OpenID Connect Demo at OpenID Tech Night

Notes
  • A very quick overview of OpenID Connect: OpenID Connect is an identity layer built on top of OAuth.
  • How OpenID Connect differs from other protocols. From OpenID: a simple discovery mechanism and support for every level of LoA. From SAML: a simple assertion format and support for both web and native apps. From OAuth 2.0: verification of the user's identity by the client; profiles for the encryption, signing and token formats of the objects returned from endpoints; dynamic client registration; and so on.
  • idTrade, the identity infrastructure: OpenID Connect Provider; 1st-mile authN service; OAuth 2.0 AS; OAuth 2.0 RS (userinfo); API platform, including OAuth 2.0-only resource services. StockExpert: a web application that needs SSO and API access.
  • Step 1: The request goes out with scope "openid profile portfolio". This means the token you get back can be used at the userinfo endpoint and at the portfolio endpoint. An authorization code comes back: it is a short-lived token, should only be used once, and should be traded immediately.
  • Step 2: The authorization code is traded for an access token and id_token in the BACK CHANNEL.
  • Step 3: The access token is used to access user information.
  • Some time later (the user may not be present) the portfolio API may be called.
  • Pieces: identity infrastructure (OpenID Connect Provider; 1st-mile authN service; OAuth 2.0 AS; OAuth 2.0 RS (userinfo)) and API platform (includes OAuth 2.0-only resource services).

    1. OpenID Connect Demonstration. 福家 大輔, dfuke@pingidentity.com, Ping Identity Corporation. Web: https://www.pingidentity.jp. Copyright ©2012 Ping Identity Corporation. All rights reserved.
    2. A taste of OpenID Connect • OpenID Connect Workshop …
    3. Elevator Pitch: OpenID Connect is an identity layer built on top of OAuth 2.0, which offers secure API and federated sign-on services to clients using a single REST-based mechanism. (Image: http://www.flickr.com/photos/joits/3214054244)
    4. Differentiators
        • From OpenID 2.0:
          – Simplified discovery mechanism
          – Ability to achieve all levels of assurance in one protocol
        • From SAML:
          – Simplified assertion format
          – Focus on both web and native applications
        • From OAuth 2.0:
          – Validates identity of user to the client
          – Profiles use of encryption, signing, token formats, objects returned from endpoints
          – Dynamic Client Registration
        • From all: OpenID Connect REQUIRES TLS
        (Image: http://www.flickr.com/photos/40348123@N02/3996348907)
    5. OAuth Protocol Is the Base

        +--------+                                           +---------------+
        |        |--(A)------- Authorization Grant --------->|               |
        |        |                                           |               |
        |        |<-(B)----------- Access Token -------------|               |
        |        |               & Refresh Token             |               |
        |        |                                           |               |
        |        |                            +----------+   |               |
        |        |--(C)---- Access Token ---->|          |   |               |
        |        |                            |          |   |               |
        |        |<-(D)- Protected Resource --| Resource |   | Authorization |
        | Client |                            |  Server  |   |     Server    |
        |        |--(E)---- Access Token ---->|          |   |               |
        |        |                            |          |   |               |
        |        |<-(F)- Invalid Token Error -|          |   |               |
        |        |                            +----------+   |               |
        |        |                                           |               |
        |        |--(G)----------- Refresh Token ----------->|               |
        |        |                                           |               |
        |        |<-(H)----------- Access Token -------------|               |
        +--------+           & Optional Refresh Token        +---------------+
    6. OpenID Connect Overlays

            RP                                                  OP
        +--------+                                           +---------------+
        |        |--(A)------- Authorization Grant --------->|               |
        |        |               Scope: openid               |               |
        |        |<-(B)----------- Access Token -------------|               |
        |        |               & Refresh Token             |               |
        |        |               & ID Token                  |               |
        |        |                            +----------+   |               |
        |        |--(C)---- Access Token ---->|          |   |               |
        |        |                            | User Info|   |               |
        |        |<-(D)- Protected Resource --| Resource |   | Authorization |
        | Client |                            |  Server  |   |     Server    |
        |        |--(E)---- Access Token ---->|          |   |               |
        |        |                            |          |   |               |
        |        |<-(F)- Invalid Token Error -|          |   |               |
        |        |                            +----------+   |               |
        |        |                                           |               |
        |        |--(G)----------- Refresh Token ----------->|               |
        |        |                                           |               |
        |        |<-(H)----------- Access Token -------------|               |
        +--------+           & Optional Refresh Token        +---------------+
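Steps (C) through (H) of the diagram above, the expired-token and refresh leg, as an added example that is not part of the original deck or of Ping Identity's software: a toy authorization server, the portfolio resource server and a client that answers the Invalid Token Error by refreshing once and retrying. It is also the "some time later, user may not be present" portfolio call from the speaker notes. The fake clock, the token lifetimes, the RFC 6750-style 401 challenge, the rotation of refresh tokens and the sample portfolio data are constructed assumptions; only the Python standard library is used.

```python
import secrets

class Clock:
    """Fake clock so the example can 'wait' for the access token to expire offline."""
    def __init__(self, now: int = 1_000_000):
        self.now = now
    def advance(self, seconds: int) -> None:
        self.now += seconds

class ToyAuthServer:
    """Issues bearer access tokens with a lifetime and rotating refresh tokens (assumption)."""
    def __init__(self, clock: Clock):
        self.clock, self.access, self.refresh = clock, {}, {}

    def issue(self, sub: str, ttl: int = 3600) -> dict:
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[at] = (sub, self.clock.now + ttl)
        self.refresh[rt] = sub
        return {"access_token": at, "refresh_token": rt, "token_type": "Bearer", "expires_in": ttl}

    def refresh_grant(self, refresh_token: str) -> dict:
        """Steps (G)/(H): the used refresh token is retired and a fresh pair is issued."""
        sub = self.refresh.pop(refresh_token, None)
        return self.issue(sub) if sub else {"error": "invalid_grant"}

    def active_subject(self, access_token: str):
        """What the resource server needs: who owns this token, and is it still valid?"""
        sub, exp = self.access.get(access_token, (None, 0))
        return sub if sub and exp > self.clock.now else None

class PortfolioResource:
    """OAuth 2.0 resource server for the portfolio API (steps C/D and E/F)."""
    def __init__(self, auth: ToyAuthServer):
        self.auth = auth
    def get(self, headers: dict):
        value = headers.get("Authorization", "")
        sub = self.auth.active_subject(value[7:]) if value.startswith("Bearer ") else None
        if sub is None:   # RFC 6750 style challenge: the client must not retry with the same token
            return 401, {"WWW-Authenticate": 'Bearer realm="portfolio", error="invalid_token"'}, None
        return 200, {}, {"owner": sub, "positions": [{"symbol": "XYZ", "qty": 10}]}   # constructed data

class StockExpertClient:
    """Holds the token pair; refreshes once on an invalid_token challenge, never in a loop."""
    def __init__(self, auth: ToyAuthServer, api: PortfolioResource, tokens: dict):
        self.auth, self.api, self.tokens, self.refreshes = auth, api, tokens, 0

    def fetch_portfolio(self):
        status, hdrs, body = self.api.get({"Authorization": "Bearer " + self.tokens["access_token"]})
        if status == 401 and 'error="invalid_token"' in hdrs.get("WWW-Authenticate", ""):
            renewed = self.auth.refresh_grant(self.tokens.get("refresh_token", ""))
            if "error" in renewed:
                raise PermissionError("refresh rejected: the user must sign in again")
            self.tokens, self.refreshes = renewed, self.refreshes + 1
            status, hdrs, body = self.api.get({"Authorization": "Bearer " + self.tokens["access_token"]})
        return status, body

def run_demo() -> dict:
    clock = Clock()
    auth = ToyAuthServer(clock)
    client = StockExpertClient(auth, PortfolioResource(auth), auth.issue("alice", ttl=3600))
    old_refresh = client.tokens["refresh_token"]
    first_status, _ = client.fetch_portfolio()            # (C)/(D): token still valid
    clock.advance(7200)                                   # "some time later", user not present
    later_status, body = client.fetch_portfolio()         # (E)/(F), then (G)/(H), then (C)/(D) again
    stale = auth.refresh_grant(old_refresh)               # the rotated-out refresh token is dead
    return {"first": first_status, "later": later_status, "owner": body["owner"],
            "refreshes": client.refreshes, "stale_refresh": stale.get("error")}
```

The client refreshes at most once per call and only on an explicit invalid_token challenge, so a resource server that is simply down cannot drive it into a refresh storm, and a refresh token that the server rejects ends the session rather than being retried.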
    7. Spec Family
    8. Spec Family
        • Minimal Profiles for Simple Relying Parties
          – Basic Client (code flow)
          – Implicit Client (token flow)
        • Complete Profiles for OpenID Providers & Complex RPs
          – Messages
          – Standard (HTTP Binding)
        • Additional Functionality
          – Discovery
          – Dynamic Client Registration
          – Session Management
    9. About the demo
        • The demo our CTO, Patrick Harding, gave at CIS2012
          – WebApp
          – MobileApp
        • Assumed scenario
          • Trading stocks on a site for stock traders
        • Cast
          • StockExpert
            • A site for stock traders
            • Trades stocks through the API provided by a brokerage
            • Provides a WebApp and a MobileApp
          • idTrade
            • The brokerage that provides the stock-trading API
            • Uses OpenID Connect for authentication and authorization
    10. WebApp demo: components
        • idTrade: OpenID Connect provider (Authentication service, 1st mile; OAuth 2.0 authZ service; UserInfo OAuth 2.0 resource service) and API platform (TradeInfo OAuth 2.0 resource service, labelled Portfolio service on the following slides)
        • StockExpert: Mobile app and Web app, each an OpenID Connect relying party and OAuth 2.0 client
    11. WebApp demo: 1. Request (web app to the idTrade authorization service); 2. Code (returned to the web app)
    12. WebApp demo: 3. Code (web app to the authZ service, back channel); 4. Access token & id_token (returned to the web app)
    13. WebApp demo: 5. Access token (web app to the UserInfo service); 6. User info
    14. WebApp demo: 5. Access token (web app to the Portfolio service); 6. API content
    15. WebApp demo: Basic Client Profile flow used at the web app (response type: code). Participants: Browser, StockExpert Web App (RP), OP Authorization Service, OP UserInfo Endpoint, Other APIs (the last three columns labelled OpenID Connect, OAuth 2.0 and OAuth 2.0).
        Front channel:
          User clicks Sign-in
          1. OpenID Connect Basic Profile authorization request: response_type=code, scope=openid
          AuthN/Consent at the OP; OP session created
          2. AuthZ code (C) returned from OP
        Back channel:
          3. AuthZ code (C) traded for id_token (I) and access token (T)
          4. Possible call to userinfo endpoint (T) to populate session
        RP session created
        Front channel: content returned
        Back channel: API calls (T) as needed
        Note: token refresh not shown. Legend: I = ID Token, C = AuthZ Code, T = Access Token
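The code flow of speaker-note steps 1 to 3 and of this slide, as an added example that is not part of the original deck or of Ping Identity's software: a toy OP and a StockExpert-style RP in one Python file so it runs offline. The issuer, client_id, client_secret, redirect URI, the user "alice", the 60-second code lifetime and the HS256-signed ID token are constructed assumptions; only the standard library is used.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://op.idtrade.example"         # constructed OP issuer (not from the slides)
CLIENT_ID = "stockexpert-web"                 # constructed RP registration data
CLIENT_SECRET = secrets.token_urlsafe(32)     # shared with the RP at client registration
REDIRECT_URI = "https://stockexpert.example/oidc/callback"
CODE_TTL = 60                                 # seconds: the authorization code is short-lived

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: str) -> str:
    head = b64url(json.dumps({"alg": "HS256"}).encode())   # HS256 is allowed for a confidential client
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_id_token(token: str, key: str, nonce: str) -> dict:
    """RP-side checks: signature (always HS256; the header is not trusted), iss, aud, exp, nonce."""
    head, body, sig = token.split(".")
    expected = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if (claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID
            or claims.get("exp", 0) <= time.time() or claims.get("nonce") != nonce):
        raise ValueError("iss/aud/exp/nonce check failed")
    return claims

class ToyOP:
    def __init__(self):   # code -> request data; access_token -> (sub, scope); one constructed user
        self.codes, self.tokens, self.users = {}, {}, {"alice": {"name": "Alice Trader"}}

    def authorize(self, request_url: str, sub: str) -> str:
        """Front channel (step 1): the user has authenticated and consented, so issue a code."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
        if (q.get("response_type") != "code" or "openid" not in q.get("scope", "").split()
                or q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI):
            raise ValueError("malformed or unregistered authorization request")
        code = secrets.token_urlsafe(24)
        self.codes[code] = dict(q, sub=sub, issued=time.time())
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form: dict, client_id: str, client_secret: str) -> dict:
        """Back channel (step 2): trade the code exactly once, within its lifetime."""
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            return {"error": "invalid_client"}
        entry = self.codes.pop(form.get("code"), None)      # pop: a code is single use
        if (entry is None or entry["redirect_uri"] != form.get("redirect_uri")
                or time.time() - entry["issued"] > CODE_TTL):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (entry["sub"], entry["scope"])
        claims = {"iss": ISSUER, "sub": entry["sub"], "aud": CLIENT_ID,
                  "exp": int(time.time()) + 300, "nonce": entry.get("nonce")}
        return {"access_token": access_token, "id_token": sign_hs256(claims, CLIENT_SECRET)}

    def userinfo(self, bearer: str) -> dict:   # step 3: an ordinary OAuth 2.0 protected resource
        sub, scope = self.tokens.get(bearer, (None, ""))
        if sub is None:
            return {"error": "invalid_token"}
        return {"sub": sub, **(self.users[sub] if "profile" in scope.split() else {})}

PENDING = {}   # RP state -> nonce; in a real web app this lives in the browser session

def start_login() -> str:
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    PENDING[state] = nonce
    return f"{ISSUER}/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile portfolio", "state": state, "nonce": nonce})

def handle_callback(op: ToyOP, redirect_url: str) -> dict:
    """RP callback: check state, trade the code, validate the ID token, build the session."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    nonce = PENDING.pop(q.get("state"), None)
    if nonce is None:
        raise ValueError("unknown state (possible CSRF)")
    resp = op.token({"grant_type": "authorization_code", "code": q.get("code"),
                     "redirect_uri": REDIRECT_URI}, CLIENT_ID, CLIENT_SECRET)
    if "error" in resp:
        raise ValueError(resp["error"])
    claims = verify_id_token(resp["id_token"], CLIENT_SECRET, nonce)
    info = op.userinfo(resp["access_token"])               # step 4 on slide 15
    if info.get("sub") != claims["sub"]:
        raise ValueError("userinfo sub differs from id_token sub")
    # The access token stays in the session so the portfolio API can be called later.
    return {"sub": claims["sub"], "name": info.get("name"), "access_token": resp["access_token"]}

def run_demo() -> dict:
    op = ToyOP()
    redirect = op.authorize(start_login(), sub="alice")     # the user signs in at the OP
    session = handle_callback(op, redirect)
    replay = {"grant_type": "authorization_code", "redirect_uri": REDIRECT_URI,
              "code": parse_qs(urlsplit(redirect).query)["code"][0]}   # the already-used code
    return {"session": session, "replay_error": op.token(replay, CLIENT_ID, CLIENT_SECRET).get("error")}
```

The replay at the end of run_demo() is why the notes say a code should be used once and traded immediately: the token endpoint pops the code on first use and answers invalid_grant afterwards. Against a real OP the RP would verify an RS256 signature against the provider's published keys instead of a shared secret, and, as slide 4 states, every endpoint here is reached over TLS only.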
    16. MobileApp demo: components (as on slide 10; the API platform resource is the Portfolio service)
    17. MobileApp demo: 1. Request (mobile app to the idTrade authorization service); 2. Access token & ID token (returned directly to the mobile app, with no code exchange, as in the token flow of slide 8)
    18. MobileApp demo: 3. Access token (mobile app to the UserInfo service); 4. User info
    19. MobileApp demo: 1. Access token (mobile app to the Portfolio service); 2. API content
    20. The End
