The document outlines an agenda covering various topics related to digital identity and authentication. It discusses entity identity, assurance frameworks, the digital authentication process flow, threats/risks/controls, strong authentication methods, token and credential management standards like JWT, OAuth 2.0, OpenID Connect, FAPI, and how they relate to identity in areas like banking and payments. It provides definitions for key terms and compares authentication flows using standards like SAML, OAuth and OpenID Connect.

1. Agenda
 Entity, Identity
 Entity AuthN Assurance framework
 Digital Authentication Process flow
 Threat, Risk, Control
 Strong Authentication
 Token and Credential Management
 Token
 Assertion
 JW-xxx
 JWS
 JWE
 JWK
 JWA
 JWT
 Certificate-based
 TLS
 Representation and Verification
 OAuth 2.0
 Oauth 2.0 framework (6749)
 Bearer Token Usage (6750)
 Oauth 2.0 Threat Model & Security (6819)
 Proof key of code Exchange (7636)
 Assertion FW 4 Oauth (7521)
 Proof of possession key for JWT (7800)
 Oauth for Native App (8525)
 Oauth 2.0 Device Authz grant (8628)
 Oauth 2.0 Token Exchange (8693)
 Oauth Mutual TLS (8705)
 Dynamic registration
 OIDC
 FAPI
 FAPI 1 – Baseline profile
 FAPI 1 – Advanced profile
 JAR – JWT Secured AuthZ Request (9101)
 JARM – JWT Secured AuthZ Response
 PAR – Pushed Authz Request (9126)
 CIBA – Client Initited BackChannel AuthN
profile
 OpenBanking – PSD2

2. IDENTITY

3. Identity = set of attributes
related to an entity [iso 29115]

4. Entity Identity

5. Entity
Human Machine Service

6. No direct way to perceive
Human

7. Blond/grey
Silver frame
glasses
6’5” tall

8. Entity
Identity
Sex
height
Boy
Friend
Sex height
Real
Name
Self Recognition
Delta between Self and 3rd Party
Recognition = interpersonal problem
Delta between Self and 3rd Party
Recognition= interpersonal problem
Role
Relatio
nship
3rd Party
Recognition
Relationship
Friends
Boss
Self Recognition
Identity
3rd Party
Recognition
Street
Address
Mail
Nickname
Birthday
Street
Address
Employee
number
licnese
performance

9. Man
Identity
Identity
Identity

10. Man
Work
Husband
Father

11. daughter
mother
wife
girl
friend
collea-
gue
boss
community
member friend
Woman

12. YOU
Identity
A
Identity
B
Identity
C
SiteA
Site B
Site C

13. Entity Authentication
Assuarance Framework

14. A digital identity is the unique representation of an entity engaged
in an online transaction. Assurance– that the digital identity with
which one is interacting is consistent with the claimed identity, lies at
the heart of online trust, security and access control

15. Assurance = a statement that something will certainly be
true or will certainly happen, particularly when there has
been doubt about it [oxford dictionary]

16. authentication [b-ISO/IEC 18014-2]: Provision of
assurance of the claimed identity of an entity

17. Claimed Identity = An applicant’s declaration of
unvalidated and unverified personal attributes
[NIST SP 800-63-3]
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
JSON Web Token Claims
JSON web tokens (JWTs) claims are pieces of information asserted about a

18. Assurance
Type of Assurance
Level of Assurance

19. 3 types of Assurance
Three types of assurance are identified to contribute to establishing trust in a
digital identity: identity assurance; authentication assurance; and federation
assurance

20. Level of Assurance
• ISO/IEC 29115 Entity Authentication
Assurance
• IAL, AAL, FAL
LoA4
LoA3
LoA2
LoA1
Levels of assurance (LOAs)
A level of (identity) assurance is the certainty with which a claim to a particular identity during
authentication can be trusted to actually be the claimant's “true” identity.

