SlideShare a Scribd company logo

OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAuth 2.0

Download as PPTX, PDF
Brian Campbell
Brian Campbell

OpenID Connect is a simple single sign-on and identity layer built on OAuth 2.0, designed to streamline user authentication without the complexities of managing passwords. It allows developers to easily identify users across diverse applications while shifting the complexity of identity management to the identity provider. The presentation outlines the basic client profile, emphasizing the streamlined process for securely obtaining user identity information.

SoftwareTechnology
1 of 41
Downloaded 483 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
OpenID Connect a simple[sic] single sign-on & identity layer on top of OAuth 2.0 Brian Campbell @__b_c Copyright © 2014 Brian Campbell. All rights reserved.
Copyright © 2014 Brian Campbell. All rights reserved. 2 Agenda • Introductions • Framing the Problem • OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile • Random Thoughts
Copyright © 2014 Brian Campbell. All rights reserved. 3 Who Dat? Brian Campbell Some Meaningless Title & 10+ years @ Used to write a lot of code Now active in standards development Identity is ubiquitous. Regardless of the kind of applications you develop you will, at some point, almost certainly have to deal with identifying users of the app. Yet it's seldom a central part of the app’s value proposition and rarely a core competency for developers. Wouldn’t it be nice to outsource user authentication and free yourself from the liability and complexity of storing and managing passwords? OpenID Connect, just ratified earlier this year and backed by some big industry names, is emerging as the go to standard way to do exactly that. Connect allows you to easily and securely get an answer to the question: “What is the identity of the person currently using this browser or native app?” Unlike some of it’s predecessors, however, Connect has roots spanning the consumer, SaaS and enterprise space and is better suited to serve a diverse set of deployments. Come find out more about Connect in this talk from a seasoned veteran of the prestigious basement conference rooms at GlueCon. Cardboard box
Copyright © 2014 Brian Campbell. All rights reserved. 4 Speaker Credentials
Copyright © 2014 Brian Campbell. All rights reserved. 5 Speaker Credentials
Copyright © 2014 Brian Campbell. All rights reserved. 6 Speaker Credentials Prominently mentioned on the second to last page that nobody will ever read just before the copyright notices
Copyright © 2014 Brian Campbell. All rights reserved. 7 Agenda • Introductions • Framing the Problem • OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile • Random Thoughts
Copyright © 2014 Brian Campbell. All rights reserved. 8 Passwords are Broken For Users Death by a Thousand Passwords true story: “holyfucknotanotherfuckingpassword1”
Copyright © 2014 Brian Campbell. All rights reserved. 9 Passwords are Broken For Users What? A Well Regarded Fortune 500 Financial Services Company
Copyright © 2014 Brian Campbell. All rights reserved. 10 Passwords also Broken for Service Providers • Hell on user registration conversion rates • Managing passwords is hard – Just ask Adobe or LinkedIn or Kickstarter or…
Copyright © 2014 Brian Campbell. All rights reserved. 11 Agenda • Introductions • Framing the Problem • OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile • Random Thoughts
Copyright © 2014 Brian Campbell. All rights reserved. 12 Introducing OpenID Connect • Easily and securely get an answer to the question: “What is the identity of the person currently using this browser or native app?” – Without taking on the responsibility of storing and managing passwords, which is nice • Built on top of OAuth 2.0 using familiar and widely available stuff like JSON and HTTP • Adds an ID Token (JWT) for user authentication to the client • API access and SSO together
Copyright © 2014 Brian Campbell. All rights reserved. 13 Unlike Predecessors
Copyright © 2014 Brian Campbell. All rights reserved. 14 OAuth 2.0 In A Nutshell Client Resource Server Authorization Server Authorization Endpoint Token Endpoint Important Stuff Where the magic happens
Copyright © 2014 Brian Campbell. All rights reserved. 15 OAuth 2.0 JOSE WebFinger OpenID Connect
Copyright © 2014 Brian Campbell. All rights reserved. 16 OpenID Connect is built on OAuth 2.0 Discovery Client Relying Party Resource Server Authorization Server Identity Provider or IDP or OpenID Provider or OP Authorization Endpoint Token Endpoint Important Stuff Userinfo Endpoint Registration Endpoint JWKS Endpoint JWKS Endpoint Validate (JWT) ID Token /.well-known /webfinger /openid-configuration Check Session IFrame End Session Endpoint
Copyright © 2014 Brian Campbell. All rights reserved. 17 Didn’t Someone Say “Simple”? • It wasn’t me • It’s not simple, it’s complicated • But the burden of complexity has been shifted to the Identity Provider, where it’s more appropriate • Many deployments can be à la carte Mr. Boombastic https://www.flickr.com/photos/67589493@N00/166195826 (cropped) https://creativecommons.org/licenses/by/2.0/
Copyright © 2014 Brian Campbell. All rights reserved. 18 Agenda • Introductions • Framing the Problem • OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile • Random Thoughts
Copyright © 2014 Brian Campbell. All rights reserved. 19 Basic Client • OpenID Connect Basic Client Implementer's Guide 1.0 – http://openid.net/specs/openid-connect-basic-1_0.html • “a subset of the OpenID Connect Core 1.0 specification that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth Authorization Code Flow.”
