Your SlideShare is downloading. ×
  • Like
OpenID Connect Explained
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

OpenID Connect Explained


OpenID Connect is a simple identity/SSO protocol based on OAuth 2.0. This presentation explains its intent and core business features in 15 slides.

OpenID Connect is a simple identity/SSO protocol based on OAuth 2.0. This presentation explains its intent and core business features in 15 slides.

Published in Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Connect explained >>> :: 03/02/14
  • 2. OpenID Connect Explained OpenID Connect is >>> :: 03/02/14 a new Single Sign-On (SSO) protocol for the internet
  • 3. OpenID Connect Explained OpenID Connect supports >>> :: 03/02/14 web clients native clients
  • 4. OpenID Connect Explained OpenID Connect is good for >>> :: 03/02/14 consumer apps social apps enterprise apps mobile apps
  • 5. OpenID Connect Explained OpenID Connect is backed by >>> :: 03/02/14 Google Microsoft Aol Salesforce eBay PayPal … us and many others
  • 6. OpenID Connect Explained The OpenID Connect framework ● Provides a standard SSO protocol on top of the OAuth 2.0 authorisation framework. ● Simple clients, complexity absorbed by the server. ● Any method for authenticating users – LDAP, tokens, biometrics, etc. ● Includes user provisioning. ● Supports optional provider discovery, dynamic client registration and session management. ● Extensible to suit many use cases. ● SAML bridge available. OpenID Connect OAuth 2.0 JOSE + JWT >>> :: 03/02/14
  • 7. OpenID Connect Explained Why base OpenID Connect on OAuth 2.0? >>> :: 03/02/14 simple clients tokens add business value
  • 8. OpenID Connect Explained OAuth 2.0 distilled ● Authorisation framework specified in RFC 6749, forms the basis of OpenID Connect. ● An authorisation server issues clients with access tokens (typically bearer) to allow them access to protected HTTP resources. ● The access token is issued in exchange for a valid “grant”: – an explicit or implicit grant by sending the user to the authorisation server to be authenticated and authorise the client request; – password credentials grant where the client passes the user's name and password to the server; – client credentials grant where the client passes its own identifier and password; – JWT or SAML assertion (signed proof of something). ● Each access token has an associated scope and lifetime, and may optionally be refreshed. >>> :: 03/02/14
  • 9. OpenID Connect Explained The two key OpenID Connect artefacts >>> :: 03/02/14 ID Token asserts the user's identity Access Token provides access to the user's details and other protected HTTP resources
  • 10. OpenID Connect Explained ID token Resembles the concept of an identity card, in a standard digital format that can be verified by clients. ● Asserts the user's identity. ● Specifies the issuing authority (the IdP). ● May specify how (strength) and when the user was authenticated. ● Is generated for a particular audience (client). ● Has an issue and an expiration date. ● May contain additional subject details such as the user's name, email address and other profile information. ● Is digitally signed, so it can be verified by the intended recipients. ● May optionally be encrypted for confidentiality. >>> :: 03/02/14
  • 11. OpenID Connect Explained ID token encoding ● Encoded as a JSON Web Token (JWT). ● The claims about the subject are packed in a simple JSON object. ● It is signed. Typically with the provider's private RSA key or a shared secret (HMAC) issued to the client during registration. ● Is URL-safe. {    "iss"       : "",    "sub"       : "alice",    "aud"       : "s6BhdRkqt3",    "nonce"     : "n­0S6_WzA2Mj",    "exp"       : 1311281970,    "iat"       : 1311280970,    "auth_time" : 1311280969,    "acr"       : "urn:2fa",    "at_hash"   : "MTI..."  } >>> :: 03/02/14
  • 12. OpenID Connect Explained Cool ID token uses ● Can be used for basic session management: – Check if the user is still logged in with the OpenID Connect provider. – Initiate logout at the OpenID Connect provider. ● May be passed to third authorised parties to assert the user's identity. ● May be exchanged for an OAuth 2.0 access token at the token endpoint of an OAuth 2.0 authorisation server. The access token can then be used to make HTTP requests to one or more protected resources. This feature has uses in distributed and enterprise applications. >>> :: 03/02/14
