Post on 24-May-2015
@nov
Identity in Your Device
OS, Browser, Mobile Apps
Self-Issued OpenID Provider
Personal OP that issues self-signed ID Tokens
No central IdP servers
Defined in OpenID Connect Messages (now OpenID Connect Core 1.0, Section 7)
http://j.mp/self-issued
Available to any app / device with secure storage
e.g. iOS app with Keychain
1) Launches “openid://?client_id=client://callback&..”
No discovery (static OP config)
No client registration (client_id = redirect_uri)
2) End-user approval
3) Self-issued ID Token generation
Generate RSA key pair on the device (only once)
“sub” is derived automatically from the public key (no IdP assigns it)
4) Back to “client://callback#id_token=...”
No API behind a personal OP, thus no Access Token (the ID Token is the whole result)
5) ID Token Verification
Static OP Config
The sub (subject) Claim value is the base64url encoded SHA-256 hash of
the concatenation of the bytes of the UTF-8 representations of
the base64url encoded key values in the sub_jwk Claim.
OpenID Connect Messages draft 18, Section 6.5
(The final OpenID Connect Core 1.0 spec, Section 7, replaces this wording with the JWK Thumbprint of the sub_jwk key, RFC 7638: canonical JSON of the key's required members, SHA-256, base64url.)
JWK - JSON Web Key
“sub” is calculated from the JWK in sub_jwk: a hash over its key values
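The five steps above and the sub derivation, as an added worked example (this is not code from the slides or from @nov): both sides of the exchange in Go with only the standard library. The device side generates its RSA key pair, issues an RS256-signed ID Token carrying the public key in sub_jwk and sub set to that key's hash, and hands it back as a fragment; the client side verifies it against a static OP config and never fetches a key. Assumptions not on the slides: sub is computed as the RFC 7638 JWK Thumbprint that the final OpenID Connect Core 1.0 spec adopted, rather than by the draft-18 concatenation wording quoted above; the client_id `client://callback`, the nonce value, the 10-minute lifetime and the 2048-bit minimum modulus are constructed sample values and policy choices of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const selfIssuedIssuer = "https://self-issued.me" // fixed iss of every Self-Issued OP: the RP pins it, no discovery
var b64 = base64.RawURLEncoding                   // JWS and JWK use unpadded base64url

// rsaJWK is the public key carried in the sub_jwk claim (RFC 7517/7518).
type rsaJWK struct {
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// claims of a self-issued ID Token: it binds sub to a key and asserts nothing else.
type claims struct {
	Iss    string `json:"iss"`
	Sub    string `json:"sub"`
	Aud    string `json:"aud"`
	Exp    int64  `json:"exp"`
	Nonce  string `json:"nonce"`
	SubJWK rsaJWK `json:"sub_jwk"`
}

// subFromJWK is the RFC 7638 JWK Thumbprint: required members (e, kty, n) in lexicographic
// order, no whitespace, SHA-256, base64url. Same key, same sub, on any RP, with no registry.
func subFromJWK(k rsaJWK) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"e":"%s","kty":"%s","n":"%s"}`, k.E, k.Kty, k.N)))
	return b64.EncodeToString(sum[:])
}

// issueIDToken is the OP side (steps 2-4): the device signs with its own key, public half in sub_jwk.
func issueIDToken(priv *rsa.PrivateKey, clientID, nonce string, now time.Time) (string, error) {
	jwk := rsaJWK{Kty: "RSA", N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	body, _ := json.Marshal(claims{Iss: selfIssuedIssuer, Sub: subFromJWK(jwk), Aud: clientID,
		Exp: now.Add(10 * time.Minute).Unix(), Nonce: nonce, SubJWK: jwk}) // 10 min: assumed policy
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyIDToken is the RP side (step 5). The signing key arrives inside the token, so sub only
// means something if: alg pinned, sub == thumbprint(sub_jwk), signature valid under sub_jwk,
// and iss/aud/nonce/exp match this request.
func verifyIDToken(token, clientID, nonce string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	hdrB, e1 := b64.DecodeString(parts[0])
	bodyB, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	var c claims
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrB, &hdr) != nil || json.Unmarshal(bodyB, &c) != nil ||
		hdr.Alg != "RS256" { // never let the token choose its own alg (none, HS256)
		return nil, errors.New("undecodable JWS or alg is not RS256")
	}
	if c.SubJWK.Kty != "RSA" || subFromJWK(c.SubJWK) != c.Sub {
		return nil, errors.New("sub is not the thumbprint of sub_jwk")
	}
	nB, e1 := b64.DecodeString(c.SubJWK.N)
	eB, e2 := b64.DecodeString(c.SubJWK.E)
	n, e := new(big.Int).SetBytes(nB), new(big.Int).SetBytes(eB)
	if e1 != nil || e2 != nil || n.BitLen() < 2048 || e.BitLen() > 31 {
		return nil, errors.New("weak or malformed RSA key") // assumed policy: modulus >= 2048 bits
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(&rsa.PublicKey{N: n, E: int(e.Int64())}, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	if c.Iss != selfIssuedIssuer || c.Aud != clientID || c.Nonce != nonce || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("iss/aud/nonce/exp do not match this request")
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // step 3: generated once, kept in the Keychain
	tok, _ := issueIDToken(priv, "client://callback", "n-0S6_WzA2Mj", time.Now()) // constructed request
	fmt.Println("client://callback#id_token=" + tok) // step 4: fragment response, no access token
	fmt.Println(verifyIDToken(tok, "client://callback", "n-0S6_WzA2Mj", time.Now())) // step 5
}
```

The order inside verifyIDToken is the point: alg is pinned before anything is trusted, sub is recomputed from sub_jwk before that key is used, and the key is checked for size before it verifies the signature. Because the RP never fetches a key, an attacker who forges a token under their own key necessarily produces a different sub, which is exactly what "holder of key" buys you here and why the same key pair yields the same sub at every RP.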
Self-Issued ID Token
Device-specific key pair
↓
Device-specific ID Token (the same user on a second device gets a different sub)
No verified email
No verified profile
Holder of Key
twitter.com/nov
slideshare.net/matake
github.com/nov