Copyright © 2014 Brian Campbell. All rights reserved. 20 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request
Copyright © 2014 Brian Campbell. All rights reserved. 21 Basic Client Flow End-User / Browser Client Auth Server https://connect-interop.pinglabs.org:9031/as/authorization.oauth2? client_id=some-client-identifier& response_type=code& scope=openid profile email address phone& state=meh234& redirect_uri=https://client.example.io/cb Redirect w/ Authentication Request Authentication Request not encoded for readability
Copyright © 2014 Brian Campbell. All rights reserved. 22 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User
Copyright © 2014 Brian Campbell. All rights reserved. 23 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User
Copyright © 2014 Brian Campbell. All rights reserved. 24 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent
Copyright © 2014 Brian Campbell. All rights reserved. 25 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent
Copyright © 2014 Brian Campbell. All rights reserved. 26 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code
Copyright © 2014 Brian Campbell. All rights reserved. 27 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code https://client.example.io/cb? state=meh234& code=JbXAZUzro_ka3htpQSePwxOMjTfQX8RxmRELgiP1
Copyright © 2014 Brian Campbell. All rights reserved. 28 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code
Copyright © 2014 Brian Campbell. All rights reserved. 29 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code POST /as/token.oauth2 HTTP/1.1 Host: connect-interop.pinglabs.org:9031 Content-Length: 185 Content-Type: application/x-www-form-urlencoded client_id=some-client-identifier& grant_type=authorization_code& client_secret=super-duper-password& redirect_uri=https://client.example.io/cb& code=JbXAZUzro_ka3htpQSePwxOMjTfQX8RxmRELgiP1 not encoded for readability
Copyright © 2014 Brian Campbell. All rights reserved. 30 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code Token Response w/ access & ID token
Copyright © 2014 Brian Campbell. All rights reserved. 31 Basic Client Flow End-User / Browser Token Response w/ access & ID token Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code HTTP/1.1 200 OK Date: Tue, 13 May 2014 15:43:14 GMT Cache-Control: no-cache, no-store Pragma: no-cache max-age: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: application/json;charset=UTF-8 Expires: Thu, 01 Jan 1970 00:00:00 GMT Transfer-Encoding: chunked {"token_type":"Bearer", "expires_in":600, "id_token":"eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMDAxIiwiYXVkIjoic 29tZS1jbGllbnQtaWRlbnRpZmllciIsImp0aSI6Ijc2UnJHdkM1bDNRT 1BPMDVwTGpVdmEiLCJpc3MiOiJodHRwczpcL1wvY29ubmVjdC1p bnRlcm9wLnBpbmdsYWJzLm9yZzo5MDMxIiwiaWF0IjoxMzk5OTk 1Nzg1LCJleHAiOjEzOTk5OTYzODV9.", "access_token":"zfrQZYtamGHS6ZYXdSV4Yo"}
Copyright © 2014 Brian Campbell. All rights reserved. 32 Token Response w/ access & ID token Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code eyJhbGciOiJub25lIn0. eyJzdWIiOiIxMDAxIiwiYXVkIjoic29tZS1jbGllbnQtaWRlbnRpZmllciI sImp0aSI6Ijc2UnJHdkM1bDNRT1BPMDVwTGpVdmEiLCJpc3MiOiJ odHRwczpcL1wvY29ubmVjdC1pbnRlcm9wLnBpbmdsYWJzLm9yZ zo5MDMxIiwiaWF0IjoxMzk5OTk1Nzg1LCJleHAiOjEzOTk5OTYzOD V9. {"alg":"none”} {"sub":"1001", "aud":"some-client-identifier", "jti":"76RrGvC5l3QOPO05pLjUva", "iss":"https://connect-interop.pinglabs.org:9031", "iat":1399995785, "exp":1399996385}
Copyright © 2014 Brian Campbell. All rights reserved. 33 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code Token Response w/ access & ID token User Info Request w/ access token
Copyright © 2014 Brian Campbell. All rights reserved. 34 Token Response w/ access & ID token Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code GET /idp/userinfo.openid HTTP/1.1 Host: connect-interop.pinglabs.org:9031 Accept: */* Authorization: Bearer zfrQZYtamGHS6ZYXdSV4Yo User Info Request w/ access token
Copyright © 2014 Brian Campbell. All rights reserved. 35 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code Token Response w/ access & ID token User Info Response User Info Request w/ access token
Copyright © 2014 Brian Campbell. All rights reserved. 36 User Info Request w/ access token Token Response w/ access & ID token Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code User Info Response HTTP/1.1 200 OK Date: Tue, 13 May 2014 15:44:13 GMT Content-Type: application/json;charset=UTF-8 {"sub": "1001", "name": "Joe Doe", "given_name": "Joe", "family_name": "Doe", "preferred_username": "joe", "email": "joe.doe@pinglabs.org", "picture": "http://farm8.staticflickr.com/7224/7395022014_1f6f3b33c8_m.jpg", "address":{"formatted":"1234 South North Street, Amherst, MA 01002"}, "phone_number":"+1 (413) 867-5309"}
Copyright © 2014 Brian Campbell. All rights reserved. 37 That was Simple? • There are a lot of lines… • But from the Client’s perspective – Send the user off somewhere – Wait for them to show up on a callback – Make two simple HTTPS calls and validate some data – Done
Copyright © 2014 Brian Campbell. All rights reserved. 38 Agenda • Introductions • Framing the Problem • OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile • Random Thoughts
Copyright © 2014 Brian Campbell. All rights reserved. 39 It’s Not All Rainbows & Unicorns • SAML’s IDP initiated POST is easily the most successful SSO deployment for the enterprise market • Some impedance mismatch as Connect doesn’t have straightforward equivalents
Copyright © 2014 Brian Campbell. All rights reserved. 40 Tweet Bait https://twitter.com/cloud_opinion/status/459481058480648193 one picture of a goat
Copyright © 2014 Brian Campbell. All rights reserved. 41 I’m Done.

