CIS13: Introduction to OpenID Connect

Connect OpenID

OpenID Connect

Nat Sakimura

Chairman

Senior Researcher

C6b. New School Identity Frameworks Panel

Foundation

Connect OpenID

OAuth 2.0

Identity Layer on top of

Base Protocol

Connect OpenID

Q Identity

Connect OpenID

Identity = set of attributes related to an entity [iso 29115]

Connect OpenID

Entity Identity

Connect OpenID

Entity

Human Machine Service

Connect OpenID

No direct way to perceive

Human

Connect OpenID

Blond/grey

Silver frame glasses

6’5” tall

Connect OpenID

Entity

Identity

Identity

Sex

Mail

height

Boy Friend

Sex height

Real Name

Self Recognition

Delta between Self and 3rd Party Recognition　= interpersonal problem

Delta between Self and 3rd Party Recognition= interpersonal problem

Role

Relationship

3rd Party Recognition

Relationship

Friends

Boss

Self Recognition 3rd Party

Recognition

Street Address

Nickname

Birthday

Street Address

Employee number

licnese

performance

Connect OpenID

Man

Identity

Identity

Identity

Connect OpenID

Man

Work

Husband

Father

Connect OpenID

daughter mother

wife

girl friend

collea-gue

boss

community member friend

Woman

Connect OpenID

YOU

Identity

A

Identity

B

Identity

C

Site A

Site B

Site C

Connect OpenID

Q Why not just OAuth?

Connect OpenID

OAuth is an Access Granting Protocol

Betty’s Profile

Alice Cindy

Cindy ≠ Betty Alice ≠ Betty

Connect OpenID

Facebook extends OAuth with “signed request”

“ID Token” in OpenID Connect

Connect OpenID

Token Swap Attack

Connect OpenID

Login with Amazon

Connect OpenID

http://blog.chromium.org/2013/07/richer-access-to-google-services-and.html?m=1

Connect OpenID

Signed Request •  Works only with

a single identity provider

•  Proprietary signature format

ID Token

•  Works with multiple identity providers

•  IETF JSON Web Signature

Connect OpenID

ID Token Claims Example { "iss": "https://server.example.com",

"sub": "248289761001", "aud": "0acf77d4-b486-4c99-bd76-074ed6a64ddf",

"iat": 1311280970,

"exp": 1311281970, "nonce": "n-0S6_WzA2Mj"

}

Connect OpenID

Stick with OpenID Connect and not “OAuth Authentication”

Connect OpenID

An Identity Layer provides:

•  is the user that got authenticated Who • was he authenticated Where

• was he authenticated When • was he authenticated How •  attributes he can give you What •  he is providing them Why

Connect OpenID

Interoperable

Simple &

Mobile Friendly

Secure

Flexible

Connect OpenID

Interoperable

Simple &

Mobile Friendly

Secure

Flexible

Connect OpenID

Interoperable

Simple &

Mobile Friendly

Secure

Flexible

Connect OpenID

Interoperable

Simple &

Mobile Friendly

Secure

Flexible

Connect OpenID

Interoperable

Simple &

Mobile Friendly

Secure

Flexible

Connect OpenID

Interoperable

•  openid, profile, email, address, phone Standard scopes

•  Request object and claims Method to ask for

more granular claims

•  Info about the authenticated user ID Token

•  Get attributes about the user •  Translate the tokens UserInfo endpoint

Connect OpenID

Simple & Mobile Friendly

JSON Based

REST Friendly

In simplest cases, just copy and paste

Mobile & App Friendly

e.g., ID Token is signed JSON { "iss": "https://client.example.com", ”sub": "24400320", "aud": "s6BhdRkqt3", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970, "auth_time": 1311280969, "acr": "2", "at_hash":

"MTIzNDU2Nzg5MDEyMzQ1Ng" }

Connect OpenID

Secure

•  ISO/IEC 29115 Entity Authentication Assurance

•  Choice of crypto

LoA1

LoA2

LoA3 LoA4

Connect OpenID

Flexible

• Through Request Object (JSON) • Data Minimization

Granular Request

• Does not disclose data recipients to data sources

Aggregated Claims

• Decentralized Data Storage Distributed

Claims

Connect OpenID

Choice of your provider

Can be Google, eBay, AOL, Deutsche Telecom etc.

Can be your Phone => Self-Issued Provider

Connect OpenID

Details

Connect OpenID

Name: Alice de Wonderland Mail: [email protected] Notary: Google.

Official Google

Seal 株式会 社グー

グル印

Name: Alice de Wonderland Mail: [email protected] Notary: Google.

