Nat Sakimura, Senior Researcher, Information Tech. Research Dept, Nomura Research Institute
OpenID Connect is a layer on top of the OAuth 2.0 protocol that adds critical identity-related information and validation to API interactions. Targeted both towards Web SSO and native application scenarios, OpenID Connect defines all the pieces necessary for an IT department to deliver an industry best practice identity regime based on the OAuth 2.0 protocol. Join Nat Sakimura to find out about ID Tokens, userinfo REST endpoints, dynamic client registration, session management, discovery, and all the other important concepts that OpenID Connect standardizes.
Slide 20 (OpenID Connect)
Signed Request vs. ID Token
• Signed Request
  – Works only with a single identity provider
  – Proprietary signature format
• ID Token
  – Works with multiple identity providers
  – IETF JSON Web Signature
Slide 23
An Identity Layer provides:
• Who is the user that got authenticated
• Where was he authenticated
• When was he authenticated
• How was he authenticated
• What attributes he can give you
• Why he is providing them
Slide 29
Interoperable
• Standard scopes: openid, profile, email, address, phone
• Method to ask for more granular claims: Request object and claims
• ID Token: info about the authenticated user
• UserInfo endpoint: get attributes about the user; translate the tokens
Slide 30
Simple & Mobile Friendly
• JSON based
• REST friendly
• In the simplest cases, just copy and paste
• Mobile & app friendly
e.g., the ID Token is signed JSON:
{
  "iss": "https://client.example.com",
  "sub": "24400320",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969,
  "acr": "2",
  "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng"
}
Slide 32
Flexible
• Granular Request
  – Through Request Object (JSON)
  – Data minimization
• Aggregated Claims
  – Does not disclose data recipients to data sources
• Distributed Claims
  – Decentralized data storage
Slide 33
Choice of your provider
• Can be Google, eBay, AOL, Deutsche Telekom etc.
• Can be your phone => Self-Issued Provider
Slide 35
SAML Authentication (diagram: Alice, a notary, and Eve)
Referral letter shown on the slide: Name: Alice de Wonderland; Mail: alice@example.com; Notary: Google. Official Google Seal (Japanese stamp text: "Google Inc. seal").
1. Who are you? Get me a referral letter. Do not forget about your email!
2. Please write me a referral letter.
3. Here you are.
4. Here is the certificate.
Slide 36
Pseudo-Authentication using OAuth (diagram: Alice, an Apartment Controller, and Eve)
1. Who are YOU? Give me a valet key to your house. Then I will trust that you are the owner of the house.
2. Can you give me a valet key to my house?
3. Here you are!
4. Here is the key!
Slide 37
OpenID Connect Authentication (diagram: Alice, her Butler, a Locker, and Eve)
Referral letter shown on the slide: Date: 2011/5/15 11:00:04; Level of Assurance: 2; Verifier: Google; Official Google Seal.
1. Who are you? Get me a referral letter. Do not forget about your email!
2. Give Eve the locker key and a referral letter.
3. Here you are!
4. Here you are.
Slide 38
OpenID Connect's claims aggregation and distributed claims (diagram: Locker, UserInfo Endpoint, Site X, Site Y, Site Z, and Eve)
Record shown on the slide: Name: Alice de Wonderland; DoB: 1989/3/3; Sex: F; Address: 135 Broadway, NY, NY; NY City Official Seal.
Slide 50
SCIM Enterprise User Schema Extension
• employeeNumber
  – Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.
• costCenter
  – Identifies the name of a cost center.
• organization
  – Identifies the name of an organization.
• division
  – Identifies the name of a division.
• department
  – Identifies the name of a department.
• manager
  – The User's manager. A complex type that optionally allows Service Providers to represent organizational hierarchy by referencing the "id" attribute of another User.
Slide 59
Working Group Members
• Key working group participants:
– Nat Sakimura – Nomura Research Institute – Japan
– John Bradley – Ping Identity – Chile
– Breno de Medeiros – Google – US
– Axel Nennker – Deutsche Telekom – Germany
– Torsten Lodderstedt – Deutsche Telekom – Germany
– Roland Hedberg – Umeå University – Sweden
– Andreas Åkre Solberg – UNINETT – Norway
– Chuck Mortimore – Salesforce – US
– Brian Campbell – Ping Identity – US
– George Fletcher – AOL – US
– Justin Richer – Mitre – US
– Nov Matake – Independent – Japan
– Mike Jones – Microsoft – US
• By no means an exhaustive list!
Slide 62
How We Make It Simple
• Build on OAuth 2.0
• Use JavaScript Object Notation (JSON)
• Build only the pieces that you need
• Goal: Easy implementation on all modern
development platforms
Slide 64
A Look Under the Covers
• ID Token
• Claims Requests
• UserInfo Claims
• Example Protocol Messages
Slide 65
OpenID Connect Authentication (diagram: Alice, her Butler, a Locker, and Bob; labels: Access Token, ID Token)
Referral letter shown on the slide: Date: 2011/5/15 11:00:04; Level of Assurance: 2; Verifier: Google; Official Google Seal.
1. Who are you? Get me a referral letter. Do not forget about your email!
2. Give Eve the locker key and a referral letter.
3. Here you are!
4. Here you are.
Slide 66
ID Token
• JWT representing the logged-in session
• Claims:
  – iss – Issuer
  – sub – Identifier for the subject (user)
  – aud – Audience for the ID Token
  – iat – Time the token was issued
  – exp – Expiration time
  – nonce – Mitigates replay attacks
  – at_hash – Left-half hash of the access token
  – azp – Authorized Party
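The checks a relying party must run on the signed JSON above before trusting it, as an added example that is not from the slides: it assumes an HS256 JWS keyed with the client secret (RS256 against the provider's JWK would replace only the signature step), an issuer of https://server.example.com, and a constructed access token; mint_id_token is a test stand-in for the provider.

```python
import base64, hashlib, hmac, json
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def at_hash_for(access_token: str) -> str:
    # at_hash for HS256/RS256: base64url of the left half (128 bits) of SHA-256(access_token)
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])
def mint_id_token(claims: dict, secret: bytes) -> str:
    # Test helper standing in for the OP: sign the claims as an HS256 JWS keyed with the client secret.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("ascii"))
    payload = b64url_encode(json.dumps(claims).encode("ascii"))
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"
def validate_id_token(token, secret, issuer, client_id, nonce, access_token, now):
    # Relying-party checks, in order: signature, iss, aud/azp, exp, nonce, at_hash.
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # allow-list the alg; the token must not choose it
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token was not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp does not name this client")
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    if access_token is not None and claims.get("at_hash") != at_hash_for(access_token):
        raise ValueError("access token does not belong to this ID Token")
    return claims

# Constructed sample mirroring the slide's claims; every value here is illustrative only.
SECRET, ACCESS_TOKEN, ISSUER, CLIENT_ID, NONCE = (
    b"client-secret-example", "SlAV32hkKG", "https://server.example.com", "s6BhdRkqt3", "n-0S6_WzA2Mj")
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "24400320", "aud": CLIENT_ID, "nonce": NONCE, "acr": "2",
                 "exp": 1311281970, "iat": 1311280970, "at_hash": at_hash_for(ACCESS_TOKEN)}

def demo(now=1311281000):
    token = mint_id_token(SAMPLE_CLAIMS, SECRET)
    return validate_id_token(token, SECRET, ISSUER, CLIENT_ID, NONCE, ACCESS_TOKEN, now)
```

The at_hash check is what ties the access token to this ID Token, so a token obtained for some other client cannot be paired with it (the pseudo-authentication problem of slides 36 and 70).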
Slide 70
Using Access Token only for Authentication is Dangerous. (diagram: Alice, her Butler, and Eve; label: Access Token)
1. Who are you? Get me a referral letter. Do not forget about your email!
2. Give Eve the locker key and a referral letter.
3. Here you are!
4. Here you are.
Slide 71
OpenID Connect's claims aggregation and distributed claims (diagram: Locker, UserInfo Endpoint, Site X, Site Y, Site Z, and Bob)
Record shown on the slide: Name: Alice de Wonderland; DoB: 1989/3/3; Sex: F; Address: 135 Broadway, NY, NY; NY City Official Seal.
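The JSON shape behind the aggregated and distributed claims of slides 32, 38 and 71, as an added example that is not from the slides: _claim_names maps each non-local claim to a source, and _claim_sources carries either an embedded JWT from the claim provider (aggregated) or an endpoint plus access token the client must call (distributed). The UserInfo response, the city and bank sources, and both callbacks are constructed stand-ins; a real client would verify the JWT's signature and fetch the endpoint.

```python
# Constructed UserInfo response using OpenID Connect aggregated and distributed claims.
USERINFO = {
    "sub": "24400320",
    "name": "Alice de Wonderland",
    "_claim_names": {"birthdate": "city", "address": "city", "account_balance": "bank"},
    "_claim_sources": {
        "city": {"JWT": "<constructed JWT signed by the city claim provider>"},
        "bank": {"endpoint": "https://bank.example.com/claim_source",
                 "access_token": "constructed-token-for-bank"},
    },
}

def resolve_claims(userinfo, verify_jwt, fetch):
    """Merge local, aggregated and distributed claims into {claim: (value, source)}.

    verify_jwt(jwt) -> claims dict after checking the provider's signature (caller-supplied).
    fetch(endpoint, access_token) -> claims dict from the distributed endpoint (caller-supplied).
    Only claims listed in _claim_names are taken from a source; anything else it returns is ignored.
    """
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    resolved = {k: (v, "local") for k, v in userinfo.items() if not k.startswith("_claim_")}
    for claim, src in names.items():
        if claim in resolved:
            raise ValueError(f"{claim} appears both locally and in _claim_names")
        if src not in sources:
            raise ValueError(f"unknown claim source {src!r} for {claim}")
    per_source = {}
    for src, desc in sources.items():
        if "JWT" in desc:
            per_source[src] = verify_jwt(desc["JWT"])                          # aggregated
        else:
            per_source[src] = fetch(desc["endpoint"], desc["access_token"])    # distributed
    for claim, src in names.items():
        if claim not in per_source[src]:
            raise ValueError(f"source {src!r} did not return {claim}")
        resolved[claim] = (per_source[src][claim], src)
    return resolved

# Constructed stand-ins for the two callbacks (no network, no real signature check).
CITY_CLAIMS = {"iss": "https://city.example.gov", "birthdate": "1989-03-03",
               "address": {"formatted": "135 Broadway, NY, NY"}, "sex": "F"}
BANK_CLAIMS = {"account_balance": "1234"}

def demo():
    return resolve_claims(USERINFO, verify_jwt=lambda jwt: CITY_CLAIMS,
                          fetch=lambda endpoint, token: BANK_CLAIMS)
```

Note that the bank never learns which site asked for the balance on the aggregated path, which is the "does not disclose data recipients to data sources" property from slide 32; on the distributed path the client contacts the source directly.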
Slide 81
Resources
• OpenID Connect
– http://openid.net/connect/
• OpenID Connect Working Group Mailing List
– http://lists.openid.net/mailman/listinfo/openid-specs-ab
• OpenID Connect Interop Wiki
– http://osis.idcommons.net/
• OpenID Connect Interop Mailing List
– http://groups.google.com/group/openid-connect-interop
• Mike Jones’ Blog
– http://self-issued.info/
• Nat Sakimura’s Blog
– http://nat.sakimura.org/
• John Bradley’s Blog
– http://www.thread-safe.com/
Slide 82
Current Status
• Waiting for dependencies to be completed
  – JWS, JWE, JWA, JWK: IETF JOSE WG
  – JSON Web Token (JWT): IETF OAuth WG
  – WebFinger: IETF Apps WG