introduction to openid connect
play

Introduction to OpenID Connect October 23, 2018 Michael B. Jones - PowerPoint PPT Presentation

Nov 15, 2023 •252 likes •831 views

Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect Microsoft Working Together OpenID Connect What is OpenID Connect? Simple identity layer on top of OAuth 2.0 Enables RPs to verify identity

  1. Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect – Microsoft

  2. Working Together OpenID Connect

  3. What is OpenID Connect? • Simple identity layer on top of OAuth 2.0 • Enables RPs to verify identity of end-user • Enables RPs to obtain basic profile info • REST/JSON interfaces → low barrier to entry • Described at http://openid.net/connect/

  4. You’re Probably Already Using OpenID Connect! • If you have an Android phone or log in at AOL, Deutsche Telekom, Google, Microsoft, NEC, NTT, Salesforce, Softbank, Symantec, Verizon, or Yahoo! Japan, you’re already using OpenID Connect – Many other sites and apps large and small also use OpenID Connect

  5. OpenID Connect Range • Spans use cases, scenarios – Internet, Enterprise, Mobile, Cloud • Spans security & privacy requirements – From non-sensitive information to highly secure • Spans sophistication of claims usage – From basic default claims to specific requested claims to collecting claims from multiple sources • Maximizes simplicity of implementations – Uses existing IETF specs: OAuth 2.0, JWT, etc. – Lets you build only the pieces you need

  6. Numerous Awards • OpenID Connect won 2012 European Identity Award for Best Innovation/New Standard – http://openid.net/2012/04/18/openid-connect- wins-2012-european-identity-and-cloud-award/ • OAuth 2.0 won in 2013 • JSON Web Token (JWT) & JOSE won in 2014 • OpenID Certification program won 2018 Identity Innovation Award – http://openid.net/2018/03/29/openid-certification- program-wins-2018-identity-innovation-award/

  7. Presentation Overview • Introduction • Design Philosophy • Timeline • A Look Under the Covers • Overview of OpenID Connect Specs • More OpenID Connect Specs • OpenID Certification • Resources

  8. Design Philosophy Keep Simple Things Simple Make Complex Things Possible

  9. Keep Simple Things Simple UserInfo endpoint for simple claims about user Designed to work well on mobile phones

  10. How We Made It Simple • Built on OAuth 2.0 • Uses JavaScript Object Notation (JSON) • You can build only the pieces that you need • Goal: Easy implementation on all modern development platforms

  11. Make Complex Things Possible Encrypted Claims Aggregated Claims Distributed Claims

  12. Key Differences from OpenID 2.0 • Support for native client applications • Identifiers using e-mail address format • UserInfo endpoint for simple claims about user • Designed to work well on mobile phones • Uses JSON/REST, rather than XML • Support for encryption and higher LOAs • Support for distributed and aggregated claims • Support for session management, including logout • Support for self-issued identity providers

  13. OpenID Connect Timeline • Artifact Binding working group formed, Mar 2010 • Major design issues closed at IIW, May 2011 – Result branded “OpenID Connect” • Functionally complete specs, Jul 2011 • 5 rounds of interop testing between 2011 and 2013 – Specifications refined after each round of interop testing • Won Best New Standard award at EIC, April 2012 • Final specifications approved, February 2014 • Errata set 1 approved November, 2014 • Form Post Response Mode spec approved, April 2015 • OpenID 2.0 to Connect Migration spec approved, April 2015 • OpenID Provider Certification launched, April 2015 • Relying Party Certification launched, December 2016 • Logout Implementer’s Drafts approved, March 2017 • OpenID Certification program won Best Identity Innovation award, March 2018

  14. A Look Under the Covers • ID Token • Claims Requests • UserInfo Claims • Example Protocol Messages

  15. ID Token • JWT representing logged-in session • Claims: – iss – Issuer – sub – Identifier for subject (user) – aud – Audience for ID Token – iat – Time token was issued – exp – Expiration time – nonce – Mitigates replay attacks

