Nat Sakimura, Senior Researcher, Information Tech. Research Dept, Nomura Research Institute OpenID Connect is a layer on top of the OAuth 2.0 protocol that adds critical identity-related information and validation to API interactions. Targeted both towards Web SSO and native application scenarios, OpenID Connect defines all the pieces necessary for an IT department to deliver an industry best practice identity regime based on the OAuth 2.0 protocol. Join Nat Sakimura to find out about ID Tokens, userinfo REST endpoints, dynamic client registration, session management, discovery, and all the other important concepts that OpenID Connect standardizes.

1. Connect
OpenID
OpenID Connect
Nat Sakimura
Chairman Senior Researcher
C6b. New School Identity Frameworks Panel
Foundation

2. Connect
OpenID
OAuth 2.0
Identity Layer on top of
Base Protocol

3. Connect
OpenID
Q
Identity

4. Connect
OpenID
Identity = set of attributes
related to an entity [iso 29115]

5. Connect
OpenID
Entity
Identity

6. Connect
OpenID
Entity
Human
Machine
Service

7. Connect
OpenID
No direct way to perceive
Human

8. Connect
OpenID
Blond/grey
Silver frame
glasses
6’5” tall

9. Connect
OpenID
Entity
Identity
Identity
Sex
Mail
height
Boy
Friend
Sex
height
Real
Name
Self Recognition
Delta between Self and 3rd Party
Recognition = interpersonal problem
Delta between Self and 3rd Party
Recognition= interpersonal problem
Role
Relatio
nship
3rd Party
Recognition
Relationship
Friends
Boss
Self Recognition
3rd Party
Recognition
Street
Address
Nickname
Birthday
Street
Address
Employee
number
licnese
performance

10. Connect
OpenID
Man
Identity
Identity
Identity

11. Connect
OpenID
Man
Work
Husband
Father

12. Connect
OpenID
daughter
mother
wife
girl
friend
collea-
gue
boss
community
member friend
Woman

13. Connect
OpenID
YOU
Identity
A
Identity
B
Identity
C
Site A
Site B
Site C

14. Connect
OpenID
Q
Why not just OAuth?

15. Connect
OpenID
OAuth is an Access Granting Protocol
Betty’s
Profile
Alice
Cindy
Cindy ≠ Betty
Alice ≠ Betty

16. Connect
OpenID
Facebook extends OAuth with
“signed request”
“ID Token”
in OpenID Connect

17. Connect
OpenID
Token Swap Attack

18. Connect
OpenID
Login with Amazon

19. Connect
OpenID
http://blog.chromium.org/2013/07/richer-
access-to-google-services-and.html?m=1

20. Connect
OpenID
Signed Request
• Works only with
a single identity
provider
• Proprietary
signature format
ID Token
• Works with
multiple identity
providers
• IETF JSON Web
Signature

21. Connect
OpenID
ID Token Claims Example
{
"iss": "https://server.example.com",
"sub": "248289761001",
"aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf",
"iat": 1311280970,
"exp": 1311281970,
"nonce": "n-0S6_WzA2Mj"
}

22. Connect
OpenID
Stick with OpenID Connect
and not “OAuth Authentication”

23. Connect
OpenID
An Identity Layer provides:
• is the user that got authenticated
Who
• was he authenticated
Where
• was he authenticated
When
• was he authenticated
How
• attributes he can give you
What
• he is providing them
Why

24. Connect
OpenID
Interoperable
Simple
&
Mobile
Friendly
Secure
Flexible

25. Connect
OpenID
Interoperable
Simple
&
Mobile
Friendly
Secure
Flexible

26. Connect
OpenID
Interoperable
Simple
&
Mobile
Friendly
Secure
Flexible

27. Connect
OpenID
Interoperable
Simple
&
Mobile
Friendly
Secure
Flexible

28. Connect
OpenID
Interoperable
Simple
&
Mobile
Friendly
Secure
Flexible

29. Connect
OpenID
Interoperable
• openid, profile, email, address, phone
Standard scopes
• Request object and claims
Method to ask for
more granular claims
• Info about the authenticated user
ID Token
• Get attributes about the user
• Translate the tokens
UserInfo endpoint

