@nov

Identity in Your Device

OS, Browser, Mobile Apps

Self-Issued OpenID Provider

Personal OP that issues self-signed ID Tokens

No central IdP servers

Defined in OpenID Connect Messages

http://j.mp/self-issued

Available any apps / devices with secure strage

e.g. iOS app with Keychain

1) Launches “openid://?client_id=client://callback&..”

No discovery (static OP config)

No client registration (client_id = redirect_uri)

2) End-user approval

3) Self-issued ID Token generation

Generate RSA key pair on the device (only once)

“sub” is automatically calculated by the public key

4) Back to “client://callback#id_token=...”

No API available, thus No Access Token

5) ID Token Verification

Static OP Config

The sub (subject) Claim value isthe base64url encoded SHA-256 hash of

the concatenation of the bytes ofthe UTF-8 representations of

the base64url encoded key valuesin the sub_jwk Claim.

OpenID Connect Messagesdra,18 Section 6.5

JWK - JSON Web Key

“sub” calculated from JWK

Hash of them

Self-Issued ID Token

Device specific key pair↓

Device specific ID Token

No verified emailsNo verified profile

Holder of Key

twitter.com/nov

slideshare.net/matake

github.com/nov