Recommended
More Related Content
What's hot
What's hot (20)
Similar to OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- FAPI Certification Update
Similar to OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- FAPI Certification Update (20)
More from OpenIDFoundation
More from OpenIDFoundation (18)
Recently uploaded
Recently uploaded (20)
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- FAPI Certification Update
- 1. OpenID Connect for Identity Assurance Dr. Torsten Lodderstedt @tlodderstedt yes® European Identity & Cloud Conference 2019
- 2. Objective ● OpenID Connect extension to allow RPs to perform Identity Verification of a natural person ● Use Cases ○ Opening a banking account (Anti-Money Laundering Law) ○ Signing up for a prepaid mobile phone plan (Telecommunications Act) ○ Identification for access to health data (Privacy Protection, e.g. Germany’s criminal code §203) ○ Contract signing using a Qualified Electronic Signature (EU Directive on electronic IDentification, Authentication and trust Services/eIDAS)
- 3. Status ● Initial submission to AB/Connect Working Group based on implementation experience at yes.com ● Document adopted as WG Draft ● Incrementally enhanced to support requirements of different jurisdictions (work in progress) ○ different trust frameworks ○ multiple sources for identity evidences ● Current revision: -03 ● https://openid.net/specs/openid-connect-4-identity-assurance.html
- 4. { "verified_person_data":{ "verification":{ "trust_framework":"de_aml", "date":"2013-02-21", "id":"676q3636461467647q8498785747q487", "evidences":[ { "type":"id_document", "method":"pipp", "document":{ "type":"idcard", "issuer":{"name":"Stadt Musterstadt","country":"DE"}, "number":"53554554", "date_of_issuance":"2012-04-23", "date_of_expiry":"2022-04-22" } } ] }, "claims":{ "given_name":"Max", "family_name":"Meier", "birthdate":"1956-01-28", "nationality":"DE" } } } New composite verified_person_data Claim Container for verified User Claims Data about the Identity Verification with the IDP Container for identity evidences
- 6. Requesting Verified Person Data (claims Parameter) { ... "userinfo":{ "verified_person_data":{ "claims":{ "given_name":null, "family_name":null, "birthdate":null, "nationality":null } } } ... } Verified person data shall be delivered by user info response Every user claim is listed individually, facilitating data minimization
- 7. User Info Response "evidences":[{ "type":"id_document", "method":"pipp", "document":{ "type":"idcard", "issuer":{ "name":"Stadt Musterstadt", "country":"DE" }, "number":"53554554", "date_of_issuance":"2012-04-23", "date_of_expiry":"2022-04-22" } }] }, "claims":{ "given_name":"Max", "family_name":"Meier", "birthdate":"1956-01-28", "nationality":"DE" } } } HTTP/1.1 200 OK Content-Type: application/json { "iss":"https://server.example.com", "sub":"248289761001", "email":"janedoe@example.com", "email_verifed":true, "verified_person_data":{ "verification":{ "trust_framework":"de_aml", "date":"2013-02-21", "id":"676q3636461467647q8498785747q487", OpenID Connect Standard Claims
- 8. Next Steps ● Seeking for contributions from other jurisdictions ● Check the concept against local regulatory and legal requirements ● Add further ○ Trust frameworks ○ Identity documents ○ Verification methods
- 9. Q&A! Latest Drafts & Publications OAuth 2.0 Security BCP https://tools.ietf.org/html/draft-ietf-oauth-security-topics OpenID Connect 4 Identity Assurance https://openid.net/specs/openid-connect-4-identity-assurance.html Transaction Authorization or why we need to re-think OAuth scopes https://cutt.ly/oauth-transaction-authorization Financial-grade API: Pushed Request Object https://cutt.ly/pushed_request_object Cross-Browser Payment Initiation Attack https://cutt.ly/cross-browser-payment-initation JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) https://openid.net/specs/openid-financial-api-jarm-ID1.html OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer https://tools.ietf.org/html/draft-fett-oauth-dpop Dr. Torsten Lodderstedt CTO, yes.com torsten@yes.com @tlodderstedt yes® Talk to me about - OpenID Connect 4 Identity Assurance - Authorization for financial and other security-sensitive APIs - OAuth Security (BCP & OAuth Security Workshop) - Working at yes.com