CloudIDSummit, profile picture
Uploaded byCloudIDSummit
PDF, PPTX996 views

CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay

This document summarizes an OpenID Connect workshop about challenges for mobile applications. It introduces OpenID Connect, explaining that it combines functionality from SAML and OAuth. It then discusses high-level challenges for mobile, conformance and interoperability testing, and OAuth and OpenID Connect protocols and flows, focusing on authorization code and implicit flows. Key points covered include security challenges on mobile, dynamic client registration, and issues around webviews versus system browsers for authentication.

Embed presentation

Download as PDF, PPTX
OpenID Connect Workshop Part 1: Challenges for mobile B. Allyn Fay
Introduction •  What is OpenID Connect •  Conformance and Interop •  How does it differ from OAuth •  Profiles for mobile •  High level challenges Copyright © 2015 Cloud Identity Summit. All rights reserved. 3
Why OpenID Connect? •  OpenID Connect logically combines the functionality of SAML and OAuth •  SAML has limited support for dynamic trust and attribute sharing mechanisms have not been widely deployed •  OAuth has emerged as a powerful authorization mechanism, but has no explicit concept of identity •  OpenID Connect addresses the limitations of SAML and OAuth with a modern REST and JSON based architecture Copyright © 2015 Cloud Identity Summit. All rights reserved. 4
So what’s the deal with mobile? •  High level mobile challenges Copyright © 2015 Cloud Identity Summit. All rights reserved. 5
What’s New: Conformance and Interop Copyright © 2015 Cloud Identity Summit. All rights reserved. 6 •  OIDF self certification •  Current implementations •  Google Authentication Service •  AWS Cognito •  MSFT? •  SFDC?
Copyright © 2015 Cloud Identity Summit .All rights reserved. 7 OAuth 2.0 Overview AUTHORIZATION SERVER Token Endpoint Authorization Endpoint RESOURCE SERVER Important Stuff CLIENT Where the magic happens Use an access token Get an access token
OpenID Connect Protocols Copyright © 2015 Cloud Identity Summit. All rights reserved. 8 •  Graphic goes here
Copyright © 2015 Cloud Identity Summit .All rights reserved. 9 OIDC 1.0 Overview AUTHORIZATION SERVER RESOURCE SERVER •  Important Stuff CLIENT Get an access token and an ID token (JWT) •  Registration endpoint •  /.well-known /webfinger /openid-configuration •  Check session Iframe •  End session endpoint •  Token endpoint •  Authorization endpoint •  JWKS endpoint Userinfo endpointUse an access token
AuthN vs. AuthZ and OIDC features •  ID Tokens •  User Info •  Endpoint Discovery •  Web Keys •  Session Management •  Dynamic Registration Copyright © 2015 Cloud Identity Summit. All rights reserved. 10
OIDC Flows •  Basic •  Implicit •  Hybrid Copyright © 2015 Cloud Identity Summit. All rights reserved. 11
OIDC Basic Client •  OpenID Connect Basic Client Implementer’s Guide 1.0 •  http://openid.net/specs/openid-connect-basic-1_0.html •  “a subset of the OpenID Connect Core 1.0 specification that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth Authorization Code Flow.” Copyright © 2015 Cloud Identity Summit. All rights reserved. 12
OIDC Basic Client Flow •  Logical graphic goes here Copyright © 2015 Cloud Identity Summit. All rights reserved. 13
OIDC Implicit Client •  OpenID Connect Basic Client Implementer’s Guide 1.0 •  http://openid.net/specs/openid-connect-basic-1_0.html •  “a subset of the OpenID Connect Core 1.0 specification that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth Authorization Code Flow.” Copyright © 2015 Cloud Identity Summit. All rights reserved. 14
OIDC Implicit Client Flow •  Graphic goes here Copyright © 2015 Cloud Identity Summit. All rights reserved. 15
Why OIDC for mobile •  OAuth is “bad” •  OIDC is a real spec •  OS Level integration •  ID Tokens from Google Play •  Token Agent Copyright © 2015 Cloud Identity Summit. All rights reserved. 16
Mobile Challenges •  Security •  Pixie – Why we need it •  Dynamic client registration •  Webview vs. system browser •  Shared sessions •  Account chooser Copyright © 2015 Cloud Identity Summit. All rights reserved. 17
Copyright © 2015 Cloud Identity Summit. All rights reserved. 18 Questions?