21. How to increase LoA?

22. Box 39. NIST levels of assurance for digital ID
• Identity proofing LOAs:
• IAL1: Attributes, if any, are self-asserted or should be treated as self-asserted; there is no
proofing process.
• IAL2: Either remote or in-person identity proofing is required using, at a minimum, the
procedures given in SP 800-63A.
• IAL3: In-person or supervised-remote identity proofing is required. Identifying attributes must
be verified through examination of physical documentation as described in SP 800-63A.
• Authentication LOAs:
• AAL1: Provides some assurance that the claimant controls an authenticator registered to the
user. AAL1 requires single-factor authentication using a wide range of available
authentication technologies. Successful authentication requires that the claimant prove
possession and control of the authenticator through a secure authentication protocol.
• AAL2: Provides high confidence that the claimant controls authenticator(s) registered to the
user. In order to authenticate at AAL2, claimants must prove possession and control of two
distinct authentication factors through secure authentication protocol(s). Approved
cryptographic techniques are required.
• AAL3: Provides very high confidence that the claimant controls authenticator(s) registered to
the user. Authentication at AAL3 is based on proof of possession of a key through a
cryptographic protocol. AAL3 is like AAL2 but also requires a “hard” cryptographic
authenticator that provides verifier impersonation resistance.
• Federation LOAs:
• FAL1: Permits the relying party to receive a bearer assertion from an identity provider. The
identity provider must sign the assertion using approved cryptography.
• FAL2: Adds the requirement that the assertion be encrypted using approved cryptography
such that the relying party is the only party that can decrypt it.
• FAL3: Requires the user to present proof of possession of a cryptographic key reference to in
the assertion and the assertion artifact itself. The assertion must be signed using approved
cryptography and encrypted to the relying party using approved cryptography.
Source: NIST SP 800-63-3

24. Digital Authentication
Process Flow

25. authentication [b-ISO/IEC 18014-2]: Provision of
assurance of the claimed identity of an entity

26. digital authentication involves verification, to some
degree of confidence, of an entity’s claimed identity
for the purpose of granting it access to an online
service

27. Digital authentication process flow:
1. an entity accesses an online service of an RP;
2. the RP redirects the entity to the CSP for authentication;
3. the CSP verifies the entity's possession of the registered
authenticator(s);
4. the CSP sends an authentication assertion to the RP to
assert the entity's authentication status;
5. an authenticated session is established between the entity
and the RP

28. 1
2
3
7
6
4
5

30. • assertion [b-ITU-T X.1252]: A statement made by an entity without accompanying
evidence of its validity
• authentication factor [b-ISO/IEC 19790]: Piece of information and/or process used to
authenticate or verify the identity of an entity
• authentication protocol [b-ISO/IEC 29115]: Defined sequence of messages between
an entity and a verifier that enables the verifier to perform authentication of an entity
• credential [b-ITU-T X.1252]: A set of data presented as evidence of a claimed identity
and/or entitlements
• identity proofing [b-ISO/IEC 29115]: Process by which the registration authority (RA)
captures and verifies sufficient information to identify an entity to a specified or
understood level of assurance
• multifactor authentication [b-ISO/IEC 19790]: Authentication with at least two
independent authentication factors
• mutual authentication [b-ISO/IEC 29115]: Authentication of identities of entities which
provides both entities with assurance of each other's identity
• verification [b-ISO/IEC 29115]: Process of checking information by comparing the
provided information with previously corroborated information
• credential service provider (CSP): A trusted actor that issues or manages credentials
• identity service provider (ISP): responsible for identity proofing an entity's claimed
identity and ensuring that this claimed identity is associated with the credential used by
the entity
• identifier: One or more attributes that uniquely characterize an entity in a specific
context
• relying party (RP): Actor that relies on an identity assertion or claim
Terms and Definitions

31. Threat, Risk, Control

32. Strong Authentication

33. Token and Credential
Management

34. JW-xxx
JWS, JWE, JWK, JWA, JWT

35. Certificate-based
TLS, Representation & Verification

36. OAuth 2.0

37. OIDC
OpenID Connect Core 1.0

38. FAPI
Financial-grade API

39. OpenBanking & PSD2

40. Why not just OAuth?

41. OAuth is an Access Granting Protocol
OpenIDConnect
Betty’s
Profile
Alice Cindy
Cindy ≠ Betty
Alice ≠ Betty

42. Facebook extends OAuth with
“signed request”
OpenIDConnect
“ID Token”
in OpenID Connect

43. Token Swap Attack
OpenIDConnect

44. Login with Amazon
OpenIDConnect

45. http://blog.chromium.org/2013/07/richer-
access-to-google-services-and.html?m=1
OpenIDConnect

46. Signed Request
• Works only with
a single identity
provider
• Proprietary
signature format
ID Token
• Works with
multiple identity
providers
• IETF JSON Web
Signature
OpenIDConnect

