Hope or Hype? A Look at the Next Generation of Identity Standards
OpenID Connect, OAuth, JOSE and JWT may be the new kids on the block, but many experts and visionaries have already anointed them to replace SAML. Is the wheel being needlessly reinvented or is genuine progress on the horizon?
Brian Campbell, Portfolio Architect, Ping Identity
CIS Napa, July 2013
Transcript
Hope or Hype? A Look at the Next Generation of Identity Standards
OpenID Connect, OAuth, JOSE and JWT may be the new kids on the block but many experts and visionaries have already anointed them to replace SAML. Is the wheel being needlessly reinvented or is genuine progress on the horizon?
Brian Campbell
CIS Napa
July 2013
@__b_c
background and layout of slides specially designed for @lpeterman & @NishantK
BACKSTORY: A Tale of Two (okay maybe more) Protocols
http://flic.kr/s/aHsjziVAwV
It was the best of times…
http://flic.kr/s/aHsjAP3nKo
SAML is DEAD!
it was the worst of times…
“Craig Burton is one of the leading visionaries and analysts in the computer industry.”*
* http://www.linkedin.com/in/burtonian
SAML
Stan and Kyle are fictional characters from the TV show South Park. I presume the show’s creators, Trey Parker & Matt Stone, are rich enough and busy enough not to bother suing me over unlicensed use in some nerdy computer presentation.
* @dak3
Burton quotes:
• “SAML is the Windows XP of Identity. No funding. No innovation. People still use it. But it has no future.”
• “No one is putting money into SAML development. No one is writing new SAML code. SAML is dead.”
it was the epoch of belief…
• OpenID Connect
• simple JSON/REST-based interoperable identity protocol built on top of the OAuth 2.0 family of specifications.
• design philosophy: “make simple things simple and make complicated things possible.”
• Wins 2012 European Identity and Cloud Award
• “OpenID Connect the award[ed] Best Innovation/New Standard this year. What’s most impressive is that this elegantly simple design resulted from the cooperation of such a diverse global set of contributors. I expect OpenID Connect to have a substantial positive impact on usable, secure identity solutions both for traditional computing platforms and mobile devices. My congratulations to the OpenID Foundation!” - Dave Kearns
• “spurs global economic growth by enabling simple and secure exchange of verified attributes from multiple sources at Internet scale.”
we were all going direct to Heaven, we were all going direct the other way
on your deathbed, you will receive total consciousness
*I did actually receive permission to use this photo
@JasonABonds
in short, the period was so far like the present period
Another Look
JOSE
WebFinger
OAuth
Connect
OAuth Refresher
Client
Resource Server
Get an access token
Use an access token
Authorization Server
Authorization Endpoint
Token Endpoint
Important Stuff
Where the magic happens
Discovery
OpenID Connect is built on OAuth
Client / Relying Party
Resource Server
Get an access token & an ID Token (JWT)
Use an access token
Authorization Server
Identity Provider or IDP or OpenID Provider or OP
Authorization Endpoint
Token Endpoint
Important Stuff
Userinfo Endpoint
Registration Endpoint
JWKS Endpoint
JWKS Endpoint
Validate (JWT) ID Token
/.well-known/webfinger and /.well-known/openid-configuration
Check Session IFrame
End Session Endpoint
jot or not?
The JWT:
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVVVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
The Header:
{"kid":"5","alg":"ES256"}
The Payload:
{"iss":"https:\/\/idp.example.com","exp":1357255788,"aud":"https:\/\/sp.example.org","jti":"tmYvYVU2x8LvN72B5Q_EacH._5A","acr":"2","sub":"Brian"}
• Why the ID Token?
– Access Token is a message to the protected resource about authorization
– ID Token is a message to the client about user authentication
• Motivation and consequence
– Sharing/misusing a regular AT isn’t particularly harmful or enticing
– Unless it can be used to access at the client
• Which is exactly what the ID Token is for and it has built in protections
• But why two?
– Connect didn’t really have the liberty to encroach on the access token
two is better than one
• JSON based & more RESTafarian friendly
• Simplicity (esp. in JW* or JW[STEAK])
• API & SSO together
• Better support for mobile
• Shifted burden of complexity
• Webfinger based Discovery
• Provider Configuration Info at a “well-known” location
• Defined interaction sequence for client registration
• Keys included with but decoupled from discovery/registration
• Totally new approach to SLO / session