  16. ID Token Claims Example { "iss": "https://server.example.com", "sub": "248289761001", "aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf", "iat": 1311280970, "exp": 1311281970, "nonce": "n-0S6_WzA2Mj" }

  17. Claims Requests • Basic requests made using OAuth scopes: – openid – Declares request is for OpenID Connect – profile – Requests default profile info – email – Requests email address & verification status – address – Requests postal address – phone – Requests phone number & verification status – offline_access – Requests Refresh Token issuance • Requests for individual claims can be made using JSON “ claims ” request parameter

  18. UserInfo Claims • sub • gender • birthdate • name • locale • given_name • zoneinfo • family_name • updated_at • middle_name • email • nickname • email_verified • preferred_username • phone_number • profile • phone_number_verified • picture • address • website

  19. UserInfo Claims Example { "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "email": "janedoe@example.com", "email_verified": true, "picture": "http://example.com/janedoe/me.jpg" }

  20. Authorization Request Example https://server.example.com/authorize ?response_type=id_token%20token &client_id=0acf77d4-b486-4c99-bd76-074ed6a64ddf &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb &scope=openid%20profile &state=af0ifjsldkj &nonce=n-0S6_WzA2Mj

  21. Authorization Response Example HTTP/1.1 302 Found Location: https://client.example.com/cb #access_token=mF_9.B5f-4.1JqM &token_type=bearer &id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z &expires_in=3600 &state=af0ifjsldkj

  22. UserInfo Request Example GET /userinfo HTTP/1.1 Host: server.example.com Authorization: Bearer mF_9.B5f-4.1JqM

  23. OpenID Connect Specs Overview

  24. Additional Final Specifications (1 of 2) • OpenID 2.0 to OpenID Connect Migration – Defines how to migrate from OpenID 2.0 to OpenID Connect • Has OpenID Connect identity provider also return OpenID 2.0 identifier, enabling account migration – http://openid.net/specs/openid-connect-migration-1_0.html – Completed April 2015 – Google shut down OpenID 2.0 support in April 2015 – Yahoo, others also plan to replace OpenID 2.0 with OpenID Connect

  25. Additional Final Specifications (2 of 2) • OAuth 2.0 Form Post Response Mode – Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values auto-submitted by the User Agent using HTTP POST – A “form post” binding, like SAML and WS -Federation • An alternative to fragment encoding – http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html – Completed April 2015 – In production use by Microsoft, Ping Identity

  26. Session Management / Logout (works in progress) • Three approaches being pursued by the working group: – Session Management • http://openid.net/specs/openid-connect-session-1_0.html • Uses HTML5 postMessage to communicate state change messages between OP and RP iframes – Front-Channel Logout • http://openid.net/specs/openid-connect-frontchannel-1_0.html • Uses HTTP GET to load image or iframe, triggering logout (similar to SAML, WS-Federation) – Back-Channel Logout • http://openid.net/specs/openid-connect-backchannel-1_0.html • Server-to-communication not using the browser • Can be used by native applications, which have no active browser • Unfortunately, no one approach best for all use cases • Became Implementer’s Drafts in March 2017 – Working group decided this year to advance them to Final Specification status

  27. Federation Specification (work in progress) • Roland Hedberg created OpenID Connect Federation specification – http://openid.net/specs/openid-connect-federation-1_0.html • Enables establishment and maintenance of multi-party federations using OpenID Connect • Defines hierarchical JSON-based metadata structures for federation participants • Still under active development – Please review! • Prototype implementations being interop tested w/ each other

  28. What is OpenID Certification? • Enables OpenID Connect implementations to be certified as meeting the requirements of defined conformance profiles – Goal is to make high-quality, secure, interoperable OpenID Connect implementations the norm • An OpenID Certification has two components: – Technical evidence of conformance resulting from testing – Legal statement of conformance • Certified implementations can use the “OpenID Certified” logo

  29. What value does certification provide? • Technical: – Certification testing gives confidence that things will “just work” – No custom code required to integrate with implementation – Better for all parties – Relying parties explicitly asking identity providers to get certified • Business: – Enhances reputation of organization and implementation – Shows that organization is taking interop seriously – Customers may choose certified implementations over others

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for

OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for

OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for communication - information about the other part fredag 7 september 12 Trust management not solved! fredag 7 september 12 (1) OP discovery The user

254 views • 23 slides
CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser.

