edu-id mobile app for smart environments

Post on 22-Jan-2018


TRANSCRIPT

FHO Fachhochschule Ostschweiz

edu-ID Mobile App for Smart Environments
@phish108 @htwblc

What happened so far …


Authorization is about Trust

[Diagram: three trust zones, Organisation Trusted, User & App Store Trusted and Untrusted, with the elements Service Federation, Mobile Device, Personal Data and Internet placed across them]

Use-case 1: Responsive Web-Apps (OpenID Connect / OAuth2 or SAML)

[Diagram: Swiss Academic Domain (Organisation Trusted) with the University Server hosting the Academic Service and the SWITCH Server hosting the EDUID Service; across the Internet, the Mobile Device (User and App Store Trusted) runs the Web-App]

Use-case 2: Integrated Service (AppAuth)

[Diagram: same Swiss Academic Domain (Organisation Trusted: University Server / Academic Service, SWITCH Server / EDUID Service) reached across the Internet; on the Mobile Device (User and App Store Trusted) the Web-Browser and the Third Party App are grouped as the Integrated Service]

Use-case 3: EduID Mobile App (Token-agent assertions)

[Diagram: same Swiss Academic Domain (Organisation Trusted: University Server / Academic Service, SWITCH Server / EDUID Service (OIDC AP)) reached across the Internet; on the Mobile Device (User and App Store Trusted) the EDUID Mobile App (Trust & Token Agent) sits between the Third Party App and the academic domain, and the app together with the academic domain is labelled Extended Trust Domain]

EduID Mobile App Reference Architecture

[Diagram: the use-case 3 parties (Swiss Academic Domain, Organisation Trusted: University Server / Academic Service, SWITCH Server / EDUID Service (OIDC AP); Internet; Mobile Device, User and App Store Trusted: EDUID Mobile App (Trust & Token Agent), Third Party App), with flows numbered 1 to 5 carrying these labels: Authorization Request; RFC 7521/7523 + RFC 7800 or App Auth; RFC 7521/7523 + RFC 7800 via RedirectURL; RFC 7521/7523 + RFC 7800 + OIDC Scope; OIDC ID + OAuth2 Access Token; OAuth2 Access Token; ACL Handling]


EduID Mobile App Implementation Status

[Diagram: the reference-architecture diagram from the previous slide, annotated with the implementation status below]

NAIL Integration: iOS + Android

Cordova Plugin: Moodle OAuth2 + JWE Support

OAuth2 & OIDC Full-Stack Service

Node-OIDC-Provider Integration with LDAP Backend Support
• ES2017 + NodeJS 8
• LDAP-based User Management
• LDAP-based Service/Federation Management
• Separate Directory Organisation
• Configurable Attribute Mapping
• Full JOSE Support (strong JWE encryption covered)
• OIDC certified - details at: github.com/panva/node-oidc-provider
• OSS under MIT License


OIDC Full Stack Implementation
For all 3 Use-cases + Web-Service Integration

Further reading http://htw.ac/eduid-mobile @htwblc

http://htw.ac/blc-blog
