openid connect
play

OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 - PowerPoint PPT Presentation

Jan 25, 2024 •24 likes •254 views

OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for communication - information about the other part fredag 7 september 12 Trust management not solved! fredag 7 september 12 (1) OP discovery The user

  1. OpenID Connect fredag 7 september 12

  2. OpenID Connect fredag 7 september 12

  3. Necessity for communication - information about the other part fredag 7 september 12

  4. Trust management not solved! fredag 7 september 12

  5. (1) OP discovery The user provides an identifier ( for instance an email address ) roland@www.kodtest.se Using Simple W eb Discovery the OP is found $ curl -G https://www.kodtest.se/.well-known/simple-web-discovery? principal=joe%40example.com&service=http%3A%2F %2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer {"locations":["https://www.kodtest.se:8088"]} fredag 7 september 12

  6. (2) OP functionality discovery $ curl -G -k https://www.kodtest.se:8088/.well-known/openid-configuration {"registration_endpoint": "https://www.kodtest.se:8088/registration", "userinfo_endpoint": "https://www.kodtest.se:8088/userinfo", "token_endpoint": "https://www.kodtest.se:8088/token", "authorization_endpoint": "https://www.kodtest.se:8088/authorization", "end_session_endpoint": "https://www.kodtest.se:8088/end_session", "token_endpoint_auth_types_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt"], "jwk_url": "https://www.kodtest.se:8088/static/jwk.json", "user_id_types_supported": ["public"], "scopes_supported": ["openid", ”email”, ”profile”, ”address”, ”phone”], "version": "3.0", "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token"], "issuer": "https://www.kodtest.se:8088/", "acrs_supported": ["1","2","http://id.incommon.org/assurance/bronze"], "user_id_types_supported":["public", "pairwise"], } fredag 7 september 12

  7. (3) Dynamic registration POST https://www.kodtest.se:8088/registratio n application_name=OIC+test+tool &application_type=web &redirect_uris=https://smultron.catalogix.se/authz_cb &type=client_associate &contact=roland@example.com fredag 7 september 12

  8. Registration result { "client_id":"XgnCOEXAj3D2", "client_secret": "cf136dc3c1fd9153029bb9c6cc9ecead", "expires_at":2893276800 } fredag 7 september 12

  9. Preliminaries done! fredag 7 september 12

  10. Flow differencies AS IdP 5 4 3 3 4 2 UA 6 OP UA 1 2 7 1 9 8 SP RP SAML OpenID Connect fredag 7 september 12

  11. Authorization Request response_type This parameter controls the parameters returned in the response from the Authorization Endpoint. scope The values specify an additive list of voluntary Claims that are returned from the UserInfo Endpoint. client_id The OAuth 2.0 Client Identifier. redirect_uri A redirection URI where the response will be sent. state RECOMMENDED. An opaque value used to maintain state between the request and the callback nonce A random, unique string value used to mitigate replay attacks. prompt OPTIONAL. specifies whether the Authorization Server prompts the End-User for reauthentication and consent display OPTIONAL. A space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The possible values are: none, login, request OPTIONAL. An OpenID Request Object value. request_uri OPTIONAL. An URL that points to an OpenID Request Object. This is used to pass an OpenID Request Object by reference. id_token OPTIONAL. An ID Token passed to the Authorization server as a hint about the user's current or past authenticated session with the client. This SHOULD be present if prompt=none is sent. fredag 7 september 12

  12. Authorization Request response_type This parameter controls the parameters returned in the response from the Authorization Endpoint. scope The values specify an additive list of voluntary Claims that are returned from the UserInfo Endpoint. client_id The OAuth 2.0 Client Identifier. redirect_uri A redirection URI where the response will be sent. state RECOMMENDED. An opaque value used to maintain state between the request and the callback nonce A random, unique string value used to mitigate replay attacks fredag 7 september 12