47. ID Token Claims Example
OpenIDConnect
{
"iss": "https://server.example.com",
"sub": "248289761001",
"aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf",
"iat": 1311280970,
"exp": 1311281970,
"nonce": "n-0S6_WzA2Mj"
}

48. Stick with OpenID Connect
and not “OAuth Authentication”
OpenIDConnect

49. An Identity Layer provides:
OpenIDConnect
• is the user that got authenticated
• was he authenticated
• was he authenticated
• was he authenticated
• attributes he can give you
• he is providing them
Who
Where
When
How
What
Why

50. Interoperable
OpenIDConnect
Simple
&
Mobile
Friendly
Secure
Flexible

51. Interoperable
OpenIDConnect
Simple
&
Mobile
Friendly
Secure
Flexible

52. Interoperable
OpenIDConnect
Simple
&
Mobile
Friendly
Secure
Flexible

53. Interoperable
OpenIDConnect
Simple
&
Mobile
Friendly
Secure
Flexible

54. Interoperable
OpenIDConnect
Simple
&
Mobile
Friendly
Secure
Flexible

55. Interoperable
OpenIDConnect
• openid, profile, email, address, phone
Standard scopes
• Request object and claims
Method to ask for
more granular claims
• Info about the authenticated user
ID Token
• Get attributes about the user
• Translate the tokens
UserInfo endpoint

56. Simple & Mobile Friendly
OpenIDConnect
JSON Based
REST Friendly
In simplest cases,
just copy and paste
Mobile &App
Friendly
e.g., ID Token is signed JSON
{
"iss": "https://client.example.com",
”sub": "24400320",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"auth_time": 1311280969,
"acr": "2",
"at_hash":
"MTIzNDU2Nzg5MDEyMzQ1Ng"
}

57. Secure
OpenIDConnect
• ISO/IEC 29115 Entity Authentication
Assurance
• Choice of crypto
LoA4
LoA3
LoA2
LoA1

58. Flexible
OpenIDConnect
• Through Request Object (JSON)
• Data Minimization
Granular
Request
• Does not disclose data recipients
to data sources
Aggregated
Claims
• Decentralized Data Storage
Distributed
Claims

59. Choice of your provider
OpenIDConnect
Can be Google,
eBay, AOL,
Deutsche
Telecom etc.
Can be your
Phone =>
Self-Issued
Provider

60. Details
OpenIDConnect

61. Name: Alicede
Wonderland
Mail: alice@example.com
Notary: Google.
Name: Alicede
Wonderland
Mail: alice@example.com
Notary: Google.
SAML Authentication
OpenIDConnect
2. Plz write me a
referral letter。
3. Here you are
Alice
1. Who are you. Get me
a referral letter.
Do not forgetabout
Your email!
4. Here is the
certificate.
notary
Eve

62. 1. Who are YOU? Give me a
valet key to your house.
Then I will trust that
you are the owner of the house.
2. Can you give me
a valet key to my house?
3. Here you are!
Alice
4. Her is the key!
Pseudo-Authentication using OAuth
OpenIDConnect
Apartment
Controller
Eve

63. OpenID Connect Authentication
OpenIDConnect
1. Who are you. Get me
a referral letter.
Do not forgetabout
Your email!
2. Give Eve the locker
Key and a referral
letter.
3. Here you are!
Alice
4. Here you are
Date：2011/5/15 11:00:04
Level ofAssurance：2
Verifier：Google
Butler
Locker Locker
Eve
Date：2011/5/15 11:00:04
Level ofAssurance：2
Verifier：Google

64. OpenID Connect's Clams aggregation and
distributed claims.
OpenIDConnect
Name: Alice de Wanderland
DoB: 1989/3/3
Sex: F
Address: 135 Broadway., NY,
NY
Locker
UserInfo Endpoint
Site X
Site Y
Site Z
Eve

65. Applying it to Enterprise model
OpenIDConnect

66. OpenIDConnect
Entity
Identity
Sex
height
Boy
Friend
Sex height
Real
Name
Self Recognition
Delta between Self and 3rd Party
Recognition = interpersonal problem
Delta between Self and 3rd Party
Recognition= interpersonal problem
Role
Relatio
nship
3rd Party
Recognition
Relationship
Friends
Boss
Self Recognition
Identity
3rd Party
Recognition
Street
Address
Mail
Nickname
Birthday
Street
Address
Employee
number
licnese
performance