30. Connect
OpenID
Simple & Mobile Friendly
JSON Based
REST Friendly
In simplest cases,
just copy and paste
Mobile & App
Friendly
e.g., ID Token is signed JSON
{
"iss": "https://client.example.com",
”sub": "24400320",
"aud": "s6BhdRkqt3",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"auth_time": 1311280969,
"acr": "2",
"at_hash":
"MTIzNDU2Nzg5MDEyMzQ1Ng"
}

31. Connect
OpenID
Secure
• ISO/IEC 29115 Entity Authentication
Assurance
• Choice of crypto
LoA1
LoA2
LoA3
LoA4

32. Connect
OpenID
Flexible
• Through Request Object (JSON)
• Data Minimization
Granular
Request
• Does not disclose data recipients
to data sources
Aggregated
Claims
• Decentralized Data Storage
Distributed
Claims

33. Connect
OpenID
Choice of your provider
Can be Google,
eBay, AOL,
Deutsche
Telecom etc.
Can be your
Phone =>
Self-Issued
Provider

34. Connect
OpenID
Details

35. Connect
OpenID
Name: Alice de
Wonderland
Mail: alice@example.com
Notary: Google.
Official
Google
Seal
株式会
社グー
グル印
Name: Alice de
Wonderland
Mail: alice@example.com
Notary: Google.
SAML Authentication
1. Who are you. Get me
a referral letter.
Do not forget about
Your email!
2. Plz write me a
referral letter。
3. Here you are
Alice
4. Here is the
certificate.
notary
Eve
Official
Google
Seal

36. Connect
OpenID
1. Who are YOU? Give me
a valet key to your house.
Then I will trust that
you are the owner of the house.
2. Can you give me
a valet key to my house?
3. Here you are!
Alice
4. Her is the key!
Pseudo-Authentication using OAuth
Apartment
Controller
Eve

37. Connect
OpenID
OpenID Connect Authentication
1. Who are you. Get me
a referral letter.
Do not forget about
Your email!
2. Give Eve the locker
Key and a referral
letter.
3. Here you are!
Alice
4. Here you are
Date：2011/5/15 11:00:04
Level of Assurance：2
Verifier：Google
Official
Google
Seal
Butler
Locker
Locker
Eve
Date：2011/5/15 11:00:04
Level of Assurance：2
Verifier：Google
Official
Google
Seal

38. Connect
OpenID
OpenID Connect's Clams aggregation and
distributed claims.
Name: Alice de Wanderland
DoB: 1989/3/3
Sex: F
Address: 135 Broadway., NY,
NY
NY City
Official
Seal
Locker
UserInfo Endpoint
Site X
Site Y
Site Z
Eve

39. Connect
OpenID
Applying it to Enterprise model

40. Connect
OpenID
Entity
Identity
Identity
Sex
Mail
height
Boy
Friend
Sex
height
Real
Name
Self Recognition
Delta between Self and 3rd Party
Recognition = interpersonal problem
Delta between Self and 3rd Party
Recognition= interpersonal problem
Role
Relatio
nship
3rd Party
Recognition
Relationship
Friends
Boss
Self Recognition
3rd Party
Recognition
Street
Address
Nickname
Birthday
Street
Address
Employee
number
licnese
performance

41. Connect
OpenID
Real
Name
Professional
qualification
department
Geo-location
Employee
number
Entity
Identity
Resource
Authentication
Policy Enforcement
Rules

42. Connect
OpenID
ABAC (Attribute Based Access Control)
Based on SP800-162 figure on page viii
identity
Resource
Rules

43. Connect
OpenID
Real
Name
Professional
qualification
department
Geo-location
Employee
number
Entity
Identity
Resource
Authentication
PEP
PDP
PAP
Boss
Metadata
Log
Log