  13. Access Token Request grant_type REQUIRED. "client_credentials"/”refresh_token”. scope OPTIONAL. The scope of the access request refresh_token REQUIRED if ‘refresh request’. The refresh token issued to the client. ------------------------------------------- When using assertions as client credentials client_assertion_type REQUIRED. The format of the assertion as defined by the authorization server. The value MUST be an absolute URI. client_assertion REQUIRED. The assertion being used to authenticate the client. fredag 7 september 12

  14. AccessTokenResponse HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "access_token": "SlAV32hkKG", "token_type": "Bearer", "refresh_token": "8xLOxBtZp8", "expires_in": 3600, "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOl wvXC9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJ1c2VyX2lkIjoiMjQ4Mjg5NzYxMDAxIiwiYXVkIj oiaHR0cDpcL1wvY2xpZW50LmV4YW1wbGUuY29tIiwiZXhwIjoxMzExMjgxOTcwfQ.eDesUD0 vzDH3T1G3liaTNOrfaeWYjuRCEPNXVtaazNQ" } fredag 7 september 12

  15. Json Web Token (JWT) • Header • { "typ":"JWT","alg":"HS256" } • Base64 encoding of the UTF - 8 representation • Second part • When the JWT is signed, the JWT Second Part is the Encoded JWS Payload. When the JWT is encrypted, the JWT Second Part is the Encoded JWE Encrypted Key. • Third part • When the JWT is signed, the JWT Third Part is the Encoded JWS Signature. When the JWT is encrypted, the JWT Third Part is the Encoded JWE Ciphertext. fredag 7 september 12

  16. IdToken, metadata on the authentication { ” iss ”: ”https://www.kodtest.se:8088/”, ”user_id”:”24400320”, ” aud ”:”XgnCOEXAj3D2”, ” exp ”:1320502962, ” nbf ”:1320502902, ”iat”: 1320502000, ” acr ”: 2, ” nonce ”:”0S6_WzA2Mj” } fredag 7 september 12

  17. UserInfo Request access_token REQUIRED. The Access Token obtained from an OpenID Connect Authorization Request. schema REQUIRED. The schema in which the data is to be returned. The only defined value is openid . id This identifier is reserved. It MUST be ignored by the endpoint when the openid schema is used. fredag 7 september 12

  18. UserInfoResponse normal claims { "name#sv-se": "Jane Doe" "given_name": "Jane", "family_name": "Doe", "email": "janedoe@kodtest.se", ”verified”: true, "picture": "http://kodtest.se/janedoe/me.jpg" } fredag 7 september 12

  19. Aggregated claims Client Identitysource Informationsource { "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "birthday": "01/01/2001", "email": "janedoe@example.com", "_claim_names": { "address": "src1", "phone_number": "src1", }, "_claim_sources": { "src1": {"JWT":"jwt_header.jwt_part2.jwt_part3"}, } } fredag 7 september 12

  20. Distributed claims Client IdentitySource { "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", Informationsource "email": "janedoe@example.com", "birthday": "01/01/2001", "_claim_names": { "payment_info": "src1", "shipping_address": "src1", "credit_score": "src2" }, "_claim_sources": { "src1": {"endpoint": "https://bank.example.com/claimsource"} "src2": { "endpoint": "https://creditagency.example.com/claimshere", "access_token": "ksj3n283dke" } } } fredag 7 september 12

  21. Using attribute authorities • Client credentials flow OP POST 8 9 Host: www.kodtest.se Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded RP grant_type=client_credentials&scope=xyz fredag 7 september 12

  22. OpenID Connect fredag 7 september 12

  23. Client registration parameters type client_id client_secret access_token contacts application_type application_name logo_url redirect_uris token_endpoint_auth_type policy_url jwk_url jwk_encryption_url x509_url x509_encryption_url sector_identifier_url user_id_type require_signed_request_object userinfo_signed_response_alg userinfo_encrypted_response_alg userinfo_encrypted_response_enc userinfo_encrypted_response_int id_token_signed_response_alg id_token_encrypted_response_alg id_token_encrypted_response_enc id_token_encrypted_response_int default_max_age require_auth_time default_acr fredag 7 september 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect

Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect

Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect Microsoft Working Together OpenID Connect What is OpenID Connect? Simple identity layer on top of OAuth 2.0 Enables RPs to verify identity

831 views • 56 slides
CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser.

