introduction to openid connect
play

Introduction to OpenID Connect October 23, 2018 Michael B. Jones - PowerPoint PPT Presentation

Nov 15, 2023 •252 likes •831 views

Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect Microsoft Working Together OpenID Connect What is OpenID Connect? Simple identity layer on top of OAuth 2.0 Enables RPs to verify identity

  1. Introduction to OpenID Connect October 23, 2018 Michael B. Jones Identity Standards Architect – Microsoft

  2. Working Together OpenID Connect

  3. What is OpenID Connect? • Simple identity layer on top of OAuth 2.0 • Enables RPs to verify identity of end-user • Enables RPs to obtain basic profile info • REST/JSON interfaces → low barrier to entry • Described at http://openid.net/connect/

  4. You’re Probably Already Using OpenID Connect! • If you have an Android phone or log in at AOL, Deutsche Telekom, Google, Microsoft, NEC, NTT, Salesforce, Softbank, Symantec, Verizon, or Yahoo! Japan, you’re already using OpenID Connect – Many other sites and apps large and small also use OpenID Connect

  5. OpenID Connect Range • Spans use cases, scenarios – Internet, Enterprise, Mobile, Cloud • Spans security & privacy requirements – From non-sensitive information to highly secure • Spans sophistication of claims usage – From basic default claims to specific requested claims to collecting claims from multiple sources • Maximizes simplicity of implementations – Uses existing IETF specs: OAuth 2.0, JWT, etc. – Lets you build only the pieces you need

  6. Numerous Awards • OpenID Connect won 2012 European Identity Award for Best Innovation/New Standard – http://openid.net/2012/04/18/openid-connect- wins-2012-european-identity-and-cloud-award/ • OAuth 2.0 won in 2013 • JSON Web Token (JWT) & JOSE won in 2014 • OpenID Certification program won 2018 Identity Innovation Award – http://openid.net/2018/03/29/openid-certification- program-wins-2018-identity-innovation-award/

  7. Presentation Overview • Introduction • Design Philosophy • Timeline • A Look Under the Covers • Overview of OpenID Connect Specs • More OpenID Connect Specs • OpenID Certification • Resources

  8. Design Philosophy Keep Simple Things Simple Make Complex Things Possible

  9. Keep Simple Things Simple UserInfo endpoint for simple claims about user Designed to work well on mobile phones

  10. How We Made It Simple • Built on OAuth 2.0 • Uses JavaScript Object Notation (JSON) • You can build only the pieces that you need • Goal: Easy implementation on all modern development platforms

  11. Make Complex Things Possible Encrypted Claims Aggregated Claims Distributed Claims

  12. Key Differences from OpenID 2.0 • Support for native client applications • Identifiers using e-mail address format • UserInfo endpoint for simple claims about user • Designed to work well on mobile phones • Uses JSON/REST, rather than XML • Support for encryption and higher LOAs • Support for distributed and aggregated claims • Support for session management, including logout • Support for self-issued identity providers

  13. OpenID Connect Timeline • Artifact Binding working group formed, Mar 2010 • Major design issues closed at IIW, May 2011 – Result branded “OpenID Connect” • Functionally complete specs, Jul 2011 • 5 rounds of interop testing between 2011 and 2013 – Specifications refined after each round of interop testing • Won Best New Standard award at EIC, April 2012 • Final specifications approved, February 2014 • Errata set 1 approved November, 2014 • Form Post Response Mode spec approved, April 2015 • OpenID 2.0 to Connect Migration spec approved, April 2015 • OpenID Provider Certification launched, April 2015 • Relying Party Certification launched, December 2016 • Logout Implementer’s Drafts approved, March 2017 • OpenID Certification program won Best Identity Innovation award, March 2018

  14. A Look Under the Covers • ID Token • Claims Requests • UserInfo Claims • Example Protocol Messages

  15. ID Token • JWT representing logged-in session • Claims: – iss – Issuer – sub – Identifier for subject (user) – aud – Audience for ID Token – iat – Time token was issued – exp – Expiration time – nonce – Mitigates replay attacks