More Related Content

PDF
Red Hat Summit - OpenShift Identity Management and Compliance
byMarc Boorshtein
 
PPTX
OpenIG Webinar: Your Swiss Army Knife for Protecting and Securing Web Apps, A...
byForgeRock
 
PPTX
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES
byForgeRock
 
PPTX
Customer Scale: Stateless Sessions and Managing High-Volume Digital Services
byForgeRock
 
PPTX
Provisioning IoT...Oh Baby You Know Meeee!
byForgeRock
 
PDF
Taking Flexibility to the Next Level
byForgeRock
 
PPTX
NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud Strategy
byForgeRock
 
PPTX
A CONTEMPLATION OF OPENIG DEEP THOUGHTS
byForgeRock
 
Red Hat Summit - OpenShift Identity Management and Compliance
byMarc Boorshtein
 
OpenIG Webinar: Your Swiss Army Knife for Protecting and Securing Web Apps, A...
byForgeRock
 
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES
byForgeRock
 
Customer Scale: Stateless Sessions and Managing High-Volume Digital Services
byForgeRock
 
Provisioning IoT...Oh Baby You Know Meeee!
byForgeRock
 
Taking Flexibility to the Next Level
byForgeRock
 
NYC Identity Summit Tech Day: ForgeRock DevOps/Cloud Strategy
byForgeRock
 
A CONTEMPLATION OF OPENIG DEEP THOUGHTS
byForgeRock
 

What's hot

PDF
CIS14: PingAccess 101
byCloudIDSummit
 
PDF
The Role of IAM in Microservices
byWSO2
 
PDF
SSO with the WSO2 Identity Server
byWSO2
 
PPTX
Directory Services with the ForgeRock Identity Platform - So What’s New?
byForgeRock
 
PPTX
Bevywise IoT Platform
byRanjith Kumar
 
PDF
OpenAM as Flexible Integration Component
byForgeRock
 
PDF
Shoot Me a Token: OpenAM as an OAuth2 Provider
byForgeRock
 
PPTX
OpenAM Survival Tips
byForgeRock
 
PDF
Federation in Practice
byForgeRock
 
PDF
OpenAM Best Practices - Corelio Media Case Study
byForgeRock
 
PPTX
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!
byForgeRock
 
PDF
Deep Dive into dockerized Microservices
byinovex GmbH
 
PPTX
K8s rbac-sso
byMarc Boorshtein
 
PDF
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
bySouth Tyrol Free Software Conference
 
PPTX
Webinar: Access Management with the ForgeRock Identity Platform - So What’s N...
byForgeRock
 
PPTX
K8s idm-devfest
byMarc Boorshtein
 
PPTX
Develop Your Own Bitcoin Wallet App
byRapidsoft Technologies
 
PPT
Open Identity Stack Roadmap
byForgeRock
 
PDF
CIS14: Building a Plug-in with the PingAccess SDK
byCloudIDSummit
 
PDF
Standard Issue: Preparing for the Future of Data Management
byInside Analysis
 
CIS14: PingAccess 101
byCloudIDSummit
 
The Role of IAM in Microservices
byWSO2
 
SSO with the WSO2 Identity Server
byWSO2
 
Directory Services with the ForgeRock Identity Platform - So What’s New?
byForgeRock
 
Bevywise IoT Platform
byRanjith Kumar
 
OpenAM as Flexible Integration Component
byForgeRock
 
Shoot Me a Token: OpenAM as an OAuth2 Provider
byForgeRock
 
OpenAM Survival Tips
byForgeRock
 
Federation in Practice
byForgeRock
 
OpenAM Best Practices - Corelio Media Case Study
byForgeRock
 
IDP Proxy Concept: Accessing Identity Data Sources Everywhere!
byForgeRock
 
Deep Dive into dockerized Microservices
byinovex GmbH
 
K8s rbac-sso
byMarc Boorshtein
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
bySouth Tyrol Free Software Conference
 
Webinar: Access Management with the ForgeRock Identity Platform - So What’s N...
byForgeRock
 
K8s idm-devfest
byMarc Boorshtein
 
Develop Your Own Bitcoin Wallet App
byRapidsoft Technologies
 
Open Identity Stack Roadmap
byForgeRock
 
CIS14: Building a Plug-in with the PingAccess SDK
byCloudIDSummit
 
Standard Issue: Preparing for the Future of Data Management
byInside Analysis
 

Viewers also liked

PDF
The Case For Next Generation IAM
byPatrick Harding
 
PPTX
IAM Methods 2.0 Presentation Michael Nielsen Deloitte
byIBM Sverige
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
PPT
Identity and Access Management Reference Architecture for Cloud Computing
byJohn Bauer
 
PDF
Identity and Access Management 101
byJerod Brennen
 
PPTX
Identity and Access Management (IAM)
byIdentacor
 
PPT
The Gartner IAM Program Maturity Model
bySarah Moore
 
PDF
CIS13: Deliver Secure Apps with Great Experiences
byCloudIDSummit
 
PDF
CIS14: Identity Souffle: Creating a Well-baked Identity Lifecycle
byCloudIDSummit
 