More Related Content

What's hot (20)

PDF
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...
MikeLeszcz
 
PPTX
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
OpenIDFoundation
 
PDF
The “I” in API is for Identity (Nordic APIS April 2014)
Nordic APIs
 
PDF
OIDF Workshop 4/29/2019 -- OpenID Certification Update
OpenIDFoundation
 
PDF
OpenID Certification Program Update - 2018-04-02
MikeLeszcz
 
PPTX
OpenID Foundation MODRNA WG Update
Bjorn Hjelm
 
PDF
OpenID Foundation Workshop at EIC 2018 - OpenID Certification Update
MikeLeszcz
 
PDF
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CloudIDSummit
 
PPTX
APIdays London 2020: Toward certifying Financial-grade API security profile w...
Hitachi, Ltd. OSS Solution Center.
 
PDF
OAuth 2.0 Threat Landscapes
Prabath Siriwardena
 
PDF
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OpenIDFoundation
 
PDF
Message based microservices architectures driven with docker
Docker, Inc.
 
PDF
Strong Customer Authentication - All Your Questions Answered
WSO2
 
PPTX
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays
 
PDF
OBIE Directory Integration - A Technical Deep Dive
WSO2
 
PDF
CIS 2015 Extreme OpenID Connect - John Bradley
CloudIDSummit
 
PDF
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
Hitachi, Ltd. OSS Solution Center.
 
PDF
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Hitachi, Ltd. OSS Solution Center.
 