44. Connect
OpenID
Q
What kind of
“Identity” (set of attributes)
an enterprise needs?

45. Connect
OpenID
Current Standard Claims wont do

46. Connect
OpenID
UserInfo Claims
• sub
• name
• given_name
• family_name
• middle_name
• nickname
• preferred_username
• profile
• picture
• website
• gender
• birthdate
• locale
• zoneinfo
• updated_at
• email
• email_verified
• phone_number
• phone_number_verified
• address

47. Connect
OpenID
UserInfo Claims Example
{
"sub": "248289761001",
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"email": "janedoe@example.com",
"email_verified": true,
"picture": "http://example.com/janedoe/me.jpg"
}

48. Connect
OpenID
Perhaps we need standard
“enterprise” claims

49. Connect
OpenID
SCIM?

50. Connect
OpenID
SCIM Enterprise User Schema Extension
• employeeNumber
– Numeric or alphanumeric identifier assigned to a person, typically
based on order of hire or association with an organization.
• costCenter
– Identifies the name of a cost center. organization Identifies the name
of an organization.
• division
– Identifies the name of a division.
• department
– Identifies the name of a department.
• manager
– The User's manager. A complex type that optionally allows Service
Providers to represent organizational hierarchy by referencing the "id"
attribute of another User.

51. Connect
OpenID
Not Quite.

52. Connect
OpenID
Perhaps we need standard
“enterprise” claims

53. Connect
OpenID
Q
When shall I start using
OpenID Connect?

54. Connect
OpenID
Timeline
2nd
Implementers
Draft Public
Review (45
days)
2nd
Implementers
Draft Vote
(14 days)
Final Review
(60 days)
Final
We are here!
December
2013

55. Connect
OpenID
Q
uestions?

56. Connect
OpenID
OAuth and OpenID Connect:
In the Trenches
Wednesday, July 10, 4:00 – 5:30 PM
Salon C/D/E
to be continued at …

57. Connect
OpenID
Details …

58. Connect
OpenID
Working Together
OpenID Connect

59. Connect
OpenID
Working Group Members
• Key working group participants:
– Nat Sakimura – Nomura Research Institute – Japan
– John Bradley – Ping Identity – Chile
– Breno de Medeiros – Google – US
– Axel Nennker – Deutsche Telekom – Germany
– Torsten Lodderstedt – Deutsche Telekom – Germany
– Roland Hedberg – Umeå University – Sweden
– Andreas Åkre Solberg – UNINETT – Norway
– Chuck Mortimore – Salesforce – US
– Brian Campbell – Ping Identity – US
– George Fletcher – AOL – US
– Justin Richer – Mitre – US
– Nov Matake – Independent – Japan
– Mike Jones – Microsoft – US
• By no means an exhaustive list!

60. Connect
OpenID
Design Philosophy
Simple Things Simple
Complex Things
Possible

61. Connect
OpenID
Simple Things Simple
UserInfo endpoint for
simple claims about
user
Designed to work well
on mobile phones

62. Connect
OpenID
How We Make It Simple
• Build on OAuth 2.0
• Use JavaScript Object Notation (JSON)
• Build only the pieces that you need
• Goal: Easy implementation on all modern
development platforms

63. Connect
OpenID
Complex Things Possible
Encrypted Claims
Aggregated Claims
Distributed Claims

64. Connect
OpenID
A Look Under the Covers
• ID Token
• Claims Requests
• UserInfo Claims
• Example Protocol Messages

65. Connect
OpenID
OpenID Connect Authentication
1. Who are you. Get me
a referral letter.
Do not forget about
Your email!
2. Give Eve the locker
Key and a referral
letter.
3. Here you are!
Alice
4. Here you are
Date：2011/5/15 11:00:04
Level of Assurance：2
Verifier：Google
Official
Google
Seal
Butler
Locker
Locker
Bob
Date：2011/5/15 11:00:04
Level of Assurance：2
Verifier：Google
Official
Google
Seal
Access Token
ID Token

66. Connect
OpenID
ID Token
• JWT representing logged-in session
• Claims:
– iss – Issuer
– sub – Identifier for subject (user)
– aud – Audience for ID Token
– iat – Time token was issued
– exp – Expiration time
– nonce – Mitigates replay attacks
– at_hash – Left hash of the access token
– azp – Authorized Party

