Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo - PowerPoint PPT Presentation

Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect fulup@iot.bzh

Who Are We ? Securing AGL V2C with OpenIDconnect May-2017 2

V2C Multiple Requirements ● Car to Cloud ● Telematics ● Car sharing, Fleet management ● Profiling ● Real time Update Traffic/Map ● Cloud to Car ● User Preferences ● SOTA, Streaming Music, Traffic ● Car to Infrastructure ● Payment ● Car to City ● Car to Home Securing AGL V2C with OpenIDconnect May-2017 3

V2C MUST fix issues ● Potential open door for cyber-attack ? ● Who own and controls the data ? What’s about user privacy ? ● How to provide the right user experience with on time to the market innovations ? ● How to open popular to non-automotive services (Spotify, Facebook, Paypal, …) ● How to keep the service running for 25 years? ● ... ● Last but not least, where to find skill developers ? Securing AGL V2C with OpenIDconnect May-2017 4

AGL Microservices Architecture Entertainement Cluster Cloud Navigation Maintenance Portal My Car Portal Head Unix Service Know Bugs Paiement Direction Indication Carte handling Maintenances Subcriptions Localistion management Service Packs Preference POI Transport & ACL Transport & ACL Transport & ACL Geopositioning Preferences CAN-BUS Log Cluster Virtual Virtual Signal & Analytics Virtual Signal Signal Custumisation Gyro, Acelerometer CAN-BUS MongoDB Engine No-SQL Engine Engine-CAN-BUS CAN GPS Paiement Service Statistics & Analytics ABS LIN-BUS Multi ECU & Cloud Aware Architecture Securing AGL V2C with OpenIDconnect May-2017 5

AGL-DD API Description Model Securing AGL V2C with OpenIDconnect May-2017 6

OpenAPI Binding Description Securing AGL V2C with OpenIDconnect May-2017 7

AGL-DD Security Model Not ready yet for Cloud SaaS Application Framwork Live Cycle Management Log/Supervision Navigation MultiMedia Start,Stop,Pause,Install,Remove,... Cgroups Service Service Service NameSpace Carte handling Carte handling Media Player Containers POI management POI management Radio Interface etc... etc... etc... Transport + Acess Control Agent-2 Agent-3 Agent-4 MAC Car Environement Engine Remote Signal Enforcement CAN Bus-A CAN Bus-B Smart City Smack LIN Bus-A Cluster-Unit RVI ... Audio Cloud Distributed Application Architecture Securing AGL V2C with OpenIDconnect May-2017 8

Why OpenID Connect ? ● Inherit from SAML2 protocols models ● Over 10 years of lesson learn on massive deployment ● Support of privacy and data protection built in ● Simpler to deploy than SAML2 ● Low level based on REST, SSL, JSON ● High Level based on oAuth2, JWT (Json Web Token) ,JWS (Json Web Signature) ● Toolkit available in multiple languages ● Supported natively or flavoured by many internet providers (Facebook, Google, Paypal, …), but also by many governments ● Community ● Active & well known ● Open to custom profile ● Ready to work with AGL Securing AGL V2C with OpenIDconnect May-2017 9

OpenID members Companies involve OpenId Development Contributors included a diverse international representation of industry, academia and independent technology leaders: AOL, Deutsche Telekom, Facebook, Google, Microsoft, Mitre Corporation, mixi, Nomura Research Institute, Orange, PayPal, Ping Identity, Salesforce, Yahoo! Japan, among other individuals and organizations. Securing AGL V2C with OpenIDconnect May-2017 10

OpenID Simple Flow Slide Credit Nov Matake, OpenID Japan Securing AGL V2C with OpenIDconnect May-2017 11

OpenID Connect Detail Flow Slide credit axway.com Securing AGL V2C with OpenIDconnect May-2017 12

Global Architecture Local Binding Remote Binding (11) Forward AuthCode ws-client:tcp://hostname:port/MyAPI ws-server:tcp://hostname:port/MyAPI (1) Request API (13) Receive (2) Request AuthZ User Info (3) Forward (clientID@IDP, scope, ..) AuthZ Request (12) Provide (10) Forward AuthCode AuthCode (4) Request AuthZ on behalf Remote (clientID, scope, ..) Identity Agent (5) Redirect Authentication URL for User consent IDP (Identity Provider) e.g. www.mycarportal.net (7) Forward IDP redirect (9) Return AuthCode Consent/Authentication (7) User Consent/Authentication User UI Interaction Securing AGL V2C with OpenIDconnect May-2017 13

Data Model Identity Agent Data Structure (UsrID) Local User Profile (AppID) Local App Profile ● Name ● ClientID ● Email ● Autority, Scope ● Etc. ● Session Token/Timeout ● Persistant Data ● Etc. (FedID) IDP pseudonym ● usrID@IDP ● usrProfile@IDP ● AuthZ token ● Session Token/Timeout ● Etc. Securing AGL V2C with OpenIDconnect May-2017 14

Work To Be Done ● AGL Binding Protocol Extension ● Native integration of OpenID Connect ● Support for use interaction (consent, authentication) ● Access Controls ● LOA ● Hook for roles/group ● Link with existing privilege model ● Authentication ● Webview for Authentication/Consent ● Map authentication devices (NFC, FiDO) ● Define API for custom API Securing AGL V2C with OpenIDconnect May-2017 15

Further Information ● Specifications: http://openid.net/connect ● Introduction http://openid.net/connect/faq ● Deep dive in protocols: [Following videos are pretty technical, while they relates to one of pevious live project they may help to understand OpenID protocols. Please ignore 1 st videos which are related to the installation of the project, last ones demonstrate protocols through a live debug session] ● French http://breizhme.net/fr/video-technique (2 nd & 3 rd videos) ● English http://breizhme.net/en/ (last video) Warning : When searching for information you should be aware that OpenID- connect has 100% different from OpenID-v1/v2. Securing AGL V2C with OpenIDconnect May-2017 16