505 views • 17 slides
OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

580 views • 26 slides
openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem -

openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem -

openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem - More Client Devices per-Human - Many Cloud Accounts - More Apps: yay k8s - More Distributed Teams - VPNs arent fun - Legacy Solutions

788 views • 32 slides
OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing

OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing

OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing Institute (RENCI) UNC - Chapel Hill Context and Use Case NIH Data Commons Web application - CommonsShare.org Compute Platform and

318 views • 11 slides
Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend

Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend

Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend Introduction to Apache CXF Production quality framework for creating Java JAX-RS 2.0 and JAX-WS services Widely used and integrated into

1.01k views • 27 slides
Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect

Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect

Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect fulup@iot.bzh Who Are We ? Securing AGL V2C with OpenIDconnect May-2017 2 V2C Multiple Requirements Car to Cloud Telematics Car

605 views • 16 slides
Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID Terminology OpenID OpenID OpenID Consumer Identity Provider SAML 2.0 Terminology SAML 2.0 SAML 2.0 Service Provider Identity Provider What is

427 views • 16 slides
Research on OpenID and its integration within the GravityZoo framework Jarno van de Moosdijk

Research on OpenID and its integration within the GravityZoo framework Jarno van de Moosdijk

Research on OpenID and its integration within the GravityZoo framework Jarno van de Moosdijk 1/14 Research questions How does OpenID work? What are the requirements for integrating OpenID into the GravityZoo framework? How mobile

268 views • 14 slides
Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers

Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers

Subverting OpenID: Intro to Net::OpenID::Server Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers Canada http://softwareprocess.es/ abram.hindle@softwareprocess.es Abram Hindle 1 Subverting

391 views • 21 slides
OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm, 7 May 2008 EuroCAMP, Stockholm, 7 May 2008 Shib

666 views • 20 slides
Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda,

Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda,

W3C Workshop on the Future of Social Networking, Barcelona January 2009 Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda, D. Palmisano, F. Zani, S. Tripodi About Us We are proud member of the W3C

252 views • 21 slides
MONASH CONNECT www.monash.edu/connect Phone: +61 3 9902 6011 MONASH CONNECT SERVICE OVERVIEW

MONASH CONNECT www.monash.edu/connect Phone: +61 3 9902 6011 MONASH CONNECT SERVICE OVERVIEW

MONASH CONNECT MONASH CONNECT www.monash.edu/connect Phone: +61 3 9902 6011 MONASH CONNECT SERVICE OVERVIEW Monash Connect is part of the Student Services Division and is the first point of contact for all students at Monash University for

849 views • 7 slides
OpenID in domain registry CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Dec 8

OpenID in domain registry CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Dec 8

OpenID in domain registry CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Dec 8 2010, Cartagena, Colombia ccNSO Meeting 1 Everybody experienced this ... 2 3 N O I T A S R S T A S I P G / E E M R A N U .

361 views • 22 slides
ACTS Initiative and Synergies with CDS Connect: Discussion with CDS Connect Workgroup (WG) May

ACTS Initiative and Synergies with CDS Connect: Discussion with CDS Connect Workgroup (WG) May

ACTS Initiative and Synergies with CDS Connect: Discussion with CDS Connect Workgroup (WG) May 16, 2019 Goals/Agenda Provide ACTS overview for WG Discuss ACTS interplay with CDC Connect How can what CDS Connect is doing

197 views • 15 slides
Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services

Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services

Outline Introduction Support technologies Privacy-preserving IDaaS system Conclusions Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services David Nu nez , Isaac Agudo, and Javier Lopez Network,

422 views • 24 slides
Shahram Hadian Born in Iran Proud U.S. Citizen Transformational Life Change 1999

