OpenID Connect (PowerPoint presentation, Friday 7 September 12)


  1. OpenID Connect

  2. OpenID Connect

  3. Necessity for communication: information about the other party

  4. Trust management not solved!

  5. (1) OP discovery

     The user provides an identifier (for instance an email address): roland@www.kodtest.se
     Using Simple Web Discovery the OP is found:

     $ curl -G "https://www.kodtest.se/.well-known/simple-web-discovery?principal=joe%40example.com&service=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer"
     {"locations":["https://www.kodtest.se:8088"]}

  6. (2) OP functionality discovery

     $ curl -G -k https://www.kodtest.se:8088/.well-known/openid-configuration
     {
       "registration_endpoint": "https://www.kodtest.se:8088/registration",
       "userinfo_endpoint": "https://www.kodtest.se:8088/userinfo",
       "token_endpoint": "https://www.kodtest.se:8088/token",
       "authorization_endpoint": "https://www.kodtest.se:8088/authorization",
       "end_session_endpoint": "https://www.kodtest.se:8088/end_session",
       "token_endpoint_auth_types_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt"],
       "jwk_url": "https://www.kodtest.se:8088/static/jwk.json",
       "scopes_supported": ["openid", "email", "profile", "address", "phone"],
       "version": "3.0",
       "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token"],
       "issuer": "https://www.kodtest.se:8088/",
       "acrs_supported": ["1", "2", "http://id.incommon.org/assurance/bronze"],
       "user_id_types_supported": ["public", "pairwise"]
     }
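What a relying party should do with that document before trusting it, as an added example (not code from the deck or from the presenter's tools): the checks below take the openid-configuration body together with the location that Simple Web Discovery returned, and flag an issuer that is not HTTPS or does not match the discovered location, endpoints that are not HTTPS or live on a different host than the issuer, and a provider that does not support the "code" response type. GOOD_CONFIG is trimmed from the slide's document; BAD_CONFIG is a constructed variant with those faults introduced; the host other.example.net is invented.

```python
import json
from urllib.parse import urlsplit

# Constructed sample documents. GOOD_CONFIG is trimmed from the slide's
# openid-configuration; BAD_CONFIG is the same document with an http:// issuer,
# a token endpoint moved to another (invented) host and no "code" response type.
GOOD_CONFIG = json.dumps({
    "issuer": "https://www.kodtest.se:8088/",
    "authorization_endpoint": "https://www.kodtest.se:8088/authorization",
    "token_endpoint": "https://www.kodtest.se:8088/token",
    "userinfo_endpoint": "https://www.kodtest.se:8088/userinfo",
    "registration_endpoint": "https://www.kodtest.se:8088/registration",
    "jwk_url": "https://www.kodtest.se:8088/static/jwk.json",
    "response_types_supported": ["code", "token", "id_token", "code id_token"],
})
BAD_CONFIG = json.dumps({
    "issuer": "http://www.kodtest.se:8088/",
    "authorization_endpoint": "https://www.kodtest.se:8088/authorization",
    "token_endpoint": "https://other.example.net/token",
    "response_types_supported": ["token", "id_token"],
})

# Keys the slide's document uses for the OP's endpoints (jwk_url is the deck's name).
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
                 "registration_endpoint", "end_session_endpoint", "jwk_url")


def check_provider_config(raw_json, location):
    """Return a list of problems found in an openid-configuration document.

    raw_json: body fetched from <location>/.well-known/openid-configuration
    location: the OP location learned from Simple Web Discovery
    An empty list means every check passed."""
    cfg = json.loads(raw_json)
    loc = urlsplit(location)
    problems = []

    issuer = cfg.get("issuer")
    if not issuer:
        problems.append("issuer missing")
    else:
        iss = urlsplit(issuer)
        if iss.scheme != "https":
            problems.append("issuer is not https: %s" % issuer)
        # The issuer must be the party we discovered; every ID token we accept
        # later is only as trustworthy as this binding.
        if (iss.scheme, iss.netloc) != (loc.scheme, loc.netloc):
            problems.append("issuer %s does not match discovered location %s"
                            % (issuer, location))

    for key in ENDPOINT_KEYS:
        url = cfg.get(key)
        if url is None:
            continue  # absent endpoints are not this check's concern
        u = urlsplit(url)
        if u.scheme != "https":
            problems.append("%s is not https: %s" % (key, url))
        elif issuer and u.netloc != urlsplit(issuer).netloc:
            problems.append("%s is on a different host than the issuer: %s" % (key, url))

    if "code" not in cfg.get("response_types_supported", []):
        problems.append("response_types_supported lacks 'code'")
    return problems


if __name__ == "__main__":
    for name, doc in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_provider_config(doc, "https://www.kodtest.se:8088") or "ok")
```

The location passed in is the value from the "locations" list on the previous slide, so the issuer check ties the configuration document back to the identifier the user typed; an endpoint on a host the issuer does not control is reported rather than silently used.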

  7. (3) Dynamic registration

     POST https://www.kodtest.se:8088/registration
     application_name=OIC+test+tool
     &application_type=web
     &redirect_uris=https://smultron.catalogix.se/authz_cb
     &type=client_associate
     &contact=roland@example.com

  8. Registration result

     {
       "client_id": "XgnCOEXAj3D2",
       "client_secret": "cf136dc3c1fd9153029bb9c6cc9ecead",
       "expires_at": 2893276800
     }

  9. Preliminaries done!

  10. Flow differences (diagram: the SAML flow between UA, SP and IdP side by side with the OpenID Connect flow between UA, RP, OP and AS; the numbered steps are not recoverable from the extraction)

  11. Authorization Request

     response_type  Controls the parameters returned in the response from the Authorization Endpoint.
     scope          The values specify an additive list of voluntary Claims that are returned from the UserInfo Endpoint.
     client_id      The OAuth 2.0 Client Identifier.
     redirect_uri   A redirection URI where the response will be sent.
     state          RECOMMENDED. An opaque value used to maintain state between the request and the callback.
     nonce          A random, unique string value used to mitigate replay attacks.
     prompt         OPTIONAL. A space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The possible values are: none, login, ...
     display        OPTIONAL.
     request        OPTIONAL. An OpenID Request Object value.
     request_uri    OPTIONAL. A URL that points to an OpenID Request Object; used to pass an OpenID Request Object by reference.
     id_token       OPTIONAL. An ID Token passed to the Authorization Server as a hint about the user's current or past authenticated session with the client. This SHOULD be present if prompt=none is sent.

  12. Authorization Request (core parameters repeated: response_type, scope, client_id, redirect_uri, state, nonce)
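The state and nonce parameters only help if the relying party generates them freshly, stores them per session and checks them on the way back. Added example, not code from the deck: it builds the authorization request URL using the endpoint and client_id from the earlier slides, keeps state and nonce in a session dict (a stand-in for whatever server-side session store the RP uses), and rejects a callback whose state is missing, unknown, or already consumed. The code value in the usage is constructed.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values from the discovery and registration slides; the session store is a plain dict here.
AUTHORIZATION_ENDPOINT = "https://www.kodtest.se:8088/authorization"
CLIENT_ID = "XgnCOEXAj3D2"
REDIRECT_URI = "https://smultron.catalogix.se/authz_cb"


def build_authorization_request(session):
    """Mint a fresh state and nonce, remember them in the session, and return the
    URL the user agent is redirected to."""
    state = secrets.token_urlsafe(16)   # unguessable, bound to this browser session
    nonce = secrets.token_urlsafe(16)   # later compared with the nonce inside the ID token
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "response_type": "code",
        "scope": "openid email profile",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Check the redirect back to redirect_uri and return the authorization code.

    Raises ValueError when the state is absent, does not match the one this session
    issued, or has already been used (each state is consumed on first use)."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oidc_state", None)   # one-shot: a replay finds nothing
    got = query.get("state", [None])[0]
    if expected is None or got is None or not secrets.compare_digest(expected, got):
        raise ValueError("state mismatch: not a reply to a request this session made")
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("no authorization code in response")
    return code


def callback_accepted(session, callback_url):
    """True if handle_callback accepts the redirect, False if it rejects it."""
    try:
        handle_callback(session, callback_url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    session = {}
    url = build_authorization_request(session)
    print("redirect user agent to:", url)
    # Constructed callback: what the OP would send back for this request.
    callback = REDIRECT_URI + "?code=c0nstructed-code&state=" + session["oidc_state"]
    print("code:", handle_callback(session, callback))
    print("replay accepted?", callback_accepted(session, callback))
```

The nonce stays in the session after the callback because it is checked against the ID token obtained from the token endpoint, not against the redirect; popping the state on first use is what turns a captured callback URL into a one-time value.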

  13. Access Token Request

     grant_type     REQUIRED. "client_credentials" / "refresh_token".
     scope          OPTIONAL. The scope of the access request.
     refresh_token  REQUIRED if this is a refresh request. The refresh token issued to the client.

     When using assertions as client credentials:

     client_assertion_type  REQUIRED. The format of the assertion as defined by the authorization server. The value MUST be an absolute URI.
     client_assertion       REQUIRED. The assertion being used to authenticate the client.

  14. AccessTokenResponse

     HTTP/1.1 200 OK
     Content-Type: application/json
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token": "SlAV32hkKG",
       "token_type": "Bearer",
       "refresh_token": "8xLOxBtZp8",
       "expires_in": 3600,
       "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9zZXJ2ZXIuZXhhbXBsZS5jb20iLCJ1c2VyX2lkIjoiMjQ4Mjg5NzYxMDAxIiwiYXVkIjoiaHR0cDpcL1wvY2xpZW50LmV4YW1wbGUuY29tIiwiZXhwIjoxMzExMjgxOTcwfQ.eDesUD0vzDH3T1G3liaTNOrfaeWYjuRCEPNXVtaazNQ"
     }

  15. JSON Web Token (JWT)

     • Header: { "typ":"JWT","alg":"HS256" }, the Base64 encoding of its UTF-8 representation
     • Second part: when the JWT is signed, the JWT Second Part is the Encoded JWS Payload. When the JWT is encrypted, the JWT Second Part is the Encoded JWE Encrypted Key.
     • Third part: when the JWT is signed, the JWT Third Part is the Encoded JWS Signature. When the JWT is encrypted, the JWT Third Part is the Encoded JWE Ciphertext.

  16. IdToken, metadata on the authentication

     {
       "iss": "https://www.kodtest.se:8088/",
       "user_id": "24400320",
       "aud": "XgnCOEXAj3D2",
       "exp": 1320502962,
       "nbf": 1320502902,
       "iat": 1320502000,
       "acr": 2,
       "nonce": "0S6_WzA2Mj"
     }

  17. UserInfo Request

     access_token  REQUIRED. The Access Token obtained from an OpenID Connect Authorization Request.
     schema        REQUIRED. The schema in which the data is to be returned. The only defined value is openid.
     id            This identifier is reserved. It MUST be ignored by the endpoint when the openid schema is used.

  18. UserInfoResponse, normal claims

     {
       "name#sv-se": "Jane Doe",
       "given_name": "Jane",
       "family_name": "Doe",
       "email": "janedoe@kodtest.se",
       "verified": true,
       "picture": "http://kodtest.se/janedoe/me.jpg"
     }

  19. Aggregated claims (diagram: Client, Identity source, Information source)

     {
       "name": "Jane Doe",
       "given_name": "Jane",
       "family_name": "Doe",
       "birthday": "01/01/2001",
       "email": "janedoe@example.com",
       "_claim_names": {
         "address": "src1",
         "phone_number": "src1"
       },
       "_claim_sources": {
         "src1": {"JWT": "jwt_header.jwt_part2.jwt_part3"}
       }
     }

  20. Distributed claims (diagram: Client, Identity source, Information source)

     {
       "name": "Jane Doe",
       "given_name": "Jane",
       "family_name": "Doe",
       "email": "janedoe@example.com",
       "birthday": "01/01/2001",
       "_claim_names": {
         "payment_info": "src1",
         "shipping_address": "src1",
         "credit_score": "src2"
       },
       "_claim_sources": {
         "src1": {"endpoint": "https://bank.example.com/claimsource"},
         "src2": {
           "endpoint": "https://creditagency.example.com/claimshere",
           "access_token": "ksj3n283dke"
         }
       }
     }
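Slides 15, 16, 19 and 20 together describe what a relying party has to verify and assemble on its side: the three-part JWS from slide 15, the ID token claims from slide 16, and the _claim_names / _claim_sources indirection from slides 19 and 20. The following is an added example written for this page, not code from the deck or from the presenter's software. It verifies an HS256 JWS with the client secret, applies the iss, aud, exp, nbf and nonce checks to an ID token carrying the slide 16 claims, and then resolves aggregated ("JWT") and distributed ("endpoint") claim sources into one claim set. The secrets, the fixed clock value NOW, the claim values, and fake_fetch (a stand-in for the HTTPS call to a distributed claim source) are all constructed; the endpoint URL and access token in USERINFO are the ones shown on slide 20.

```python
import base64, hashlib, hmac, json, time


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_hs256_jwt(payload, secret):
    """Constructed helper that exists only to mint sample tokens for this example."""
    head = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, (head + "." + body).encode("ascii"), hashlib.sha256).digest()
    return head + "." + body + "." + b64url_encode(sig)


def verify_hs256_jwt(token, secret):
    """Return the payload of a three-part JWS only if its HS256 signature verifies."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        raise ValueError("not a three-part JWS")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg: the verifier, not the token, decides it")
    expected = hmac.new(secret, (head + "." + body).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def validate_id_token(token, secret, issuer, client_id, nonce, now=None):
    """Checks the slide 16 claim set calls for: iss, aud, exp, nbf and nonce."""
    now = time.time() if now is None else now
    c = verify_hs256_jwt(token, secret)
    if c.get("iss") != issuer:
        raise ValueError("iss is not the OP we discovered")
    if c.get("aud") != client_id:
        raise ValueError("aud is not our client_id: token issued for another client")
    if now >= c.get("exp", 0):
        raise ValueError("token expired")
    if now < c.get("nbf", 0):
        raise ValueError("token not yet valid")
    if c.get("nonce") != nonce:
        raise ValueError("nonce does not match our request: possible replay")
    return c


def id_token_accepted(token, secret, issuer, client_id, nonce, now):
    try:
        validate_id_token(token, secret, issuer, client_id, nonce, now)
        return True
    except ValueError:
        return False


def resolve_claims(userinfo, verify_jwt, fetch_endpoint):
    """Merge aggregated ("JWT") and distributed ("endpoint") claim sources into the
    plain claims. verify_jwt(jwt) and fetch_endpoint(url, access_token) each return a
    dict of claims. A claim already present at top level is never overwritten."""
    merged = {k: v for k, v in userinfo.items() if k not in ("_claim_names", "_claim_sources")}
    sources, fetched = userinfo.get("_claim_sources", {}), {}
    for claim, src_name in userinfo.get("_claim_names", {}).items():
        if src_name not in fetched:          # each source is verified or fetched once
            src = sources[src_name]
            if "JWT" in src:
                fetched[src_name] = verify_jwt(src["JWT"])
            elif "endpoint" in src:
                fetched[src_name] = fetch_endpoint(src["endpoint"], src.get("access_token"))
            else:
                raise ValueError("claim source %s is neither JWT nor endpoint" % src_name)
        if claim in fetched[src_name] and claim not in merged:
            merged[claim] = fetched[src_name][claim]
    return merged


# --- constructed sample data: secrets, NOW and the claim values are invented ---
OP_SECRET = b"constructed-op-client-secret"
SRC_SECRET = b"constructed-claim-source-secret"
ISSUER, CLIENT_ID, NONCE = "https://www.kodtest.se:8088/", "XgnCOEXAj3D2", "0S6_WzA2Mj"
NOW = 1320502930  # between the slide's nbf (1320502902) and exp (1320502962)
ID_TOKEN = make_hs256_jwt({"iss": ISSUER, "user_id": "24400320", "aud": CLIENT_ID,
                           "exp": 1320502962, "nbf": 1320502902, "iat": 1320502000,
                           "acr": 2, "nonce": NONCE}, OP_SECRET)
USERINFO = {
    "name": "Jane Doe", "email": "janedoe@example.com",
    "_claim_names": {"address": "src1", "phone_number": "src1", "credit_score": "src2"},
    "_claim_sources": {
        "src1": {"JWT": make_hs256_jwt({"address": "Storgatan 1", "phone_number": "+46700000000"}, SRC_SECRET)},
        "src2": {"endpoint": "https://creditagency.example.com/claimshere", "access_token": "ksj3n283dke"},
    },
}


def fake_fetch(url, access_token):
    """Stand-in for the HTTPS call to a distributed claim source (no network here)."""
    if url == "https://creditagency.example.com/claimshere" and access_token == "ksj3n283dke":
        return {"credit_score": 750}
    raise ValueError("claim source refused the request")


def demo():
    claims = validate_id_token(ID_TOKEN, OP_SECRET, ISSUER, CLIENT_ID, NONCE, NOW)
    merged = resolve_claims(USERINFO, lambda t: verify_hs256_jwt(t, SRC_SECRET), fake_fetch)
    return claims, merged
```

Two design points carry over to real deployments: the verifier fixes the algorithm and the key it will accept rather than reading them from the token header, and an aggregated claim JWT is verified against the key of the claim source that issued it, not against the OP's secret, since the source, not the OP, is vouching for those values.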

  21. Using attribute authorities

     • Client credentials flow (diagram: steps 8 and 9 between the RP and the OP)

       POST
       Host: www.kodtest.se
       Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
       Content-Type: application/x-www-form-urlencoded

       grant_type=client_credentials&scope=xyz

  22. OpenID Connect

  23. Client registration parameters

     type, client_id, client_secret, access_token, contacts, application_type, application_name, logo_url, redirect_uris, token_endpoint_auth_type, policy_url, jwk_url, jwk_encryption_url, x509_url, x509_encryption_url, sector_identifier_url, user_id_type, require_signed_request_object, userinfo_signed_response_alg, userinfo_encrypted_response_alg, userinfo_encrypted_response_enc, userinfo_encrypted_response_int, id_token_signed_response_alg, id_token_encrypted_response_alg, id_token_encrypted_response_enc, id_token_encrypted_response_int, default_max_age, require_auth_time, default_acr