505 views • 17 slides
OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

580 views • 26 slides
Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend

Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend

Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend Introduction to Apache CXF Production quality framework for creating Java JAX-RS 2.0 and JAX-WS services Widely used and integrated into

1.01k views • 27 slides
openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem -

openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem -

openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem - More Client Devices per-Human - Many Cloud Accounts - More Apps: yay k8s - More Distributed Teams - VPNs arent fun - Legacy Solutions

788 views • 32 slides
OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing

OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing

OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing Institute (RENCI) UNC - Chapel Hill Context and Use Case NIH Data Commons Web application - CommonsShare.org Compute Platform and

318 views • 11 slides
Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect

Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect

Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect fulup@iot.bzh Who Are We ? Securing AGL V2C with OpenIDconnect May-2017 2 V2C Multiple Requirements Car to Cloud Telematics Car

605 views • 16 slides
Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID Terminology OpenID OpenID OpenID Consumer Identity Provider SAML 2.0 Terminology SAML 2.0 SAML 2.0 Service Provider Identity Provider What is

427 views • 16 slides
Research on OpenID and its integration within the GravityZoo framework Jarno van de Moosdijk

Research on OpenID and its integration within the GravityZoo framework Jarno van de Moosdijk

Research on OpenID and its integration within the GravityZoo framework Jarno van de Moosdijk 1/14 Research questions How does OpenID work? What are the requirements for integrating OpenID into the GravityZoo framework? How mobile

268 views • 14 slides
Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers

Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers

Subverting OpenID: Intro to Net::OpenID::Server Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers Canada http://softwareprocess.es/ abram.hindle@softwareprocess.es Abram Hindle 1 Subverting

391 views • 21 slides
OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm, 7 May 2008 EuroCAMP, Stockholm, 7 May 2008 Shib

666 views • 20 slides
Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services

Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services

Outline Introduction Support technologies Privacy-preserving IDaaS system Conclusions Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services David Nu nez , Isaac Agudo, and Javier Lopez Network,

422 views • 24 slides
Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda,

Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda,

W3C Workshop on the Future of Social Networking, Barcelona January 2009 Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda, D. Palmisano, F. Zani, S. Tripodi About Us We are proud member of the W3C

252 views • 21 slides
MONASH CONNECT www.monash.edu/connect Phone: +61 3 9902 6011 MONASH CONNECT SERVICE OVERVIEW

MONASH CONNECT www.monash.edu/connect Phone: +61 3 9902 6011 MONASH CONNECT SERVICE OVERVIEW

MONASH CONNECT MONASH CONNECT www.monash.edu/connect Phone: +61 3 9902 6011 MONASH CONNECT SERVICE OVERVIEW Monash Connect is part of the Student Services Division and is the first point of contact for all students at Monash University for

849 views • 7 slides
SFM-11:CONNECT Summer School, Bertinoro, June 2011 EU-FP7: CONNECT LSCITS/PSS

SFM-11:CONNECT Summer School, Bertinoro, June 2011 EU-FP7: CONNECT LSCITS/PSS

SFM-11:CONNECT Summer School, Bertinoro, June 2011 EU-FP7: CONNECT LSCITS/PSS VERIWARE Overview Lecture 1 (9am-11am) Introduction to Modelling and Quantitative Verification Marta Kwiatkowska Invited lecture: Christel

1.99k views • 173 slides
OpenID in domain registry CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Dec 8

OpenID in domain registry CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Dec 8

OpenID in domain registry CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Dec 8 2010, Cartagena, Colombia ccNSO Meeting 1 Everybody experienced this ... 2 3 N O I T A S R S T A S I P G / E E M R A N U .

