Presentation is loading. Please wait.

Presentation is loading. Please wait.

OpenID Connect Update May 14, 2013 Dr. Michael B. Jones Identity Standards Architect – Microsoft.

Published byGervais Green Modified over 9 years ago

Similar presentations

Presentation on theme: "OpenID Connect Update May 14, 2013 Dr. Michael B. Jones Identity Standards Architect – Microsoft."— Presentation transcript:

1 OpenID Connect Update May 14, 2013 Dr. Michael B. Jones Identity Standards Architect – Microsoft

2 Working Together OpenID Connect

3 Working Group Members Key working group participants: – Nat Sakimura – Nomura Research Institute – Japan – John Bradley – Ping Identity – Chile – Breno de Medeiros – Google – US – Axel Nennker – Deutsche Telekom – Germany – Torsten Lodderstedt – Deutsche Telekom – Germany – Roland Hedberg – Umeå University – Sweden – Andreas Åkre Solberg – UNINETT – Norway – Chuck Mortimore – Salesforce – US – George Fletcher – AOL – US – Justin Richer – Mitre – US – Nov Matake – Independent – Japan – Mike Jones – Microsoft – US By no means an exhaustive list!

4 OpenID Connect Intro Simple identity layer on top of OAuth 2.0 Enables clients to verify identity of end-user Enables clients to obtain basic profile info REST/JSON interfaces → low barrier to entry

5 OpenID Connect Range Spans use cases, scenarios – Internet, Enterprise, Mobile, Cloud Spans security & privacy requirements – From non-sensitive information to highly secure Spans sophistication of claims usage – From basic default claims to specific requested claims to aggregated and distributed claims Maximizes simplicity of implementations – Uses existing IETF specs: OAuth 2.0, JWT, etc. – Lets you build only the pieces you need

6 Key Diffs from OpenID 2.0 Support for native client applications Identifiers using e-mail address format UserInfo endpoint for simple claims about user Designed to work well on mobile phones Uses JSON/REST, rather than XML Support for encryption and higher LOAs Support for distributed and aggregated claims Support for session management, including logout Support for self-issued identity providers

7 Presentation Overview Introduction Design Philosophy A Look Under the Covers Overview of Connect Specs Underpinnings Timeline Open Issues Next Steps Resources

8 Design Philosophy Simple Things SimpleComplex Things Possible

9 Simple Things Simple UserInfo endpoint for simple claims about user Designed to work well on mobile phones

10 How We Make It Simple Build on OAuth 2.0 Use JavaScript Object Notation (JSON) Build only the pieces that you need Goal: Easy implementation on all modern development platforms

11 Complex Things Possible Encrypted ClaimsAggregated ClaimsDistributed Claims

12 Connect Interop Status About to begin 5 th round of interop testing Interop data at http://osis.idcommons.net/http://osis.idcommons.net/ By the numbers: – 13 implementations participating 66 cross-solution test results recorded – 110 feature tests defined 1,260 feature test results recorded – 93 members of interop mailing list 752 messages to interop mailing list

13 A Look Under the Covers ID Token Claims Requests UserInfo Claims Example Protocol Messages

14 ID Token JWT representing logged-in session Claims: – iss – Issuer – sub – Identifier for subject (user) – aud – Audience for ID Token – iat – Time token was issued – exp – Expiration time – nonce – Mitigates replay attacks

15 ID Token Claims Example { "iss": "https://server.example.com", "sub": "248289761001", "aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf", "iat": 1311280970, "exp": 1311281970, "nonce": "n-0S6_WzA2Mj" }

16 Claims Requests Basic requests made using OAuth scopes: – openid – Declares request is for OpenID Connect – profile – Requests default profile info – email – Requests email address & verification status – address – Requests postal address – phone – Requests phone number & verification status – offline_access – Requests Refresh Token issuance Requests for individual claims can be made using JSON “claims” request parameter

17 UserInfo Claims sub name given_name family_name middle_name nickname preferred_username profile picture website gender birthdate locale zoneinfo updated_at email email_verified phone_number phone_number_verified address

18 UserInfo Claims Example { "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "email": "janedoe@example.com", "email_verified": true, "picture": "http://example.com/janedoe/me.jpg" }

19 Authorization Request Example https://server.example.com/authorize ?response_type=token%20id_token &client_id=0acf77d4-b486-4c99-bd76-074ed6a64ddf &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb &scope=openid%20profile &state=af0ifjsldkj &nonce=n-0S6_WzA2Mj

20 Authorization Response Example HTTP/1.1 302 Found Location: https://client.example.com/cb #access_token=mF_9.B5f-4.1JqM &token_type=bearer &id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z &expires_in=3600 &state=af0ifjsldkj

