OpenID Connect Update and Discussion
Mountain View Summit – September 12, 2011
Mike Jones – Microsoft
John Bradley – Independent
Nat Sakimura – Nomura Research Institute
Working Together
OpenID Connect
Presentation Overview
• Recent Timeline
• OpenID Connect Design Criteria
• OpenID Connect Overview
• Developer Feedback Incorporated
• Next Steps
• Resources
• Open Discussion
Recent Timeline
• Weekly spec calls began, January 2011
• Open issues closed at IIW, May 2011
• Result branded “OpenID Connect”, May 2011
• Developer feedback, May 2011 to present
• Functionally complete specs, July 2011
• Formal issue tracking began, July 2011
• Interop testing, September 2011
• Simpler specs published incorporating developer feedback, September 2011
Design Criteria
Easy Things Easy
Harder Things Possible
Modular Design
Easy Things Easy
Standard UserInfo for Simple “Connect” Ability
Designed to Work Well on Mobile Phones
How We Make It Easy
• Build on OAuth 2.0
• Use JavaScript Object Notation (JSON) data structures
• Build only the functionality that you need
• Goal: Easy implementation on all modern web platforms
Harder Things Possible
Claims Aggregation
Distributed Claims
Encrypted Claims
Connect Overview
Basic Client Profile
• Single, simple, self-contained client spec
• All you need for a web-based RP utilizing a pre-configured set of OPs
• http://openid.net/specs/openid-connect-basic-1_0.html
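The Basic Client Profile exists so that a web RP with one pre-configured OP can be written with very little code. What that little code must still get right is the check of the ID token it receives: signature, issuer, audience, expiry and nonce. The following is an added example of that RP-side check, not code from the slides or from the OpenID Foundation; it follows the ID token validation rules of the later finalized OpenID Connect Core 1.0 rather than the September 2011 draft, uses HS256 keyed with the client secret (one of the options the spec allows for a pre-configured client) instead of a fetched OP key, and uses only the Python standard library. The issuer, client ID, client secret and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed RP configuration for a single pre-configured OP (all values hypothetical).
RP_CLIENT_ID = "rp.example.org"
RP_CLIENT_SECRET = b"constructed-client-secret-for-the-example-only"
OP_ISSUER = "https://op.example.com"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT as the OP would. Present only to construct
    input for the RP-side check below; an RP never signs ID tokens itself."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """RP-side validation of an ID token from the pre-configured OP.
    Returns the claims when every check passes, otherwise raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The RP fixes the algorithm from its own configuration; the token does not
    # get to choose, so "none" or any unexpected alg is rejected before anything else.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(RP_CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != OP_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if RP_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    # The nonce binds the token to the RP's own authentication request; a
    # mismatch means a replayed or injected token.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def id_token_error(token: str, expected_nonce: str, now: Optional[float] = None) -> str:
    """Convenience wrapper: the failure reason, or "" when the token is valid."""
    try:
        validate_id_token(token, expected_nonce, now)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample claims with a fixed clock so the run is reproducible.
    sample = {"iss": OP_ISSUER, "sub": "248289761001", "aud": RP_CLIENT_ID,
              "exp": 1_700_000_600, "iat": 1_700_000_000, "nonce": "n-0S6_WzA2Mj"}
    token = make_id_token(sample, RP_CLIENT_SECRET)
    print("valid:", id_token_error(token, "n-0S6_WzA2Mj", now=1_700_000_100) == "")
    print("replayed nonce:", id_token_error(token, "other-nonce", now=1_700_000_100))
    print("expired:", id_token_error(token, "n-0S6_WzA2Mj", now=1_700_001_000))
```

The order of the checks is deliberate: the algorithm is pinned and the signature verified before any claim is read, so nothing in an unauthenticated payload influences the RP's decisions, and `hmac.compare_digest` keeps the signature comparison constant-time.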
Discovery & Registration
• Enables dynamic configurations in which sets of OPs and RPs are not pre-configured
  – Necessary for “open” deployments
• Discovery enables RPs to learn about OP endpoints
• Registration enables RPs to use OPs they are not pre-registered with
• http://openid.net/specs/openid-connect-discovery-1_0.html
• http://openid.net/specs/openid-connect-registration-1_0.html
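In an open deployment the RP has never seen the OP before, so everything it learns about the OP's endpoints comes from the discovery document, and everything the OP learns about the RP comes from the registration request. The example below is added here and is not code from the slides or from the specifications; it shows the RP side of that exchange as later standardized (the `/.well-known/openid-configuration` document and the `registration_endpoint` of the final Discovery and Registration specs, rather than the SWD-based discovery of the 2011 drafts). The issuer, endpoint URLs and metadata document are constructed for the example, and the checks it performs (the issuer named inside the metadata must equal the issuer the RP asked about, endpoints must be https, redirect URIs must be https without fragments) are the ones an RP needs before trusting a dynamically discovered OP.

```python
import json
from urllib.parse import urlsplit

# Constructed OP metadata for a hypothetical issuer, in the JSON shape of the
# finalized OpenID Connect Discovery 1.0 document.
SAMPLE_ISSUER = "https://op.example.com"
SAMPLE_METADATA_JSON = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "token_endpoint": "https://op.example.com/token",
    "userinfo_endpoint": "https://op.example.com/userinfo",
    "jwks_uri": "https://op.example.com/jwks.json",
    "registration_endpoint": "https://op.example.com/register",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public", "pairwise"],
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def configuration_url(issuer: str) -> str:
    """Where the RP fetches the OP's metadata: the issuer URL with
    /.well-known/openid-configuration appended (any issuer path is preserved)."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _require_https(name: str, url: str) -> None:
    if urlsplit(url).scheme != "https":
        raise ValueError(f"{name} must use https: {url}")


def validate_metadata(expected_issuer: str, document: str) -> dict:
    """Parse the fetched metadata and refuse it unless it is self-consistent.
    The issuer inside the document must equal the issuer the RP asked for, so a
    host serving metadata that names a different OP cannot be accepted as that OP."""
    meta = json.loads(document)
    if meta.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {meta.get('issuer')!r} != {expected_issuer!r}")
    for name in REQUIRED_ENDPOINTS:
        if name not in meta:
            raise ValueError(f"metadata lacks {name}")
        _require_https(name, meta[name])
    for name in ("userinfo_endpoint", "registration_endpoint"):
        if name in meta:
            _require_https(name, meta[name])
    if "code" not in meta.get("response_types_supported", []):
        raise ValueError("OP does not support the code flow this RP uses")
    return meta


def registration_request(meta: dict, redirect_uris: list) -> dict:
    """Body the RP would POST to registration_endpoint of an OP it has no prior
    relationship with. The redirect URIs are what the OP binds the new client
    to, so they are checked before they are sent."""
    if "registration_endpoint" not in meta:
        raise ValueError("OP does not offer dynamic registration")
    for uri in redirect_uris:
        _require_https("redirect_uri", uri)
        if urlsplit(uri).fragment:
            raise ValueError("redirect_uri must not contain a fragment")
    return {
        "redirect_uris": redirect_uris,
        "response_types": ["code"],
        "token_endpoint_auth_method": "client_secret_basic",
    }


if __name__ == "__main__":
    print(configuration_url(SAMPLE_ISSUER))
    meta = validate_metadata(SAMPLE_ISSUER, SAMPLE_METADATA_JSON)
    print(json.dumps(registration_request(meta, ["https://rp.example.org/cb"]), indent=2))
```

In a real deployment the document would be fetched over TLS from the URL that `configuration_url` returns; the fetch is left out so the example runs offline, but the validation applied to the fetched bytes is exactly `validate_metadata`.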
Messages & Standard
• Messages spec defines data formats exchanged in OpenID Connect messages
• Standard spec is HTTP binding for Messages
• (Basic is profile of Messages and Standard)
• Needed for OPs, native client apps, and RPs needing functionality not in Basic
  – E.g., claims not in default UserInfo set
• http://openid.net/specs/openid-connect-messages-1_0.html
• http://openid.net/specs/openid-connect-standard-1_0.html
Session Management
• For OPs and RPs needing session management capabilities
• Example capability: Logout
• http://openid.net/specs/openid-connect-session-1_0.html
Underpinnings
• OAuth 2.0 family of specs
  – OAuth 2.0 core
  – OAuth 2.0 bearer
• JWT family of specs
  – JSON Web Token (JWT)
  – JSON Web Signature (JWS)
  – JSON Web Encryption (JWE)
  – JSON Web Key (JWK)
• Simple Web Discovery (SWD)
Developer Feedback Incorporated
• Asked for simpler, more modular specs
  – Basic Client spec a direct result of this feedback
  – Messages and Standard also a simpler factoring
• Asked for UserInfo schema to be more like Facebook Connect
  – Changed spelling of claim names from camelCase to lowercase_with_underscores
  – Changed from Portable Contacts schema to current one
• Asked for more meaningful JSON identifiers
  – Changed OpenID identifiers to be full words, e.g.:
    • “idt” -> “id_token”
    • “loc” -> “locale”
• Dozens of corrections and clarifications
Connect Next Steps
• Discuss and close open issues at this Summit
  – Including those arising from interop work!
• Incorporate resolutions into specs
• Membership vote on Implementers Drafts
• Deployments
• Incorporate feedback arising from deployments
• Membership vote on Final Specifications
• Other Connect-related work happening in parallel
Resources
• OpenID Connect Page
  – http://openid.net/connect/
• Artifact Binding Working Group Mailing List
  – http://lists.openid.net/mailman/listinfo/openid-specs-ab
• OpenID Connect Interop Mailing List
  – http://groups.google.com/group/openid-connect-interop
• Mike Jones’ Blog
  – http://self-issued.info/
Open Discussion
Taking full advantage of us all being here!
Backup Slides
Connect Capabilities
• Dynamic Clients
• Mobile Support
• UserInfo Endpoint
• Simple RPs
• Session Management
• OAuth 2 Integration
• Use of JWTs and JSON data structures
• Single Logout
• Aggregated and Distributed Claims
• Encrypted Claims
Claims Aggregation
[Diagram: two Data Sources, an IdP and a Relying Party; label: Signed Claims]
Distributed Claims
[Diagram: three Data Sources, an IdP and a Relying Party; labels: Permission, Signed Claims]
Better scalability, etc.
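The two diagrams above differ in who hands the RP the signed claims: with aggregation the IdP embeds claims signed by each data source in its own response, with distribution it hands the RP a reference (an endpoint plus an access token) and the RP fetches the claims itself. In the finalized OpenID Connect Core 1.0 both appear in the same response under `_claim_names` and `_claim_sources`. The code below is an added example of an RP sorting such a response into direct, aggregated and distributed claims; it is not code from the slides or the specification, and the UserInfo response, issuer, endpoint and token values are constructed. Aggregated claims arrive as a JWT signed by the data source, so the example only routes them (which issuer's key must verify which claims) and marks them unverified; the embedded JWT is an unsigned stand-in so that the parser has something to read offline.

```python
import base64
import json
from urllib.parse import urlsplit


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed stand-in for the JWT a claims provider would sign (empty signature,
# so it would never pass verification; it exists only to exercise the parser).
_AGGREGATED_JWT = ".".join([
    _b64url_encode(b'{"alg":"none"}'),
    _b64url_encode(json.dumps({
        "iss": "https://registry.example.net", "sub": "248289761001",
        "address": {"locality": "Springfield"}, "phone_number": "+1 555 0100",
    }).encode()),
    "",
])

# Constructed UserInfo response mixing direct, aggregated and distributed claims.
SAMPLE_USERINFO = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "_claim_names": {"address": "registry", "phone_number": "registry", "credit_score": "bank"},
    "_claim_sources": {
        "registry": {"JWT": _AGGREGATED_JWT},
        "bank": {"endpoint": "https://bank.example.com/claims", "access_token": "ksj3n283dke"},
    },
}


def _unverified_payload(jwt: str) -> dict:
    """Read a JWT payload for routing only; nothing here is trusted until the
    caller has verified the signature against the named issuer's key."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("aggregated claim source is not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def plan_claim_resolution(userinfo: dict) -> dict:
    """Split a UserInfo response into claims delivered directly, aggregated
    claims (a JWT from another issuer, to be verified with that issuer's key)
    and distributed claims (an endpoint the RP must call with the given token).
    Raises ValueError on a response that is internally inconsistent."""
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    direct = {k: v for k, v in userinfo.items() if k not in ("_claim_names", "_claim_sources")}
    plan = {"direct": direct, "aggregated": {}, "distributed": {}}
    payloads = {}
    for claim, source_id in names.items():
        if claim in direct:
            raise ValueError(f"claim {claim!r} is both inline and referenced")
        src = sources.get(source_id)
        if src is None:
            raise ValueError(f"claim {claim!r} references unknown source {source_id!r}")
        if "JWT" in src:
            if source_id not in payloads:
                payload = _unverified_payload(src["JWT"])
                # A provider asserting claims about some other subject must not be
                # merged into this user's profile, signature or not.
                if "sub" in payload and payload["sub"] != userinfo.get("sub"):
                    raise ValueError(f"source {source_id!r} asserts claims about a different subject")
                payloads[source_id] = payload
                plan["aggregated"][source_id] = {
                    "issuer": payload.get("iss"), "jwt": src["JWT"], "claims": [], "verified": False,
                }
            if claim not in payloads[source_id]:
                raise ValueError(f"source {source_id!r} does not carry claim {claim!r}")
            plan["aggregated"][source_id]["claims"].append(claim)
        elif "endpoint" in src:
            if urlsplit(src["endpoint"]).scheme != "https":
                raise ValueError(f"distributed claim endpoint must use https: {src['endpoint']}")
            entry = plan["distributed"].setdefault(source_id, {
                "endpoint": src["endpoint"], "access_token": src.get("access_token"), "claims": [],
            })
            entry["claims"].append(claim)
        else:
            raise ValueError(f"source {source_id!r} has neither JWT nor endpoint")
    return plan


if __name__ == "__main__":
    print(json.dumps(plan_claim_resolution(SAMPLE_USERINFO), indent=2))
```

The plan is the RP's work list: aggregated entries are verified with the key of the issuer they name (discovered the same way the OP's own key is) before any of their claim values are used, and distributed entries are fetched from their endpoint with the supplied access token, which is why the example rejects a plain-http endpoint before the RP would send that token anywhere.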
Working Group Participants
• Key working group participants:
  – Nat Sakimura – Nomura Research Institute – Japan
  – John Bradley – Independent – Chile
  – Breno de Medeiros – Google – US
  – Paul Tarjan – Facebook – US
  – Axel Nennker – Deutsche Telekom – Germany
  – Kick Willemse – Independent – Netherlands
  – Chuck Mortimore – Salesforce – US
  – Mike Jones – Microsoft – US
• By no means an exhaustive list!