CIS 2015 OpenID Connect Workshop Part 1: Challenges for Mobile - B. Allyn Fay


Upload: cloudidsummit

Post on 12-Aug-2015


OpenID Connect Workshop Part 1: Challenges for mobile B. Allyn Fay

Introduction

•  What is OpenID Connect
•  Conformance and Interop
•  How does it differ from OAuth
•  Profiles for mobile
•  High level challenges

Copyright © 2015 Cloud Identity Summit. All rights reserved. 3

Why OpenID Connect?

•  OpenID Connect logically combines the functionality of SAML and OAuth

•  SAML has limited support for dynamic trust, and its attribute-sharing mechanisms have not been widely deployed

•  OAuth has emerged as a powerful authorization mechanism, but has no explicit concept of identity

•  OpenID Connect addresses the limitations of SAML and OAuth with a modern REST and JSON based architecture


So what’s the deal with mobile?

•  High level mobile challenges


What’s New: Conformance and Interop


•  OIDF self certification
•  Current implementations
   •  Google Authentication Service
   •  AWS Cognito
   •  MSFT?
   •  SFDC?


OAuth 2.0 Overview

•  Diagram: Authorization Server (Authorization Endpoint, Token Endpoint), Resource Server, Client. The client gets an access token from the authorization server, then uses the access token at the resource server.

OpenID Connect Protocols


•  Graphic goes here


OIDC 1.0 Overview

•  Diagram: Authorization Server, Resource Server, Client. The client gets an access token and an ID token (JWT) from the authorization server, then uses the access token at the resource server's UserInfo endpoint.
•  Authorization server endpoints shown: Registration endpoint; /.well-known (/webfinger, /openid-configuration); Authorization endpoint; Token endpoint; JWKS endpoint; Check session iframe; End session endpoint
•  Resource server: UserInfo endpoint

AuthN vs. AuthZ and OIDC features

•  ID Tokens
•  User Info
•  Endpoint Discovery
•  Web Keys
•  Session Management
•  Dynamic Registration
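Endpoint discovery is where an RP learns every other endpoint on the previous slide, so the first thing a client should verify is that the document it fetched really describes the issuer it asked for. The following is an added example (not code from the workshop or from any provider) that parses a constructed openid-configuration document for a hypothetical OP at https://op.example.com and applies the checks from OpenID Connect Discovery 1.0: required metadata present, the `issuer` value identical to the URL the document was fetched from (the issuer mix-up check in section 4.3), RS256 offered for ID tokens, and a token endpoint present whenever a `code` response type is advertised. Requiring https on every published URL is this example's own conservative rule, stricter than the spec in places.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document for a hypothetical OP; no real provider is described.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "token_endpoint": "https://op.example.com/token",
    "userinfo_endpoint": "https://op.example.com/userinfo",
    "jwks_uri": "https://op.example.com/.well-known/jwks.json",
    "registration_endpoint": "https://op.example.com/register",
    "end_session_endpoint": "https://op.example.com/logout",
    "check_session_iframe": "https://op.example.com/session",
    "response_types_supported": ["code", "id_token", "id_token token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# OpenID Connect Discovery 1.0, section 3: metadata an OP MUST publish.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")


def discovery_url(issuer):
    """Where the RP fetches the metadata: issuer + /.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(expected_issuer, body):
    """Parse a discovery response and return it, or raise ValueError.

    The issuer comparison is the security-relevant one: the RP fetched this
    document from expected_issuer, so any other 'issuer' value means ID tokens
    would later be checked against the wrong identity (issuer mix-up).
    """
    doc = json.loads(body)
    missing = [key for key in REQUIRED if key not in doc]
    if missing:
        raise ValueError("discovery document missing " + ", ".join(missing))
    if doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer {doc['issuer']!r} != {expected_issuer!r}")
    if "RS256" not in doc["id_token_signing_alg_values_supported"]:
        raise ValueError("OP must support RS256 for ID tokens")
    # token_endpoint may be omitted only if the OP offers nothing but the implicit flow.
    needs_token_endpoint = any("code" in rt.split() for rt in doc["response_types_supported"])
    if needs_token_endpoint and "token_endpoint" not in doc:
        raise ValueError("code flow advertised but no token_endpoint published")
    for key, value in doc.items():
        if key.endswith(("_endpoint", "_uri", "_iframe")) and urlsplit(value).scheme != "https":
            raise ValueError(f"{key} must use https, got {value!r}")
    return doc
```

In a real client the body comes from an HTTPS GET of `discovery_url(issuer)`; cache the result and the keys behind `jwks_uri`, and re-run the validation whenever they are refreshed.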


OIDC Flows

•  Basic
•  Implicit
•  Hybrid


OIDC Basic Client

•  OpenID Connect Basic Client Implementer's Guide 1.0
•  http://openid.net/specs/openid-connect-basic-1_0.html

•  “a subset of the OpenID Connect Core 1.0 specification that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth Authorization Code Flow.”


OIDC Basic Client Flow

•  Logical graphic goes here


OIDC Implicit Client

•  OpenID Connect Implicit Client Implementer's Guide 1.0
•  http://openid.net/specs/openid-connect-implicit-1_0.html

•  "a subset of the OpenID Connect Core 1.0 specification that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth Implicit Flow."


OIDC Implicit Client Flow

•  Graphic goes here
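The Basic Client and Implicit Client slides above differ mainly in where the tokens come back and what the RP must therefore check. The following added example (not from the workshop or either implementer's guide) drives both flows end to end against a constructed, in-process OP: the RP builds the authorization request with `state` and `nonce`, reads the callback from the query string (code flow) or the fragment (implicit), and then validates the ID token the way OIDC Core sections 3.1.3.7 and 3.2.2.11 require: signature, `iss`, `aud`/`azp`, `exp`, `nonce`, and for `id_token token` responses the `at_hash` that binds the access token to the ID token. The issuer, client, redirect URI, client secret and fixed clock are hypothetical. For offline runnability the ID token is HS256-signed with the client secret, which OIDC Core 10.1 permits for a confidential client; a public implicit client has no secret and must instead verify RS256 signatures with keys from the OP's `jwks_uri`.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical issuer, client and redirect URI; no real provider is described.
ISSUER = "https://op.example.com"
CLIENT_ID = "mobile-app-1"
REDIRECT_URI = "https://rp.example.com/cb"
CLIENT_SECRET = b"client-secret-shared-with-op"  # HS256 key, as OIDC Core 10.1 allows
NOW = 1_700_000_000                               # fixed clock so the example is deterministic


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(flow):
    """Return (url, state, nonce). state ties the callback to this session (anti-CSRF);
    nonce ties the ID token to this request and is REQUIRED in the implicit flow."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": {"code": "code", "implicit": "id_token token"}[flow],
              "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile", "state": state, "nonce": nonce}
    return ISSUER + "/authorize?" + urlencode(params), state, nonce


def parse_callback(flow, url, expected_state):
    """Code flow returns its parameters in the query string; implicit returns them
    in the fragment, which the browser never sends to the RP's server."""
    parts = urlsplit(url)
    raw = parts.query if flow == "code" else parts.fragment
    params = {k: v[0] for k, v in parse_qs(raw).items()}
    if "error" in params:
        raise ValueError("authorization error: " + params["error"])
    if not hmac.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not bound to this session")
    return params


def validate_id_token(id_token, nonce, now, access_token=None):
    """ID token checks from OIDC Core 3.1.3.7 (code flow) and 3.2.2.11 (implicit)."""
    h, p, s = id_token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")       # never accept 'none' or an alg you did not expect
    mac = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(s), mac):
        raise ValueError("bad signature")
    c = json.loads(b64url_decode(p))
    aud = c["aud"] if isinstance(c["aud"], list) else [c["aud"]]
    if c["iss"] != ISSUER or CLIENT_ID not in aud:
        raise ValueError("iss/aud mismatch")
    if len(aud) > 1 and c.get("azp") != CLIENT_ID:
        raise ValueError("azp must name this client when aud lists several")
    if c["exp"] <= now:
        raise ValueError("expired")
    if not hmac.compare_digest(c.get("nonce", "").encode(), nonce.encode()):
        raise ValueError("nonce mismatch: replayed or injected ID token")
    if access_token is not None:  # 'id_token token': at_hash binds the access token to this ID token
        if c.get("at_hash") != b64url(hashlib.sha256(access_token.encode()).digest()[:16]):
            raise ValueError("at_hash mismatch: access token was swapped")
    return c


def mint_id_token(sub, nonce, access_token=None, ttl=300):
    """Constructed OP side so the round trip runs offline (real OPs sign with RS256 keys from jwks_uri)."""
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": NOW, "exp": NOW + ttl, "nonce": nonce}
    if access_token is not None:
        claims["at_hash"] = b64url(hashlib.sha256(access_token.encode()).digest()[:16])
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    p = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}." + b64url(hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest())


def run_flow(flow):
    """Drive one complete round trip; returns the validated ID token claims."""
    _url, state, nonce = build_authorization_request(flow)
    if flow == "code":
        # Front channel: the OP redirects back with a code. Back channel: the RP exchanges the
        # code at the token endpoint (authenticating with CLIENT_SECRET) and receives both tokens.
        code = parse_callback("code", f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)["code"]
        id_token = mint_id_token("248289761001", nonce)  # stands in for the token response to `code`
        return validate_id_token(id_token, nonce, NOW)
    # Implicit: both tokens come back in the fragment; no token endpoint, no client secret.
    access_token = "at-implicit-1"
    frag = urlencode({"access_token": access_token, "token_type": "Bearer",
                      "id_token": mint_id_token("248289761001", nonce, access_token), "state": state})
    params = parse_callback("implicit", f"{REDIRECT_URI}#{frag}", state)
    return validate_id_token(params["id_token"], nonce, NOW, params["access_token"])
```

`run_flow("code")` and `run_flow("implicit")` each return the validated claims; a wrong `state`, a `nonce` from another request, or an access token that does not match `at_hash` raises before any claim is trusted.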


Why OIDC for mobile

•  OAuth alone is "bad" for authentication: it has no concept of identity
•  OIDC is a real spec
•  OS level integration
   •  ID tokens from Google Play Services
   •  Token Agent


Mobile Challenges

•  Security
•  PKCE (pronounced "pixy", RFC 7636) – why we need it
•  Dynamic client registration
•  Webview vs. system browser
•  Shared sessions
•  Account chooser
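Why a mobile client needs PKCE: a native app receives the authorization code on a custom URI scheme that any other app on the device can also register, and a public client has no secret to present at the token endpoint, so whoever catches the redirect can redeem the code. The following added example (not from the workshop) implements RFC 7636 on both sides with a constructed in-process authorization server: the app generates a `code_verifier`, sends only its S256 `code_challenge` with the authorization request, and the server refuses to exchange the code unless the verifier is presented at the token endpoint. The client ID and `com.example.app:/cb` redirect URI are hypothetical; the RFC 7636 Appendix B vector is used to check the challenge computation.

```python
import base64
import hashlib
import hmac
import secrets

CLIENT_ID, REDIRECT_URI = "mobile-app-1", "com.example.app:/cb"   # hypothetical public client


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes=32):
    """RFC 7636 4.1: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes encode to 43."""
    verifier = b64url(secrets.token_bytes(nbytes))
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier length out of range")
    return verifier


def code_challenge(verifier, method="S256"):
    """RFC 7636 4.2: S256 = BASE64URL(SHA256(ASCII(code_verifier))).
    'plain' exists for clients that cannot hash and offers no protection
    against an attacker who can read the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")


class AuthorizationServer:
    """Constructed AS: remembers the challenge with the code and re-checks it
    when the code is redeemed at the token endpoint (RFC 7636 4.4 to 4.6)."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, challenge, method="S256"):
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, challenge, method)
        return code                                   # delivered to the app via the redirect URI

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._codes.pop(code, None)           # single use: a replayed code fails here
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        cid, ruri, challenge, method = entry
        if cid != client_id or ruri != redirect_uri:
            raise PermissionError("invalid_grant: client_id/redirect_uri do not match the request")
        if code_verifier is None or not hmac.compare_digest(code_challenge(code_verifier, method), challenge):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def legitimate_flow(as_):
    """The real app: verifier never leaves its memory, only the challenge goes on the wire."""
    verifier = make_code_verifier()
    code = as_.authorize(CLIENT_ID, REDIRECT_URI, code_challenge(verifier))
    return as_.token(CLIENT_ID, REDIRECT_URI, code, verifier)


def intercepted_code_attack(as_):
    """RFC 7636 section 1 scenario: a malicious app registered for the same custom
    scheme receives the redirect (and so the code) but never saw the verifier."""
    verifier = make_code_verifier()
    code = as_.authorize(CLIENT_ID, REDIRECT_URI, code_challenge(verifier))
    try:
        as_.token(CLIENT_ID, REDIRECT_URI, code, code_verifier=None)   # attacker has no verifier
        return "token issued"
    except PermissionError:
        return "rejected"
```

The same check is what a server must enforce for every public client; an AS that accepts a token request without a verifier for a code that was issued with a challenge has not deployed PKCE, whatever the client sends.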



Questions?