PDF
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
byCloudIDSummit
 
The Case For Next Generation IAM
byPatrick Harding
 
IAM Methods 2.0 Presentation Michael Nielsen Deloitte
byIBM Sverige
 
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
Identity and Access Management Reference Architecture for Cloud Computing
byJohn Bauer
 
Identity and Access Management 101
byJerod Brennen
 
Identity and Access Management (IAM)
byIdentacor
 
The Gartner IAM Program Maturity Model
bySarah Moore
 
CIS13: Deliver Secure Apps with Great Experiences
byCloudIDSummit
 
CIS14: Identity Souffle: Creating a Well-baked Identity Lifecycle
byCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
byCloudIDSummit
 

Similar to CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay

PPTX
OpenID Connect: An Overview
byPat Patterson
 
PPTX
Configuring Single Sign-On (SSO) via Identity Management | MuleSoft Mysore Me...
byMysoreMuleSoftMeetup
 
PDF
OpenID Connect Explained
byVladimir Dzhuvinov
 
PDF
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
byLeonard Moustacchis
 
PPTX
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
byBrian Campbell
 
PDF
Introduction to SAML & OIDC
byForgeRock Identity Tech Talks
 
PDF
CIS 2015 Extreme OpenID Connect - John Bradley
byCloudIDSummit
 
PDF
EduID Mobile App - Use-Cases, Concepts and Implementation
byChristian Glahn
 
PDF
CIS 2015 OpenID Connect and Mobile Applications - David Chase
byCloudIDSummit
 
PDF
OpenID Foundation Connect Working Group Update - October 22, 2018
byOpenIDFoundation
 
PDF
OpenID Connect "101" Introduction -- October 23, 2018
byOpenIDFoundation
 
PDF
OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group Update
byMikeLeszcz
 
PPTX
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...
byOpenIDFoundation
 
PDF
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
byOpenID Foundation Japan
 
PDF
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
byMikeLeszcz
 
PPTX
OpenAthens Conference 2018 - Don Thibeau - OpenID Connect
byOpenAthens
 
PDF
Mobile Cloud Identity
byMark Diodati
 
PPTX
RSA Europe: Future of Cloud Identity
byMike Schwartz
 
PPTX
Lecture 20101124
byAnderson Liang
 
PDF
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 
OpenID Connect: An Overview
byPat Patterson
 
Configuring Single Sign-On (SSO) via Identity Management | MuleSoft Mysore Me...
byMysoreMuleSoftMeetup
 
OpenID Connect Explained
byVladimir Dzhuvinov
 
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
byLeonard Moustacchis
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
byBrian Campbell
 
Introduction to SAML & OIDC
byForgeRock Identity Tech Talks
 
CIS 2015 Extreme OpenID Connect - John Bradley
byCloudIDSummit
 
EduID Mobile App - Use-Cases, Concepts and Implementation
byChristian Glahn
 
CIS 2015 OpenID Connect and Mobile Applications - David Chase
byCloudIDSummit
 
OpenID Foundation Connect Working Group Update - October 22, 2018
byOpenIDFoundation
 
OpenID Connect "101" Introduction -- October 23, 2018
byOpenIDFoundation
 
OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group Update
byMikeLeszcz
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...
byOpenIDFoundation
 
Enabling Large-Scale Multi-Party Federations with OpenID Connect - OpenID Sum...
byOpenID Foundation Japan
 
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
byMikeLeszcz
 
OpenAthens Conference 2018 - Don Thibeau - OpenID Connect
byOpenAthens
 
Mobile Cloud Identity
byMark Diodati
 
RSA Europe: Future of Cloud Identity
byMike Schwartz
 
Lecture 20101124
byAnderson Liang
 
OpenID Connect - An Emperor or Just New Cloths?
byOliver Pfaff
 

More from CloudIDSummit

PDF
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
byCloudIDSummit
 
PDF
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
byCloudIDSummit
 
PDF
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
byCloudIDSummit
 
PPTX
CIS 2016 Content Highlights
byCloudIDSummit
 
PDF
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
byCloudIDSummit
 
PDF
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
byCloudIDSummit
 
PDF
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
byCloudIDSummit
 
PDF
CIS 2015 The IDaaS Dating Game - Sean Deuby
byCloudIDSummit
 
PDF
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
byCloudIDSummit
 
PDF
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
byCloudIDSummit
 
PDF
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
byCloudIDSummit
 
PDF
CIS 2015 Identity Relationship Management in the Internet of Things
byCloudIDSummit
 
PDF
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
byCloudIDSummit
 
PDF
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
byCloudIDSummit
 
PDF
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
byCloudIDSummit
 
PDF
CIS 2015 The Ethics of Personal Data - Robin Wilton
byCloudIDSummit
 
PDF
Mobile security, identity & authentication reasons for optimism 20150607 v2
byCloudIDSummit
 
