standard-based identity (1)

ID & IT Management Conference 2016

Standard-based Identity (1)

2016/9/16

kura

ID /

OpenID ID

@kura_lab

1.

2. ID

3.

4.

5. OpenID Connect

6.

3

ID

ID

4

6

ID

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

SAML 2.0OpenID 1.0

OpenID 2.0OAuth 1.0

OAuth 2.0OpenID Connect

2015

2016

SAML 1.x

7

ID

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

SAML 2.0OpenID 1.0

OpenID 2.0OAuth 1.0


2015

2016

SAML 1.x

OASIS

8

ID

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

SAML 2.0OpenID 1.0

OpenID 2.0OAuth 1.0


2015

2016

SAML 1.x

SAML

9

ID

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

SAML 2.0OpenID

OpenID 2.0OAuth 1.0


2015

2016

SAML 1.x

OpenID

10

ID

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

SAML 2.0OpenID 1.0

OpenID 2.0OAuth 1.0


2015

2016

SAML 1.x

OpenIDDeprecated

11

ID

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

SAML 2.0OpenID 1.0

OpenID 2.0OAuth 1.0


2015

2016

SAML 1.x

OpenID IETFInformational

12

ID

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

SAML 2.0OpenID 1.0

OpenID 2.0OAuth 1.0


2015

2016

SAML 1.x

IETFStandards TrackRFC

13

ID

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

SAML 2.0OpenID 1.0

OpenID 2.0OAuth 1.0


2015

2016

SAML 1.x

OpenID

14

ID

2005

2006

2007

2008

2009

2010

2011

2012

2013

2014

SAML 2.0OpenID 1.0

OpenID 2.0OAuth 1.0


2015

2016

SAML 1.x

SAML

SAML=Security Assertion Markup Language

SOAPXML

16

OpenID

OpenID

OpenID AX

SOAPXML

17

OAuth 1.0OAuth 2.0

Web API

REST APIJSON

OAuth

18

OpenID Connect

OAuth 2.0

REST APIJSON

19

SSO

ID

21

SAMLOpenID OpenID Connect

OAuth

OAuth

OpenID2015GoogleOpenID Connect

22

SAML 2.0OpenID Connect

Azure AD

Google Apps

23

OpenID 2.0OpenID Connect

Google Identity PlatformGO

Yahoo! ID

24

SAMLOAuthOpenID Connect

OpenID

25

SAML

REST APIJSONOpenID ConnectOAuth

IDOpenID ConnectSCIM

26

SCIM

System for Cross-domain Identity Management

ID

/

REST APIJSON

27

Web APIOAuth 2.0

OpenID Connect

28

OpenID Connect

OpenID Connect Authorization Code Flow

IdPRPEnd-UserUserInfo Endpoint

Start OpenID Connect

31

IdPRPEnd-User

Authorization Request (Redirect)

UserInfo Endpoint


32

33

HTTP/1.1 302 FoundLocation: https://server.example.com/authorize?response_type=code&scope=openid%20profile%20email&client_id=s6BhdRkqt3&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

Authorization Request

34

HTTP/1.1 302 FoundLocation: https://server.example.com/authorize?response_type=code&scope=openid%20profile%20email&client_id=s6BhdRkqt3&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

Authorization Request

Authorization Code Flow code

IdPRPEnd-User


UserInfo Endpoint


35

IdPRPEnd-User


UserInfo Endpoint

Login / Consent


36

IdPRPEnd-User


UserInfo Endpoint

Authorization Code (Redirect)

Login / Consent


37

38

HTTP/1.1 302 FoundLocation: https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj

Authorization Response

39



Authorization Code Flow

40



Authorization Code

41



State

IdPRPEnd-User


UserInfo Endpoint


Login / Consent

Token Request


42

43

POST /token HTTP/1.1Host: server.example.comContent-Type: application/x-www-form-urlencodedAuthorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

Token Request

44



Token Request

Basic base64_encode(Client_ID . : . Secret);

45



Token Request

Authorization Code

46



Token Request

SecretAuthorization Code POST

IdPRPEnd-User


UserInfo Endpoint


Login / Consent

Token Request

Access Token / Refresh Token / ID Token


47

48

HTTP/1.1 200 OKContent-Type: application/jsonCache-Control: no-storePragma: no-cache

{ "access_token": "SlAV32hkKG", "token_type": "Bearer", "refresh_token": "8xLOxBtZp8", "expires_in": 3600, "id_token": eyJhbGciOi6IjFlOWdkazcifQ.eyJewogImlzc6ICJzZCaGRSa3F0MyIsCiAibm9uY2UiOiODA5NzAKfQ.eyJggW8hZ16IcmD3HP99Obi1PRs-cwhJ3LO-p146waJMzqg" }

Token Response

49



Token Response

JSON

50



Token Response

Access TokenRefresh Token

51



Token ResponseAccess TokenBearer

Authorization: Bearer



Token Response

ID Token

52

IdPRPEnd-User


UserInfo Endpoint


Login / Consent

Token Request



53

IdPRPEnd-User


UserInfo Endpoint


Login / Consent

Token Request


Resource Access

Resource


54

IdPRPEnd-User


UserInfo Endpoint


Login / Consent

Token Request


Resource Access

Resource


55

GET /userinfo HTTP/1.1 Host: server.example.com Authorization: Bearer SlAV32hkKGsegsef

UserInfo Request

56

GET /userinfo HTTP/1.1 Host: server.example.com Authorization: Bearer SlAV32hkKGsegsef

UserInfo Request

Bearer Authorization: Bearer

57

IdPRPEnd-User


UserInfo Endpoint


Login / Consent

Token Request


Resource Access

Resource


58

HTTP/1.1 200 OKContent-Type: application/json

{ "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "preferred_username": "j.doe", "picture": http://example.com/janedoe/me.jpg, "email": "[email protected]" }

UserInfo Response

59



UserInfo Response

JSON

60



UserInfo Response

openid

61



UserInfo Response

profile

62



UserInfo Response

email

63

scope

sub -

name profile

given_name profile

family_name profile

middle_name profile

nickname profile

preferred_username profile

scope

profile profile URL

picture profile URL

website profile URL

email email

email_verified email

gender profile

birthdate profile

64

scope

zoneinfo profile

locale profile

phone_number phone

phone_number_verified phone

address address

updated_at profile

65

1. ID

SAML 2.0

OpenID Connect

2.

SOAPXMLREST APIJSON

67

3.

4. OpenID Connect

Web

Location

Authorization

HTTPS

68

standard-based identity (1)

Internet