PPTX
Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Lucas Jellema
 
PPTX
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays
 
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...
MikeLeszcz
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
OpenIDFoundation
 
The “I” in API is for Identity (Nordic APIS April 2014)
Nordic APIs
 
OIDF Workshop 4/29/2019 -- OpenID Certification Update
OpenIDFoundation
 
OpenID Certification Program Update - 2018-04-02
MikeLeszcz
 
OpenID Foundation MODRNA WG Update
Bjorn Hjelm
 
OpenID Foundation Workshop at EIC 2018 - OpenID Certification Update
MikeLeszcz
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CloudIDSummit
 
APIdays London 2020: Toward certifying Financial-grade API security profile w...
Hitachi, Ltd. OSS Solution Center.
 
OAuth 2.0 Threat Landscapes
Prabath Siriwardena
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect for Identity As...
OpenIDFoundation
 
Message based microservices architectures driven with docker
Docker, Inc.
 
Strong Customer Authentication - All Your Questions Answered
WSO2
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays
 
OBIE Directory Integration - A Technical Deep Dive
WSO2
 
CIS 2015 Extreme OpenID Connect - John Bradley
CloudIDSummit
 
APIdays Paris 2019 : Financial-grade API (FAPI) Security Profile
Hitachi, Ltd. OSS Solution Center.
 
Consideration on Holder-of-Key Bound Token < from Financial-grade API (FAPI) ...
Hitachi, Ltd. OSS Solution Center.
 
Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Lucas Jellema
 
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays
 

Viewers also liked (9)

PPTX
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
PDF
Single Sign On with OAuth and OpenID
Gasperi Jerome
 
PDF
Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013
Justin Richer
 
PDF
OpenID Connect Explained
Vladimir Dzhuvinov
 
PDF
OpenID Authentication by example
Chris Vertonghen
 
PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
PDF
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
PDF
Introduction to OpenID Connect
Nat Sakimura
 
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
Single Sign On with OAuth and OpenID
Gasperi Jerome
 
Auth in the extended enterprise - Keynote for MIT Legal Hack A Thon 2013
Justin Richer
 
OpenID Connect Explained
Vladimir Dzhuvinov
 
OpenID Authentication by example
Chris Vertonghen
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Introduction to OpenID Connect
Nat Sakimura
 
Ad

Similar to OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAuth 2.0 (20)

PPTX
Mobile Single Sign-On (Gluecon '15)
Brian Campbell
 
PPTX
Mobile SSO: are we there yet?
Brian Campbell
 
PDF
CIS 2015- Mobile SSO: Are We There Yet? - Brian Campbell
CloudIDSummit
 
PDF
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
CA API Management
 
PPTX
Denver Startup Week '15: Mobile SSO
Brian Campbell
 
PDF
Facebook & OAuth
Danny Deng
 
PPTX
How ANICO Brought Subsidiary Systems Together to Communicate with Policyholde...
Davalen LLC
 
PDF
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CloudIDSummit
 
PDF
CIS 2015 Extreme OAuth - Paul Meyer
CloudIDSummit
 
PPTX
Managing Identity without Boundaries
Ping Identity
 
PDF
Demystifying Cloud Security
Ben Clay, CSP (IoT - Expert)
 
PPTX
Supercharging Optimizely Performance by Moving Decisions to the Edge
Optimizely
 
PDF
Patterns to Bring Enterprise and Social Identity to the Cloud
CA API Management
 
PPTX
Securing Microservices with Spring Cloud Security
Will Tran
 
PPTX
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
apidays
 
PDF
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer
 
PDF
apidays Paris 2022 - API design best practices, Ryan Clifford & Ros Bennis, F...
apidays
 
PDF
Ensure the security of your HCL environment by applying the Zero Trust princi...
Roland Driesen
 
PPTX
eFolder Partner Chat Webinar — ShadowProtect vs. Replibit: Factors to Consider
eFolder
 
PDF
Tracking license compliance made easy - intro to Grant (OSS)
Anchore
 
Mobile Single Sign-On (Gluecon '15)
Brian Campbell
 
Mobile SSO: are we there yet?
Brian Campbell
 
CIS 2015- Mobile SSO: Are We There Yet? - Brian Campbell
CloudIDSummit
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
CA API Management
 
Denver Startup Week '15: Mobile SSO
Brian Campbell
 
Facebook & OAuth
Danny Deng
 
How ANICO Brought Subsidiary Systems Together to Communicate with Policyholde...
Davalen LLC
 
CIS 2015 What’s next? Discovery, Dynamic Registration, Mobile Connect and mor...
CloudIDSummit
 
