CIS13: Introduction to OpenID Connect
Transcript of CIS13: Introduction to OpenID Connect
![Page 1: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/1.jpg)
Connect OpenID
OpenID Connect
Nat Sakimura
Chairman, OpenID Foundation
Senior Researcher
C6b. New School Identity Frameworks Panel
![Page 2: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/2.jpg)
Identity Layer on top of OAuth 2.0 (Base Protocol)
![Page 3: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/3.jpg)
Q: Identity
![Page 4: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/4.jpg)
Identity = set of attributes related to an entity [ISO 29115]
![Page 5: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/5.jpg)
Entity / Identity
![Page 6: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/6.jpg)
Entity: Human, Machine, Service
![Page 7: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/7.jpg)
Human: no direct way to perceive
![Page 8: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/8.jpg)
Blond/grey
Silver frame glasses
6’5” tall
![Page 9: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/9.jpg)
Entity and its Identities
Self Recognition vs. 3rd Party Recognition (by Role / Relationship: Boy Friend, Friends, Boss)
Attributes appearing in the different identities: Sex, height, Real Name, Nickname, Birthday, Street Address, Employee number, license, performance
Delta between Self and 3rd Party Recognition = interpersonal problem
![Page 10: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/10.jpg)
Man: Identity, Identity, Identity
![Page 11: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/11.jpg)
Man: Work, Husband, Father
![Page 12: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/12.jpg)
Woman: daughter, mother, wife, girl friend, colleague, boss, community member, friend
![Page 13: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/13.jpg)
YOU: Identity A (Site A), Identity B (Site B), Identity C (Site C)
![Page 14: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/14.jpg)
Q: Why not just OAuth?
![Page 15: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/15.jpg)
OAuth is an Access Granting Protocol: Alice and Cindy can both be granted access to Betty’s Profile, but Cindy ≠ Betty and Alice ≠ Betty.
![Page 16: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/16.jpg)
Facebook extends OAuth with “signed request”
“ID Token” in OpenID Connect
![Page 17: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/17.jpg)
Token Swap Attack
![Page 18: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/18.jpg)
Login with Amazon
![Page 19: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/19.jpg)
http://blog.chromium.org/2013/07/richer-access-to-google-services-and.html?m=1
![Page 20: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/20.jpg)
Signed Request
• Works only with a single identity provider
• Proprietary signature format
ID Token
• Works with multiple identity providers
• IETF JSON Web Signature
![Page 21: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/21.jpg)
ID Token Claims Example

```json
{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf",
  "iat": 1311280970,
  "exp": 1311281970,
  "nonce": "n-0S6_WzA2Mj"
}
```
![Page 22: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/22.jpg)
Stick with OpenID Connect and not “OAuth Authentication”
![Page 23: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/23.jpg)
An Identity Layer provides:
• Who is the user that got authenticated
• Where was he authenticated
• When was he authenticated
• How was he authenticated
• What attributes he can give you
• Why he is providing them
![Page 24: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/24.jpg)
Interoperable
Simple &
Mobile Friendly
Secure
Flexible
![Page 29: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/29.jpg)
Interoperable
• Standard scopes: openid, profile, email, address, phone
• Method to ask for more granular claims: Request object and claims
• ID Token: info about the authenticated user
• UserInfo endpoint: get attributes about the user; translate the tokens
![Page 30: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/30.jpg)
Simple & Mobile Friendly
JSON Based
REST Friendly
In simplest cases, just copy and paste
Mobile & App Friendly
e.g., ID Token is signed JSON:

```json
{
  "iss": "https://client.example.com",
  "sub": "24400320",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969,
  "acr": "2",
  "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng"
}
```
![Page 31: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/31.jpg)
Secure
• ISO/IEC 29115 Entity Authentication Assurance: LoA1, LoA2, LoA3, LoA4
• Choice of crypto
![Page 32: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/32.jpg)
Flexible
• Granular Request: through Request Object (JSON); Data Minimization
• Aggregated Claims: does not disclose data recipients to data sources
• Distributed Claims: decentralized data storage
![Page 33: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/33.jpg)
Choice of your provider
Can be Google, eBay, AOL, Deutsche Telekom etc.
Can be your Phone => Self-Issued Provider
![Page 34: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/34.jpg)
Details
![Page 35: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/35.jpg)
SAML Authentication (analogy with Alice, a notary, and Eve)
1. Who are you? Get me a referral letter. Do not forget about your email!
2. Please write me a referral letter.
3. Here you are.
4. Here is the certificate.
Referral letter: Name: Alice de Wonderland, Mail: [email protected], Notary: Google. Official Google Seal (Google Inc. seal).
![Page 36: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/36.jpg)
Pseudo-Authentication using OAuth (analogy with Alice, an Apartment Controller, and Eve)
1. Who are YOU? Give me a valet key to your house. Then I will trust that you are the owner of the house.
2. Can you give me a valet key to my house?
3. Here you are!
4. Here is the key!
![Page 37: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/37.jpg)
OpenID Connect Authentication (analogy with Alice, a Butler, and Eve)
1. Who are you? Get me a referral letter. Do not forget about your email!
2. Give Eve the locker key and a referral letter.
3. Here you are!
4. Here you are.
Referral letter: Date: 2011/5/15 11:00:04, Level of Assurance: 2, Verifier: Google. Official Google Seal.
Locker key.
![Page 38: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/38.jpg)
OpenID Connect’s claims aggregation and distributed claims.
Claims held in the Locker (UserInfo Endpoint): Name: Alice de Wanderland, DoB: 1989/3/3, Sex: F, Address: 135 Broadway, NY, NY (NY City Official Seal).
Parties: Site X, Site Y, Site Z, Eve.
![Page 39: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/39.jpg)
Applying it to the Enterprise model
![Page 40: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/40.jpg)
Entity and its Identities (diagram repeated): Self Recognition vs. 3rd Party Recognition (by Role / Relationship: Boy Friend, Friends, Boss); attributes such as Sex, height, Real Name, Nickname, Birthday, Street Address, Employee number, license, performance.
Delta between Self and 3rd Party Recognition = interpersonal problem
![Page 41: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/41.jpg)
Entity → Identity (Real Name, Professional qualification, department, Geo-location, Employee number) → Authentication → Policy Enforcement (Rules) → Resource
![Page 42: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/42.jpg)
ABAC (Attribute Based Access Control)
Based on SP 800-162 figure on page viii
identity → Rules → Resource
![Page 43: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/43.jpg)
Entity → Identity (Real Name, Professional qualification, department, Geo-location, Employee number) → Authentication → PEP (Policy Enforcement Point) → Resource
PDP (Policy Decision Point), PAP (Policy Administration Point), Boss (Metadata), Log, Log
![Page 44: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/44.jpg)
Q: What kind of “Identity” (set of attributes) does an enterprise need?
![Page 45: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/45.jpg)
Current Standard Claims won’t do
![Page 46: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/46.jpg)
UserInfo Claims
• sub • name • given_name • family_name • middle_name • nickname • preferred_username • profile • picture • website
• gender • birthdate • locale • zoneinfo • updated_at • email • email_verified • phone_number • phone_number_verified • address
![Page 47: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/47.jpg)
UserInfo Claims Example

```json
{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "email": "[email protected]",
  "email_verified": true,
  "picture": "http://example.com/janedoe/me.jpg"
}
```
![Page 48: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/48.jpg)
Perhaps we need standard “enterprise” claims
![Page 49: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/49.jpg)
SCIM?
![Page 50: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/50.jpg)
SCIM Enterprise User Schema Extension
• employeeNumber – Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.
• costCenter – Identifies the name of a cost center.
• organization – Identifies the name of an organization.
• division – Identifies the name of a division.
• department – Identifies the name of a department.
• manager – The User's manager. A complex type that optionally allows Service Providers to represent organizational hierarchy by referencing the "id" attribute of another User.
![Page 51: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/51.jpg)
Not Quite.
![Page 52: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/52.jpg)
Perhaps we need standard “enterprise” claims
![Page 53: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/53.jpg)
Q: When shall I start using OpenID Connect?
![Page 54: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/54.jpg)
Timeline
• 2nd Implementers Draft Public Review (45 days)
• 2nd Implementers Draft Vote (14 days)
• Final Review (60 days)
• Final: December 2013
We are here!
![Page 55: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/55.jpg)
Questions?
![Page 56: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/56.jpg)
to be continued at …
OAuth and OpenID Connect: In the Trenches
Wednesday, July 10, 4:00 – 5:30 PM, Salon C/D/E
![Page 57: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/57.jpg)
Details …
![Page 58: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/58.jpg)
Working Together
OpenID Connect
![Page 59: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/59.jpg)
Working Group Members
• Key working group participants:
– Nat Sakimura – Nomura Research Institute – Japan
– John Bradley – Ping Identity – Chile
– Breno de Medeiros – Google – US
– Axel Nennker – Deutsche Telekom – Germany
– Torsten Lodderstedt – Deutsche Telekom – Germany
– Roland Hedberg – Umeå University – Sweden
– Andreas Åkre Solberg – UNINETT – Norway
– Chuck Mortimore – Salesforce – US
– Brian Campbell – Ping Identity – US
– George Fletcher – AOL – US
– Justin Richer – Mitre – US
– Nov Matake – Independent – Japan
– Mike Jones – Microsoft – US
• By no means an exhaustive list!
![Page 60: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/60.jpg)
Design Philosophy
Simple Things Simple
Complex Things Possible
![Page 61: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/61.jpg)
Simple Things Simple
UserInfo endpoint for simple claims about user
Designed to work well on mobile phones
![Page 62: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/62.jpg)
How We Make It Simple
• Build on OAuth 2.0
• Use JavaScript Object Notation (JSON)
• Build only the pieces that you need
• Goal: Easy implementation on all modern development platforms
![Page 63: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/63.jpg)
Complex Things Possible
Encrypted Claims
Aggregated Claims
Distributed Claims
![Page 64: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/64.jpg)
A Look Under the Covers
• ID Token
• Claims Requests
• UserInfo Claims
• Example Protocol Messages
![Page 65: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/65.jpg)
OpenID Connect Authentication (analogy with Alice, a Butler, and Bob)
1. Who are you? Get me a referral letter. Do not forget about your email!
2. Give Bob the locker key and a referral letter.
3. Here you are!
4. Here you are.
Referral letter: Date: 2011/5/15 11:00:04, Level of Assurance: 2, Verifier: Google. Official Google Seal.
Locker key.
In protocol terms: the locker key is the Access Token, the referral letter is the ID Token.
![Page 66: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/66.jpg)
ID Token
• JWT representing logged-in session
• Claims:
– iss – Issuer
– sub – Identifier for subject (user)
– aud – Audience for ID Token
– iat – Time token was issued
– exp – Expiration time
– nonce – Mitigates replay attacks
– at_hash – Left hash of the access token
– azp – Authorized Party
![Page 67: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/67.jpg)
ID Token Claims Example

```json
{
  "iss": "https://server.example.com",
  "sub": "alice",
  "aud": "https://bob.example.com",
  "iat": 1311280970,
  "exp": 1311281970,
  "nonce": "n-0S6_WzA2Mj",
  "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng",
  "azp": "https://cindy.example.com/"
}
```
![Page 68: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/68.jpg)
at_hash makes the ID Token a detached signature for the access token
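As an added example (not code from the slides or from the OpenID Foundation), the relying-party checks on the ID Token claims listed on the two slides above, with at_hash computed the way the deck describes it: the left half of the hash over the access token, so a token swapped in beside the ID Token is detected. The issuer, client ids, nonce, access token and clock value are constructed placeholders, and JWS signature verification is assumed to have run before these checks.

```python
"""Relying-party checks on the claims of an OpenID Connect ID Token.

Added example, not code from the slides or the OpenID Foundation. Issuer, client id,
nonce, access token and clock value are constructed placeholders. Verifying the JWS
signature of the ID Token is assumed to have happened before these checks run.
"""
import base64
import hashlib
import time


def compute_at_hash(access_token: str) -> str:
    """at_hash for an ID Token signed with a SHA-256 based alg (e.g. RS256): the
    left-most half of SHA-256 over the access token's ASCII bytes, base64url, unpadded."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def validate_id_token_claims(claims, *, issuer, client_id, expected_nonce,
                             access_token=None, now=None, leeway=60):
    """Return the names of failed checks; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    failures = []

    # iss: the token must come from the OP this login was started with.
    if claims.get("iss") != issuer:
        failures.append("iss")

    # aud: the token must be meant for THIS client. Accepting a token that was
    # issued to some other client is the token swap attack the deck warns about.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        failures.append("aud")

    # exp / iat: reject expired tokens and tokens dated in the future.
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp + leeway:
        failures.append("exp")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + leeway:
        failures.append("iat")

    # nonce: must equal the value generated for this login attempt (replay mitigation).
    if claims.get("nonce") != expected_nonce:
        failures.append("nonce")

    # at_hash: binds the ID Token to the access token delivered next to it, so a
    # substituted access token is detected; the ID Token acts as its detached signature.
    if access_token is not None and claims.get("at_hash") != compute_at_hash(access_token):
        failures.append("at_hash")
    return failures


# Constructed demo data modelled on the deck's claims example (at_hash computed for real).
DEMO_ACCESS_TOKEN = "mF_9.B5f-4.1JqM"
DEMO_CLAIMS = {
    "iss": "https://server.example.com",
    "sub": "alice",
    "aud": "https://bob.example.com",
    "iat": 1311280970,
    "exp": 1311281970,
    "nonce": "n-0S6_WzA2Mj",
    "at_hash": compute_at_hash(DEMO_ACCESS_TOKEN),
}


def demo(now=1311281000):
    """Bob accepts the token; the same token presented at Cindy's site fails on aud."""
    common = dict(issuer="https://server.example.com", expected_nonce="n-0S6_WzA2Mj",
                  access_token=DEMO_ACCESS_TOKEN, now=now)
    at_bob = validate_id_token_claims(DEMO_CLAIMS, client_id="https://bob.example.com", **common)
    at_cindy = validate_id_token_claims(DEMO_CLAIMS, client_id="https://cindy.example.com/", **common)
    return at_bob, at_cindy


if __name__ == "__main__":
    print(demo())
```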
![Page 69: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/69.jpg)
azp allows the token to be used by another party
Diagram: Site X, Cindy, Bob; ID Token, Access Token
![Page 70: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/70.jpg)
Using Access Token only for Authentication is Dangerous.
1. Who are you? Get me a referral letter. Do not forget about your email!
2. Give Eve the locker key and a referral letter.
3. Here you are!
4. Here you are.
Parties: Alice, Butler, Eve. Only the Access Token (the locker key) changes hands.
![Page 71: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/71.jpg)
OpenID Connect’s claims aggregation and distributed claims.
Claims held in the Locker (UserInfo Endpoint): Name: Alice de Wanderland, DoB: 1989/3/3, Sex: F, Address: 135 Broadway, NY, NY (NY City Official Seal).
Parties: Site X, Site Y, Site Z, Bob.
![Page 72: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/72.jpg)
Aggregated Claims
Parties: Data Source, Data Source, Identity Provider, Relying Party
Labels: Signed Claims, Claim Values
![Page 73: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/73.jpg)
Distributed Claims
Parties: Identity Provider, Relying Party, Data Source, Data Source
Labels: Signed Claims, Claim Refs
![Page 74: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/74.jpg)
Claims Requests
• Basic requests made using OAuth scopes:
– openid – Declares request is for OpenID Connect
– profile – Requests default profile info
– email – Requests email address & verification status
– address – Requests postal address
– phone – Requests phone number & verification status
– offline_access – Requests Refresh Token issuance
• Requests for individual claims can be made using the JSON “claims” request parameter
![Page 75: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/75.jpg)
Request Object
![Page 76: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/76.jpg)
You can register it at registration time: request_uri (Personally Recommended)
![Page 77: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/77.jpg)
Authorization Request Example

```text
https://server.example.com/authorize
  ?response_type=token%20id_token
  &client_id=0acf77d4-b486-4c99-bd76-074ed6a64ddf
  &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb
  &scope=openid%20profile
  &state=af0ifjsldkj
  &nonce=n-0S6_WzA2Mj
```
![Page 78: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/78.jpg)
Authorization Response Example

```http
HTTP/1.1 302 Found
Location: https://client.example.com/cb
  #access_token=mF_9.B5f-4.1JqM
  &token_type=bearer
  &id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z
  &expires_in=3600
  &state=af0ifjsldkj
```
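As an added example (not code from the slides), the relying party's side of the request and response slides above: a fresh state and nonce per login attempt, the authorization URL built to match the request example byte for byte, and the redirect fragment parsed and checked against the stored state before any token is used. Assumptions: the session store is a plain dict, and verifying the returned ID Token's signature and claims happens separately.

```python
"""Relying-party side of the front channel shown on the deck's request and response slides.

Added example, not code from the slides. Assumes the RP keeps the state and nonce it
generated in the user's session until the redirect comes back. The returned ID Token
still needs its signature and claims checked; that is outside this block.
"""
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://server.example.com/authorize"
CLIENT_ID = "0acf77d4-b486-4c99-bd76-074ed6a64ddf"
REDIRECT_URI = "https://client.example.com/cb"


def new_login_attempt():
    """Fresh, unguessable state (binds the callback to this browser session, against
    CSRF / login injection) and nonce (echoed inside the ID Token, against replay)."""
    return {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}


def build_authorization_url(session, scope=("openid", "profile")):
    """Implicit-flow request exactly as on the slide: response_type=token id_token."""
    params = {
        "response_type": "token id_token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scope),
        "state": session["state"],
        "nonce": session["nonce"],
    }
    # quote (not quote_plus) so spaces become %20 as in the deck's example.
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def check_authorization_response(location, session):
    """Parse the fragment of the 302 Location header and check it against the session.
    Returns (params, failures); only use the tokens when failures is empty."""
    failures = []
    parts = urlsplit(location)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        failures.append("redirect_uri")
    # The implicit flow returns the tokens in the fragment, never in the query string.
    params = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    # state must match what this session stored; compare in constant time.
    if not hmac.compare_digest(params.get("state", ""), session["state"]):
        failures.append("state")
    if params.get("token_type", "").lower() != "bearer":
        failures.append("token_type")
    for key in ("access_token", "id_token"):
        if key not in params:
            failures.append(key)
    return params, failures


# Constructed demo values taken from the deck's example messages.
DEMO_SESSION = {"state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj"}
DEMO_LOCATION = ("https://client.example.com/cb#access_token=mF_9.B5f-4.1JqM"
                 "&token_type=bearer&id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z"
                 "&expires_in=3600&state=af0ifjsldkj")


if __name__ == "__main__":
    print(build_authorization_url(DEMO_SESSION))
    print(check_authorization_response(DEMO_LOCATION, DEMO_SESSION))
    # A callback carrying a state this session never issued is rejected.
    print(check_authorization_response(DEMO_LOCATION, {"state": "other", "nonce": "x"}))
```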
![Page 79: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/79.jpg)
UserInfo Request Example

```http
GET /userinfo?schema=openid HTTP/1.1
Host: server.example.com
Authorization: Bearer mF_9.B5f-4.1JqM
```
![Page 80: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/80.jpg)
Connect Specs Overview
![Page 81: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/81.jpg)
Resources
• OpenID Connect – http://openid.net/connect/
• OpenID Connect Working Group Mailing List – http://lists.openid.net/mailman/listinfo/openid-specs-ab
• OpenID Connect Interop Wiki – http://osis.idcommons.net/
• OpenID Connect Interop Mailing List – http://groups.google.com/group/openid-connect-interop
• Mike Jones’ Blog – http://self-issued.info/
• Nat Sakimura’s Blog – http://nat.sakimura.org/
• John Bradley’s Blog – http://www.thread-safe.com/
![Page 82: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/82.jpg)
Current Status
• Waiting for dependencies to be completed
– JWS, JWE, JWA, JWK – IETF JOSE WG
– JSON Web Token (JWT) – IETF OAuth WG
– WebFinger – IETF Apps WG
![Page 83: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/83.jpg)
Interop testing underway
AOL, Google, IBM, Layer 7, Mitre, NRI, @nov, Orange, eBay, Gluu, Ping Identity, GÉANT, @ritou, Emmanuel Raviart
120+ feature tests
14 implementations
![Page 85: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/85.jpg)
Start Building Now!
![Page 86: CIS13: Introduction to OpenID Connect](https://reader034.fdocuments.net/reader034/viewer/2022051313/547cca575906b575378b45bb/html5/thumbnails/86.jpg)
http://nat.sakimura.org/