OpenID Connect: An Overview


Brief overview of OpenID Connect - presented at Bay Area Identity Developers Meetup, Dec 2 2013.


  1. OpenID Connect: An Overview
     Pat Patterson
     Developer Evangelist Architect
     salesforce.com
     @metadaddy
  2. What is OpenID Connect?
     Simple Identity Layer for the Internet
     [OpenID Connect] allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
  3. What is OpenID Connect?
     • Specification defined by OpenID Foundation ‘Connect’ Work Group
       – NRI, Ping Identity, Microsoft, Google, Salesforce etc
     • Built on OAuth 2.0
     • REST-based
     • Successor to SAML?
  4. OpenID Connect Status
     • ‘Nearly complete’
       – Second set of OpenID Connect Implementer’s Drafts approved in July, 2013
       – Interop testing under way
       – Waiting for dependencies to be standardized
         • JWT, JWS etc
  5. OpenID Connect Specification
     • OpenID Connect 1.0 Specification
       – Core
       – Discovery (optional)
       – Dynamic Registration (optional)
       – Session Management (optional)
       – OAuth 2.0 Multiple Response Types
     • Implementer’s Guides
       – Basic Client Profile
       – Implicit Client Profile
  6. OpenID Connect Roles
     Web-based, mobile, or JavaScript Clients verify the identity of End-Users based on authentication performed by an Authorization Server.
  7. OpenID Connect Basic Client Profile
  8. OpenID Connect Implicit Client Profile
  9. OpenID Connect Token Response
     {
       "access_token":"SlAV32hkKG",
       "token_type":"Bearer",
       "expires_in":3600,
       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
       "id_token":"eyJ0 ... NiJ9.eyJ1c ... ZXso"
     }
     • id_token is a JSON Web Token (JWT)
       – Signed, URL/filename-safe base64 encoded JSON data
  10. OpenID Connect ID Token
     {
       "iss": "https://server.example.com",
       "sub": "24400320",
       "aud": "s6BhdRkqt3",
       "exp": 1311281970,
       "iat": 1311280970
     }
     • Issuer, Subject, Audience, Expiry, Issued At
     • Also optional email, auth_time, nonce etc
  11. Who is Deploying OpenID Connect?
     • Services: Google, Salesforce, eBay, AOL, Deutsche Telekom, Orange
     • Vendors: IBM, Microsoft, Ping Identity, Layer 7, ForgeRock, Gluu, MITRE, NRI
  12. OpenID Connect in Action
     • Client: Salesforce Community
     • Auth Server: Google
     • End User: Me!
  13. Salesforce Community Login Page
  14. Google Login Page
  15. Google Authorization Page
  16. Salesforce Community Home Page
  17. Questions?
     Pat Patterson
     Developer Evangelist Architect
     salesforce.com
     @metadaddy