67. Connect
OpenID
ID Token Claims Example
{
"iss": "https://server.example.com",
"sub": "alice",
"aud": "https://bob.example.com",
"iat": 1311280970,
"exp": 1311281970,
"nonce": "n-0S6_WzA2Mj",
"at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng",
"azp": "https://cindy.example.com/"
}

68. Connect
OpenID
at_hash makes
ID Token
a detached signature
for the access token

69. Connect
OpenID
azp allows token to be used by another party
Site X
Cindy
Bob
ID Token
Access Token

70. Connect
OpenID
Using Access Token only for Authentication is
Dangerous.
1. Who are you. Get me
a referral letter.
Do not forget about
Your email!
2. Give Eve the locker
Key and a referral
letter.
3. Here you are!
Alice
4. Here you are
Butler
Access Token
Eve

71. Connect
OpenID
OpenID Connect's Clams aggregation and
distributed claims.
Name: Alice de Wanderland
DoB: 1989/3/3
Sex: F
Address: 135 Broadway., NY,
NY
NY City
Official
Seal
Locker
UserInfo Endpoint
Site X
Site Y
Site Z
Bob

72. Connect
OpenID
Aggregated Claims
Data
Source
Data
Source
Identity
Provider
Relying
Party
Signed Claims
Claim Values

73. Connect
OpenID
Distributed Claims
Identity
Provider
Signed Claims
Relying
Party
Claim Refs
Data
Source
Data
Source

74. Connect
OpenID
Claims Requests
• Basic requests made using OAuth scopes:
– openid – Declares request is for OpenID Connect
– profile – Requests default profile info
– email – Requests email address & verification
status
– address – Requests postal address
– phone – Requests phone number & verification
status
– offline_access – Requests Refresh Token
issuance
• Requests for individual claims can be made
using JSON “claims” request parameter

75. Connect
OpenID
Request Object

76. Connect
OpenID
You can register it at registration
time :
request_uri
Personally Recommended

77. Connect
OpenID
Authorization Request Example
https://server.example.com/authorize
?response_type=token%20id_token
&client_id=0acf77d4-b486-4c99-bd76-074ed6a64ddf
&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
&nonce=n-0S6_WzA2Mj

78. Connect
OpenID
Authorization Response Example
HTTP/1.1 302 Found
Location: https://client.example.com/cb
#access_token=mF_9.B5f-4.1JqM
&token_type=bearer
&id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z
&expires_in=3600
&state=af0ifjsldkj

79. Connect
OpenID
UserInfo Request Example
GET /userinfo?schema=openid HTTP/1.1
Host: server.example.com
Authorization: Bearer mF_9.B5f-4.1JqM

80. Connect
OpenID
Connect Specs Overview

81. Connect
OpenID
Resources
• OpenID Connect
– http://openid.net/connect/
• OpenID Connect Working Group Mailing List
– http://lists.openid.net/mailman/listinfo/openid-specs-ab
• OpenID Connect Interop Wiki
– http://osis.idcommons.net/
• OpenID Connect Interop Mailing List
– http://groups.google.com/group/openid-connect-interop
• Mike Jones’ Blog
– http://self-issued.info/
• Nat Sakimura’s Blog
– http://nat.sakimura.org/
• John Bradley’s Blog
– http://www.thread-safe.com/

82. Connect
OpenID
Current Status
• Waiting for dependencies to be completed
• JWS, JWE, JWA, JWK
IETF JOSE
WG
• JSON Web Token (JWT)
IETF OAuth
WG
• WebFinger
IETF Apps
WG

83. Connect
OpenID
Interop testing underway
AOL, Google, IBM,
Layer 7, Mitre, NRI,
@nov, Orange, eBay,
Gluu, Ping Identity,
GÉANT, @ritou,
Emmanuel Raviart
120+
feature tests
14
implementations

84. Connect
OpenID
Start Building

85. Connect
OpenID
Start Building
Now!

86. Connect
OpenID
http://nat.sakimura.org/