361 views • 22 slides
The Web of Things Breakout session on service descriptions Dave Raggett, W3C 1/27 The Web of

The Web of Things Breakout session on service descriptions Dave Raggett, W3C 1/27 The Web of

The Web of Things Breakout session on service descriptions Dave Raggett, W3C 1/27 The Web of Things A huge variety of potential application domains including ... 2/27 Perils of Fragmentation Advances in electronics enabling low cost

557 views • 27 slides
NoSQL The SQL Way PostgreSQL JSON Features PGConf.de 2018 Stefanie Janine Stlting PostgreSQL

NoSQL The SQL Way PostgreSQL JSON Features PGConf.de 2018 Stefanie Janine Stlting PostgreSQL

NoSQL The SQL Way PostgreSQL JSON Features PGConf.de 2018 Stefanie Janine Stlting PostgreSQL Consulting @sjstoelting mail@stefanie-stoelting.de Sources Are On GitHub JSON JavaScript Object Notation Man muss sich nicht um das Encoding

755 views • 50 slides
Scripting And Integration with oVirt Oved Ourfali, ovedo@redhat.com Senior Software Engineer,

Scripting And Integration with oVirt Oved Ourfali, ovedo@redhat.com Senior Software Engineer,

Scripting And Integration with oVirt Oved Ourfali, ovedo@redhat.com Senior Software Engineer, Red-Hat CloudOpen Europe - October 2013 1 Agenda Part 1 REST-based APIs Introduction oVirt API oVirt Shell (CLI) (Demo) oVirt SDK Deltacloud

2.07k views • 120 slides
CS 403X Mobile and Ubiquitous Computing Lecture 5: Web Services, Broadcast Receivers, Tracking

CS 403X Mobile and Ubiquitous Computing Lecture 5: Web Services, Broadcast Receivers, Tracking

CS 403X Mobile and Ubiquitous Computing Lecture 5: Web Services, Broadcast Receivers, Tracking Location, SQLite Databases Emmanuel Agu Web Services What are Web Services? Means to call a remote method or operation that's not tied to a specific

898 views • 75 slides
Collecting Data from Foursquare API Kotrotsios Ioannis ikotrots@cs.uoi.gr Location-based

Collecting Data from Foursquare API Kotrotsios Ioannis ikotrots@cs.uoi.gr Location-based

Collecting Data from Foursquare API Kotrotsios Ioannis ikotrots@cs.uoi.gr Location-based Online Social Networks Applications which allow users to interact, share their locations, meet up, recommend places based on their physical

530 views • 24 slides
JavaServer Pages (JSP) The Context The Presentation Layer of a Web App the graphical (web)

JavaServer Pages (JSP) The Context The Presentation Layer of a Web App the graphical (web)

JavaServer Pages (JSP) The Context The Presentation Layer of a Web App the graphical (web) user interface frequent design changes usually, dynamically generated HTML pages Should we use servlets? No (not directly)

507 views • 27 slides
Objectives Servlets Review JSPs Web Application Organization Apr 30, 2019 Sprenkle -

Objectives Servlets Review JSPs Web Application Organization Apr 30, 2019 Sprenkle -

Objectives Servlets Review JSPs Web Application Organization Apr 30, 2019 Sprenkle - CS335 1 Servlets Review What is the servlet life cycle? Init parameters Where are init parameters defined? How do we access a

164 views • 13 slides
Log4j 2 in Web Applications Log4j 2 in Web Applications A Deeper Look at Effective Java EE

Log4j 2 in Web Applications Log4j 2 in Web Applications A Deeper Look at Effective Java EE

Log4j 2 in Web Applications Log4j 2 in Web Applications A Deeper Look at Effective Java EE Logging A Deeper Look at Effective Java EE Logging Manual: http://logging.apache.org/log4j/2.x/manual/webapp.html Nick Williams

307 views • 11 slides

More recommend