Roland Hedberg, Umeå University
All you need to know about OpenID Connect, with concrete examples and hands-on demos that illustrate how OpenID Connect can be used in web and mobile scenarios.
3. ❖ The OAuth 2.0 authorization framework enables a
third-party application to obtain limited access to an
HTTP service, !
❖ either on behalf of a resource owner by orchestrating
an approval interaction between the resource owner
and the HTTP service, !
❖ or by allowing the third-party application to obtain
access on its own behalf.
15. Resource Access - details
Authorization Server
Resource Server
Client
Resource request/response
GET!
https://example.com/resource!
!
Header:!
! Authorization: ’Bearer s87BT60pp2UbNX2HnkWpfPfWNo9Gi7chACuWoa2IDND’!
16. The whole
Authorization Server
Resource Server
Client
Authorization request
Authorization Server
Resource Server
Client
Authorization response
Authorization Server
Resource Server
Client
Access token request
Authorization Server
Resource Server
Client
Access token response
Authorization Server
Resource Server
Client
Resource request/response
Authorization Server
Resource Server
Client
AUTHENTICATION HAPPENS
&
End-user consent/authorization
18. Implicit grant
Authorization Server
Resource Server
Client
Authorization request
Authorization Server
Resource Server
Client
Resource request/response
Authorization Server
Resource Server
Client
Authorization response
Authorization Server
Resource Server
Client
AUTHENTICATION HAPPENS
&
End-user consent/authorization
19. Resource Owner Password Credentials Grant
&
Client Credentials Grant
Authorization Server
Resource Server
Client
Access token request
Authorization Server
Resource Server
Client
Access token response
Authorization Server
Resource Server
Client
Resource request/response
21. ❖ OpenID Connect 1.0 is a simple identity layer on top of
the OAuth 2.0 protocol. !
❖ It enables Clients to verify the identity of the End-User
based on the authentication performed by an
Authorization Server, as well as to obtain basic profile
information about the End-User in an interoperable and
REST-like manner.
22. The differences
❖ Only authorization grant and implicit grant flows!
❖ Dynamic provider discovery and client registration!
❖ ID Token!
❖ Additions/Clarifications/Constrictions!
❖ UserInfo endpoint
33. Client registration response
❖ client_id!
❖ possibly client_secret and if so client_secret_experies_at!
❖ and the Authorization servers view of things
34. An Authorization Server
❖ MAY add fields the client didn’t include.!
❖ MAY reject or replace any of the Client's requested field
values and substitute them with suitable values.!
❖ MAY ignore values provided by the client, and MUST
ignore any fields sent by the Client that it does not
understand.
35. A Client can not
❖ modify a registration!
❖ delete a registration
38. JWT
❖ Jason Web Token!
❖ a compact URL-safe means of representing claims to be
transferred between two parties!
❖ Suggested pronunciation: ’jot’
39. JWS
represents content secured with digital signatures or
Message Authentication Codes (MACs) using JavaScript
Object Notation (JSON) based data structures.
JWE
represents encrypted content using JavaScript Object
Notation (JSON) based data structures.
40. JWK
a JavaScript Object Notation (JSON) data structure that
represents a cryptographic key
JWA
registers cryptographic algorithms and identifiers to be
used with the JSON Web Signature(JWS), JSON Web
Encryption (JWE), and JSON Web Key (JWK) specifications
41. ID Token
❖a security token that contains Claims about the
Authentication of an End-User by an Authorization
Server when using a Client, and potentially other
requested Claims. !
❖is represented as a JSON Web Token (JWT)
42. ID Token claims -required
❖ iss - Issuer Identifier for the Issuer of the response!
❖ sub - Subject Identifier!
❖ aud - Intended audience!
❖ exp - Expiration time!
❖ iat - Issued at!
❖ auth_time - Authentication time!
❖ nonce
43. ID Token claims - optional
❖ acr - Authentication Context Class Reference!
❖ amr - Authentication Method References!
❖ azp - Authorized party
48. End-user interactions
❖ display - How to display pages to End-User!
❖ prompt - If the End-User should be prompted for re-authentication/
consent!
❖ max_age - allowed max time since last authentication!
❖ ui_locales - End-User’s preferred languages and scripts!
❖ id_token_hint - ID Token previously issued !
❖ login_hint - login identifier the End-User might want to use!
❖ acr_values - requested Authentication Context Class Reference
values