CIS 2015 Extreme OAuth - Paul Meyer
CloudIDSummit
 
Managing Identity without Boundaries
Ping Identity
 
Demystifying Cloud Security
Ben Clay, CSP (IoT - Expert)
 
Supercharging Optimizely Performance by Moving Decisions to the Edge
Optimizely
 
Patterns to Bring Enterprise and Social Identity to the Cloud
CA API Management
 
Securing Microservices with Spring Cloud Security
Will Tran
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
apidays
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer
 
apidays Paris 2022 - API design best practices, Ryan Clifford & Ros Bennis, F...
apidays
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Roland Driesen
 
eFolder Partner Chat Webinar — ShadowProtect vs. Replibit: Factors to Consider
eFolder
 
Tracking license compliance made easy - intro to Grant (OSS)
Anchore
 
Ad

More from Brian Campbell (13)

PPTX
The Burden of Proof
Brian Campbell
 
PPTX
Token Binding Identiverse 2018
Brian Campbell
 
PPTX
IAM Overview Identiverse 2018
Brian Campbell
 
PPTX
Identity and Access Management - RSA 2017 Security Foundations Seminar
Brian Campbell
 
PDF
OAuth 2.0 Token Exchange: An STS for the REST of Us
Brian Campbell
 
PPTX
I Left My JWT in San JOSE
Brian Campbell
 
PPTX
JOSE Can You See...
Brian Campbell
 
PPTX
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
Brian Campbell
 
PPTX
Hope or Hype: A Look at the Next Generation of Identity Standards
Brian Campbell
 
PPTX
Introduction to the Emerging JSON-Based Identity and Security Protocols
Brian Campbell
 
PPTX
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
Brian Campbell
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
 
PDF
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
Brian Campbell
 
The Burden of Proof
Brian Campbell
 
Token Binding Identiverse 2018
Brian Campbell
 
IAM Overview Identiverse 2018
Brian Campbell
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
Brian Campbell
 
OAuth 2.0 Token Exchange: An STS for the REST of Us
Brian Campbell
 
I Left My JWT in San JOSE
Brian Campbell
 
JOSE Can You See...
Brian Campbell
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
Brian Campbell
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Brian Campbell
 
Introduction to the Emerging JSON-Based Identity and Security Protocols
Brian Campbell
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
Brian Campbell
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
 
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
Brian Campbell
 

Recently uploaded (20)

PPTX
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
Shane Coughlan
 
PDF
iTop VPN With Crack Lifetime Activation Key-CODE
utfefguu
 
PPTX
ChiSquare Procedure in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PDF
Odoo CRM vs Zoho CRM: Honest Comparison 2025
Odiware Technologies Private Limited
 
PPTX
Customise Your Correlation Table in IBM SPSS Statistics.pptx
Version 1 Analytics
 
PDF
vMix Pro 28.0.0.42 Download vMix Registration key Bundle
kulindacore
 
PDF
Driver Easy Pro 6.1.1 Crack Licensce key 2025 FREE
utfefguu
 
PDF
AOMEI Partition Assistant Crack 10.8.2 + WinPE Free Downlaod New Version 2025
bashirkhan333g
 
PPTX
Homogeneity of Variance Test Options IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PPTX
Home Care Tools: Benefits, features and more
Third Rock Techkno
 
PDF
AI + DevOps = Smart Automation with devseccops.ai.pdf
Devseccops.ai
 
PDF
IDM Crack with Internet Download Manager 6.42 Build 43 with Patch Latest 2025
bashirkhan333g
 
PPTX
Comprehensive Risk Assessment Module for Smarter Risk Management
EHA Soft Solutions
 
PDF
Empower Your Tech Vision- Why Businesses Prefer to Hire Remote Developers fro...
logixshapers59
 
PDF
Automate Cybersecurity Tasks with Python
VICTOR MAESTRE RAMIREZ
 
PDF
Top Agile Project Management Tools for Teams in 2025
Orangescrum
 
PPTX
Finding Your License Details in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PPTX
Agentic Automation Journey Session 1/5: Context Grounding and Autopilot for E...
klpathrudu
 
PDF
NEW-Viral>Wondershare Filmora 14.5.18.12900 Crack Free
sherryg1122g
 
PDF
MiniTool Partition Wizard Free Crack + Full Free Download 2025
bashirkhan333g
 
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
Shane Coughlan
 
iTop VPN With Crack Lifetime Activation Key-CODE
utfefguu
 
ChiSquare Procedure in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
Odoo CRM vs Zoho CRM: Honest Comparison 2025
Odiware Technologies Private Limited
 