PDF
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
byCloudIDSummit
 
PDF
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
byCloudIDSummit
 
PPTX
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
byCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
byCloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
byCloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
byCloudIDSummit
 
CIS 2016 Content Highlights
byCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
byCloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
byCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
byCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
byCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
byCloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
byCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
byCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
byCloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
byCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
byCloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
byCloudIDSummit
 
CIS 2015 The Ethics of Personal Data - Robin Wilton
byCloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
byCloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
byCloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
byCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
byCloudIDSummit
 

Recently uploaded

PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
API-First Architecture in Financial Systems
bycyy111112
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
The year in review - MarvelClient in 2025
bypanagenda
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 

CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay

  • 2.
    OpenID Connect Workshop Part1: Challenges for mobile B. Allyn Fay
  • 3.
    Introduction •  What isOpenID Connect •  Conformance and Interop •  How does it differ from OAuth •  Profiles for mobile •  High level challenges Copyright © 2015 Cloud Identity Summit. All rights reserved. 3
  • 4.
    Why OpenID Connect? • OpenID Connect logically combines the functionality of SAML and OAuth •  SAML has limited support for dynamic trust and attribute sharing mechanisms have not been widely deployed •  OAuth has emerged as a powerful authorization mechanism, but has no explicit concept of identity •  OpenID Connect addresses the limitations of SAML and OAuth with a modern REST and JSON based architecture Copyright © 2015 Cloud Identity Summit. All rights reserved. 4
  • 5.
    So what’s thedeal with mobile? •  High level mobile challenges Copyright © 2015 Cloud Identity Summit. All rights reserved. 5
  • 6.
    What’s New: Conformanceand Interop Copyright © 2015 Cloud Identity Summit. All rights reserved. 6 •  OIDF self certification •  Current implementations •  Google Authentication Service •  AWS Cognito •  MSFT? •  SFDC?
  • 7.
    Copyright © 2015Cloud Identity Summit .All rights reserved. 7 OAuth 2.0 Overview AUTHORIZATION SERVER Token Endpoint Authorization Endpoint RESOURCE SERVER Important Stuff CLIENT Where the magic happens Use an access token Get an access token
  • 8.
    OpenID Connect Protocols Copyright© 2015 Cloud Identity Summit. All rights reserved. 8 •  Graphic goes here
  • 9.
    Copyright © 2015Cloud Identity Summit .All rights reserved. 9 OIDC 1.0 Overview AUTHORIZATION SERVER RESOURCE SERVER •  Important Stuff CLIENT Get an access token and an ID token (JWT) •  Registration endpoint •  /.well-known /webfinger /openid-configuration •  Check session Iframe •  End session endpoint •  Token endpoint •  Authorization endpoint •  JWKS endpoint Userinfo endpointUse an access token
  • 10.
    AuthN vs. AuthZand OIDC features •  ID Tokens •  User Info •  Endpoint Discovery •  Web Keys •  Session Management •  Dynamic Registration Copyright © 2015 Cloud Identity Summit. All rights reserved. 10
  • 11.
    OIDC Flows •  Basic • Implicit •  Hybrid Copyright © 2015 Cloud Identity Summit. All rights reserved. 11
  • 12.
    OIDC Basic Client • OpenID Connect Basic Client Implementer’s Guide 1.0 •  http://openid.net/specs/openid-connect-basic-1_0.html •  “a subset of the OpenID Connect Core 1.0 specification that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth Authorization Code Flow.” Copyright © 2015 Cloud Identity Summit. All rights reserved. 12
  • 13.
    OIDC Basic ClientFlow •  Logical graphic goes here Copyright © 2015 Cloud Identity Summit. All rights reserved. 13
  • 14.
    OIDC Implicit Client • OpenID Connect Basic Client Implementer’s Guide 1.0 •  http://openid.net/specs/openid-connect-basic-1_0.html •  “a subset of the OpenID Connect Core 1.0 specification that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth Authorization Code Flow.” Copyright © 2015 Cloud Identity Summit. All rights reserved. 14
  • 15.
    OIDC Implicit ClientFlow •  Graphic goes here Copyright © 2015 Cloud Identity Summit. All rights reserved. 15
  • 16.
    Why OIDC formobile •  OAuth is “bad” •  OIDC is a real spec •  OS Level integration •  ID Tokens from Google Play •  Token Agent Copyright © 2015 Cloud Identity Summit. All rights reserved. 16
  • 17.
    Mobile Challenges •  Security • Pixie – Why we need it •  Dynamic client registration •  Webview vs. system browser •  Shared sessions •  Account chooser Copyright © 2015 Cloud Identity Summit. All rights reserved. 17
  • 18.
    Copyright © 2015Cloud Identity Summit. All rights reserved. 18 Questions?