  16. ID Token Claims Example { "iss": "https://server.example.com", "sub": "248289761001", "aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf", "iat": 1311280970, "exp": 1311281970, "nonce": "n-0S6_WzA2Mj" }

  17. Claims Requests • Basic requests made using OAuth scopes: – openid – Declares request is for OpenID Connect – profile – Requests default profile info – email – Requests email address & verification status – address – Requests postal address – phone – Requests phone number & verification status – offline_access – Requests Refresh Token issuance • Requests for individual claims can be made using JSON “ claims ” request parameter

  18. UserInfo Claims • sub • gender • birthdate • name • locale • given_name • zoneinfo • family_name • updated_at • middle_name • email • nickname • email_verified • preferred_username • phone_number • profile • phone_number_verified • picture • address • website

  19. UserInfo Claims Example { "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "email": "janedoe@example.com", "email_verified": true, "picture": "http://example.com/janedoe/me.jpg" }

  20. Authorization Request Example https://server.example.com/authorize ?response_type=id_token%20token &client_id=0acf77d4-b486-4c99-bd76-074ed6a64ddf &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb &scope=openid%20profile &state=af0ifjsldkj &nonce=n-0S6_WzA2Mj

  21. Authorization Response Example HTTP/1.1 302 Found Location: https://client.example.com/cb #access_token=mF_9.B5f-4.1JqM &token_type=bearer &id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z &expires_in=3600 &state=af0ifjsldkj

  22. UserInfo Request Example GET /userinfo HTTP/1.1 Host: server.example.com Authorization: Bearer mF_9.B5f-4.1JqM

  23. OpenID Connect Specs Overview

  24. Additional Final Specifications (1 of 2) • OpenID 2.0 to OpenID Connect Migration – Defines how to migrate from OpenID 2.0 to OpenID Connect • Has OpenID Connect identity provider also return OpenID 2.0 identifier, enabling account migration – http://openid.net/specs/openid-connect-migration-1_0.html – Completed April 2015 – Google shut down OpenID 2.0 support in April 2015 – Yahoo, others also plan to replace OpenID 2.0 with OpenID Connect

  25. Additional Final Specifications (2 of 2) • OAuth 2.0 Form Post Response Mode – Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values auto-submitted by the User Agent using HTTP POST – A “form post” binding, like SAML and WS -Federation • An alternative to fragment encoding – http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html – Completed April 2015 – In production use by Microsoft, Ping Identity

  26. Session Management / Logout (works in progress) • Three approaches being pursued by the working group: – Session Management • http://openid.net/specs/openid-connect-session-1_0.html • Uses HTML5 postMessage to communicate state change messages between OP and RP iframes – Front-Channel Logout • http://openid.net/specs/openid-connect-frontchannel-1_0.html • Uses HTTP GET to load image or iframe, triggering logout (similar to SAML, WS-Federation) – Back-Channel Logout • http://openid.net/specs/openid-connect-backchannel-1_0.html • Server-to-communication not using the browser • Can be used by native applications, which have no active browser • Unfortunately, no one approach best for all use cases • Became Implementer’s Drafts in March 2017 – Working group decided this year to advance them to Final Specification status

  27. Federation Specification (work in progress) • Roland Hedberg created OpenID Connect Federation specification – http://openid.net/specs/openid-connect-federation-1_0.html • Enables establishment and maintenance of multi-party federations using OpenID Connect • Defines hierarchical JSON-based metadata structures for federation participants • Still under active development – Please review! • Prototype implementations being interop tested w/ each other

  28. What is OpenID Certification? • Enables OpenID Connect implementations to be certified as meeting the requirements of defined conformance profiles – Goal is to make high-quality, secure, interoperable OpenID Connect implementations the norm • An OpenID Certification has two components: – Technical evidence of conformance resulting from testing – Legal statement of conformance • Certified implementations can use the “OpenID Certified” logo

  29. What value does certification provide? • Technical: – Certification testing gives confidence that things will “just work” – No custom code required to integrate with implementation – Better for all parties – Relying parties explicitly asking identity providers to get certified • Business: – Enhances reputation of organization and implementation – Shows that organization is taking interop seriously – Customers may choose certified implementations over others

Recommend

OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for

OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for

OpenID Connect fredag 7 september 12 OpenID Connect fredag 7 september 12 Necessity for communication - information about the other part fredag 7 september 12 Trust management not solved! fredag 7 september 12 (1) OP discovery The user

254 views • 23 slides
CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser.