Customise Your Correlation Table in IBM SPSS Statistics.pptx
Version 1 Analytics
 
vMix Pro 28.0.0.42 Download vMix Registration key Bundle
kulindacore
 
Driver Easy Pro 6.1.1 Crack Licensce key 2025 FREE
utfefguu
 
AOMEI Partition Assistant Crack 10.8.2 + WinPE Free Downlaod New Version 2025
bashirkhan333g
 
Homogeneity of Variance Test Options IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
Home Care Tools: Benefits, features and more
Third Rock Techkno
 
AI + DevOps = Smart Automation with devseccops.ai.pdf
Devseccops.ai
 
IDM Crack with Internet Download Manager 6.42 Build 43 with Patch Latest 2025
bashirkhan333g
 
Comprehensive Risk Assessment Module for Smarter Risk Management
EHA Soft Solutions
 
Empower Your Tech Vision- Why Businesses Prefer to Hire Remote Developers fro...
logixshapers59
 
Automate Cybersecurity Tasks with Python
VICTOR MAESTRE RAMIREZ
 
Top Agile Project Management Tools for Teams in 2025
Orangescrum
 
Finding Your License Details in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
Agentic Automation Journey Session 1/5: Context Grounding and Autopilot for E...
klpathrudu
 
NEW-Viral>Wondershare Filmora 14.5.18.12900 Crack Free
sherryg1122g
 
MiniTool Partition Wizard Free Crack + Full Free Download 2025
bashirkhan333g
 

OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAuth 2.0

  • 1. OpenID Connect a simple[sic] single sign-on & identity layer on top of OAuth 2.0 Brian Campbell @__b_c Copyright © 2014 Brian Campbell. All rights reserved.
  • 2. Copyright © 2014 Brian Campbell. All rights reserved. 2 Agenda • Introductions • Framing the Problem • OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile • Random Thoughts
  • 3. Copyright © 2014 Brian Campbell. All rights reserved. 3 Who Dat? Brian Campbell Some Meaningless Title & 10+ years @ Used to write a lot of code Now active in standards development Identity is ubiquitous. Regardless of the kind of applications you develop you will, at some point, almost certainly have to deal with identifying users of the app. Yet it's seldom a central part of the app’s value proposition and rarely a core competency for developers. Wouldn’t it be nice to outsource user authentication and free yourself from the liability and complexity of storing and managing passwords? OpenID Connect, just ratified earlier this year and backed by some big industry names, is emerging as the go to standard way to do exactly that. Connect allows you to easily and securely get an answer to the question: “What is the identity of the person currently using this browser or native app?” Unlike some of it’s predecessors, however, Connect has roots spanning the consumer, SaaS and enterprise space and is better suited to serve a diverse set of deployments. Come find out more about Connect in this talk from a seasoned veteran of the prestigious basement conference rooms at GlueCon. Cardboard box
  • 4. Copyright © 2014 Brian Campbell. All rights reserved. 4 Speaker Credentials
  • 5. Copyright © 2014 Brian Campbell. All rights reserved. 5 Speaker Credentials
  • 6. Copyright © 2014 Brian Campbell. All rights reserved. 6 Speaker Credentials Prominently mentioned on the second to last page that nobody will ever read just before the copyright notices
  • 7. Copyright © 2014 Brian Campbell. All rights reserved. 7 Agenda • Introductions • Framing the Problem • OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile • Random Thoughts
  • 8. Copyright © 2014 Brian Campbell. All rights reserved. 8 Passwords are Broken For Users Death by a Thousand Passwords true story: “holyfucknotanotherfuckingpassword1”
  • 9. Copyright © 2014 Brian Campbell. All rights reserved. 9 Passwords are Broken For Users What? A Well Regarded Fortune 500 Financial Services Company
  • 10. Copyright © 2014 Brian Campbell. All rights reserved. 10 Passwords also Broken for Service Providers • Hell on user registration conversion rates • Managing passwords is hard – Just ask Adobe or LinkedIn or Kickstarter or…
  • 11. Copyright © 2014 Brian Campbell. All rights reserved. 11 Agenda • Introductions • Framing the Problem • OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile • Random Thoughts
