IIW 16th Report at #idcon

  1. IIW #16 Report, @nov
  2. http://iiw.idcommons.net/IIW_16_Notes
  3. Mobile SSO - Enterprise (Sascha Preibisch, Layer7). Similar talk: http://www.slideshare.net/rnewton/xapp-sso-flascellescsa2013. Concept: store the ID Token in the "Shared Keychain"; only for iOS apps; generate an RSA key pair on the client side (optional); during white-listed apps by admin; "msso" scope for an SSO-enabled ID Token.
  4. [Diagram: apps A1 and A2, each with a Local Keychain holding an Access Token and an ID Token; the Shared Keychain holds the ID Token + Access Token; steps 1 to 5]
  5. [Diagram: app A1 with a Local Keychain (Access Token, ID Token) and the Shared Keychain (ID Token + Access Token); app B1: NG; steps 1, 2, 2]
  6. Mobile SSO - Device to Browser (George Fletcher, AOL). Similar talk: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20121231/002768.html. Concept: "websso" scope; down-scope via token refresh; pass an ID Token from the native app to the browser and skip login.
  7. Auth @ Google - Next 5 Years (Eric Sachs, Google). Reference: https://docs.google.com/document/d/1r9qnZUehCbtkQR86Wp-sJR2Zu6sHx47queuqmegW2PY. Summary follows.
  8. Past 5 years: risk-based 2-factor authentication; OpenID (no new passwords!); OAuth (no password sharing!).
  9. Good News
  10. Bad News: OpenID migration is hard (usability, account linking issues, https://docs.google.com/document/pub?id=1O7jyQLb7dW6EnJrFsWZDyh0Yq0aFJU5UJ4i5QzYlTjU); account recovery is their Achilles heel.
  11. Next 5 years: Setup, not Sign-in; Reduce Bearer Tokens; Smarter Hardware; Beyond Bootstrapping; Advanced Combination.
  12. Setup, not Sign-in: Login Once vs. Login Each Time.
  13. Setup, not Sign-in: Login Once, Login Once; OS-level AccountManager.
  14. Reduce Bearer Tokens. Bearer tokens? OAuth 2.0 access tokens, JWT bearer tokens... and session cookies!
  15. Reduce Bearer Tokens: Cookie ID, a self-signed cookie (probably like a self-issued IdP's ID Token?), http://tools.ietf.org/html/draft-balfanz-tls-channelid; already available in Chrome.
  16. chrome://settings/cookies (screenshot)
  17. Smarter Hardware (image slide)
  18. Smarter Hardware (image slide)
  19. Smarter Hardware: authorize a new device by having an existing device talk to it via a cryptographic protocol.
  20. Smarter Hardware: authorize a new device by having an existing device talk to it via a cryptographic protocol?
  21. Smarter Hardware: U2F (Universal Second Factor), an open ecosystem of small, robust "keychain devices"; FIDO Alliance, http://www.fidoalliance.org.
  22. OAuth & JOSE @ BlueButton+ (Justin Richer, MITRE). Actual title was "Blue Button and Patient Health Records using OAuth, JOSE". Reference: http://blue-button.github.io/blue-button-plus-pull/. Concept: an OAuth 2.0 Dynamic Client Registration use case, "Trusted Registration".
  23. Blue Button (ref: http://www.healthit.gov/patients-families/blue-button/about-blue-button): "Blue Button" is a way for you to get easy, secure online access to your health information.... America's health care system is rapidly going digital, and health care providers, insurance companies and others are starting to give patients and consumers access to their health information electronically through "Blue Button".
  24. BlueButton+ Pull API: an OAuth 2 API for RESTful access to patient data and for bootstrapping DIRECT-based information exchange (ref: http://blue-button.github.io/blue-button-plus-pull/).
  25. [Diagram: actors Registry, AuthZ & Resource Server, Resource Owner, Client]
  26. Client "class" and "instance". The "class" is registered to the registry; the registration method is out of scope (e.g. manual); this establishes a "registration_jwt" as a JWT Bearer token. The "instance" is dynamically registered to the authorization server via OAuth 2.0 Dynamic Client Registration, presenting the "registration_jwt" token for "Trusted Registration".
  27. [Diagram: Registry, AuthZ & Resource Server, Resource Owner, Client; Trust between Registry and AuthZ server; Register "class" at the Registry, Register "instance" at the AuthZ server]
  28. Discovery: Registry discovery @ Registry (get registry endpoints, public keys, etc.); Providers discovery @ Registry (get trusted providers list); Provider discovery @ Provider (get single provider metadata); Apps discovery @ Registry (get trusted apps list).
  29. [Diagram: Registry, AuthZ & Resource Server, Resource Owner, Client; Discovery of Registry Metadata, Trusted Providers, Trusted Apps, Provider Metadata]
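As an added example (not from the deck or the BlueButton+ project), the "Trusted Registration" flow of slides 26 to 29 in Python: the registry mints a registration_jwt for a manually registered client class, and the authorization server's dynamic registration endpoint issues a client_id to an instance only after verifying that token. The claim names, the issuer URL and the HS256 shared key are assumptions; since registry discovery publishes public keys, a real verifier would check an asymmetric signature with those keys instead.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo values. HS256 keeps this stdlib-only; a deployment would verify
# an asymmetric signature using the registry public keys obtained via discovery.
REGISTRY_KEY = b"constructed-registry-signing-secret"
REGISTRY_ISS = "https://registry.example"  # assumed registry identifier

def _b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_registration_jwt(class_id, software_name, ttl=3600, now=None):
    """Registry side: mint the registration_jwt for a registered client class.
    Claim names are assumptions; the deck only says it is a JWT Bearer token."""
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"iss": REGISTRY_ISS, "sub": class_id,
                              "software_name": software_name,
                              "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(REGISTRY_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"

def verify_registration_jwt(token, now=None):
    """AS side: return the class claims, or raise ValueError if the token is not trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    if json.loads(_unb64(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg=none and algorithm swaps
    expected = hmac.new(REGISTRY_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(p))
    if claims.get("iss") != REGISTRY_ISS:
        raise ValueError("untrusted issuer")
    if int(time.time() if now is None else now) >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims

def register_instance(request, now=None):
    """AS dynamic-registration endpoint: an instance gets a client_id only when it
    presents a valid registration_jwt and matches the class that token describes."""
    claims = verify_registration_jwt(request["registration_jwt"], now)
    if request.get("software_name") != claims["software_name"]:
        raise ValueError("instance does not match its registered class")
    return {"client_id": "client-" + secrets.token_hex(8), "client_class": claims["sub"],
            "redirect_uris": list(request.get("redirect_uris", []))}
```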
  30. [Appendix] Push Authorization: http://blue-button.github.io/blue-button-plus-pull/#push-authorization