IIW 16th Report at #idcon
![Page 1: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/1.jpg)
IIW #16 Report @nov
![Page 2: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/2.jpg)
![Page 3: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/3.jpg)
![Page 4: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/4.jpg)
![Page 5: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/5.jpg)
![Page 6: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/6.jpg)
![Page 7: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/7.jpg)
![Page 8: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/8.jpg)
![Page 9: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/9.jpg)
![Page 10: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/10.jpg)
![Page 11: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/11.jpg)
![Page 12: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/12.jpg)
http://iiw.idcommons.net/IIW_16_Notes
![Page 13: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/13.jpg)
Mobile SSO - Enterprise
Sascha Preibisch, Layer7
Similar Talk
http://www.slideshare.net/rnewton/xapp-sso-flascellescsa2013
Concept
Store ID Token in “Shared Keychain”
Only for iOS apps
Generate RSA key pair on client side (OPTIONAL)
Only among apps white-listed by the admin
“msso” scope for SSO-enabled ID Token
![Page 14: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/14.jpg)
[Diagram: apps A1 and A2 each keep their own Access Token in their Local Keychain; the ID Token is stored in the Shared Keychain, where the first app writes it and the second reads it to obtain its own Access Token (steps 1-5).]
![Page 15: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/15.jpg)
[Diagram: app A1 keeps its Access Token in its Local Keychain and the ID Token in the Shared Keychain; app B1 is marked NG (not white-listed) and gets no access to the Shared Keychain (steps 1-2).]
![Page 16: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/16.jpg)
Mobile SSO - Device to Browser
George Fletcher, AOL
Similar Talk
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20121231/002768.html
Concept
“websso” scope
Down scope via token refresh
Pass an ID Token in native app to browser & skip login
![Page 17: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/17.jpg)
Auth @ Google - Next 5 Years
Eric Sachs, Google
Reference
https://docs.google.com/document/d/1r9qnZUehCbtkQR86Wp-sJR2Zu6sHx47queuqmegW2PY
Summary
![Page 18: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/18.jpg)
Past 5 years
Risk-based
2-factor authentication
OpenID
No new passwords!
OAuth
No password sharing!
![Page 19: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/19.jpg)
Good News
![Page 20: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/20.jpg)
Bad News
OpenID Migration is hard
Usability
Account linking issues
https://docs.google.com/document/pub?id=1O7jyQLb7dW6EnJrFsWZDyh0Yq0aFJU5UJ4i5QzYlTjU
Account Recovery is their Achilles' heel
![Page 21: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/21.jpg)
Next 5 years
Setup, not Sign-in
Reduce Bearer Tokens
Smarter Hardware
Beyond Bootstrapping
Advanced Combination
![Page 22: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/22.jpg)
Setup, not Sign-in
[Diagram: "Login Once" vs. "Login Each Time"]
![Page 23: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/23.jpg)
Setup, not Sign-in
[Diagram: "Login Once" on both sides, via the OS-level Account Manager]
![Page 24: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/24.jpg)
Reduce Bearer Tokens
Bearer Tokens?
OAuth 2.0 access tokens
JWT bearer tokens
..and session cookies!
![Page 25: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/25.jpg)
Reduce Bearer Tokens
Channel ID
Self-signed Cookie (probably, like self-issued IdP’s ID Token?)
http://tools.ietf.org/html/draft-balfanz-tls-channelid
Already available on Chrome
![Page 26: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/26.jpg)
chrome://settings/cookies
![Page 27: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/27.jpg)
Smarter Hardware
![Page 28: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/28.jpg)
Smarter Hardware
![Page 29: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/29.jpg)
Smarter Hardware
authorize a new device by having an existing device talk to it via a cryptographic protocol
![Page 30: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/30.jpg)
Smarter Hardware
authorize a new device by having an existing device talk to it via a cryptographic protocol
?
![Page 31: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/31.jpg)
Smarter Hardware
U2F (Universal Second Factor)
Open ecosystem of small robust “keychain devices”
FIDO Alliance
http://www.fidoalliance.org
![Page 32: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/32.jpg)
OAuth & JOSE @ BlueButton+
Justin Richer, MITRE
Actual title was “Blue Button and Patient Health Records using OAuth, JOSE”
Reference
http://blue-button.github.io/blue-button-plus-pull/
Concept
OAuth 2.0 Dynamic Client Registration use-case
“Trusted Registration”
![Page 33: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/33.jpg)
BlueButton
ref) http://www.healthit.gov/patients-families/blue-button/about-blue-button
“Blue Button” is a way for you to get easy, secure online access to your health information....America’s health care system is rapidly going digital, and health care providers, insurance companies and others are starting to give patients and consumers access to their health information electronically through “Blue Button”.
![Page 34: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/34.jpg)
BlueButton+ Pull API
OAuth2 API for RESTful access to patient data and bootstrapping DIRECT-based information exchange
ref) http://blue-button.github.io/blue-button-plus-pull/
![Page 35: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/35.jpg)
[Diagram: the four parties, Registry, AuthZ & Resource Server, Resource Owner, Client]
![Page 36: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/36.jpg)
Client “class” and “instance”
“class” is registered to the registry
Registration method is out of scope (e.g. manual)
Establish “registration_jwt” as a JWT Bearer token
“instance” is dynamically registered to the authorization server
OAuth 2.0 Dynamic Client Registration
“registration_jwt” token for “Trusted Registration”
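Added example, not code from the IIW talks, AOL, MITRE or the Blue Button+ project: a toy authorization server that shows two ideas from this report with one minimal HS256 JWT helper. First, the "websso" down-scoping from George Fletcher's talk: the native app refreshes its grant asking for the narrower scope "openid websso", receives a short-lived ID Token, and the browser-facing endpoint accepts that token once to start a session without a login. Second, the "registration_jwt" trusted registration from this slide: the registry signs a JWT for a client class, a client instance presents it in its dynamic registration request, and the AS admits the instance only after verifying the JWT and checking that the instance's metadata stays within what the class was trusted for. Assumptions: HS256 with a key shared between the parties stands in for the registry's published public keys; the issuer names, the AS's own issuer as ID Token audience, the 60-second ID Token lifetime and the claim names beyond the standard ones (`scope`, `redirect_uris`) are illustrative, and the token stores are constructed in memory.

```python
"""Toy AS: 'websso' down-scoping via refresh, and 'registration_jwt' trusted
registration. Added example; HS256 with shared keys is a stand-in for the
registry's published public keys (assumption)."""
import base64, hashlib, hmac, json, secrets, time

def _b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64url(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_sign(claims, key):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_verify(token, key, issuer, audience, now=None):
    """Check alg, signature, iss, aud and exp; any failure raises ValueError."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256": raise ValueError("alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)): raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("iss") != issuer or claims.get("aud") != audience: raise ValueError("iss/aud")
    if claims.get("exp", 0) <= (now or time.time()): raise ValueError("expired")
    return claims

AS_ISSUER = "https://as.example"               # assumed names and keys
AS_KEY = b"as-signing-key"
REGISTRY_ISSUER = "https://registry.example"
REGISTRY_KEY = b"registry-to-as-shared-key"

# ---- (1) websso: down-scope via token refresh, hand the ID Token to the browser ----
REFRESH_TOKENS = {}   # constructed store: refresh_token -> (subject, granted scopes)
USED_JTI = set()      # websso ID Tokens are single use

def grant(subject, scopes):
    rt = secrets.token_urlsafe(24)
    REFRESH_TOKENS[rt] = (subject, frozenset(scopes))
    return rt

def refresh(refresh_token, scope=None, now=None):
    """refresh_token grant; the requested scope must be a subset of the original
    grant (RFC 6749 section 6), which is what makes down-scoping safe."""
    if refresh_token not in REFRESH_TOKENS: raise ValueError("invalid_grant")
    subject, granted = REFRESH_TOKENS[refresh_token]
    requested = frozenset(scope.split()) if scope else granted
    if not requested <= granted: raise ValueError("invalid_scope")
    now = now or time.time()
    resp = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "scope": " ".join(sorted(requested))}
    if "openid" in requested:
        # short-lived ID Token carrying the (narrowed) scope it was issued for
        resp["id_token"] = jwt_sign({"iss": AS_ISSUER, "sub": subject, "aud": AS_ISSUER,
                                     "iat": now, "exp": now + 60, "jti": secrets.token_hex(8),
                                     "scope": resp["scope"]}, AS_KEY)
    return resp

def browser_sso(id_token, now=None):
    """Browser-facing endpoint: accept a websso ID Token once, start a session, skip login."""
    claims = jwt_verify(id_token, AS_KEY, AS_ISSUER, AS_ISSUER, now)
    if "websso" not in claims["scope"].split(): raise ValueError("not a websso token")
    if claims["jti"] in USED_JTI: raise ValueError("replayed")
    USED_JTI.add(claims["jti"])
    return {"session_for": claims["sub"]}

# ---- (2) registration_jwt: class trusted by the registry, instance registered at the AS ----
CLIENTS = {}   # constructed store: client_id -> instance metadata

def registry_issue_registration_jwt(software_id, redirect_uris, now=None):
    """Registry side. How the class got into the registry is out of scope (e.g. manual);
    this is the JWT Bearer token the class is handed for its instances."""
    now = now or time.time()
    return jwt_sign({"iss": REGISTRY_ISSUER, "sub": software_id, "aud": AS_ISSUER,
                     "iat": now, "exp": now + 30 * 24 * 3600,
                     "redirect_uris": redirect_uris}, REGISTRY_KEY)

def register_instance(request, now=None):
    """AS side of Dynamic Client Registration with a registration_jwt in the request."""
    claims = jwt_verify(request["registration_jwt"], REGISTRY_KEY, REGISTRY_ISSUER, AS_ISSUER, now)
    # an instance may only narrow, never widen, what the class was trusted for
    uris = request.get("redirect_uris", claims["redirect_uris"])
    for uri in uris:
        if uri not in claims["redirect_uris"]: raise ValueError("redirect_uri not trusted for class")
    client_id = secrets.token_urlsafe(12)
    CLIENTS[client_id] = {"software_id": claims["sub"], "redirect_uris": uris,
                          "client_secret": secrets.token_urlsafe(24)}
    return client_id
```

The two checks worth copying are the subset test in `refresh` (a refresh may never widen scope, so a stolen refresh token cannot be upgraded into a websso handoff the original grant did not include) and the `jti` replay guard in `browser_sso` (a websso ID Token is a bearer artifact crossing from app to browser, so it must be short-lived and consumed exactly once). In `register_instance`, a valid registry signature alone is not enough; the instance's own metadata is compared against the class's trusted values before a `client_id` is minted.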
![Page 37: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/37.jpg)
[Diagram: the Client "class" is registered, with trust, at the Registry; the Client "instance" registers at the AuthZ & Resource Server; the Resource Owner sits between them]
![Page 38: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/38.jpg)
Discovery
Registry Discovery @ Registry
Get Registry Endpoints, Public Keys etc.
Providers Discovery @ Registry
Get Trusted Providers List
Provider Discovery @ Provider
Get Single Provider Metadata
Apps Discovery @ Registry
Get Trusted Apps List
![Page 39: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/39.jpg)
[Diagram: the Client performs Discovery at the Registry (Registry Metadata, Trusted Providers, Trusted Apps) and at the AuthZ & Resource Server (Provider Metadata); the Resource Owner sits between them]
![Page 40: IIW 16th Report at #idcon](https://reader034.vdocuments.net/reader034/viewer/2022051209/54920e6eac795920288b468e/html5/thumbnails/40.jpg)
[appendix]
Push Authorization
http://blue-button.github.io/blue-button-plus-pull/#push-authorization