Introduction to OpenID Connect
Transcript of Introduction to OpenID Connect
Connect OpenID
OpenID Connect
Nat Sakimura
Chairman, OpenID Foundation
Senior Researcher
C6b. New School Identity Frameworks Panel
OpenID Connect = Identity Layer on top of the OAuth 2.0 Base Protocol
Q: Identity
Identity = set of attributes related to an entity [iso 29115]
Entity Identity
Entity: Human, Machine, Service
No direct way to perceive (an entity, e.g., a Human)
Blond/grey; silver frame glasses; 6’5” tall
Entity and Identity (diagram)
Identity (Self Recognition) and Identity (3rd Party Recognition)
Attributes: Real Name, Sex, height, Nickname, Birthday, Street Address, Employee number, license, performance
Roles / Relationships: Boy Friend, Friends, Boss
Delta between Self and 3rd Party Recognition = interpersonal problem
Man has several identities: Work, Husband, Father.
(Diagram: daughter, mother, wife, girl friend, colleague, boss, community member, friend; Woman.)
YOU: Identity A (Site A), Identity B (Site B), Identity C (Site C)
Q: Why not just OAuth?
OAuth is an Access Granting Protocol
(Diagram: Alice and Cindy can both access Betty’s Profile, but Cindy ≠ Betty and Alice ≠ Betty.)
Facebook extends OAuth with “signed request”
“ID Token” in OpenID Connect
Token Swap Attack
Login with Amazon
http://blog.chromium.org/2013/07/richer-access-to-google-services-and.html?m=1
Signed Request
• Works only with a single identity provider
• Proprietary signature format
ID Token
• Works with multiple identity providers
• IETF JSON Web Signature
ID Token Claims Example
{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf",
  "iat": 1311280970,
  "exp": 1311281970,
  "nonce": "n-0S6_WzA2Mj"
}
Stick with OpenID Connect and not “OAuth Authentication”
An Identity Layer provides:
• Who is the user that got authenticated
• Where was he authenticated
• When was he authenticated
• How was he authenticated
• What attributes he can give you
• Why he is providing them
Interoperable
Simple &
Mobile Friendly
Secure
Flexible
Interoperable
• Standard scopes: openid, profile, email, address, phone
• Method to ask for more granular claims: request object and claims
• ID Token: info about the authenticated user
• UserInfo endpoint: get attributes about the user; translate the tokens
Simple & Mobile Friendly
JSON Based
REST Friendly
In simplest cases, just copy and paste
Mobile & App Friendly
e.g., ID Token is signed JSON:
{
  "iss": "https://client.example.com",
  "sub": "24400320",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969,
  "acr": "2",
  "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng"
}
Secure
• ISO/IEC 29115 Entity Authentication Assurance (LoA1, LoA2, LoA3, LoA4)
• Choice of crypto
Flexible
• Granular Request: through Request Object (JSON); Data Minimization
• Aggregated Claims: does not disclose data recipients to data sources
• Distributed Claims: decentralized data storage
Choice of your provider
Can be Google, eBay, AOL, Deutsche Telekom etc.
Can be your Phone => Self-Issued Provider
Details
SAML Authentication (analogy: a referral letter)
Referral letter: Name: Alice de Wonderland; Mail: [email protected]; Notary: Google. Official Google Seal (株式会社グーグル印, "Google Inc. seal").
1. Eve to Alice: Who are you? Get me a referral letter. Do not forget about your email!
2. Alice to notary: Please write me a referral letter.
3. Notary to Alice: Here you are.
4. Alice to Eve: Here is the certificate.
Pseudo-Authentication using OAuth (analogy: a valet key)
1. Eve to Alice: Who are YOU? Give me a valet key to your house. Then I will trust that you are the owner of the house.
2. Alice to Apartment Controller: Can you give me a valet key to my house?
3. Apartment Controller to Alice: Here you are!
4. Alice to Eve: Here is the key!
OpenID Connect Authentication (analogy: referral letter plus locker key)
1. Eve to Alice: Who are you? Get me a referral letter. Do not forget about your email!
2. Alice to Butler: Give Eve the locker key and a referral letter.
3. Butler to Alice: Here you are!
4. Alice to Eve: Here you are.
Referral letter: Date: 2011/5/15 11:00:04; Level of Assurance: 2; Verifier: Google. Official Google Seal.
(Diagram: Butler; Locker; Eve holding the letter and the locker key.)
OpenID Connect's claims aggregation and distributed claims
(Diagram: a document with Name: Alice de Wonderland; DoB: 1989/3/3; Sex: F; Address: 135 Broadway, NY, NY, bearing the NY City Official Seal, kept in the Locker (UserInfo Endpoint); Site X, Site Y, Site Z; Eve.)
Applying it to Enterprise model
Enterprise attributes: Real Name, Professional qualification, department, Geo-location, Employee number
(Diagram: Entity → Identity → Resource; Authentication; Policy Enforcement; Rules)
ABAC (Attribute Based Access Control)
Based on SP800-162 figure on page viii
(Diagram: identity → Resource; Rules)
Enterprise attributes: Real Name, Professional qualification, department, Geo-location, Employee number
(Diagram: Entity → Identity → Resource; Authentication; PEP, PDP, PAP; Boss; Metadata; Log)
Q: What kind of “Identity” (set of attributes) does an enterprise need?
Current Standard Claims won’t do
UserInfo Claims
• sub • name • given_name • family_name • middle_name • nickname • preferred_username • profile • picture • website
• gender • birthdate • locale • zoneinfo • updated_at • email • email_verified • phone_number • phone_number_verified • address
UserInfo Claims Example
{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "email": "[email protected]",
  "email_verified": true,
  "picture": "http://example.com/janedoe/me.jpg"
}
Perhaps we need standard “enterprise” claims
SCIM?
SCIM Enterprise User Schema Extension
• employeeNumber – Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.
• costCenter – Identifies the name of a cost center.
• organization – Identifies the name of an organization.
• division – Identifies the name of a division.
• department – Identifies the name of a department.
• manager – The User's manager. A complex type that optionally allows Service Providers to represent organizational hierarchy by referencing the "id" attribute of another User.
Not Quite.
Perhaps we need standard “enterprise” claims
Q: When shall I start using OpenID Connect?
Timeline
2nd Implementers Draft Public Review (45 days) – We are here! → 2nd Implementers Draft Vote (14 days) → Final Review (60 days) → Final (December 2013)
Questions?
to be continued at …
OAuth and OpenID Connect: In the Trenches
Wednesday, July 10, 4:00 – 5:30 PM, Salon C/D/E
Details …
Working Together
OpenID Connect
Working Group Members
• Key working group participants:
– Nat Sakimura – Nomura Research Institute – Japan
– John Bradley – Ping Identity – Chile
– Breno de Medeiros – Google – US
– Axel Nennker – Deutsche Telekom – Germany
– Torsten Lodderstedt – Deutsche Telekom – Germany
– Roland Hedberg – Umeå University – Sweden
– Andreas Åkre Solberg – UNINETT – Norway
– Chuck Mortimore – Salesforce – US
– Brian Campbell – Ping Identity – US
– George Fletcher – AOL – US
– Justin Richer – Mitre – US
– Nov Matake – Independent – Japan
– Mike Jones – Microsoft – US
• By no means an exhaustive list!
Design Philosophy
Simple Things Simple
Complex Things Possible
Simple Things Simple
UserInfo endpoint for simple claims about user
Designed to work well on mobile phones
How We Make It Simple
• Build on OAuth 2.0
• Use JavaScript Object Notation (JSON)
• Build only the pieces that you need
• Goal: Easy implementation on all modern development platforms
Complex Things Possible
Encrypted Claims
Aggregated Claims
Distributed Claims
A Look Under the Covers
• ID Token
• Claims Requests
• UserInfo Claims
• Example Protocol Messages
OpenID Connect Authentication (analogy: referral letter plus locker key)
1. Bob to Alice: Who are you? Get me a referral letter. Do not forget about your email!
2. Alice to Butler: Give Bob the locker key and a referral letter.
3. Butler to Alice: Here you are!
4. Alice to Bob: Here you are.
Referral letter: Date: 2011/5/15 11:00:04; Level of Assurance: 2; Verifier: Google. Official Google Seal.
(Diagram: Butler; Locker; Bob holding the letter and the locker key. Labels: Access Token = the locker key, ID Token = the referral letter.)
ID Token
• JWT representing logged-in session
• Claims:
– iss – Issuer
– sub – Identifier for subject (user)
– aud – Audience for ID Token
– iat – Time token was issued
– exp – Expiration time
– nonce – Mitigates replay attacks
– at_hash – Left hash of the access token
– azp – Authorized Party
ID Token Claims Example
{
  "iss": "https://server.example.com",
  "sub": "alice",
  "aud": "https://bob.example.com",
  "iat": 1311280970,
  "exp": 1311281970,
  "nonce": "n-0S6_WzA2Mj",
  "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng",
  "azp": "https://cindy.example.com/"
}
at_hash makes the ID Token a detached signature for the access token
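As an added example (not code from the slides), the checks a Relying Party runs on the decoded ID Token claims listed above before accepting a login: the aud check that defeats the token swap, the nonce check against replay, and the at_hash binding of the access token. It assumes the JWS signature has already been verified against the issuer's key; validate_id_token, compute_at_hash and allowed_azp are this example's own names.

```python
import base64
import hashlib
import time

# Added example, not code from the slides: claim validation for an ID Token.
# Assumes the JWS signature was already verified (e.g. with a JOSE library);
# only the claims the slides list (iss, aud, azp, iat, exp, nonce, at_hash)
# are checked here.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def compute_at_hash(access_token: str) -> str:
    """at_hash = base64url(left half of the hash of the access token).
    SHA-256 is the hash for RS256/HS256 tokens, so the left half is 16 bytes."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def validate_id_token(claims, expected_iss, client_id, expected_nonce,
                      access_token=None, now=None, skew=60, allowed_azp=None):
    """Return (ok, reason). The aud check is what defeats the token swap:
    a genuine token minted for another client is still rejected here."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        return False, "aud does not include this client (token swap?)"
    # azp names the party the token was issued to; accept only parties we trust
    azp = claims.get("azp")
    if azp is not None and azp not in (allowed_azp or {client_id}):
        return False, "azp is not a trusted party"
    if claims.get("exp", 0) + skew < now:
        return False, "expired"
    if claims.get("iat", 0) > now + skew:
        return False, "iat is in the future"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (replay?)"
    # at_hash ties the access token delivered next to the ID Token to it
    if access_token is not None and claims.get("at_hash") != compute_at_hash(access_token):
        return False, "access token does not match at_hash"
    return True, "ok"
```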
azp allows the token to be used by another party
(Diagram: Site X, Cindy, Bob; ID Token, Access Token)
Using Access Token only for Authentication is Dangerous.
1. Eve to Alice: Who are you? Get me a referral letter. Do not forget about your email!
2. Alice to Butler: Give Eve the locker key and a referral letter.
3. Butler to Alice: Here you are!
4. Alice to Eve: Here you are.
(Diagram: Butler; Eve receives only the Access Token.)
OpenID Connect's claims aggregation and distributed claims
(Diagram: a document with Name: Alice de Wonderland; DoB: 1989/3/3; Sex: F; Address: 135 Broadway, NY, NY, bearing the NY City Official Seal, kept in the Locker (UserInfo Endpoint); Site X, Site Y, Site Z; Bob.)
Aggregated Claims
(Diagram: Data Source, Data Source → Identity Provider → Relying Party; Signed Claims; Claim Values)
Distributed Claims
(Diagram: Identity Provider → Relying Party: Signed Claims, Claim Refs; Relying Party → Data Source, Data Source)
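An added example, not code from the slides or the OpenID Foundation, showing how a Relying Party resolves the aggregated and distributed claims of the two diagrams above. It uses the OpenID Connect Core UserInfo field names (_claim_names, _claim_sources, JWT, endpoint, access_token), which the slides do not show; the sample response, the demo_* callbacks and the "bureau" source are constructed for an offline run.

```python
def resolve_claims(userinfo, verify_jwt, fetch_claims, trusted_sources):
    """Return direct claims plus resolved aggregated/distributed claims.
    verify_jwt(jwt) -> payload after signature verification, or None.
    fetch_claims(endpoint, access_token) -> claims dict from a data source.
    trusted_sources: issuers (aggregated) / endpoints (distributed) accepted."""
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    resolved = {k: v for k, v in userinfo.items()
                if k not in ("_claim_names", "_claim_sources")}
    fetched = {}  # source name -> claims dict, each source consulted once
    for claim, src_name in names.items():
        if src_name not in fetched:
            src = sources.get(src_name, {})
            body = None
            if "JWT" in src:  # aggregated: signed by the data source, relayed by the IdP
                body = verify_jwt(src["JWT"])
                if body is not None and body.get("iss") not in trusted_sources:
                    body = None  # genuine signature, but not a source we accept
            elif src.get("endpoint") in trusted_sources:  # distributed: RP fetches it
                body = fetch_claims(src["endpoint"], src.get("access_token"))
            fetched[src_name] = body or {}  # untrusted/unresolvable -> dropped
        if claim in fetched[src_name]:
            resolved[claim] = fetched[src_name][claim]
    return resolved

# Constructed sample: the NY City document from the slide arrives as an
# aggregated claim set; a second, hypothetical source is a distributed claim.
SAMPLE_USERINFO = {
    "sub": "248289761001", "name": "Alice de Wonderland",
    "_claim_names": {"address": "nyc", "birthdate": "nyc", "credit_score": "bureau"},
    "_claim_sources": {
        "nyc": {"JWT": "CONSTRUCTED.JWT.PLACEHOLDER"},
        "bureau": {"endpoint": "https://bureau.example/claims", "access_token": "ksj3n283dke"},
    },
}

def demo_verify_jwt(jwt):
    # Stand-in for a JOSE-library verify; yields the payload the placeholder stands for.
    if jwt != "CONSTRUCTED.JWT.PLACEHOLDER":
        return None
    return {"iss": "https://nyc.example", "address": "135 Broadway, NY, NY", "birthdate": "1989/3/3"}

def demo_fetch(endpoint, access_token):
    # Stand-in for an HTTPS GET on the data source presenting the bearer access token.
    return {"credit_score": 720} if access_token == "ksj3n283dke" else {}

def demo():
    return resolve_claims(SAMPLE_USERINFO, demo_verify_jwt, demo_fetch,
                          {"https://nyc.example", "https://bureau.example/claims"})
```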
Claims Requests
• Basic requests made using OAuth scopes:
– openid – Declares request is for OpenID Connect
– profile – Requests default profile info
– email – Requests email address & verification status
– address – Requests postal address
– phone – Requests phone number & verification status
– offline_access – Requests Refresh Token issuance
• Requests for individual claims can be made using JSON “claims” request parameter
Request Object
You can register it at registration time: request_uri
Personally Recommended
Authorization Request Example
https://server.example.com/authorize
?response_type=token%20id_token
&client_id=0acf77d4-b486-4c99-bd76-074ed6a64ddf
&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
&nonce=n-0S6_WzA2Mj
Authorization Response Example
HTTP/1.1 302 Found
Location: https://client.example.com/cb
#access_token=mF_9.B5f-4.1JqM
&token_type=bearer
&id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z
&expires_in=3600
&state=af0ifjsldkj
UserInfo Request Example
GET /userinfo?schema=openid HTTP/1.1
Host: server.example.com
Authorization: Bearer mF_9.B5f-4.1JqM
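An added example (not from the slides) of a Relying Party building the authorization request shown above with a session-bound state and nonce, then parsing the fragment of the 302 response and refusing it unless state matches. The endpoint, client_id and redirect_uri are the slides' example values; the function names and the session dict are this example's own.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Added example, not code from the slides: the implicit-flow request/response
# pair from the example messages, with state bound to the browser session.
AUTHZ_ENDPOINT = "https://server.example.com/authorize"
CLIENT_ID = "0acf77d4-b486-4c99-bd76-074ed6a64ddf"
REDIRECT_URI = "https://client.example.com/cb"

def build_authorization_request(session, state=None, nonce=None):
    """Return the request URL; state and nonce are stored in the session.
    state binds the response to this session; nonce is later checked inside
    the ID Token. Fresh random values are generated unless given (the
    optional arguments only exist so the slides' values can be reproduced)."""
    session["oidc_state"] = state or secrets.token_urlsafe(16)
    session["oidc_nonce"] = nonce or secrets.token_urlsafe(16)
    params = {
        "response_type": "token id_token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def parse_authorization_response(location, session):
    """Parse the fragment of the 302 Location and return its fields.
    Rejects the response unless state equals the one this session sent,
    so a response minted for another session (or injected) is not accepted.
    The state is consumed: a second response with the same state also fails."""
    frag = urlsplit(location).fragment
    fields = {k: v[0] for k, v in parse_qs(frag, strict_parsing=True).items()}
    expected = session.pop("oidc_state", None)
    if expected is None or not secrets.compare_digest(fields.get("state", ""), expected):
        raise ValueError("state mismatch: response not bound to this session")
    if "id_token" not in fields or fields.get("token_type", "").lower() != "bearer":
        raise ValueError("response lacks an ID Token or a bearer access token")
    return fields
```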
Connect Specs Overview
Resources
• OpenID Connect – http://openid.net/connect/
• OpenID Connect Working Group Mailing List – http://lists.openid.net/mailman/listinfo/openid-specs-ab
• OpenID Connect Interop Wiki – http://osis.idcommons.net/
• OpenID Connect Interop Mailing List – http://groups.google.com/group/openid-connect-interop
• Mike Jones’ Blog – http://self-issued.info/
• Nat Sakimura’s Blog – http://nat.sakimura.org/
• John Bradley’s Blog – http://www.thread-safe.com/
Current Status
• Waiting for dependencies to be completed
• JWS, JWE, JWA, JWK – IETF JOSE WG
• JSON Web Token (JWT) – IETF OAuth WG
• WebFinger – IETF Apps WG
Interop testing underway
AOL, Google, IBM, Layer 7, Mitre, NRI, @nov, Orange, eBay, Gluu, Ping Identity, GÉANT, @ritou, Emmanuel Raviart
120+ feature tests
14 implementations
Start Building
Now!
http://nat.sakimura.org/