SAML Authentication

1.  Who are you. Get me a referral letter. Do not forget about Your email!

2. Plz write me a referral letter。

3. Here you are

Alice

4. Here is the certificate.

notary

Eve

Official Google

Seal

Connect OpenID

1.  Who are YOU? Give me a valet key to your house. Then I will trust that you are the owner of the house.

2. Can you give me a valet key to my house?

3. Here you are!

Alice

4. Her is the key!

Pseudo-Authentication using OAuth

Apartment Controller

Eve

Connect OpenID

OpenID Connect Authentication

1.  Who are you. Get me a referral letter. Do not forget about Your email!

2. Give Eve the locker Key and a referral letter.

3. Here you are!

Alice

4. Here you are

Date：2011/5/15 11:00:04 Level of Assurance：2 Verifier：Google

Official Google

Seal

Butler

Locker Locker

Eve

Date：2011/5/15 11:00:04 Level of Assurance：2 Verifier：Google

Official Google

Seal

Connect OpenID

OpenID Connect's Clams aggregation and distributed claims.

Name: Alice de Wanderland DoB: 1989/3/3 Sex: F Address: 135 Broadway., NY, NY

NY City Official

Seal

Locker

UserInfo Endpoint

Site X

Site Y Site Z

Eve

Connect OpenID

Applying it to Enterprise model

Connect OpenID

Entity

Identity

Identity

Sex

Mail

height

Boy Friend

Sex height

Real Name

Self Recognition

Delta between Self and 3rd Party Recognition　= interpersonal problem

Delta between Self and 3rd Party Recognition= interpersonal problem

Role

Relationship

3rd Party Recognition

Relationship

Friends

Boss

Self Recognition 3rd Party

Recognition

Street Address

Nickname

Birthday

Street Address

Employee number

licnese

performance

Connect OpenID

Real Name

Professional qualification

department

Geo-location

Employee number

Entity Identity Resource

Authentication

Policy Enforcement

Rules

Connect OpenID

ABAC (Attribute Based Access Control)

Based on SP800-162 figure on page viii

identity Resource

Rules

Connect OpenID

Real Name

Professional qualification

department

Geo-location

Employee number

Entity Identity

Resource

Authentication PEP

PDP

PAP

Boss Metadata

Log Log

Connect OpenID

Q What kind of “Identity” (set of attributes)

an enterprise needs?

Connect OpenID

Current Standard Claims wont do

Connect OpenID

UserInfo Claims

•  sub •  name •  given_name •  family_name •  middle_name •  nickname •  preferred_username •  profile •  picture •  website

•  gender •  birthdate •  locale •  zoneinfo •  updated_at •  email •  email_verified •  phone_number •  phone_number_verified •  address

Connect OpenID

UserInfo Claims Example { "sub": "248289761001",

"name": "Jane Doe", "given_name": "Jane",

"family_name": "Doe",

"email": "[email protected]", "email_verified": true,

"picture": "http://example.com/janedoe/me.jpg"

}

Connect OpenID

Perhaps we need standard “enterprise” claims

Connect OpenID

SCIM?

Connect OpenID

SCIM Enterprise User Schema Extension

•  employeeNumber –  Numeric or alphanumeric identifier assigned to a person, typically

based on order of hire or association with an organization. •  costCenter

–  Identifies the name of a cost center. organization Identifies the name of an organization.

•  division –  Identifies the name of a division.

•  department –  Identifies the name of a department.

•  manager –  The User's manager. A complex type that optionally allows Service

Providers to represent organizational hierarchy by referencing the "id" attribute of another User.

Connect OpenID

Not Quite.

Connect OpenID

Perhaps we need standard “enterprise” claims

Connect OpenID

Q When shall I start using OpenID Connect?

Connect OpenID

Timeline

2nd Implementers Draft Public Review (45

days)

2nd Implementers

Draft Vote (14 days)

Final Review (60 days) Final

We are here! December

2013

Connect OpenID

Q uestions?

Connect OpenID

OAuth and OpenID Connect: In the Trenches

Wednesday, July 10, 4:00 – 5:30 PM Salon C/D/E

to be continued at …

Connect OpenID

Details …

Connect OpenID

Working Together

OpenID Connect

Connect OpenID

Working Group Members •  Key working group participants:

–  Nat Sakimura – Nomura Research Institute – Japan –  John Bradley – Ping Identity – Chile –  Breno de Medeiros – Google – US –  Axel Nennker – Deutsche Telekom – Germany –  Torsten Lodderstedt – Deutsche Telekom – Germany –  Roland Hedberg – Umeå University – Sweden –  Andreas Åkre Solberg – UNINETT – Norway –  Chuck Mortimore – Salesforce – US –  Brian Campbell – Ping Identity – US –  George Fletcher – AOL – US –  Justin Richer – Mitre – US –  Nov Matake – Independent – Japan –  Mike Jones – Microsoft – US

•  By no means an exhaustive list!

