Self-issued IdP

  1. Identity in Your Device (@nov)
  2. OS, Browser, Mobile Apps
  3. Self-Issued OpenID Provider
     - Personal OP that issues self-signed ID Tokens
     - No central IdP servers
     - Defined in OpenID Connect Messages
     - Any apps / devices with secure storage, e.g. an iOS app with Keychain
  4. 1) Launches “openid://?client_id=client://callback&..”
        - No discovery (static OP config)
        - No client registration (client_id = redirect_uri)
     2) End-user approval
     3) Self-issued ID Token generation
        - Generate an RSA key pair on the device (only once)
        - “sub” is automatically calculated from the public key
     4) Back to “client://callback#id_token=...”
        - No API available, thus no Access Token
     5) ID Token verification
  5. Static OP Config
  6. The sub (subject) Claim value is the base64url encoded SHA-256 hash of the concatenation of the bytes of the UTF-8 representations of the base64url encoded key values in the sub_jwk Claim. (OpenID Connect Messages draft 18, Section 6.5)
  7. JWK - JSON Web Key
  8. “sub” calculated from JWK: hash of the key values
  9. Self-Issued ID Token
  10. Device specific key pair → Device specific ID Token
  11. No verified emails, no verified profile
  12. Holder of Key
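The sub derivation from slide 6 and the ID Token verification step from slide 4, as an added Python example that is not part of the slides: it computes sub from an RSA sub_jwk the way the slide text describes (concatenate the base64url key values, SHA-256, base64url) and gives a relying party the check that a token's sub is actually bound to its own sub_jwk. The member order (n then e) and the sample JWK are assumptions of this example; the modulus is a placeholder, not a usable key.

```python
import base64
import hashlib
import hmac

# Constructed sample sub_jwk, not a key from the slides. The modulus is a
# placeholder string in base64url form, not a usable RSA modulus.
SAMPLE_SUB_JWK = {
    "kty": "RSA",
    "n": "sample-modulus-placeholder_NOT_A_REAL_RSA_KEY_0123456789",
    "e": "AQAB",
}

# JWK members that carry the key value. The slide text states no order,
# so "n" then "e" is an assumption of this example.
RSA_KEY_VALUE_MEMBERS = ("n", "e")


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def self_issued_sub(sub_jwk: dict) -> str:
    """Derive the self-issued 'sub' as slide 6 describes: base64url-encode the
    SHA-256 of the UTF-8 bytes of the concatenated base64url key values."""
    if sub_jwk.get("kty") != "RSA":
        raise ValueError("this example only handles RSA sub_jwk values")
    material = "".join(sub_jwk[m] for m in RSA_KEY_VALUE_MEMBERS).encode("utf-8")
    return b64url_nopad(hashlib.sha256(material).digest())


def verify_self_issued_sub(id_token_claims: dict) -> bool:
    """Relying-party check for step 5 (ID Token verification): 'sub' must be the
    hash of the token's own 'sub_jwk', so a token cannot carry one key while
    claiming a sub that belongs to a different key. Verifying the token
    signature with sub_jwk is a separate step not shown here."""
    sub_jwk = id_token_claims.get("sub_jwk")
    sub = id_token_claims.get("sub")
    if not isinstance(sub_jwk, dict) or not isinstance(sub, str):
        return False
    try:
        expected = self_issued_sub(sub_jwk)
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(expected, sub)


if __name__ == "__main__":
    sub = self_issued_sub(SAMPLE_SUB_JWK)
    print("sub =", sub, "verifies:", verify_self_issued_sub({"sub_jwk": SAMPLE_SUB_JWK, "sub": sub}))
```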