standard-based identity (1)
TRANSCRIPT
-
ID & IT Management Conference 2016
Standard-based Identity (1)
2016/9/16
-
kura
ID /
OpenID ID
@kura_lab
-
1.
2. ID
3.
4.
5. OpenID Connect
6.
3
-
ID
ID
4
-
ID
-
6
Timeline of identity standards, 2005 to 2016 (figure; only its labels survive extraction; the year labels are added from each specification's publication date):
  SAML 1.x        2002 / 2003 (OASIS), at the left edge of the timeline
  SAML 2.0        2005 (OASIS)
  OpenID 1.0      2005
  OpenID 2.0      2007
  OAuth 1.0       2007 (later RFC 5849, IETF Informational, 2010)
  OAuth 2.0       2012 (RFC 6749, IETF Standards Track)
  OpenID Connect  2014 (OpenID Foundation)
-
7 to 14
Slides 7 to 14 repeat the timeline above, highlighting one standard per slide. The annotations that survive are:
  slide 7:  OASIS
  slide 8:  SAML
  slide 9:  OpenID
  slide 10: OpenID, Deprecated
  slide 11: OpenID, IETF Informational
  slide 12: IETF Standards Track RFC
  slide 13: OpenID
  slide 14: no annotation
-
SAML
SAML = Security Assertion Markup Language
SOAP / XML based
16
-
OpenID
OpenID (the original, pre-Connect protocol)
OpenID AX (Attribute Exchange)
SOAP / XML
17
-
OAuth 1.0 / OAuth 2.0
Delegated authorization for Web APIs
REST API / JSON
OAuth
18
-
OpenID Connect
Built on OAuth 2.0
REST API / JSON
19
-
SSO
ID
21
-
SAML / OpenID / OpenID Connect
OAuth
OAuth
OpenID (2.0): in 2015 Google moved to OpenID Connect
22
-
SAML 2.0 / OpenID Connect
Azure AD
Google Apps
23
-
OpenID 2.0 -> OpenID Connect
Google Identity PlatformGO
Yahoo! ID
24
-
SAML / OAuth / OpenID Connect
OpenID
25
-
SAML
REST API / JSON: OpenID Connect, OAuth
ID: OpenID Connect, SCIM
26
-
SCIM
SCIM = System for Cross-domain Identity Management
ID (provisioning)
REST API / JSON
27
-
Web API access: OAuth 2.0
Authentication: OpenID Connect
28
-
OpenID Connect
-
OpenID Connect Authorization Code Flow
-
Sequence diagram (participants: IdP, RP, End-User; the IdP exposes the UserInfo Endpoint). The diagram is revealed one message at a time on slides 31 to 58; the complete exchange is:
  1. End-User -> RP:  Start OpenID Connect
  2. RP -> End-User -> IdP:  Authorization Request (Redirect)
  3. End-User <-> IdP:  Login / Consent
  4. IdP -> End-User -> RP:  Authorization Code (Redirect)
  5. RP -> IdP:  Token Request
  6. IdP -> RP:  Access Token / Refresh Token / ID Token
  7. RP -> IdP (UserInfo Endpoint):  Resource Access
  8. IdP -> RP:  Resource
31
-
Sequence diagram (as on slide 31), revealed through: Authorization Request (Redirect)
32
-
33
HTTP/1.1 302 Found
Location: https://server.example.com/authorize?response_type=code&scope=openid%20profile%20email&client_id=s6BhdRkqt3&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
Authorization Request (the RP redirects the End-User's browser to the IdP's authorization endpoint)
-
34
(Authorization Request as on slide 33)
Authorization Request
Authorization Code Flow: response_type=code
-
Sequence diagram (as on slide 31), revealed through: Authorization Request (Redirect)
35
-
Sequence diagram (as on slide 31), revealed through: Login / Consent
36
-
Sequence diagram (as on slide 31), revealed through: Authorization Code (Redirect)
37
-
38
HTTP/1.1 302 Found
Location: https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj
Authorization Response (the IdP redirects the End-User's browser back to the RP's redirect_uri)
-
39
(Authorization Response as on slide 38)
Authorization Response
Authorization Code Flow
-
40
(Authorization Response as on slide 38)
Authorization Response
Authorization Code: the code parameter, a short-lived, single-use credential that the RP exchanges at the token endpoint
-
41
(Authorization Response as on slide 38)
Authorization Response
State: before using the code, the RP must check that the returned state equals the value it sent in the Authorization Request (CSRF protection for the callback)
-
Sequence diagram (as on slide 31), revealed through: Token Request
42
-
43
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
Token Request
-
44
(Token Request as on slide 43)
Token Request
Authorization: Basic base64(client_id . ":" . client_secret), i.e. HTTP Basic client authentication (client_secret_basic). RFC 6749 2.3.1 requires client_id and client_secret to be form-urlencoded before they are joined with ":" and base64-encoded.
-
45
(Token Request as on slide 43)
Token Request
Authorization Code: the code received in the Authorization Response, sent as the code parameter together with the same redirect_uri used in the Authorization Request
-
46
(Token Request as on slide 43)
Token Request
The client secret and the Authorization Code are sent by POST directly from the RP to the IdP (back channel, over HTTPS), not through the browser
-
Sequence diagram (as on slide 31), revealed through: Access Token / Refresh Token / ID Token
47
-
48
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in": 3600,
  "id_token": "eyJhbGciOi6IjFlOWdkazcifQ.eyJewogImlzc6ICJzZCaGRSa3F0MyIsCiAibm9uY2UiOiODA5NzAKfQ.eyJggW8hZ16IcmD3HP99Obi1PRs-cwhJ3LO-p146waJMzqg"
}
Token Response
-
49
(Token Response as on slide 48)
Token Response
JSON body (returned with Cache-Control: no-store so the tokens are not cached)
-
50
(Token Response as on slide 48)
Token Response
Access Token / Refresh Token
-
51
(Token Response as on slide 48)
Token Response: the Access Token has token_type Bearer
It is presented to the resource as Authorization: Bearer <access_token>
-
(Token Response as on slide 48)
Token Response
ID Token: a signed JWT (header.payload.signature) carrying the authentication claims; the RP validates its signature, issuer, audience, nonce and expiry before trusting the login
52
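How an RP validates the ID Token it has just received, as an added example that is not part of the talk. The slide's token is truncated, so the example mints its own: the IdP side signs with HS256 keyed with the client secret (OpenID Connect Core 10.1; the secret gX1fBat3bV is decoded from the slide's Basic header, an assumption about which algorithm the IdP uses), and the RP side pins the algorithm, verifies the signature in constant time and then checks iss, aud/azp, nonce, exp and iat. Issuer, client_id and nonce are the values from the slides' Authorization Request; the timestamp and the claim set are constructed.

```python
import base64
import hashlib
import hmac
import json

# From the slides: issuer, and the client_id and nonce sent in the Authorization Request.
# The client secret is decoded from the slides' Basic header ("s6BhdRkqt3:gX1fBat3bV")
# and, per OpenID Connect Core 10.1, its UTF-8 octets are the HMAC key for HS256 ID Tokens.
ISSUER = "https://server.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
NONCE = "n-0S6_WzA2Mj"
CLOCK_SKEW = 60  # seconds of tolerance on exp and iat


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def mint_id_token(claims, key, alg="HS256"):
    """IdP side: sign header.payload. alg is a parameter only so that a forged
    alg=none token can be produced for the negative test."""
    header = _b64url(_compact_json({"alg": alg, "typ": "JWT"}))
    payload = _b64url(_compact_json(claims))
    signing_input = (header + "." + payload).encode()
    sig = b"" if alg == "none" else hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url(sig)


def verify_id_token(token, key, now, issuer=ISSUER, client_id=CLIENT_ID, nonce=NONCE):
    """RP side: the checks of OpenID Connect Core 3.1.3.7 before trusting the login."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ID Token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    # The RP pins the algorithm it registered with the IdP. The token's own alg header
    # never selects the verification routine, which is what makes alg=none harmless here.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key.encode(), (header_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("aud does not contain this client_id")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token was not issued for this login attempt")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now >= exp + CLOCK_SKEW:
        raise ValueError("ID Token expired")
    if not isinstance(iat, int) or iat > now + CLOCK_SKEW:
        raise ValueError("iat is in the future")
    return claims


# Constructed sample: the claims an IdP would put in the ID Token for the slides' flow.
SAMPLE_NOW = 1473984000  # 2016-09-16T00:00:00Z, the date of the talk
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "nonce": NONCE,
                 "iat": SAMPLE_NOW, "exp": SAMPLE_NOW + 3600}

if __name__ == "__main__":
    token = mint_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)
    print(token)
    print(verify_id_token(token, CLIENT_SECRET, SAMPLE_NOW)["sub"])
```

The nonce check is what ties the ID Token to the Authorization Request on slide 33: the RP stores the nonce in the browser session when it builds the redirect and compares it here, so a token captured from another login cannot be replayed into this session.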
-
Sequence diagram (as on slide 31), revealed through: Access Token / Refresh Token / ID Token
53
-
Sequence diagram (as on slide 31), revealed through: Resource Access / Resource
54
-
Sequence diagram (as on slide 31), revealed through: Resource Access / Resource
55
-
GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer SlAV32hkKG
UserInfo Request (the Access Token issued on slide 48 is presented to the UserInfo Endpoint)
56
-
(UserInfo Request as on slide 56)
UserInfo Request
Bearer token: the Access Token is sent in the Authorization: Bearer header
57
-
Sequence diagram (as on slide 31), revealed through: Resource Access / Resource
58
-
HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "j.doe",
  "picture": "http://example.com/janedoe/me.jpg",
  "email": "janedoe@example.com"
}
UserInfo Response
59
-
(UserInfo Response as on slide 59)
UserInfo Response
JSON
60
-
(UserInfo Response as on slide 59)
UserInfo Response
openid scope: sub
61
-
(UserInfo Response as on slide 59)
UserInfo Response
profile scope: name, given_name, family_name, preferred_username, picture
62
-
(UserInfo Response as on slide 59)
UserInfo Response
email scope: email
63
-
Standard claims and the scope that releases each one:

  Claim                   Scope      Type / note
  sub                     -          always returned (openid)
  name                    profile
  given_name              profile
  family_name             profile
  middle_name             profile
  nickname                profile
  preferred_username      profile
  profile                 profile    URL
  picture                 profile    URL
  website                 profile    URL
  email                   email
  email_verified          email
  gender                  profile
  birthdate               profile
64
-
  (continued)
  zoneinfo                profile
  locale                  profile
  phone_number            phone
  phone_number_verified   phone
  address                 address
  updated_at              profile
65
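The RP side of the whole Authorization Code Flow on slides 31 to 63 in working code, as an added example that is not from the talk or any library: build the Authorization Request, check state on the callback, build the Token Request with correct client_secret_basic encoding, accept the Token Response, and check the UserInfo Response against the scope table on slides 64 and 65. The client secret gX1fBat3bV is decoded from the slide's Basic header; the sample messages are the slides' own examples, constructed inline so the code runs offline (no HTTP is sent; the functions produce and consume the messages). ID Token signature validation is out of scope here.

```python
import base64
import hmac
import json
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Values from the slides. The secret is not printed on any slide: it is the second half
# of the slide's "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW", which decodes to "s6BhdRkqt3:gX1fBat3bV".
ISSUER = "https://server.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
REDIRECT_URI = "https://client.example.org/cb"
SCOPES = ["openid", "profile", "email"]

# Which scope releases which standard claim (the table on slides 64 and 65).
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "phone": {"phone_number", "phone_number_verified"},
    "address": {"address"},
}


def authorization_url(state, nonce, scopes=SCOPES):
    """Location value of the Authorization Request (slide 33)."""
    params = {"response_type": "code", "scope": " ".join(scopes), "client_id": CLIENT_ID,
              "state": state, "nonce": nonce, "redirect_uri": REDIRECT_URI}
    # quote, not quote_plus: spaces become %20 and '/' is escaped, exactly as on the slide
    return ISSUER + "/authorize?" + urlencode(params, quote_via=quote)


def handle_callback(location, expected_state):
    """Parse the Authorization Response (slide 38) and return the code.

    The state comparison is the flow's CSRF defence: a redirect whose state was not
    minted for this browser session is dropped before the code is exchanged.
    """
    qs = parse_qs(urlsplit(location).query)
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    return qs["code"][0]


def token_request(code):
    """Headers and body of the Token Request (slide 43), client_secret_basic style."""
    # RFC 6749 2.3.1: form-urlencode id and secret *before* joining with ':' and base64
    cred = quote(CLIENT_ID, safe="") + ":" + quote(CLIENT_SECRET, safe="")
    headers = {"Authorization": "Basic " + base64.b64encode(cred.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI}, quote_via=quote)
    return headers, body


def parse_token_response(raw):
    """Accept a Token Response (slide 48) only if it carries what an OIDC RP needs."""
    tok = json.loads(raw)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("unsupported token_type")
    for key in ("access_token", "id_token"):
        if not tok.get(key):
            raise ValueError("token response lacks " + key)
    return tok


def check_userinfo(raw, granted_scopes, expected_sub):
    """Validate the UserInfo Response (slide 59) fetched with Authorization: Bearer.

    Core 5.3.2: sub MUST equal the ID Token's sub. Claims outside the granted scopes
    are returned separately so an over-sharing or misconfigured IdP is visible.
    """
    claims = json.loads(raw)
    if claims.get("sub") != expected_sub:
        raise ValueError("UserInfo sub does not match the ID Token sub")
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in granted_scopes))
    return claims, sorted(set(claims) - allowed)


# Sample messages, copied from the slides' examples (constructed, no network involved).
SAMPLE_CALLBACK = "https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj"
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "SlAV32hkKG", "token_type": "Bearer", "refresh_token": "8xLOxBtZp8",
    "expires_in": 3600, "id_token": "<signed JWT, validated separately>"})
SAMPLE_USERINFO = json.dumps({
    "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe",
    "preferred_username": "j.doe", "picture": "http://example.com/janedoe/me.jpg",
    "email": "janedoe@example.com"})

if __name__ == "__main__":
    print(authorization_url("af0ifjsldkj", "n-0S6_WzA2Mj"))
    code = handle_callback(SAMPLE_CALLBACK, "af0ifjsldkj")
    headers, body = token_request(code)
    tok = parse_token_response(SAMPLE_TOKEN_RESPONSE)
    claims, extra = check_userinfo(SAMPLE_USERINFO, SCOPES, "248289761001")
    print(headers["Authorization"], body, tok["access_token"], claims["name"], extra)
```

Run as a script it reproduces, byte for byte, the Location value of slide 33, the Basic header of slide 43 and the Token Request body, which is a useful check that an RP's encoding matches what the IdP expects before pointing it at a real token endpoint.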
-
1. ID standards
SAML 2.0
OpenID Connect
2.
SOAP / XML -> REST API / JSON
67
-
3.
4. OpenID Connect
Web (browser redirects via the Location header)
Authorization header
HTTPS
68
-
69