505 views • 17 slides
OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect & OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

580 views • 26 slides
Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend

Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend

Fediz OIDC CXF Powered OpenId Connect Server Sergey Beryozkin Dr Colm O hEgeartaigh Talend Introduction to Apache CXF Production quality framework for creating Java JAX-RS 2.0 and JAX-WS services Widely used and integrated into

1.01k views • 27 slides
openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem -

openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem -

openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017 - 2017-07-01 Problem - More Client Devices per-Human - Many Cloud Accounts - More Apps: yay k8s - More Distributed Teams - VPNs arent fun - Legacy Solutions

788 views • 32 slides
OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing

OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing

OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing Institute (RENCI) UNC - Chapel Hill Context and Use Case NIH Data Commons Web application - CommonsShare.org Compute Platform and

318 views • 11 slides
Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect

Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect

Leveraging OpenID To connect Vehicle to the Cloud ALS 2017 Tokyo Fulup Ar Foll Lead Architect fulup@iot.bzh Who Are We ? Securing AGL V2C with OpenIDconnect May-2017 2 V2C Multiple Requirements Car to Cloud Telematics Car

605 views • 16 slides
Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID Terminology OpenID OpenID OpenID Consumer Identity Provider SAML 2.0 Terminology SAML 2.0 SAML 2.0 Service Provider Identity Provider What is

427 views • 16 slides
Research on OpenID and its integration within the GravityZoo framework Jarno van de Moosdijk

Research on OpenID and its integration within the GravityZoo framework Jarno van de Moosdijk

Research on OpenID and its integration within the GravityZoo framework Jarno van de Moosdijk 1/14 Research questions How does OpenID work? What are the requirements for integrating OpenID into the GravityZoo framework? How mobile

268 views • 14 slides
Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers

Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers

Subverting OpenID: Intro to Net::OpenID::Server Subverting OpenID: Intro to Net::OpenID::Server Abram Hindle Kitchener/Waterloo Perl Mongers Canada http://softwareprocess.es/ abram.hindle@softwareprocess.es Abram Hindle 1 Subverting

391 views • 21 slides
OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm, 7 May 2008 EuroCAMP, Stockholm, 7 May 2008 Shib

666 views • 20 slides
Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services

Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services

Outline Introduction Support technologies Privacy-preserving IDaaS system Conclusions Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services David Nu nez , Isaac Agudo, and Javier Lopez Network,

422 views • 24 slides
Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda,

Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda,

W3C Workshop on the Future of Social Networking, Barcelona January 2009 Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda, D. Palmisano, F. Zani, S. Tripodi About Us We are proud member of the W3C

252 views • 21 slides
MONASH CONNECT www.monash.edu/connect Phone: +61 3 9902 6011 MONASH CONNECT SERVICE OVERVIEW

MONASH CONNECT www.monash.edu/connect Phone: +61 3 9902 6011 MONASH CONNECT SERVICE OVERVIEW

MONASH CONNECT MONASH CONNECT www.monash.edu/connect Phone: +61 3 9902 6011 MONASH CONNECT SERVICE OVERVIEW Monash Connect is part of the Student Services Division and is the first point of contact for all students at Monash University for

849 views • 7 slides
SFM-11:CONNECT Summer School, Bertinoro, June 2011 EU-FP7: CONNECT LSCITS/PSS

