CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay

Aug 12, 2015

Transcript
Page 1: CIS 2015 OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay

Page 2

OpenID Connect Workshop Part 1: Challenges for mobile - B. Allyn Fay

Page 3

Introduction

•  What is OpenID Connect
•  Conformance and Interop
•  How does it differ from OAuth
•  Profiles for mobile
•  High level challenges

Copyright © 2015 Cloud Identity Summit. All rights reserved.

Page 4

Why OpenID Connect?

•  OpenID Connect logically combines the functionality of SAML and OAuth
•  SAML has limited support for dynamic trust, and its attribute-sharing mechanisms have not been widely deployed
•  OAuth has emerged as a powerful authorization mechanism, but has no explicit concept of identity
•  OpenID Connect addresses the limitations of SAML and OAuth with a modern REST- and JSON-based architecture

Page 5

So what’s the deal with mobile?

•  High level mobile challenges

Page 6

What’s New: Conformance and Interop

•  OIDF self certification
•  Current implementations
   •  Google Authentication Service
   •  AWS Cognito
   •  MSFT?
   •  SFDC?

Page 7

OAuth 2.0 Overview

[Diagram: AUTHORIZATION SERVER (Authorization Endpoint, Token Endpoint); RESOURCE SERVER (“Important Stuff”); CLIENT (“Where the magic happens”). The client gets an access token from the authorization server and uses the access token at the resource server.]

Page 8

OpenID Connect Protocols

•  Graphic goes here

Page 9

OIDC 1.0 Overview

[Diagram: AUTHORIZATION SERVER; RESOURCE SERVER (“Important Stuff”); CLIENT. The client gets an access token and an ID token (JWT) from the authorization server and uses the access token at the Userinfo endpoint.]

Authorization server endpoints shown:
•  Authorization endpoint
•  Token endpoint
•  Registration endpoint
•  JWKS endpoint
•  /.well-known/webfinger
•  /.well-known/openid-configuration
•  Check session iframe
•  End session endpoint
•  Userinfo endpoint

Page 10

AuthN vs. AuthZ and OIDC features

•  ID Tokens
•  User Info
•  Endpoint Discovery
•  Web Keys
•  Session Management
•  Dynamic Registration
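The ID token is what turns OAuth’s “use an access token” into authentication: the Relying Party must check its signature and claims before believing the user is who the token says. The following is an added example, not code from the workshop or the OpenID Foundation. It uses only the Python standard library, so the token is signed with HS256 using the client_secret (which OIDC Core 1.0 section 10.1 permits for confidential clients); an RS256 token from a real OP is validated the same way except that the verification key is fetched from the jwks_uri in the discovery document. The discovery document, client_id, client_secret and claims are all constructed values.

```python
"""Relying-Party-side validation of an OpenID Connect ID token (compact JWT):
signature, issuer, audience, time window and nonce, in that order.
Added example; discovery document, client_id, secret and claims are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for the OP's /.well-known/openid-configuration document.
DISCOVERY = {
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "token_endpoint": "https://op.example.com/token",
    "userinfo_endpoint": "https://op.example.com/userinfo",
    "jwks_uri": "https://op.example.com/.well-known/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
}
CLIENT_ID = "mobile-app-123"                  # constructed
CLIENT_SECRET = b"constructed-client-secret"  # constructed; a native app cannot keep one


class IDTokenError(ValueError):
    """Raised for any token that must not be trusted."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Fabricate a JWT for test input only; an RP never mints ID tokens itself."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    if alg == "none":                       # unsigned token, used to show it is rejected
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, client_id, secret, expected_nonce,
                      discovery=DISCOVERY, now=None, max_age=300) -> dict:
    """Return the verified claims or raise IDTokenError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError) as exc:
        raise IDTokenError(f"malformed token: {exc}") from exc

    # 1. The RP fixes the algorithm it accepts; "none" is never acceptable.
    if header.get("alg") != "HS256":
        raise IDTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IDTokenError("bad signature")

    # 2. Issuer must equal the discovery document's issuer exactly.
    if claims.get("iss") != discovery["issuer"]:
        raise IDTokenError("issuer mismatch")

    # 3. Audience must contain this client; with several audiences, azp is
    #    required and must name this client.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise IDTokenError("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise IDTokenError("azp missing or wrong for multi-audience token")

    # 4. Time window: not expired, and not issued unreasonably long ago.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise IDTokenError("token expired")
    if not isinstance(claims.get("iat"), (int, float)) or now - claims["iat"] > max_age:
        raise IDTokenError("token too old")

    # 5. The nonce binds the token to the authentication request this client sent.
    nonce = str(claims.get("nonce", "")).encode()
    if not hmac.compare_digest(nonce, expected_nonce.encode()):
        raise IDTokenError("nonce mismatch")
    return claims


def demo() -> dict:
    """Mint a constructed token and validate it; returns the verified claims."""
    nonce = secrets.token_urlsafe(16)
    issued = int(time.time())
    token = mint_id_token({"iss": DISCOVERY["issuer"], "sub": "user-42",
                           "aud": CLIENT_ID, "iat": issued, "exp": issued + 600,
                           "nonce": nonce}, CLIENT_SECRET)
    return validate_id_token(token, CLIENT_ID, CLIENT_SECRET, nonce)


if __name__ == "__main__":
    print(demo())
```

The check order is deliberate: nothing in the payload is read for a decision until the signature has been verified, and the accepted algorithm is pinned by the RP rather than taken from the token header.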

Page 11

OIDC Flows

•  Basic
•  Implicit
•  Hybrid

Page 12

OIDC Basic Client

•  OpenID Connect Basic Client Implementer’s Guide 1.0
•  http://openid.net/specs/openid-connect-basic-1_0.html
•  “a subset of the OpenID Connect Core 1.0 specification that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth Authorization Code Flow.”

Page 13

OIDC Basic Client Flow

•  Logical graphic goes here

Page 14

OIDC Implicit Client

•  OpenID Connect Basic Client Implementer’s Guide 1.0
•  http://openid.net/specs/openid-connect-basic-1_0.html
•  “a subset of the OpenID Connect Core 1.0 specification that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth Authorization Code Flow.”

Page 15

OIDC Implicit Client Flow

•  Graphic goes here

Page 16

Why OIDC for mobile

•  OAuth is “bad”
•  OIDC is a real spec
•  OS Level integration
   •  ID Tokens from Google Play
   •  Token Agent

Page 17

Mobile Challenges

•  Security
•  PKCE (“Pixie”) – Why we need it
•  Dynamic client registration
•  Webview vs. system browser
•  Shared sessions
•  Account chooser
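Why PKCE matters on mobile: a native app is a public client with no secret to keep, and the custom-scheme redirect URI that delivers the authorization code can be registered by another app on the same device, so an intercepted code must be useless on its own. PKCE (RFC 7636) binds the code to a one-time verifier that only the app instance that started the flow holds. The block below is an added example, not the workshop's code: it simulates both the client and a minimal authorization server in-process with the Python standard library, and all endpoints, client_ids and redirect URIs are constructed values.

```python
"""PKCE (RFC 7636) code_verifier / code_challenge for a public mobile client,
with a constructed in-process authorization server that enforces it.
Added example; endpoints, client_id and redirect_uri are constructed."""
import base64
import hashlib
import hmac
import secrets
import urllib.parse


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, inside RFC 7636's 43..128 range.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))); "plain" is only for clients
    # that cannot hash, which no mobile platform is.
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(auth_endpoint, client_id, redirect_uri, state, nonce, verifier):
    """Client step 1: the challenge travels with the request, the verifier never does."""
    params = {
        "response_type": "code", "scope": "openid profile", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state, "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256",
    }
    return auth_endpoint + "?" + urllib.parse.urlencode(params)


class AuthorizationServer:
    """Constructed OP: stores the challenge per issued code and checks the
    verifier at the token endpoint. Codes are single-use."""

    def __init__(self):
        self._pending = {}   # authorization code -> code_challenge

    def authorize(self, url: str) -> str:
        q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
        if q.get("code_challenge_method") != "S256" or "code_challenge" not in q:
            raise ValueError("plain or missing code_challenge refused")
        code = secrets.token_urlsafe(24)          # stands in for the redirect back to the app
        self._pending[code] = q["code_challenge"]
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        challenge = self._pending.pop(code, None)  # pop: a replayed code fails here
        if challenge is None:
            raise PermissionError("unknown or already used code")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            raise PermissionError("code_verifier does not match code_challenge")
        return {"access_token": "at-" + secrets.token_urlsafe(8),
                "id_token": "<id token would be here>", "token_type": "Bearer"}


def run_flow(op: AuthorizationServer, code_stolen: bool = False) -> dict:
    """Client step 2: redeem the code. With code_stolen=True the code is redeemed
    by a party that saw the redirect but never had the verifier."""
    verifier = make_code_verifier()
    url = build_authorization_url("https://op.example.com/authorize", "mobile-app-123",
                                  "com.example.app:/oauth2redirect",
                                  secrets.token_urlsafe(16), secrets.token_urlsafe(16), verifier)
    code = op.authorize(url)
    if code_stolen:
        return op.token(code, make_code_verifier())   # guessing a verifier cannot work
    return op.token(code, verifier)


if __name__ == "__main__":
    print(run_flow(AuthorizationServer()))
```

Two points the simulation makes concrete: the server pops the code so a second redemption fails even with the right verifier, and `authorize` refuses `plain` so a downgrade from S256 is not possible.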

Page 18

Questions?