Connect OpenID

Design Philosophy

Simple Things Simple

Complex Things Possible

Connect OpenID

Simple Things Simple

UserInfo endpoint for simple claims about user

Designed to work well on mobile phones

Connect OpenID

How We Make It Simple

•  Build on OAuth 2.0 •  Use JavaScript Object Notation (JSON) •  Build only the pieces that you need

•  Goal: Easy implementation on all modern development platforms

Connect OpenID

Complex Things Possible

Encrypted Claims

Aggregated Claims

Distributed Claims

Connect OpenID

A Look Under the Covers

•  ID Token •  Claims Requests •  UserInfo Claims •  Example Protocol Messages

Connect OpenID

OpenID Connect Authentication

1.  Who are you. Get me a referral letter. Do not forget about Your email!

2. Give Eve the locker Key and a referral letter.

3. Here you are!

Alice

4. Here you are

Date：2011/5/15 11:00:04 Level of Assurance：2 Verifier：Google

Official Google

Seal

Butler

Locker Locker

Bob

Date：2011/5/15 11:00:04 Level of Assurance：2 Verifier：Google

Official Google

Seal

Access Token ID Token

Connect OpenID

ID Token •  JWT representing logged-in session •  Claims:

–  iss – Issuer –  sub – Identifier for subject (user) –  aud – Audience for ID Token –  iat – Time token was issued –  exp – Expiration time –  nonce – Mitigates replay attacks –  at_hash – Left hash of the access token –  azp – Authorized Party

Connect OpenID

ID Token Claims Example { "iss": "https://server.example.com",

"sub": "alice", "aud": "https://bob.example.com",

"iat": 1311280970,

"exp": 1311281970, "nonce": "n-0S6_WzA2Mj",

"at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng",

"azp": "https://cindy.example.com/" }

Connect OpenID

at_hash makes ID Token

a detached signature for the access token

Connect OpenID

azp allows token to be used by another party

Site X

Cindy

Bob

ID Token Access Token

Connect OpenID

Using Access Token only for Authentication is Dangerous.

1.  Who are you. Get me a referral letter. Do not forget about Your email!

2. Give Eve the locker Key and a referral letter.

3. Here you are!

Alice

4. Here you are

Butler

Access Token

Eve

Connect OpenID

OpenID Connect's Clams aggregation and distributed claims.

Name: Alice de Wanderland DoB: 1989/3/3 Sex: F Address: 135 Broadway., NY, NY

NY City Official

Seal

Locker

UserInfo Endpoint

Site X

Site Y Site Z

Bob

Connect OpenID

Aggregated Claims

Data Source

Data Source

Identity Provider

Relying Party

Signed Claims

Claim Values

Connect OpenID

Distributed Claims

Identity Provider

Signed Claims

Relying Party

Claim Refs

Data Source

Data Source

Connect OpenID

Claims Requests

•  Basic requests made using OAuth scopes: –  openid – Declares request is for OpenID Connect –  profile – Requests default profile info –  email – Requests email address & verification

status –  address – Requests postal address –  phone – Requests phone number & verification

status –  offline_access – Requests Refresh Token

issuance •  Requests for individual claims can be made

using JSON “claims” request parameter

Connect OpenID

Request Object

Connect OpenID

You can register it at registration time :

request_uri

Personally Recommended

Connect OpenID

Authorization Request Example

https://server.example.com/authorize

?response_type=token%20id_token

&client_id=0acf77d4-b486-4c99-bd76-074ed6a64ddf

&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb

&scope=openid%20profile

&state=af0ifjsldkj

&nonce=n-0S6_WzA2Mj

Connect OpenID

Authorization Response Example

HTTP/1.1 302 Found

Location: https://client.example.com/cb

#access_token=mF_9.B5f-4.1JqM

&token_type=bearer

&id_token=eyJhbGzI1NiJ9.eyJz9Glnw9J.F9-V4IvQ0Z

&expires_in=3600

&state=af0ifjsldkj

Connect OpenID

UserInfo Request Example

GET /userinfo?schema=openid HTTP/1.1 Host: server.example.com

Authorization: Bearer mF_9.B5f-4.1JqM

Connect OpenID

Connect Specs Overview

Connect OpenID

Resources •  OpenID Connect

–  http://openid.net/connect/ •  OpenID Connect Working Group Mailing List

–  http://lists.openid.net/mailman/listinfo/openid-specs-ab •  OpenID Connect Interop Wiki

–  http://osis.idcommons.net/ •  OpenID Connect Interop Mailing List

–  http://groups.google.com/group/openid-connect-interop •  Mike Jones’ Blog

–  http://self-issued.info/ •  Nat Sakimura’s Blog

–  http://nat.sakimura.org/ •  John Bradley’s Blog

–  http://www.thread-safe.com/

Connect OpenID

Current Status

•  Waiting for dependencies to be completed

•  JWS, JWE, JWA, JWK IETF JOSE

WG

•  JSON Web Token (JWT) IETF OAuth WG

•  WebFinger IETF Apps WG

Connect OpenID

Interop testing underway

AOL, Google, IBM, Layer 7, Mitre, NRI, @nov, Orange, eBay, Gluu, Ping Identity, GÉANT, @ritou, Emmanuel Raviart

120+ feature tests

14 implementations

Connect OpenID

Start Building

Connect OpenID

Start Building

Now!

Connect OpenID

http://nat.sakimura.org/