Shahram Hadian Born in Iran Proud U.S. Citizen Transformational Life Change 1999

Shahram Hadian Born in Iran Proud U.S. Citizen Transformational Life Change 1999 (Leaving Islam and becoming a Christian) Pastor: Truth in Love Christian Fellowship (Spokane Valley, WA) Former Police Officer, Teacher, Coach

246 views • 24 slides
Connected Bringing to your connected devices using the Yocto Project. Leon Anavi Philippe Coval

Connected Bringing to your connected devices using the Yocto Project. Leon Anavi Philippe Coval

Connected Bringing to your connected devices using the Yocto Project. Leon Anavi Philippe Coval Konsulko Group Samsung Open Source Group / SRUK leon.anavi@konsulko.com philippe.coval@osg.samsung.com leon@anavi.org 2016-01-31 FOSDEM 1

416 views • 28 slides
The Intersection Between Tax Law & Human Trafficking: Advice for Legal Practitioners John

The Intersection Between Tax Law & Human Trafficking: Advice for Legal Practitioners John

The Intersection Between Tax Law & Human Trafficking: Advice for Legal Practitioners John B. Snyder, III, Esq. - Director, Low-Income Taxpayer Clinic, University of Baltimore School of Law Elena Fowlkes, Esq. - Assistant Director,

436 views • 25 slides
Dr. Aloknath De, Corp VP and CTO, Samsung R&D India A.De 1 Internet of Things

Dr. Aloknath De, Corp VP and CTO, Samsung R&D India A.De 1 Internet of Things

Dr. Aloknath De, Corp VP and CTO, Samsung R&D India A.De 1 Internet of Things Introduction The Internet of Things (IoT) is the network of physical objects that contains embedded technology to communicate and sense or interact with the

948 views • 12 slides
( UEMEd or the Company) PROPOSED DISPOSAL OF 61.20% EQUITY INTEREST IN OPUS

( UEMEd or the Company) PROPOSED DISPOSAL OF 61.20% EQUITY INTEREST IN OPUS

UEM EDGENTA BERHAD ( UEMEd or the Company) PROPOSED DISPOSAL OF 61.20% EQUITY INTEREST IN OPUS INTERNATIONAL CONSULTANTS LIMITED (OIC) Empowered by science, inspired by humans Contents Section 1 Overview of the Proposed

344 views • 30 slides
Diving Group RNLN Dive into the future with the RNLN Royal Netherlands Navy Anton van Dijk 19

Diving Group RNLN Dive into the future with the RNLN Royal Netherlands Navy Anton van Dijk 19

Diving Group RNLN Dive into the future with the RNLN Royal Netherlands Navy Anton van Dijk 19 mei 2019 Introduction - LtCdr Anton van Dijk - RNLN since 1998 - Diving Officer since 2007 Royal Netherlands Navy 2 Diving Group RNLN 19 mei

421 views • 25 slides
Tokyo, September 14, 2020 OUTLINE OF THE MAIN REPORT SECTION 1 MACROECONOMIC PERFORMANCE AND

Tokyo, September 14, 2020 OUTLINE OF THE MAIN REPORT SECTION 1 MACROECONOMIC PERFORMANCE AND

Presenter: Dr. Chuku Chuku, OIC Manager, ECMR1 Tokyo, September 14, 2020 OUTLINE OF THE MAIN REPORT SECTION 1 MACROECONOMIC PERFORMANCE AND PROSPECTS SECTION 2 SOCIO-ECONOMIC IMPACTS OF COVID19 ON AFRICA SECTION 3 POLICY OPTIONS 2

217 views • 18 slides
ELEN E6884 - Topics in Signal Processing Recap Topic: Speech Recognition Gaussian Mixture

ELEN E6884 - Topics in Signal Processing Recap Topic: Speech Recognition Gaussian Mixture

Outline of Todays Lecture ELEN E6884 - Topics in Signal Processing Recap Topic: Speech Recognition Gaussian Mixture Models - A Gaussian Mixture Models - B Lecture 3

339 views • 13 slides

More recommend