  • 13. OpenID Connect Explained Access token Resembles the concept of a physical token or ticket. Permits the bearer access to a specific resource or service. Has typically an expiration associated with it. ● OAuth 2.0 access tokens are employed in OpenID Connect to allow the client application to retrieve consented information about the user from the server, thus facilitating a form of user provisioning. ● The server may extend the access token scope to allow the client access to other protected resources and web APIs. ● The client treats the access token as simple opaque string to be passed with the HTTP request to the protected resource. ● The OAuth 2.0 spec gives server implementers complete flexibility in how the tokens are implemented and verified. >>> :: 03/02/14
  • 14. OpenID Connect Explained OpenID Connect endpoints ● Core provider endpoints: – Authorisation endpoint – Token endpoint – UserInfo endpoint ● Optional provider endpoints: – WebFinger endpoint – Provider configuration URI – Provider JWK set URI – Client registration endpoint – Session management endpoint HTTP Endpoints >>> :: 03/02/14
  • 15. OpenID Connect Explained The core provider endpoints UserInfo endpoint Authorisation endpoint Token endpoint browser redirect to provider browser redirect back to client grant (e.g. code) access token user info ID token, access token Authenticates the user, asks for their consent Returns tokens if the client has been authorised Protected resource, returns user details >>> :: 03/02/14
  • 16. OpenID Connect Explained Authorisation endpoint The authorisation endpoint is the only one where the end-user interacts with the OpenID Connect provider. The other endpoints are meant for handling direct back - channel requests from the client application. ● The client application redirects the user's browser to the authorisation endpoint of the OpenID Connect server to authenticate. ● If the user has an active session with the OpenID Connect provider authentication may be skipped. ● If the client application has requested access to the user's details (name, contact info, etc) a consent screen is presented. ● The browser is sent back to the client application with the encoded authentication result - authorisation code, ID token and/or access token. >>> :: 03/02/14
  • 17. OpenID Connect Explained Token endpoint ● The token endpoint authenticates the client application, then lets it exchange the code received from the authorisation endpoint for an ID token and access token. ● The client authentication is meant to prevent token leaks to unauthorised parties. ● Being an OAuth 2.0 token endpoint it may also accept other grant types to issue tokens. authorisation code ID token + access token >>> :: 03/02/14
  • 18. OpenID Connect Explained UserInfo endpoint ● The UserInfo endpoint is an OAuth 2.0 protected resource. ● The client application must pass the access token it was issued in order to access it. ● The UserInfo returns consented profile information to the client application. ● The profile information is intended to facilitate user provisioning. ● It is JSON encoded and may optionally be packaged as a JWT that is signed or encrypted. { “sub” : “alice”, “name” : “Alice Adams”, “email” : “”, “website” : “”, “picture” : “”, “birthdate” : “1980-05-31” } UserInfo >>> :: 03/02/14
  • 19. OpenID Connect Explained Optional endpoints ● WebFinger: enables dynamic discovery of the OpenID Connect provider for a user based on their email address. ● Provider configuration URI: well-known URI returning endpoint and other provider information such as optional capabilities; the client applications can use it to configure their OpenID Connect requests to the provider. ● Provider JWK set URI: JSON document containing the provider's public (typically RSA) keys in JSON Web Key (JWK) format; these keys are used to secure the issued ID tokens and other artefacts. ● Client registration: enables client applications to register dynamically, then update their details or unregister; registration may be open (public). ● Session management: enables client applications to check if a logged in user has still an active session with the OpenID Connect provider; also to signal logout. >>> :: 03/02/14
  • 20. OpenID Connect Explained The specifications ● OpenID Connect: ● OAuth 2.0 (RFC 6749): ● OAuth 2.0 Bearer token (RFC 6750): ● JSON Web Signature: ● JSON Web Encryption: ● JSON Web Key: ● JSON Web Token: >>> :: 03/02/14