  • 12. Copyright © 2014 Brian Campbell. All rights reserved. 12 Introducing OpenID Connect • Easily and securely get an answer to the question: “What is the identity of the person currently using this browser or native app?” – Without taking on the responsibility of storing and managing passwords, which is nice • Built on top of OAuth 2.0 using familiar and widely available stuff like JSON and HTTP • Adds an ID Token (JWT) for user authentication to the client • API access and SSO together
  • 13. Copyright © 2014 Brian Campbell. All rights reserved. 13 Unlike Predecessors
  • 14. Copyright © 2014 Brian Campbell. All rights reserved. 14 OAuth 2.0 In A Nutshell Client Resource Server Authorization Server Authorization Endpoint Token Endpoint Important Stuff Where the magic happens
  • 15. Copyright © 2014 Brian Campbell. All rights reserved. 15 OAuth 2.0 JOSE WebFinger OpenID Connect
  • 16. Copyright © 2014 Brian Campbell. All rights reserved. 16 OpenID Connect is built on OAuth 2.0 Discovery Client Relying Party Resource Server Authorization Server Identity Provider or IDP or OpenID Provider or OP Authorization Endpoint Token Endpoint Important Stuff Userinfo Endpoint Registration Endpoint JWKS Endpoint JWKS Endpoint Validate (JWT) ID Token /.well-known /webfinger /openid-configuration Check Session IFrame End Session Endpoint
  • 17. Copyright © 2014 Brian Campbell. All rights reserved. 17 Didn’t Someone Say “Simple”? • It wasn’t me • It’s not simple, it’s complicated • But the burden of complexity has been shifted to the Identity Provider, where it’s more appropriate • Many deployments can be à la carte Mr. Boombastic https://www.flickr.com/photos/67589493@N00/166195826 (cropped) https://creativecommons.org/licenses/by/2.0/
  • 18. Copyright © 2014 Brian Campbell. All rights reserved. 18 Agenda • Introductions • Framing the Problem • OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile • Random Thoughts
  • 19. Copyright © 2014 Brian Campbell. All rights reserved. 19 Basic Client • OpenID Connect Basic Client Implementer's Guide 1.0 – http://openid.net/specs/openid-connect-basic-1_0.html • “a subset of the OpenID Connect Core 1.0 specification that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth Authorization Code Flow.”
  • 20. Copyright © 2014 Brian Campbell. All rights reserved. 20 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request
  • 21. Copyright © 2014 Brian Campbell. All rights reserved. 21 Basic Client Flow End-User / Browser Client Auth Server https://connect-interop.pinglabs.org:9031/as/authorization.oauth2? client_id=some-client-identifier& response_type=code& scope=openid profile email address phone& state=meh234& redirect_uri=https://client.example.io/cb Redirect w/ Authentication Request Authentication Request not encoded for readability
  • 22. Copyright © 2014 Brian Campbell. All rights reserved. 22 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User
  • 23. Copyright © 2014 Brian Campbell. All rights reserved. 23 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User
  • 24. Copyright © 2014 Brian Campbell. All rights reserved. 24 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent
  • 25. Copyright © 2014 Brian Campbell. All rights reserved. 25 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent
  • 26. Copyright © 2014 Brian Campbell. All rights reserved. 26 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code
  • 27. Copyright © 2014 Brian Campbell. All rights reserved. 27 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code https://client.example.io/cb? state=meh234& code=JbXAZUzro_ka3htpQSePwxOMjTfQX8RxmRELgiP1
  • 28. Copyright © 2014 Brian Campbell. All rights reserved. 28 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code
  • 29. Copyright © 2014 Brian Campbell. All rights reserved. 29 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code POST /as/token.oauth2 HTTP/1.1 Host: connect-interop.pinglabs.org:9031 Content-Length: 185 Content-Type: application/x-www-form-urlencoded client_id=some-client-identifier& grant_type=authorization_code& client_secret=super-duper-password& redirect_uri=https://client.example.io/cb& code=JbXAZUzro_ka3htpQSePwxOMjTfQX8RxmRELgiP1 not encoded for readability
