OpenID Connect (PowerPoint presentation, Friday 7 September 12)



SLIDE 1

OpenID Connect

Friday 7 September 12

SLIDE 2

OpenID Connect


SLIDE 3

Necessity for communication: information about the other party


SLIDE 4

Trust management not solved!


SLIDE 5

(1) OP discovery

The user provides an identifier (for instance an email address)

roland@www.kodtest.se

Using Simple Web Discovery the OP is found (the query string must be quoted so the shell does not treat & as a command separator):

$ curl -G 'https://www.kodtest.se/.well-known/simple-web-discovery?principal=joe%40example.com&service=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer'
{"locations":["https://www.kodtest.se:8088"]}


SLIDE 6

(2) OP functionality discovery

$ curl -G -k https://www.kodtest.se:8088/.well-known/openid-configuration
{
  "registration_endpoint": "https://www.kodtest.se:8088/registration",
  "userinfo_endpoint": "https://www.kodtest.se:8088/userinfo",
  "token_endpoint": "https://www.kodtest.se:8088/token",
  "authorization_endpoint": "https://www.kodtest.se:8088/authorization",
  "end_session_endpoint": "https://www.kodtest.se:8088/end_session",
  "token_endpoint_auth_types_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt"],
  "jwk_url": "https://www.kodtest.se:8088/static/jwk.json",
  "user_id_types_supported": ["public", "pairwise"],
  "scopes_supported": ["openid", "email", "profile", "address", "phone"],
  "version": "3.0",
  "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token"],
  "issuer": "https://www.kodtest.se:8088/",
  "acrs_supported": ["1", "2", "http://id.incommon.org/assurance/bronze"]
}

(-k disables TLS certificate verification; acceptable only against a test OP.)


SLIDE 7

(3) Dynamic registration

POST https://www.kodtest.se:8088/registration

application_name=OIC+test+tool
&application_type=web
&redirect_uris=https://smultron.catalogix.se/authz_cb
&type=client_associate
&contact=roland@example.com


SLIDE 8

Registration result

{
  "client_id": "XgnCOEXAj3D2",
  "client_secret": "cf136dc3c1fd9153029bb9c6cc9ecead",
  "expires_at": 2893276800
}


SLIDE 9

Preliminaries done!


SLIDE 10

Flow differences

SAML
[Diagram: message flow between UA, SP and IdP, steps 1-4]

OpenID Connect
[Diagram: message flow between UA, RP, AS and OP, steps 1-9]


SLIDE 11

Authorization Request

response_type
  • This parameter controls the parameters returned in the response from the Authorization Endpoint.

scope
  • The values specify an additive list of voluntary Claims that are returned from the UserInfo Endpoint.

client_id
  • The OAuth 2.0 Client Identifier.

redirect_uri
  • A redirection URI where the response will be sent.

state
  • RECOMMENDED. An opaque value used to maintain state between the request and the callback.

nonce
  • A random, unique string value used to mitigate replay attacks.

prompt
  • OPTIONAL. Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.

display
  • OPTIONAL. A space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The possible values are: none, login.

request
  • OPTIONAL. An OpenID Request Object value.

request_uri
  • OPTIONAL. A URL that points to an OpenID Request Object. This is used to pass an OpenID Request Object by reference.

id_token
  • OPTIONAL. An ID Token passed to the Authorization Server as a hint about the user's current or past authenticated session with the client. This SHOULD be present if prompt=none is sent.



SLIDE 13

Access Token Request

grant_type
  • REQUIRED. "client_credentials" / "refresh_token".

scope
  • OPTIONAL. The scope of the access request.

refresh_token
  • REQUIRED if 'refresh request'. The refresh token issued to the client.

When using assertions as client credentials:

client_assertion_type
  • REQUIRED. The format of the assertion as defined by the authorization server. The value MUST be an absolute URI.

client_assertion
  • REQUIRED. The assertion being used to authenticate the client.


SLIDE 14

Access Token Response

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in": 3600,
  "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJ1c2VyX2lkIjoiMjQ4Mjg5NzYxMDAxIiwiYXVkIjoiaHR0cDpcL1wvY2xpZW50LmV4YW1wbGUuY29tIiwiZXhwIjoxMzExMjgxOTcwfQ.eDesUD0vzDH3T1G3liaTNOrfaeWYjuRCEPNXVtaazNQ"
}


SLIDE 15

JSON Web Token (JWT)

  • Header
    • {"typ":"JWT","alg":"HS256"}
    • Base64 encoding of the UTF-8 representation
  • Second part
    • When the JWT is signed, the JWT Second Part is the Encoded JWS Payload.
    • When the JWT is encrypted, the JWT Second Part is the Encoded JWE Encrypted Key.
  • Third part
    • When the JWT is signed, the JWT Third Part is the Encoded JWS Signature.
    • When the JWT is encrypted, the JWT Third Part is the Encoded JWE Ciphertext.


SLIDE 16

ID Token, metadata on the authentication

{
  "iss": "https://www.kodtest.se:8088/",
  "user_id": "24400320",
  "aud": "XgnCOEXAj3D2",
  "exp": 1320502962,
  "nbf": 1320502902,
  "iat": 1320502000,
  "acr": 2,
  "nonce": "0S6_WzA2Mj"
}
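An added example (not from the deck) of what the RP does with the ID Token of slides 14 to 16: split the compact JWT, verify the HS256 signature with the client_secret from the registration result, and check iss, aud, exp, nbf and nonce against what the RP already knows. The client_id, client_secret, issuer and claim values are the deck's; the hs256_jwt and sample_id_token helpers that mint a sample token, and the expected_nonce parameter (the nonce the RP sent and kept in its session), are assumptions for the demo.

```python
import base64, hashlib, hmac, json, time

CLIENT_ID = "XgnCOEXAj3D2"                            # from the registration result
CLIENT_SECRET = "cf136dc3c1fd9153029bb9c6cc9ecead"    # from the registration result
ISSUER = "https://www.kodtest.se:8088/"               # from openid-configuration

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def hs256_jwt(claims, secret):
    """Mint an HS256-signed compact JWT (only used here to build sample input)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def sample_id_token():
    """Constructed token carrying the claims shown on the ID Token slide."""
    return hs256_jwt({"iss": ISSUER, "user_id": "24400320", "aud": CLIENT_ID, "exp": 1320502962,
                      "nbf": 1320502902, "iat": 1320502000, "acr": 2, "nonce": "0S6_WzA2Mj"}, CLIENT_SECRET)

def validate_id_token(token, secret, issuer, client_id, expected_nonce, now=None):
    """Return the claims if the ID Token is acceptable for this RP, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # pin the alg; never let the header choose
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the discovered issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include this client_id")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid (nbf)")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay")
    return claims
```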


SLIDE 17

UserInfo Request

access_token
  • REQUIRED. The Access Token obtained from an OpenID Connect Authorization Request.

schema
  • REQUIRED. The schema in which the data is to be returned. The only defined value is openid.

id
  • This identifier is reserved. It MUST be ignored by the endpoint when the openid schema is used.


SLIDE 18

UserInfo Response: normal claims

{
  "name#sv-se": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "email": "janedoe@kodtest.se",
  "verified": true,
  "picture": "http://kodtest.se/janedoe/me.jpg"
}


SLIDE 19

[Diagram: Identity source, Client, Information source]

Aggregated claims

{
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "birthday": "01/01/2001",
  "email": "janedoe@example.com",
  "_claim_names": {
    "address": "src1",
    "phone_number": "src1"
  },
  "_claim_sources": {
    "src1": {"JWT": "jwt_header.jwt_part2.jwt_part3"}
  }
}


SLIDE 20

[Diagram: Identity source, Client, Information source]

Distributed claims

{
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "email": "janedoe@example.com",
  "birthday": "01/01/2001",
  "_claim_names": {
    "payment_info": "src1",
    "shipping_address": "src1",
    "credit_score": "src2"
  },
  "_claim_sources": {
    "src1": {"endpoint": "https://bank.example.com/claimsource"},
    "src2": {
      "endpoint": "https://creditagency.example.com/claimshere",
      "access_token": "ksj3n283dke"
    }
  }
}
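An added example (not from the deck) that resolves the Aggregated and Distributed Claims structures of the two preceding slides into one claims set: each _claim_names entry is looked up in _claim_sources, a JWT source is decoded in place and an endpoint source is fetched through an RP-supplied callback, with non-HTTPS sources and sources that try to override a directly asserted claim rejected. The fetch callback, fake_fetch and the sample values are assumptions constructed for the demo; the embedded JWT is unsigned, and a real RP verifies it before trusting its claims.

```python
import base64, json
from urllib.parse import urlsplit

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def resolve_claims(userinfo, fetch=None):
    """Merge Aggregated and Distributed Claims into one flat dict. fetch(endpoint, access_token)
    is a hypothetical RP-supplied callback returning a Distributed Claim source's JSON as a dict."""
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    direct = {k: v for k, v in userinfo.items() if not k.startswith("_claim_")}
    resolved, cache = {}, {}
    for claim, src_name in names.items():
        src = sources.get(src_name)
        if src is None:
            raise ValueError(f"claim {claim!r} references unknown source {src_name!r}")
        if claim in direct:  # a source must not override a claim the OP asserted itself
            raise ValueError(f"claim {claim!r} asserted both directly and by a source")
        if src_name not in cache:
            if "JWT" in src:         # Aggregated Claims: decoded here; a real RP verifies the JWT first
                cache[src_name] = json.loads(b64url_decode(src["JWT"].split(".")[1]))
            elif "endpoint" in src:  # Distributed Claims: fetched by reference
                if urlsplit(src["endpoint"]).scheme != "https":
                    raise ValueError(f"refusing non-HTTPS claim source {src['endpoint']}")
                if fetch is None:
                    raise ValueError("distributed source present but no fetch callback")
                cache[src_name] = fetch(src["endpoint"], src.get("access_token"))
            else:
                raise ValueError(f"source {src_name!r} has neither JWT nor endpoint")
        if claim not in cache[src_name]:
            raise ValueError(f"source {src_name!r} did not return claim {claim!r}")
        resolved[claim] = cache[src_name][claim]
    return {**direct, **resolved}

def sample_userinfo():
    """Constructed sample: src1 is an embedded (unsigned, demo-only) JWT, src2 a remote endpoint."""
    body = b64url_encode(json.dumps({"address": "Storgatan 1", "phone_number": "+46812345"}).encode())
    return {"name": "Jane Doe", "email": "janedoe@example.com",
            "_claim_names": {"address": "src1", "phone_number": "src1", "credit_score": "src2"},
            "_claim_sources": {"src1": {"JWT": "e30." + body + ".sig"},
                               "src2": {"endpoint": "https://creditagency.example.com/claimshere",
                                        "access_token": "ksj3n283dke"}}}

def fake_fetch(endpoint, access_token):
    return {"credit_score": 650} if access_token == "ksj3n283dke" else {}  # stand-in for the HTTPS GET
```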


SLIDE 21

Using attribute authorities

  • Client credentials flow

POST
Host: www.kodtest.se
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=xyz

[Diagram: RP and OP, steps 8 and 9]


SLIDE 22

OpenID Connect


SLIDE 23

Client registration parameters

  • type
  • client_id
  • client_secret
  • access_token
  • contacts
  • application_type
  • application_name
  • logo_url
  • redirect_uris
  • token_endpoint_auth_type
  • policy_url
  • jwk_url
  • jwk_encryption_url
  • x509_url
  • x509_encryption_url
  • sector_identifier_url
  • user_id_type
  • require_signed_request_object
  • userinfo_signed_response_alg
  • userinfo_encrypted_response_alg
  • userinfo_encrypted_response_enc
  • userinfo_encrypted_response_int
  • id_token_signed_response_alg
  • id_token_encrypted_response_alg
  • id_token_encrypted_response_enc
  • id_token_encrypted_response_int
  • default_max_age
  • require_auth_time
  • default_acr
