.0 access tokens are employed in OpenID Connect to allow the client application to retrieve consented information about the user from the server, thus facilitating a form of user provisioning. ● The server may extend the access token scope to allow the client access to other protected resources and web APIs. ● The client treats the access token as simple opaque string to be passed with the HTTP request to the protected resource. ● The OAuth 2.0 spec gives server implementers complete flexibility in how the tokens are implemented and verified. >>> connect2id.com :: 03/02/14
  14. 14. OpenID Connect Explained OpenID Connect endpoints ● Core provider endpoints: – Authorisation endpoint – Token endpoint – UserInfo endpoint ● Optional provider endpoints: – WebFinger endpoint – Provider configuration URI – Provider JWK set URI – Client registration endpoint – Session management endpoint HTTP Endpoints >>> connect2id.com :: 03/02/14
  15. 15. OpenID Connect Explained The core provider endpoints UserInfo endpoint Authorisation endpoint Token endpoint browser redirect to provider browser redirect back to client grant (e.g. code) access token user info ID token, access token Authenticates the user, asks for their consent Returns tokens if the client has been authorised Protected resource, returns user details >>> connect2id.com :: 03/02/14
  16. 16. OpenID Connect Explained Authorisation endpoint The authorisation endpoint is the only one where the end-user interacts with the OpenID Connect provider. The other endpoints are meant for handling direct back - channel requests from the client application. ● The client application redirects the user's browser to the authorisation endpoint of the OpenID Connect server to authenticate. ● If the user has an active session with the OpenID Connect provider authentication may be skipped. ● If the client application has requested access to the user's details (name, contact info, etc) a consent screen is presented. ● The browser is sent back to the client application with the encoded authentication result - authorisation code, ID token and/or access token. >>> connect2id.com :: 03/02/14
  17. 17. OpenID Connect Explained Token endpoint ● The token endpoint authenticates the client application, then lets it exchange the code received from the authorisation endpoint for an ID token and access token. ● The client authentication is meant to prevent token leaks to unauthorised parties. ● Being an OAuth 2.0 token endpoint it may also accept other grant types to issue tokens. authorisation code ID token + access token >>> connect2id.com :: 03/02/14
  18. 18. OpenID Connect Explained UserInfo endpoint ● The UserInfo endpoint is an OAuth 2.0 protected resource. ● The client application must pass the access token it was issued in order to access it. ● The UserInfo returns consented profile information to the client application. ● The profile information is intended to facilitate user provisioning. ● It is JSON encoded and may optionally be packaged as a JWT that is signed or encrypted. { “sub” : “alice”, “name” : “Alice Adams”, “email” : “alice@wonderland.net”, “website” : “http://alice.me”, “picture” : “http://alice.me/pic.jpg”, “birthdate” : “1980-05-31” } UserInfo >>> connect2id.com :: 03/02/14
  19. 19. OpenID Connect Explained Optional endpoints ● WebFinger: enables dynamic discovery of the OpenID Connect provider for a user based on their email address. ● Provider configuration URI: well-known URI returning endpoint and other provider information such as optional capabilities; the client applications can use it to configure their OpenID Connect requests to the provider. ● Provider JWK set URI: JSON document containing the provider's public (typically RSA) keys in JSON Web Key (JWK) format; these keys are used to secure the issued ID tokens and other artefacts. ● Client registration: enables client applications to register dynamically, then update their details or unregister; registration may be open (public). ● Session management: enables client applications to check if a logged in user has still an active session with the OpenID Connect provider; also to signal logout. >>> connect2id.com :: 03/02/14
  20. 20. OpenID Connect Explained The specifications ● OpenID Connect: http://openid.net/connect ● OAuth 2.0 (RFC 6749): http://tools.ietf.org/html/rfc6749 ● OAuth 2.0 Bearer token (RFC 6750): http://tools.ietf.org/html/rfc6750 ● JSON Web Signature: http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-20 ● JSON Web Encryption: http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-20 ● JSON Web Key: http://tools.ietf.org/html/draft-ietf-jose-json-web-key-20 ● JSON Web Token: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-15 >>> connect2id.com :: 03/02/14
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×