  • 30. Copyright © 2014 Brian Campbell. All rights reserved. 30 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code Token Response w/ access & ID token
  • 31. Copyright © 2014 Brian Campbell. All rights reserved. 31 Basic Client Flow End-User / Browser Token Response w/ access & ID token Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code HTTP/1.1 200 OK Date: Tue, 13 May 2014 15:43:14 GMT Cache-Control: no-cache, no-store Pragma: no-cache max-age: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: application/json;charset=UTF-8 Expires: Thu, 01 Jan 1970 00:00:00 GMT Transfer-Encoding: chunked {"token_type":"Bearer", "expires_in":600, "id_token":"eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMDAxIiwiYXVkIjoic 29tZS1jbGllbnQtaWRlbnRpZmllciIsImp0aSI6Ijc2UnJHdkM1bDNRT 1BPMDVwTGpVdmEiLCJpc3MiOiJodHRwczpcL1wvY29ubmVjdC1p bnRlcm9wLnBpbmdsYWJzLm9yZzo5MDMxIiwiaWF0IjoxMzk5OTk 1Nzg1LCJleHAiOjEzOTk5OTYzODV9.", "access_token":"zfrQZYtamGHS6ZYXdSV4Yo"}
  • 32. Copyright © 2014 Brian Campbell. All rights reserved. 32 Token Response w/ access & ID token Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code eyJhbGciOiJub25lIn0. eyJzdWIiOiIxMDAxIiwiYXVkIjoic29tZS1jbGllbnQtaWRlbnRpZmllciI sImp0aSI6Ijc2UnJHdkM1bDNRT1BPMDVwTGpVdmEiLCJpc3MiOiJ odHRwczpcL1wvY29ubmVjdC1pbnRlcm9wLnBpbmdsYWJzLm9yZ zo5MDMxIiwiaWF0IjoxMzk5OTk1Nzg1LCJleHAiOjEzOTk5OTYzOD V9. {"alg":"none”} {"sub":"1001", "aud":"some-client-identifier", "jti":"76RrGvC5l3QOPO05pLjUva", "iss":"https://connect-interop.pinglabs.org:9031", "iat":1399995785, "exp":1399996385}
  • 33. Copyright © 2014 Brian Campbell. All rights reserved. 33 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code Token Response w/ access & ID token User Info Request w/ access token
  • 34. Copyright © 2014 Brian Campbell. All rights reserved. 34 Token Response w/ access & ID token Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code GET /idp/userinfo.openid HTTP/1.1 Host: connect-interop.pinglabs.org:9031 Accept: */* Authorization: Bearer zfrQZYtamGHS6ZYXdSV4Yo User Info Request w/ access token
  • 35. Copyright © 2014 Brian Campbell. All rights reserved. 35 Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code Token Response w/ access & ID token User Info Response User Info Request w/ access token
  • 36. Copyright © 2014 Brian Campbell. All rights reserved. 36 User Info Request w/ access token Token Response w/ access & ID token Basic Client Flow End-User / Browser Client Auth Server Redirect w/ Authentication Request Authentication Request Authenticate End-User Obtain User Consent Redirect w/ Authentication Response Authentication Response w/ code Token Request w/ code User Info Response HTTP/1.1 200 OK Date: Tue, 13 May 2014 15:44:13 GMT Content-Type: application/json;charset=UTF-8 {"sub": "1001", "name": "Joe Doe", "given_name": "Joe", "family_name": "Doe", "preferred_username": "joe", "email": "[email protected]", "picture": "http://farm8.staticflickr.com/7224/7395022014_1f6f3b33c8_m.jpg", "address":{"formatted":"1234 South North Street, Amherst, MA 01002"}, "phone_number":"+1 (413) 867-5309"}
  • 37. Copyright © 2014 Brian Campbell. All rights reserved. 37 That was Simple? • There are a lot of lines… • But from the Client’s perspective – Send the user off somewhere – Wait for them to show up on a callback – Make two simple HTTPS calls and validate some data – Done
  • 38. Copyright © 2014 Brian Campbell. All rights reserved. 38 Agenda • Introductions • Framing the Problem • OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile • Random Thoughts
  • 39. Copyright © 2014 Brian Campbell. All rights reserved. 39 It’s Not All Rainbows & Unicorns • SAML’s IDP initiated POST is easily the most successful SSO deployment for the enterprise market • Some impedance mismatch as Connect doesn’t have straightforward equivalents
  • 40. Copyright © 2014 Brian Campbell. All rights reserved. 40 Tweet Bait https://twitter.com/cloud_opinion/status/459481058480648193 one picture of a goat
  • 41. Copyright © 2014 Brian Campbell. All rights reserved. 41 I’m Done.