21 UserInfo Request Example GET /userinfo?schema=openid HTTP/1.1 Host: server.example.com Authorization: Bearer mF_9.B5f-4.1JqM

22 Connect Specs Overview

23 Basic Client Profile Single, simple, self-contained Web client spec For clients using OAuth “code” flow All you need for Web server-based RP – Using pre-configured set of OPs http://openid.net/specs/openid-connect-basic-1_0.html

24 Implicit Client Profile Single, simple, self-contained Web client spec For clients using OAuth “implicit” flow All you need for user agent-based RPs – Using pre-configured set of OPs http://openid.net/specs/openid-connect-implicit-1_0.html

25 Discovery & Registration Enables dynamic configurations in which sets of OPs and RPs are not pre-configured – Necessary for open deployments Discovery enables RPs to learn about OP endpoints Dynamic registration enables RPs to use OPs they don’t have pre-existing relationships with http://openid.net/specs/openid-connect-discovery-1_0.html http://openid.net/specs/openid-connect-registration-1_0.html

26 Messages & Standard Messages spec defines data formats exchanged in OpenID Connect messages Standard spec is HTTP binding for Messages – (Basic and Implicit are profiles of Messages and Standard) Needed for OPs, native client apps, and RPs needing functionality not in Basic – E.g., requesting claims not in default UserInfo set http://openid.net/specs/openid-connect-messages-1_0.html http://openid.net/specs/openid-connect-standard-1_0.html

27 Session Management For OPs and RPs needing session management capabilities – Enables logout functionality – Enables account switching http://openid.net/specs/openid-connect-session-1_0.html

28 OAuth Response Types Defines and registers additional OAuth response types: – id_token – none And also defines and registers combinations of code, token, and id_token response types http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html

29 Underpinnings OAuth 2.0 family of specs – OAuth 2.0 Core – RFC 6749 – OAuth 2.0 Bearer – RFC 6750 – OAuth 2.0 Assertions – OAuth 2.0 JWT Assertions Profile JWT and JOSE family of specs – JSON Web Token (JWT) – JSON Web Signature (JWS) – JSON Web Encryption (JWE) – JSON Web Algorithms (JWA) – JSON Web Key (JWK) WebFinger discovery spec

30 Timeline Artifact Binding working group formed, Mar 2010 Major design issues closed at IIW, May 2011 – Result branded “OpenID Connect”, May 2011 Functionally complete specs, Jul 2011 2 nd interop testing round, Sep-Nov 2011 Simpler specs incorporating dev feedback, Oct 2011 Published First Implementer’s Drafts, Dec 2011 3 rd interop testing round, Feb 2012 to May 2012 OpenID Connect won Best Innovation/New Standard award at EIC, April 2012 Revised specs incorporating more feedback, June 2012 4 th interop testing round, June 2012 to May 2013 Second Implementers Drafts to be published, May 2013 5 th interop testing round to begin, May 2013 Working on stabilizing JOSE encryption spec (JWE), ongoing

31 Risks to Timely Completion Dependencies on IETF specs/processes – OAuth specifications: JWT, OAuth Assertions, OAuth JWT Assertions, OAuth Dynamic Registration – JOSE specifications: JWS, JWE, JWA, JWK – Discovery-related specifications: WebFinger, acct URI IETF could change/delay any of these

32 Primary IETF Open Issue draft-ietf-jose-json-web-encryption (JWE) – Some WG members still trying to change things – Stabilizing JWE the main dependency for finishing OpenID Connect Less risk of change for other dependencies

33 Next Steps Update specs for recent issue resolutions – Minor updates to both JOSE and Connect specs Publish new proposed implementer’s drafts – Not yet final because of IETF spec dependencies – Membership vote to approve them Create 5 th OpenID Connect Interop (OC5) Continued deployment and feedback Make determination that IETF dependencies stable Publish final specification drafts – Once dependencies are resolved – Membership vote to approve final specifications

34 Resources OpenID Connect – http://openid.net/connect/ http://openid.net/connect/ OpenID Connect Working Group Mailing List – http://lists.openid.net/mailman/listinfo/openid-specs-ab http://lists.openid.net/mailman/listinfo/openid-specs-ab OpenID Connect Interop Wiki – http://osis.idcommons.net/ http://osis.idcommons.net/ OpenID Connect Interop Mailing List – http://groups.google.com/group/openid-connect-interop http://groups.google.com/group/openid-connect-interop Mike Jones’ Blog – http://self-issued.info/ http://self-issued.info/ Nat Sakimura’s Blog – http://nat.sakimura.org/ http://nat.sakimura.org/ John Bradley’s Blog – http://www.thread-safe.com/ http://www.thread-safe.com/

