OpenID Connect: An Overview
Pat Patterson, Developer Evangelist Architect
salesforce.com / @metadaddy
What is OpenID Connect?
Simple Identity Layer for the Internet
"[OpenID Connect] allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner."
What is OpenID Connect?
• Specification defined by OpenID Foundation 'Connect' Work Group
  – NRI, Ping Identity, Microsoft, Google, Salesforce etc
• Built on OAuth 2.0
• REST-based
• Successor to SAML?
OpenID Connect Status
• 'Nearly complete'
  – Second set of OpenID Connect Implementer's Drafts approved in July, 2013
  – Interop testing under way
  – Waiting for dependencies to be standardized
    • JWT, JWS etc
OpenID Connect Specification
• OpenID Connect 1.0 Specification
  – Core
  – Discovery (optional)
  – Dynamic Registration (optional)
  – Session Management (optional)
  – OAuth 2.0 Multiple Response Types
• Implementer's Guides
  – Basic Client Profile
  – Implicit Client Profile
OpenID Connect Roles
Web-based, mobile, or JavaScript Clients verify the identity of End-Users based on authentication performed by an Authorization Server.
OpenID Connect Basic Client Profile
OpenID Connect Implicit Client Profile
OpenID Connect Token Response
{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "id_token": "eyJ0 ... NiJ9.eyJ1c ... ZXso"
}
• id_token is a JSON Web Token (JWT)
  – Signed, URL/filename-safe base64 encoded JSON data
OpenID Connect ID Token
{
  "iss": "https://server.example.com",
  "sub": "24400320",
  "aud": "s6BhdRkqt3",
  "exp": 1311281970,
  "iat": 1311280970
}
• Issuer, Subject, Audience, Expiry, Issued At
• Also optional email, auth_time, nonce etc
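The client-side checks these claims imply, as an added example (not code from the slides or from Salesforce): build a JWT in the header.payload.signature form the token response shows, then verify its signature and validate iss, aud, exp and iat before trusting the subject. It assumes an HS256 shared secret for self-containment; a real OpenID Provider normally signs with RS256 and publishes its keys via Discovery, which only changes the signature step.

```python
import base64, hashlib, hmac, json

# Constructed demo secret; stands in for the provider's signing key.
DEMO_SECRET = b"constructed-demo-secret"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint a signed JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token: str, issuer: str, client_id: str, now: int,
                      secret: bytes = DEMO_SECRET) -> dict:
    """Verify the signature, then check iss / aud / exp / iat; raise on any failure."""
    header, payload, sig = token.split(".")
    # Pin the expected algorithm instead of trusting the token's own header.
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # may be a single string or a list of client_ids
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("iat", 0) > now:
        raise ValueError("token issued in the future")
    return claims

def is_valid(token: str, issuer: str, client_id: str, now: int) -> bool:
    """Boolean wrapper around validate_id_token for callers that just need a verdict."""
    try:
        validate_id_token(token, issuer, client_id, now)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Claims taken from the ID Token slide; 'now' is a constructed clock inside the validity window.
    tok = make_id_token({"iss": "https://server.example.com", "sub": "24400320",
                         "aud": "s6BhdRkqt3", "exp": 1311281970, "iat": 1311280970})
    print(validate_id_token(tok, "https://server.example.com", "s6BhdRkqt3", 1311281000)["sub"])
```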
Who is Deploying OpenID Connect?
• Services: Google, Salesforce, eBay, AOL, Deutsche Telekom, Orange
• Vendors: IBM, Microsoft, Ping Identity, Layer 7, ForgeRock, Gluu, MITRE, NRI
OpenID Connect in Action
• Client: Salesforce Community
• Auth Server: Google
• End User: Me!
Salesforce Community Login Page
Google Login Page
Google Authorization Page
Salesforce Community Home Page
Questions?
Pat Patterson, Developer Evangelist Architect
salesforce.com / @metadaddy