67. OpenIDConnect
Real
Name
Professional
qualification
department
Geo-location
Employee
number
Entity Identity Resource
Authentication
Policy Enforcement
Rules

68. OpenIDConnect
ABAC (Attribute Based Access Control)
Based on SP800-162 figure on page viii
identity
Resource
Rules

69. Real
Name
Professional
qualification
department
Geo-location
Employee
number
Entity Identity
Resource
Authentication PEP
PDP
PAP
Boss
OpenIDConnect
Metadata
Log Log

70. What kind of
OpenIDConnect
“Identity” (set of attributes)
an enterprise needs?

71. Current Standard Claims wont do
OpenIDConnect

72. UserInfo Claims
OpenIDConnect
• sub
• name
• given_name
• family_name
• middle_name
• nickname
• preferred_username
• profile
• picture
• website
• gender
• birthdate
• locale
• zoneinfo
• updated_at
• email
• email_verified
• phone_number
• phone_number_verified
• address

73. UserInfo Claims Example
OpenIDConnect
{
"sub": "248289761001",
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"email": "janedoe@example.com",
"email_verified": true,
"picture": "http://example.com/janedoe/me.jpg"
}

74. Perhaps we need standard
“enterprise” claims
OpenIDConnect

75. SCIM?
OpenIDConnect

76. SCIM Enterprise User Schema Extension
OpenIDConnect
• employeeNumber
– Numeric or alphanumeric identifier assigned to a person, typically
based on order of hire or association with an organization.
• costCenter
– Identifies the name of a cost center. organization Identifies the name
of an organization.
• division
– Identifies the name of a division.
• department
– Identifies the name of a department.
• manager
– The User's manager. A complex type that optionally allows Service
Providers to represent organizational hierarchy by referencing the "id"
attribute of another User.

77. Not Quite.
OpenIDConnect

78. Perhaps we need standard
“enterprise” claims
OpenIDConnect

79. Q
OpenIDConnect
When shall I start using
OpenID Connect?

80. Timeline
OpenIDConnect
2nd
Implementers
Draft Public
Review (45
days)
2nd
Implementers
Draft Vote
(14 days)
Final Review
(60 days)
Final
We are here!
December
2013

81. Q
OpenIDConnect
uestions?

82. OAuth and OpenID Connect:
In the Trenches
OpenIDConnect
Wednesday, July 10, 4:00 – 5:30 PM
Salon C/D/E
to be continued at …

83. Details …
OpenIDConnect

84. Working Together
OpenID Connect
OpenIDConnect

85. Working Group Members
OpenIDConnect
• Key working group participants:
– Nat Sakimura – Nomura Research Institute – Japan
– John Bradley – Ping Identity – Chile
– Breno de Medeiros – Google – US
– Axel Nennker – Deutsche Telekom – Germany
– Torsten Lodderstedt – Deutsche Telekom – Germany
– Roland Hedberg – Umeå University – Sweden
– Andreas Åkre Solberg – UNINETT – Norway
– Chuck Mortimore – Salesforce – US
– Brian Campbell – Ping Identity – US
– George Fletcher – AOL – US
– Justin Richer – Mitre – US
– Nov Matake – Independent – Japan
– Mike Jones – Microsoft – US
• By no means an exhaustive list!

86. Design Philosophy
OpenIDConnect
Simple Things Simple
Complex Things
Possible

87. Simple Things Simple
OpenIDConnect
UserInfo endpoint for
simple claims about
user
Designed to work well
on mobile phones

88. How We Make It Simple
OpenIDConnect
• Build on OAuth 2.0
• Use JavaScript Object Notation (JSON)
• Build only the pieces that you need
• Goal: Easy implementation on all modern
development platforms

89. Complex Things Possible
OpenIDConnect
Encrypted Claims
Aggregated Claims
Distributed Claims

90. A Look Under the Covers
OpenIDConnect
• ID Token
• Claims Requests
• UserInfo Claims
• Example Protocol Messages

91. OpenID Connect Authentication
OpenIDConnect
1. Who are you. Get me
a referral letter.
Do not forgetabout
Your email!
2. Give Eve the locker
Key and a referral
letter.
3. Here you are!
Alice
4. Here you are
Date：2011/5/15 11:00:04
Level ofAssurance：2
Verifier：Google
Butler
Locker Locker
Bob
Date：2011/5/15 11:00:04
Level ofAssurance：2
Verifier：Google
Access Token ID Token