35 BACKUP SLIDES

36 Aggregated Claims Data Source Identity Provider Relying Party Signed Claims Claim Values

37 Distributed Claims Identity Provider Signed Claims Relying Party Claim Refs Data Source

38 Connect OAuth Specs draft-ietf-oauth-v2 – Now RFC 6749 draft-ietf-oauth-v2-bearer – Now RFC 6750 draft-ietf-oauth-urn-sub-ns – Now RFC 6755 draft-ietf-oauth-v2-threatmodel – Now RFC 6819 draft-ietf-oauth-assertions – Ready for WGLC draft-ietf-oauth-json-web-token – Ready for WGLC draft-ietf-oauth-oauth-jwt-bearer – Ready for WGLC draft-ietf-oauth-dyn-reg – In WGLC

39 Connect JOSE Specs draft-ietf-jose-json-web-signature – Ready for WGLC draft-ietf-jose-json-web-encryption – Ready for WGLC draft-ietf-jose-json-web-algorithms – Ready for WGLC draft-ietf-jose-json-web-key – Ready for WGLC

40 Connect Apps Area Specs draft-ietf-appsawg-webfinger – In IESG review draft-ietf-appsawg-acct-uri – In IESG review

41 Developer Feedback Incorporated Ask: Simpler, more modular specs – Created Basic Client Profile and Implicit Client Profile – Messages and Standard also simplified Ask: Enable single-sign-on without using UserInfo – Can now receive just an ID Token, if desired Ask: Remove Check ID endpoint – ID Token validation now done directly by RP Ask: Self-issued identity providers – Self-issued OP mechanisms defined Not a comprehensive list of feedback incorporated

Download ppt "OpenID Connect Update May 14, 2013 Dr. Michael B. Jones Identity Standards Architect – Microsoft."

Similar presentations

Secure RESTful Interface Profile Phase 1 Briefing

Secure RESTful Interface Profile Phase 1 Briefing
SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.
© 2014 The MITRE Corporation. All rights reserved. Mark Russell OAuth and OpenID Connect Risks and Vulnerabilities 12/3/2014 Approved for Public Release;

© 2014 The MITRE Corporation. All rights reserved. Mark Russell OAuth and OpenID Connect Risks and Vulnerabilities 12/3/2014 Approved for Public Release;
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).
Mashing Up with User-Centric Identity America Online LLC John Panzer, Praveen Alavilli.

Mashing Up with User-Centric Identity America Online LLC John Panzer, Praveen Alavilli.
OpenID Connect Update and Discussion Mountain View Summit – September 12, 2011 Mike Jones – Microsoft John Bradley – Independent Nat Sakimura – Nomura.

OpenID Connect Update and Discussion Mountain View Summit – September 12, 2011 Mike Jones – Microsoft John Bradley – Independent Nat Sakimura – Nomura.
OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.

OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.
Proposed Documents for JOSE: JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK) Mike Jones Standards Architect – Microsoft IETF 82 –

Proposed Documents for JOSE: JSON Web Signature (JWS) JSON Web Encryption (JWE) JSON Web Key (JWK) Mike Jones Standards Architect – Microsoft IETF 82 –
TATRC and MITRE to NwHIN Power Team 12 June 2013 RESTful Health Exchange (RHEx)

TATRC and MITRE to NwHIN Power Team 12 June 2013 RESTful Health Exchange (RHEx)
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Identity Management Report By Jean Carreon and Marlon Gonzales.

Identity Management Report By Jean Carreon and Marlon Gonzales.
The Internet Identity Layer OpenID Connect Update for HIT Standards Committee’s Privacy and Security Workgroup Wednesday, March 12th from 10:00-2:45 PM.

The Internet Identity Layer OpenID Connect Update for HIT Standards Committee’s Privacy and Security Workgroup Wednesday, March 12th from 10:00-2:45 PM.
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV BOF IETF-67 San Diego November 2006 Andrea Doherty.

1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV BOF IETF-67 San Diego November 2006 Andrea Doherty.
Openid Connect https://store.theartofservice.com/the-openid-connect-toolkit.html.

Openid Connect
Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication.

Identity Management Hannes Tschofenig. Motivation OAuth was created to allow secure and privacy friendly sharing of data. OAuth is not an authentication.
IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.

IETF #91 OAuth Meeting Derek Atkins Hannes Tschofenig.
Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.

Hannes Tschofenig, Blaine Cook. 6/4/2016 IETF #77, SAAG 2 The Problem.

Similar presentations

Ads by Google