OpenID Connect - cs.auckland.ac.nz
![Page 1: OpenID Connect - cs.auckland.ac.nz · OpenID Connect Muhammad Rizwan Asghar The University of Auckland September 24, 2015 For template of slides, thanks to kingsoftstore.com](https://reader030.vdocuments.site/reader030/viewer/2022041209/5d67829c88c9931a568b904c/html5/thumbnails/1.jpg)
OpenID Connect
Muhammad Rizwan Asghar
The University of Auckland
September 24, 2015
For template of slides, thanks to kingsoftstore.com
Overview
• OpenID Connect is an identity layer built on top of OAuth 2.0
• It provides an open standard for interoperability
• Specifications launched on February 26, 2014
• Free
Why OpenID Connect?
• Lack of notion of identity management in OAuth 2.0
• No support of native applications in OpenID
Basic Purpose
• It enables clients to verify the identity of End-Users
• End-Users are identified based on authentication performed by an Authorisation Server
• It also enables clients to obtain information about End-Users
OpenID Connect
• For developing Internet identity ecosystems that are
  • Secure
  • Flexible
  • Interoperable
• It offers not only authentication but also authorisation
• It supports a variety of use cases
Main Building Blocks
• OpenID
• OAuth 2.0
• TLS/SSL
Roles
• OpenID Provider (OP)
  • It offers authentication/authorisation
• Relying Party (RP)
  • A client that requires authentication and authorisation
• End-User
  • A human participant who gets authenticated and provides authorisation
OP Examples
• Microsoft
• Running own OPs on
  • Web sites
  • Personal devices
    • E.g., mobile phones and tablets
OpenID Connect Flow
(Diagram: messages exchanged between the End-User, the Relying Party (RP) and the OpenID Provider (OP))
1 – Authentication Request (RP → OP)
2 – Authentication & Authorisation (End-User ↔ OP)
3 – Authentication Response (OP → RP)
4 – UserInfo Request (RP → OP)
5 – UserInfo Response (OP → RP)
Core Endpoints
• Authorisation endpoint
  • Authenticates End-Users and asks for their consent for authorisation
• Token endpoint
  • Returns tokens if the client has been authorised
• UserInfo endpoint
  • Hosts protected resources
Flow Details
1. The RP (client) sends a request to the OP
2. The OP authenticates the End-User and obtains authorisation
3. The OP responds with
  • ID Token and
  • Access Token
Flow Details (2)
4. The RP can send a request with the Access Token to the OP
5. The RP receives Claims about the End-User
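Steps 1 and 3 of the flow above from the RP's side, as an added example in Python (not code from the slides): the RP binds the Authentication Request to the browser session with a random `state` and a `nonce` (the nonce later reappears in the ID Token), then refuses any Authentication Response whose `state` does not match. The endpoint, redirect URI and callback values are constructed for illustration.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example; the client_id is the one from the
# deck's ID Token example slide.
AUTHORIZATION_ENDPOINT = "https://op.example/authorize"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://rp.example/cb"


def build_authentication_request(session: dict) -> str:
    """Step 1: build the Authentication Request URL (authorisation code flow).

    'state' ties the later response to this browser session (CSRF protection);
    'nonce' is echoed back inside the ID Token so the RP can detect replay.
    Both are stored server-side so they can be checked later.
    """
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",            # tokens will come from the Token Endpoint
        "scope": "openid profile email",    # 'openid' is what makes this OIDC, not plain OAuth
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def handle_authentication_response(session: dict, callback_url: str):
    """Step 3: the OP redirects the User Agent back to redirect_uri with
    'code' and 'state'. Returns the authorisation code, or None when the
    response must be rejected (error from the OP, or state mismatch)."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        return None
    expected_state = session.pop("state", None)   # single use: consume it
    received_state = query.get("state", [""])[0]
    if expected_state is None or not secrets.compare_digest(received_state, expected_state):
        return None   # not a response to a request this session made
    return query.get("code", [None])[0]
```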
Authentication Flows
• Authorisation code flow
• Implicit flow
• Hybrid flow
Authentication Flows

| Property | Authorisation Code Flow | Implicit Flow | Hybrid Flow |
|---|---|---|---|
| All tokens returned from the Authorisation Endpoint | No | Yes | No |
| All tokens returned from the Token Endpoint | Yes | No | No |
| Tokens not revealed to User Agents | Yes | No | No |
| Client can be authenticated | Yes | No | Yes |
| Refresh Token possible | Yes | No | Yes |
| Communication in one round trip | No | Yes | No |
| Most communication server-to-server | Yes | No | Varies |
Key Artefacts
• ID Token
  • Asserts the user's identity
  • Like a standard identity card that is digitally signed
• Access Token
  • Used to get access to protected resources
ID Token
• Asserts the user identity
  • The unique user identifier
• Specifies the authority
  • The OP URI
• The intended audience
  • The client
ID Token (2)
• May specify how and when the user was authenticated
• Includes issue and expiration dates
• May contain additional information
  • User's name
  • User's email
  • …
ID Token: Example
```json
{
  "iss": "https://server.example.com",
  "sub": "24400320",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969,
  …
}
```
ID Token Security
• Digitally signed
  • Provider's RSA key
  • HMAC issued to the client during registration
• May be encrypted
Claims
• Claim
  • A piece of information asserted about an Entity
• Claim Provider
  • A server that can return Claims about an Entity
• ID Token
  • Claims about the Authentication event
Standard Claims
• Address Claim
  • Street address
  • Locality
  • Region
  • Postal code
  • Country
Claim Types
• Normal Claims
  • Directly asserted by the OP
• Aggregated Claims
  • Asserted by a Claim Provider other than the OP but returned by the OP
• Distributed Claims
  • Asserted by a Claim Provider other than the OP but returned as references by the OP
Normal Claims
• Name
• Given name
• Family name
• Picture
Adoption
• Implemented worldwide by Internet and mobile companies
• Microsoft
• Deutsche Telekom
• Salesforce
• Ping Identity
• Nomura Research Institute
Adoption (2)
• Mobile network operators
• Many more …
• It will be built into commercial products
• Implemented in open-source libraries for global deployment
Products
• Google has provided OpenID Connect support since early 2013
• Example
  • Google+ Sign-In
  • Link: https://developers.google.com/+/api/openidconnect/
Support
• System-level APIs built into Android
• Browsers
  • Mobile
  • Desktop
Integration with New Authentication Technologies
• To replace password-based authentication, new technologies are in progress
• New technologies can be adopted by OpenID Connect, e.g.,
• 2-factor authentication
• Biometrics
What does OpenID Connect Solve?
• It lets app/site developers authenticate users without owning/managing their passwords
• Developers know who is connected to their app/site
Benefits
• It provides a standard way to outsource site and application login
• Easy to use
• Easy to implement and deploy
• Reliable and secure
• Efficient
• Interoperable
Consent
• Before sharing personal information with RPs, OPs obtain End-Users’ consent
Signing & Encryption
• Signing
  • Asymmetric: RSA or ECDSA
  • Symmetric
• Encryption
  • Asymmetric: RSA
  • Asymmetric: Elliptic curve
  • Symmetric
Security Considerations
• Request disclosure
  • Take appropriate protection measures
• Token manufacture/modification
  • Sign or use a secure channel
• Server masquerading
  • A malicious server might masquerade
  • Clients need to authenticate the server
Privacy Considerations
• Personally Identifiable Information in UserInfo response
• Obtain End-Users’ consent
• Data access monitoring
  • Make End-Users' UserInfo access logs available to them so that they can monitor who accessed their data
Summary
• OpenID Connect is an identity layer built on OAuth 2.0
• An open standard that provides interoperability
• It supports native and mobile apps
• Enables information sharing
• Data access monitoring
References
• OpenID Connect Core 1.0, http://openid.net/specs/openid-connect-core-1_0.html
• OpenID Connect Work Group, http://openid.net/wg/connect/
• The OpenID Foundation Launches the OpenID Connect Standard, http://openid.net/2014/02/26/the-openid-foundation-launches-the-openid-connect-standard/
• Libraries, http://openid.net/developers/libraries/
References (2)
• Google Identity Cookbook: OpenID Connect, https://developers.google.com/accounts/cookbook/technologies/OpenID-Connect
• Google Accounts Authentication and Authorization: Using OAuth 2.0 for Login (OpenID Connect), https://developers.google.com/accounts/docs/OAuth2Login
• Google+ Platform: People: getOpenIdConnect, https://developers.google.com/+/api/latest/people/getOpenIdConnect