SFM-11:CONNECT Summer School, Bertinoro, June 2011 EU-FP7: CONNECT LSCITS/PSS

SFM-11:CONNECT Summer School, Bertinoro, June 2011 EU-FP7: CONNECT LSCITS/PSS VERIWARE Overview Lecture 1 (9am-11am) Introduction to Modelling and Quantitative Verification Marta Kwiatkowska Invited lecture: Christel

1.99k views • 173 slides
OpenID in domain registry CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Dec 8

OpenID in domain registry CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Dec 8

OpenID in domain registry CZ.NIC - http://www.nic.cz Ondrej Filip / ondrej.filip @nic.cz Dec 8 2010, Cartagena, Colombia ccNSO Meeting 1 Everybody experienced this ... 2 3 N O I T A S R S T A S I P G / E E M R A N U .

361 views • 22 slides
ACTS Initiative and Synergies with CDS Connect: Discussion with CDS Connect Workgroup (WG) May

ACTS Initiative and Synergies with CDS Connect: Discussion with CDS Connect Workgroup (WG) May

ACTS Initiative and Synergies with CDS Connect: Discussion with CDS Connect Workgroup (WG) May 16, 2019 Goals/Agenda Provide ACTS overview for WG Discuss ACTS interplay with CDC Connect How can what CDS Connect is doing

197 views • 15 slides
Securing the Perimeter around Your Microservices Wojciech Lesniak AUTHOR @voit3k Module

Securing the Perimeter around Your Microservices Wojciech Lesniak AUTHOR @voit3k Module

Securing the Perimeter around Your Microservices Wojciech Lesniak AUTHOR @voit3k Module Overview Basic Certificates Tokens, JWT Oauth2, OpenID authentication Connect Identity provider Microservices API Gateway Challenges with Edge

1.02k views • 87 slides
OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com

OAuth 2.0 Security Reinforced Torsten Lodderstedt @tlodderstedt Daniel Fett @dfett42 yes.com AG The OAuth 2.0 Success Story Tremendous adoption since publication in 2012 Driven by large service providers and OpenID Connect

594 views • 30 slides
Macquarie Park Forum August 2017 Connect membership Growing influence Connect membership is

Macquarie Park Forum August 2017 Connect membership Growing influence Connect membership is

Macquarie Park Forum August 2017 Connect membership Growing influence Connect membership is growing steadily with three new members joining in Q1 FY18 Dexus Fujitsu - BSA Connect Member Connect Market Reach Share 64,652 46% Commuters

447 views • 16 slides
WELCOME! Please connect to the audio (either dial-in or connect by computer) and make sure your

WELCOME! Please connect to the audio (either dial-in or connect by computer) and make sure your

PHA HEALTH STRATEGIC PLANNING WORKSHOP WELCOME! Please connect to the audio (either dial-in or connect by computer) and make sure your team is prepared with the following: Printed copies of this worksheet for all those participating in the

1.05k views • 78 slides
Symcon Cloud Connect Cloud Connect Authentication Connect Client Goals Main goal: Building a

Symcon Cloud Connect Cloud Connect Authentication Connect Client Goals Main goal: Building a

Symcon Cloud Connect Cloud Connect Authentication Connect Client Goals Main goal: Building a reverse proxy tunneling service with an embedded SSH server and MySQL authentication Stretch goals: Beautifully rendered statistics dashboard

273 views • 4 slides
Connect SoCal PEIR Scoping Meeting Introduction Introduction

Connect SoCal PEIR Scoping Meeting Introduction Introduction

Connect SoCal PEIR Scoping Meeting Introduction Introduction Introduction Purpose of the Scoping Meeting Southern California Association of

515 views • 22 slides
Whats new since 2016 Tigran Mkrtchyan for dCache Team dCache User Workshop, Ume, Sweden

Whats new since 2016 Tigran Mkrtchyan for dCache Team dCache User Workshop, Ume, Sweden

Whats new since 2016 Tigran Mkrtchyan for dCache Team dCache User Workshop, Ume, Sweden What will be NOT covered with talks Changes in REST API New functionality in dCache-view CEPH HA-dCache Macaroons and OpenID-connect

267 views • 25 slides

More recommend