OIDF fed Virt WS - OpenID
Transcript of OIDF fed Virt WS - OpenID
Roland Hedberg, 28 October 2020
OIDC federations
What we’re not trying to solve
• One RP to one OP
• One RP to many OPs
• Many RPs to one OP
What we do want to solve
• Many RPs to many OPs (multilateral federation)
What the OIDC federation specification adds
• Entity statements
• Trusted 3rd party (trust anchor)
• Trust chains
• Explicit/automatic client registration
• Metadata policies
Entity statement
An entity statement is a JSON Web Token with these claims:
• iss
• sub
• iat
• exp
• aud
• authority_hints
• jwks
• metadata
• metadata_policy
• constraints
• crit
• policy_crit
Federation structure
• A federation can be shallow (leaf entity immediately below the trust anchor) or deep (one or more intermediates between the leaf entity and the trust anchor).
Trust Chain Collection
1. Start with a self-signed entity statement about an entity.
2. Use the authority_hints in the entity statement to find superiors.
3. Ask the superiors for their information about the issuer of the entity statement, in the format of an entity statement.
4. If the superior is the trust anchor: BREAK
5. GOTO 2
Trust Chain Verification
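Added example, not from the slides: the collection loop (steps 1 to 5 above) and the verification pass over the collected chain, run against a constructed in-memory federation (RP below intermediate ORG1 below trust anchor FO; all entity ids, key ids and the fetch() stand-in are assumed). Entity statements are plain dicts in decoded-JWT shape, and the JWS signature check is modelled as "the kid that signed the statement is in the key set the verifier currently trusts"; a real implementation verifies the JWS with that key.

```python
import time

NOW = int(time.time())

def es(iss, sub, kid, keys, hints=(), exp=NOW + 3600, **extra):
    """Constructed entity statement in decoded-JWT shape; _kid records
    which key signed it (stand-in for the JWS header kid)."""
    return dict(iss=iss, sub=sub, iat=NOW, exp=exp, jwks={"keys": keys},
                authority_hints=list(hints), _kid=kid, **extra)

# Constructed federation: leaf RP below intermediate ORG1 below anchor FO.
RP, ORG1, FO = "https://rp.example", "https://org1.example", "https://fo.example"
FEDERATION = {
    (RP, RP): es(RP, RP, "rp-k1", ["rp-k1"], hints=[ORG1],
                 metadata={"openid_relying_party": {"redirect_uris": ["https://rp.example/cb"]}}),
    (ORG1, ORG1): es(ORG1, ORG1, "org1-k1", ["org1-k1"], hints=[FO]),
    (ORG1, RP): es(ORG1, RP, "org1-k1", ["rp-k1"]),    # ORG1's statement about RP
    (FO, ORG1): es(FO, ORG1, "fo-k1", ["org1-k1"]),    # FO's statement about ORG1
}
TRUST_ANCHORS = {FO: ["fo-k1"]}  # anchor keys are configured out of band

def fetch(iss, sub):
    """Stand-in for asking iss for its entity statement about sub."""
    return FEDERATION.get((iss, sub))

def collect_chain(entity_id):
    """Steps 1-5 from the slides: follow authority_hints up to an anchor."""
    chain = [fetch(entity_id, entity_id)]           # 1. self-signed statement
    while True:
        current = chain[-1]["iss"]
        for sup in fetch(current, current)["authority_hints"]:   # 2. superiors
            stmt = fetch(sup, current)                            # 3. ask superior
            if stmt is not None:
                chain.append(stmt)
                break
        else:
            raise ValueError(f"no superior statement about {current}")
        if sup in TRUST_ANCHORS:                                  # 4. anchor: stop
            return chain                                          # 5. else loop

def verify_chain(chain):
    """Verify from the anchor down: issuer linkage, expiry, key continuity."""
    keys, expected_iss = TRUST_ANCHORS.get(chain[-1]["iss"], []), chain[-1]["iss"]
    for stmt in reversed(chain):
        if stmt["iss"] != expected_iss or stmt["exp"] <= NOW or stmt["_kid"] not in keys:
            return False
        keys, expected_iss = stmt["jwks"]["keys"], stmt["sub"]   # keys for next hop
    return chain[0]["iss"] == chain[0]["sub"]                     # ends at the leaf
```

The key continuity check is the part that matters: each statement's jwks is what vouches for the next statement down, so a statement signed with a key the superior never listed, or an expired hop, fails the whole chain.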
Explicit client registration
• Like OIDC core dynamic client registration but with entity statements instead of metadata.
• Both the request (metadata) and the response (metadata_policy) use entity statements.
Automatic client registration
• First message sent from the RP to the OP is an authentication request (not counting the provider information discovery).
• The authentication request contains a request object by value, by reference or by using PAR.
• The client_id in the authentication request is the RP’s entity_id.
• Using the entity_id the OP can fetch and verify the RP’s metadata as described earlier.
• Once it has the RP’s metadata it can verify the signature of the request object.
Interoperability testing 1&2: setup
(Diagram) Federation tree with FO at the top, ORG1 and ORG2 on the next level, and the leaf entities RPe, RPa, OPidpy, OPshib and OPc2id below them; the exact edges are only in the slide image.
Interoperability testing - OPs
RP used = oidcrp
OPs tested: IdPy, C2ID, Shibboleth
Features tested against each OP (the result marks are only in the slide image):
• Entity statements
• Trust chain collection
• Trust chain validation
• Explicit client registration
• Automatic client registration
• Metadata policies