92. ID Token
OpenIDConnect
• JWT representing logged-in session
• Claims:
– iss – Issuer
– sub – Identifier for subject (user)
– aud – Audience for ID Token
– iat – Time token was issued
– exp – Expiration time
– nonce – Mitigates replay attacks
– at_hash – Left hash of the access token
– azp – Authorized Party

93. ID Token Claims Example
OpenIDConnect
{
"iss": "https://server.example.com",
"sub": "alice",
"aud": "https://bob.example.com",
"iat": 1311280970,
"exp": 1311281970,
"nonce": "n-0S6_WzA2Mj",
"at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng",
"azp": "https://cindy.example.com/"
}

94. at_hash makes
ID Token
a detached signature
for the access token
OpenIDConnect

95. azp allows token to be used by another party
OpenIDConnect
Site X
Cindy
Bob
ID Token
Access Token

96. Using Access Token only for Authentication is
Dangerous.
OpenIDConnect
1. Who are you. Get me
a referral letter.
Do not forgetabout
Your email!
2. Give Eve the locker
Key and a referral
letter.
3. Here you are!
Alice
4. Here you are
Butler
Access Token
Eve

97. OpenID Connect's Clams aggregation and
distributed claims.
OpenIDConnect
Name: Alice de Wanderland
DoB: 1989/3/3
Sex: F
Address: 135 Broadway., NY,
NY
Locker
UserInfo Endpoint
Site X
Site Y
Site Z
Bob

98. Aggregated Claims
OpenIDConnect
Data
Source
Data
Source
Identity
Provider
Relying
Party
Signed Claims
Claim Values

99. Distributed Claims
OpenIDConnect
Identity
Provider
Signed Claims
Relying
Party
Claim Refs
Data
Source
Data
Source

100. Claims Requests
OpenIDConnect
• Basic requests made using OAuth scopes:
– openid – Declares request is for OpenID Connect
– profile – Requests default profile info
– email – Requests email address & verification
status
– address – Requests postal address
– phone – Requests phone number & verification
status
– offline_access – Requests Refresh Token
issuance
• Requests for individual claims can be made
using JSON “claims” request parameter

101. Request Object
OpenIDConnect

102. You can register it at registration
time :
request_uri
Personally Recommended
OpenIDConnect

103. Authorization Request Example
• https://server.example.com/authorize
• ?response_type=token%20id_token &client_id=0acf77d4-
b486-4c99-bd76-074ed6a64ddf
• &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb
&scope=openid%20profile
• &state=af0ifjsldkj
&nonce=n-
0S6_WzA2Mj
OpenIDConnect

104. Authorization Response Example
OpenIDConnect
HTTP/1.1 302 Found
Location: https://client.example.com/cb
#access_token=mF_9.B5f-4.1JqM
&token_type=bearer
&id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z
&expires_in=3600
&state=af0ifjsldkj

105. UserInfo Request Example
OpenIDConnect
GET /userinfo?schema=openid HTTP/1.1
Host: server.example.com
Authorization: Bearer mF_9.B5f-4.1JqM

106. Connect Specs Overview
OpenIDConnect

107. Resources
OpenIDConnect
• OpenID Connect
– http://openid.net/connect/
• OpenID Connect Working Group Mailing List
– http://lists.openid.net/mailman/listinfo/openid-specs-ab
• OpenID Connect Interop Wiki
– http://osis.idcommons.net/
• OpenID Connect Interop Mailing List
– http://groups.google.com/group/openid-connect-interop
• Mike Jones’ Blog
– http://self-issued.info/
• Nat Sakimura’s Blog
– http://nat.sakimura.org/
• John Bradley’s Blog
– http://www.thread-safe.com/

108. Current Status
OpenIDConnect
• Waiting for dependencies to be completed
• JWS, JWE, JWA, JWK
• JSON Web Token (JWT)
• WebFinger
IETF JOSE
WG
IETF OAuth
WG
IETFApps
WG

109. Interop testing underway
•14
•implementation
s
• AOL, Google, IBM,
Layer 7, Mitre, NRI,
@nov, Orange, eBay,
Gluu, Ping Identity,
GÉANT, @ritou,
Emmanuel Raviart
OpenIDConnect
120+
feature tests

110. Start Building
OpenIDConnect

111. Start Building
•No
w!
OpenIDConnect

112. http://nat.sakimura.org/
OpenIDConnect