OpenID Connect
    Demonstration

               福家 大輔
          dfuke@pingidentity.com

      Ping Identity Corporation
       Web: https://www.pingidentity.jp




1                                  Copyright ©2012 Ping Identity Corporation. All rights reserved.
A brief look at OpenID Connect



     • OpenID Connect Workshop

      …




Elevator Pitch




OpenID Connect is an identity layer built on top of OAuth 2.0, which offers secure API and federated sign-on services to clients using a single REST-based mechanism.

Photo: http://www.flickr.com/photos/joits/3214054244
Differentiators


     • From OpenID 2.0:
        – Simplified Discovery Mechanism
        – Ability to achieve all levels of assurance in one protocol
     • From SAML:
        – Simplified assertion format
        – Focus on both web and native applications
     • From OAuth 2.0:
        – Validates identity of user to the client
        – Profiles use of encryption, signing, token formats, objects returned from endpoints
        – Dynamic Client Registration
     • From all: OpenID Connect REQUIRES TLS

Photo: http://www.flickr.com/photos/40348123@N02/3996348907
OAuth Protocol Is the Base

+--------+                                           +---------------+
|        |--(A)------- Authorization Grant --------->|               |
|        |                                           |               |
|        |<-(B)----------- Access Token -------------|               |
|        |              & Refresh Token              |               |
|        |                                           |               |
|        |                            +----------+   |               |
|        |--(C)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(D)- Protected Resource --| Resource |   | Authorization |
| Client |                            | Server   |   | Server        |
|        |--(E)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(F)- Invalid Token Error -|          |   |               |
|        |                            +----------+   |               |
|        |                                           |               |
|        |--(G)----------- Refresh Token ----------->|               |
|        |                                           |               |
|        |<-(H)----------- Access Token -------------|               |
+--------+            & Optional Refresh Token       +---------------+




OpenID Connect Overlays
RP                                                                    OP
 +--------+                                           +---------------+
 |        |--(A)------- Authorization Grant --------->|               |
 |        |     Scope: openid                         |               |
 |        |<-(B)----------- Access Token -------------|               |
 |        |              & Refresh Token              |               |
 |        |               & ID Token                  |               |
 |        |                            +-----------+  |               |
 |        |--(C)---- Access Token ---->|           |  |               |
 |        |                            | User Info |  |               |
 |        |<-(D)- Protected Resource --| Resource  |  | Authorization |
 | Client |                            | Server    |  | Server        |
 |        |--(E)---- Access Token ---->|           |  |               |
 |        |                            |           |  |               |
 |        |<-(F)- Invalid Token Error -|           |  |               |
 |        |                            +-----------+  |               |
 |        |                                           |               |
 |        |--(G)----------- Refresh Token ----------->|               |
 |        |                                           |               |
 |        |<-(H)----------- Access Token -------------|               |
 +--------+            & Optional Refresh Token       +---------------+

Spec Family


     • Minimal Profiles for Simple Relying Parties
       – Basic Client (code flow)
       – Implicit Client (token flow)

     • Complete Profiles for OpenID Providers & Complex RPs
        – Messages
        – Standard (HTTP Binding)

     • Additional Functionality
        – Discovery
        – Dynamic Client Registration
        – Session Management


About the Demo

     • The demo our CTO, Patrick Harding, gave at CIS2012
       – WebApp
       – MobileApp

     • Assumed scenario
       •   Trading stocks on a site for stock traders

     • Players
       •   StockExpert
           •   A site for stock traders
           •   Trades stocks through the API provided by the brokerage
           •   Offers a WebApp and a MobileApp

       •   idTrade
           •   A brokerage that provides a stock-trading API
           •   Uses OpenID Connect for authentication and authorization

WebApp Demo

[Diagram: demo components]
idTrade
  OpenID Connect provider: Authentication Service (1st mile), OAuth 2.0 authZ service, UserInfo OAuth 2.0 resource service
  API platform: TradeInfo OAuth 2.0 resource service
StockExpert
  Web app: OpenID Connect relying party, OAuth 2.0 client
  Mobile app: OpenID Connect relying party, OAuth 2.0 client

WebApp Demo

[Diagram: same idTrade / StockExpert components as above, with the API platform shown as a Portfolio OAuth 2.0 resource service; steps annotated so far]
  1. Request: the Web app sends the OpenID Connect authentication request to the idTrade OpenID Connect provider
  2. Code: the authorization code is returned to the Web app

WebApp Demo

[Diagram: same components; steps annotated so far]
  1. Request: the Web app sends the authentication request to the OpenID Connect provider
  2. Code: the authorization code is returned to the Web app
  3. Code: the Web app presents the code to the OAuth 2.0 authZ service
  4. Access Token & id_token: returned to the Web app

WebApp Demo

[Diagram: same components; steps annotated so far]
  1. Request: the Web app sends the authentication request to the OpenID Connect provider
  2. Code: the authorization code is returned to the Web app
  3. Code: the Web app presents the code to the OAuth 2.0 authZ service
  4. Access Token & id_token: returned to the Web app
  5. Access Token: the Web app presents the access token to the UserInfo OAuth 2.0 resource service
  6. User info: returned to the Web app

WebApp Demo

[Diagram: same components; the API call is annotated]
  5. Access Token: the Web app presents the access token to the Portfolio OAuth 2.0 resource service on the idTrade API platform
  6. API Content: returned to the Web app

WebApp Demo
Basic Client Profile Flow used at Web App (response type: code)

[Sequence diagram] Participants: Browser, StockExpert Web App (RP), OP Authorization Service, OP UserInfo Endpoint, Other APIs

Front channel:
  User clicks Sign-in
  1. OpenID Connect Basic Profile authorization request: response_type=code, scope=openid
     AuthN/Consent at the OP; OP session created
  2. AuthZ code (C) returned from OP to the RP via the browser

Back channel:
  3. AuthZ code (C) traded for id_token (I) and access token (T)
  4. Possible call to userinfo endpoint with the access token (T) to populate session
  RP session created; content returned to the browser (front channel)
  API calls to other APIs with the access token (T) as needed (back channel)

Legend: I = ID Token (OpenID Connect), C = AuthZ Code (OAuth 2.0), T = Access Token (OAuth 2.0)
Note: Token Refresh not Shown
MobileApp Demo

[Diagram: demo components, Mobile app path]
idTrade
  OpenID Connect provider: Authentication Service (1st mile), OAuth 2.0 authZ service, UserInfo OAuth 2.0 resource service
  API platform: Portfolio OAuth 2.0 resource service
StockExpert
  Web app: OpenID Connect relying party, OAuth 2.0 client
  Mobile app: OpenID Connect relying party, OAuth 2.0 client

MobileApp Demo

[Diagram: same components; steps annotated so far]
  1. Request: the Mobile app sends the OpenID Connect authentication request to the idTrade OpenID Connect provider
  2. Access Token & ID Token: returned directly to the Mobile app in response to the request, without a code exchange

MobileApp Demo

[Diagram: same components; steps annotated so far]
  1. Request: the Mobile app sends the authentication request to the OpenID Connect provider
  2. Access Token & ID Token: returned directly to the Mobile app
  3. Access Token: the Mobile app presents the access token to the UserInfo OAuth 2.0 resource service
  4. User info: returned to the Mobile app

MobileApp Demo

[Diagram: same components; the API call is annotated]
  1. Access Token: the Mobile app presents the access token to the Portfolio OAuth 2.0 resource service on the idTrade API platform
  2. API Content: returned to the Mobile app

End

iProgrammer Solutions Private Limited
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
Per Axbom: The spectacular lies of maps
Nexer Digital
 
Market Insight : ETH Dominance Returns
CIFDAQ
 
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
Generative AI vs Predictive AI-The Ultimate Comparison Guide
Lily Clark
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
Simple and concise overview about Quantum computing..pptx
mughal641
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
Structs to JSON: How Go Powers REST APIs
Emily Achieng
 
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
Ad

OpenID Connect Demo at OpenID Tech Night

  • 1. OpenID Connect Demonstration
       福家 大輔, [email protected]
       Ping Identity Corporation, Web: https://www.pingidentity.jp
       Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • 2. A quick introduction to OpenID Connect
       • OpenID Connect Workshop …
  • 3. Elevator Pitch
       OpenID Connect is an identity layer built on top of OAuth 2.0, which offers secure API and federated sign-on services to clients using a single REST-based mechanism.
       (Image: http://www.flickr.com/photos/joits/3214054244)
  • 4. Differentiators
       • From OpenID 2.0:
         – Simplified discovery mechanism
         – Ability to achieve all levels of assurance in one protocol
       • From SAML:
         – Simplified assertion format
         – Focus on both web and native applications
       • From OAuth 2.0:
         – Validates identity of user to the client
         – Profiles use of encryption, signing, token formats, objects returned from endpoints
         – Dynamic Client Registration
       • From all: OpenID Connect REQUIRES TLS
       (Image: http://www.flickr.com/photos/40348123@N02/3996348907)
  • 5. OAuth Protocol Is the Base

       +--------+                                           +---------------+
       |        |--(A)------- Authorization Grant --------->|               |
       |        |                                           |               |
       |        |<-(B)----------- Access Token -------------|               |
       |        |               & Refresh Token             |               |
       |        |                                           |               |
       |        |                            +----------+   |               |
       |        |--(C)---- Access Token ---->|          |   |               |
       |        |                            |          |   |               |
       |        |<-(D)- Protected Resource --| Resource |   | Authorization |
       | Client |                            |  Server  |   |     Server    |
       |        |--(E)---- Access Token ---->|          |   |               |
       |        |                            |          |   |               |
       |        |<-(F)- Invalid Token Error -|          |   |               |
       |        |                            +----------+   |               |
       |        |                                           |               |
       |        |--(G)----------- Refresh Token ----------->|               |
       |        |                                           |               |
       |        |<-(H)----------- Access Token -------------|               |
       +--------+           & Optional Refresh Token        +---------------+

  • 6. OpenID Connect Overlays

          RP                                                       OP
       +--------+                                           +---------------+
       |        |--(A)------- Authorization Grant --------->|               |
       |        |             Scope: openid                 |               |
       |        |<-(B)----------- Access Token -------------|               |
       |        |               & Refresh Token             |               |
       |        |               & ID Token                  |               |
       |        |                            +----------+   |               |
       |        |--(C)---- Access Token ---->|          |   |               |
       |        |                            |User Info |   |               |
       |        |<-(D)- Protected Resource --| Resource |   | Authorization |
       | Client |                            |  Server  |   |     Server    |
       |        |--(E)---- Access Token ---->|          |   |               |
       |        |                            |          |   |               |
       |        |<-(F)- Invalid Token Error -|          |   |               |
       |        |                            +----------+   |               |
       |        |                                           |               |
       |        |--(G)----------- Refresh Token ----------->|               |
       |        |                                           |               |
       |        |<-(H)----------- Access Token -------------|               |
       +--------+           & Optional Refresh Token        +---------------+

  • 7. Spec Family
       (title slide; the spec-family diagram is not in the transcript)
  • 8. Spec Family
       • Minimal Profiles for Simple Relying Parties
         – Basic Client (code flow)
         – Implicit Client (token flow)
       • Complete Profiles for OpenID Providers & Complex RPs
         – Messages
         – Standard (HTTP Binding)
       • Additional Functionality
         – Discovery
         – Dynamic Client Registration
         – Session Management
  • 9. About the demo
       • The demo our CTO, Patrick Harding, gave at CIS2012
         – WebApp
         – MobileApp
       • Scenario
         • Executing stock trades on a site for stock traders
       • Cast
         • StockExpert
           • A site for stock traders
           • Executes stock trades using the API provided by a brokerage
           • Provides a WebApp and a MobileApp
         • idTrade
           • A brokerage that provides a stock-trading API
           • Uses OpenID Connect for authentication and authorization
  • 10. WebApp demo
       (Figure: idTrade = OpenID Connect provider [Authentication Service (1st mile), OAuth 2.0 authZ service, OAuth 2.0 UserInfo resource service] and API platform [OAuth 2.0 TradeInfo resource service]; StockExpert = Mobile app and Web app, each an OpenID Connect relying party / OAuth 2.0 client)
  • 11. WebApp demo
       (Same figure; from here on the API platform resource is labelled Portfolio)
       1. Request (Web app → idTrade Authentication Service)
       2. Code (returned to the Web app)
  • 12. WebApp demo
       1. Request   2. Code
       3. Code (Web app → OAuth 2.0 authZ service)
       4. Access Token & id_token (returned to the Web app)
  • 13. WebApp demo
       1. Request   2. Code   3. Code   4. Access Token & id_token
       5. Access Token (Web app → UserInfo resource service)
       6. User info (returned to the Web app)
  • 14. WebApp demo
       5. Access Token (Web app → Portfolio resource service)
       6. API Content (returned to the Web app)
  • 15. WebApp demo: Basic Client Profile flow used at the Web App (response type: code)
       Parties: Browser, StockExpert Web App (RP), OP Authorization Service, OP UserInfo Endpoint, Other APIs
       User clicks Sign-in
       Front channel (OpenID Connect):
         1. OpenID Connect Basic Profile authorization request: response_type=code, scope=openid; AuthN/Consent at the OP; OP session created
         2. AuthZ code (C) returned from OP
       Back channel (OAuth 2.0):
         3. AuthZ code (C) traded for id_token (I) and access token (T)
         4. Possible call to userinfo endpoint with T to populate session
       RP session created; content returned to the browser (front channel)
       Back channel (OAuth 2.0): API calls with T as needed
       Legend: I = ID Token, C = AuthZ Code, T = Access Token. Note: token refresh not shown.
  • 16. MobileApp demo
       (Same figure as slide 10, with the Portfolio resource service)
  • 17. MobileApp demo
       1. Request (Mobile app → idTrade Authentication Service)
       2. Access Token & ID Token (returned directly to the Mobile app)
  • 18. MobileApp demo
       1. Request   2. Access Token & ID Token
       3. Access Token (Mobile app → UserInfo resource service)
       4. User info (returned to the Mobile app)
  • 19. MobileApp demo
       1. Access Token (Mobile app → Portfolio resource service)
       2. API Content (returned to the Mobile app)
  • 20. The End
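The (C) to (H) leg of the flow on slides 5 and 6, as an added example that is not code from the deck or from Ping Identity: a constructed authorization server, resource server and client in Python. It shows the resource server refusing an expired access token with an invalid_token error (F) and the client renewing it with the refresh token (G/H) before retrying. Token lifetimes, the "portfolio" scope, the user id and the sample portfolio data are all assumptions made for the example.

```python
"""Added example (not from the deck): steps (C)-(H) of the OAuth 2.0 flow on
slides 5 and 6, with a constructed authorization server, resource server
and client. Token values, lifetimes and portfolio data are all made up."""
import secrets
import time


class ToyAuthorizationServer:
    """Issues short-lived access tokens and longer-lived refresh tokens.
    Refresh tokens are rotated: each (G) request invalidates the one used."""

    def __init__(self, access_ttl=300, refresh_ttl=86400, clock=time.time):
        self.clock, self.access_ttl, self.refresh_ttl = clock, access_ttl, refresh_ttl
        self.access = {}    # access token  -> (sub, scope, expiry)
        self.refresh = {}   # refresh token -> (sub, scope, expiry)

    def _issue(self, sub, scope):
        now = self.clock()
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[at] = (sub, scope, now + self.access_ttl)
        self.refresh[rt] = (sub, scope, now + self.refresh_ttl)
        return {"access_token": at, "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": rt}

    def grant(self, sub, scope):
        """(A)/(B): the authorization grant itself is abstracted away; returns the token pair."""
        return self._issue(sub, scope)

    def refresh_grant(self, refresh_token):
        """(G)/(H): refresh token -> new access token and a rotated refresh token."""
        entry = self.refresh.pop(refresh_token, None)
        if entry is None or entry[2] < self.clock():
            return {"error": "invalid_grant"}
        return self._issue(entry[0], entry[1])

    def introspect(self, access_token):
        """Used by the resource server; None means unknown or expired."""
        entry = self.access.get(access_token)
        if entry is None or entry[2] < self.clock():
            return None
        return {"sub": entry[0], "scope": entry[1]}


class ToyResourceServer:
    """The protected portfolio API: bearer token in, resource or (F) error out."""

    def __init__(self, auth_server, required_scope="portfolio"):
        self.auth_server, self.required_scope = auth_server, required_scope

    def get_portfolio(self, access_token):
        tok = self.auth_server.introspect(access_token)
        if tok is None:
            return {"error": "invalid_token"}            # (F)
        if self.required_scope not in tok["scope"].split():
            return {"error": "insufficient_scope"}       # valid token, wrong scope
        return {"sub": tok["sub"], "positions": [{"symbol": "EXMP", "qty": 10}]}  # (D), constructed


class ToyClient:
    """Holds the token pair; on invalid_token it refreshes once and retries."""

    def __init__(self, auth_server, resource_server, tokens):
        self.auth_server, self.resource_server, self.tokens = auth_server, resource_server, tokens
        self.refreshes = 0

    def fetch_portfolio(self):
        resp = self.resource_server.get_portfolio(self.tokens["access_token"])   # (C)/(E)
        if resp.get("error") != "invalid_token":
            return resp
        new = self.auth_server.refresh_grant(self.tokens["refresh_token"])       # (G)
        if "error" in new:
            raise PermissionError("refresh failed; the user must authorize again")
        self.tokens, self.refreshes = new, self.refreshes + 1                    # (H)
        return self.resource_server.get_portfolio(self.tokens["access_token"])


def demo(start=1_000_000.0):
    """Drives the flow with a controllable clock so expiry is deterministic."""
    now = [start]
    auth_server = ToyAuthorizationServer(access_ttl=300, clock=lambda: now[0])
    resource_server = ToyResourceServer(auth_server)
    client = ToyClient(auth_server, resource_server, auth_server.grant("user-1234", "openid portfolio"))
    old_refresh = client.tokens["refresh_token"]
    first = client.fetch_portfolio()      # fresh access token: served directly
    now[0] += 600                         # access token expired, refresh token still valid
    second = client.fetch_portfolio()     # (E) -> (F) invalid_token -> (G)/(H) -> retry
    return {"first": first, "second": second, "refreshes": client.refreshes,
            "old_refresh_rejected": auth_server.refresh_grant(old_refresh) == {"error": "invalid_grant"}}
```

The client only retries on invalid_token; an insufficient_scope answer is returned unchanged, because a new access token minted from the same refresh token would carry the same scope. Refresh-token rotation means a refresh token that has already been used is refused, which is what demo() checks last.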

Editor's Notes

  • #5: A very high-level overview of OpenID Connect: OpenID Connect is an identity layer built on top of OAuth.
  • #6: How OpenID Connect differs from other protocols. From OpenID: a simple discovery mechanism and support for every LoA level. From SAML: a simple assertion format and support for both web and native apps. From OAuth 2.0: validation of the user's identity to the client; profiles for the encryption, signing and token formats of the objects returned from endpoints; dynamic client registration; and so on.
  • #14: idTrade, the identity infrastructure: OpenID Connect Provider; 1st-mile authN service; OAuth 2.0 AS; OAuth 2.0 RS (userinfo); API platform, which includes OAuth 2.0-only resource services. Stock Expert: a web application that needs SSO and API access.
  • #15: Step 1: the request goes out with scope "openid profile portfolio". This means the token you get can be used at the userinfo endpoint and at the portfolio endpoint. An authorization code comes back: it is a short-lived token, should only be used once, and should be traded immediately.
  • #16: Step 2: the authorization code is traded for an access token and an id_token in the BACK CHANNEL.
  • #17: Step 3: the access token is used to access user information.
  • #18: Some time later (the user may not be present) the portfolio API may be called.
  • #20: Pieces: identity infrastructure: OpenID Connect Provider; 1st-mile authN service; OAuth 2.0 AS; OAuth 2.0 RS (userinfo); API platform, which includes OAuth 2.0-only resource services.
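The Basic Client Profile code flow of slide 15 and the steps in the speaker notes #15 to #17 (authorization request with scope openid profile portfolio, a single-use code, the back-channel exchange for id_token and access token, then the userinfo call), as an added Python example that is not code from the deck or from Ping Identity. The OP issuer, client id and secret, redirect URI, user record, and the HS256 signing of the ID token with the client secret are constructed assumptions; an RP talking to a real OP that signs with RS256 would instead verify against the keys published at the OP's jwks_uri.

```python
"""Added example (not from the deck): the OpenID Connect Basic Client Profile code
flow with a constructed in-memory OP (stand-in for idTrade) and RP (stand-in for
the StockExpert web app)."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration; none of these values come from the deck.
ISSUER = "https://op.example.test"
CLIENT_ID = "stockexpert-web"
CLIENT_SECRET = b"constructed-client-secret"
REDIRECT_URI = "https://rp.example.test/callback"
USER = {"sub": "user-1234", "name": "Example Trader"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def query_params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class ToyOP:
    """Authorization, token and userinfo endpoints; ID tokens are HS256-signed with the client secret."""

    def __init__(self):
        self.codes = {}    # code -> (client_id, redirect_uri, nonce, scope)
        self.access = {}   # access token -> (sub, scope, expiry)

    def authorize(self, url: str) -> str:
        """Front channel (steps 1-2): user signs in and consents; OP redirects back with a code."""
        q = query_params(url)
        if q.get("response_type") != "code" or "openid" not in q.get("scope", "").split():
            raise ValueError("not an OpenID Connect code request")
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["nonce"], q["scope"])
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, client_id, client_secret, redirect_uri) -> dict:
        """Back channel (step 3): code -> access token + ID token. Codes are single use."""
        entry = self.codes.pop(code, None)
        if (entry is None or entry[0] != client_id or entry[1] != redirect_uri
                or not hmac.compare_digest(client_secret, CLIENT_SECRET)):
            return {"error": "invalid_grant"}
        _, _, nonce, scope = entry
        now = int(time.time())
        access = secrets.token_urlsafe(16)
        self.access[access] = (USER["sub"], scope, now + 3600)
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps({"iss": ISSUER, "sub": USER["sub"], "aud": client_id,
                                     "iat": now, "exp": now + 300, "nonce": nonce}).encode())
        sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return {"access_token": access, "token_type": "Bearer",
                "id_token": f"{header}.{payload}.{b64url(sig)}"}

    def userinfo(self, access_token: str) -> dict:
        """Step 4: the bearer token must be unexpired and carry the openid scope."""
        entry = self.access.get(access_token)
        if entry is None or entry[2] < time.time() or "openid" not in entry[1].split():
            return {"error": "invalid_token"}
        return {"sub": entry[0], "name": USER["name"]}


def build_auth_request(state: str, nonce: str) -> str:
    return ISSUER + "/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile portfolio", "state": state, "nonce": nonce})


def validate_id_token(id_token: str, expected_nonce: str) -> dict:
    """RP-side ID token validation: alg, signature, iss, aud, exp and nonce."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose its own algorithm
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("ID token signature invalid")
    c = json.loads(b64url_decode(payload_b64))
    if c.get("iss") != ISSUER or c.get("aud") != CLIENT_ID:
        raise ValueError("ID token not issued by our OP for this client")
    if c.get("exp", 0) < time.time():
        raise ValueError("ID token expired")
    if c.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: ID token does not belong to this login")
    return c


def run_basic_flow(op: ToyOP) -> dict:
    """Steps 1-4 of slide 15 from the RP's point of view; returns the RP session."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    q = query_params(op.authorize(build_auth_request(state, nonce)))
    if not hmac.compare_digest(q.get("state", ""), state):
        raise ValueError("state mismatch: response does not belong to this request")
    tok = op.token(q["code"], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    claims = validate_id_token(tok["id_token"], nonce)
    info = op.userinfo(tok["access_token"])
    if info.get("sub") != claims["sub"]:
        raise ValueError("userinfo sub does not match ID token sub")
    return {"sub": claims["sub"], "name": info["name"], "access_token": tok["access_token"]}


def replay_is_rejected(op: ToyOP) -> bool:
    """Speaker note for step 2: a code is accepted once; a second exchange fails."""
    code = query_params(op.authorize(build_auth_request("s", "n")))["code"]
    first = op.token(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    second = op.token(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    return "id_token" in first and second == {"error": "invalid_grant"}
```

Three checks carry the security weight here: the state parameter ties the front-channel response to the request the RP actually sent, the nonce ties the ID token to that same login, and the RP pins the signing algorithm rather than trusting the alg field of the token it is validating. The OP side shows why the notes call the code short-lived and single-use: it is popped from the store on first use, so a replayed code gets invalid_grant.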