This presentation provides a brief community update on the status of the Swiss edu-ID Mobile App project, given at the 2017 SWITCH edu-ID information workshop on 29 June 2017 at the University of Berne.
It presents the use cases directly covered by the project as well as the reference architecture, and provides links to the different resources related to the project.
3. Authorization is about Trust
Diagram of trust domains. Organization Trusted: Service Federation. User & App Store Trusted: Mobile Device. Untrusted: Internet. Further label: Personal Data.
@phish108 @htwblc
4. Use-case 1: Responsive Web-Apps (OpenID Connect / OAuth2 or SAML)
Diagram. Swiss Academic Domain (Organisation Trusted): University Server hosting the Academic Service, SWITCH Server hosting the EDUID Service. Internet. Mobile Device (User and App Store Trusted): Web-App.
5. Use-case 2: Integrated Service (AppAuth)
Diagram. Swiss Academic Domain (Organisation Trusted): University Server hosting the Academic Service, SWITCH Server hosting the EDUID Service. Internet. Mobile Device (User and App Store Trusted): Web-Browser and Third Party App, together labelled Integrated Service.
6. Use-case 3: EduID Mobile App (Token-agent assertions)
Diagram. Swiss Academic Domain (Organisation Trusted): University Server hosting the Academic Service, SWITCH Server hosting the EDUID Service (OIDC AP). Internet. Mobile Device (User and App Store Trusted): EDUID Mobile App (Trust & Token Agent) and Third Party App, together labelled Extended Trust Domain.
7. EduID Mobile App Reference Architecture
Diagram. Swiss Academic Domain (Organisation Trusted): University Server hosting the Academic Service, SWITCH Server hosting the EDUID Service (OIDC AP). Internet. Mobile Device (User and App Store Trusted): EDUID Mobile App (Trust & Token Agent) and Third Party App.
Arrow labels (steps numbered 1 to 5 in the figure): Authorization Request; RFC 7521/7523 + RFC 7800 or App Auth; RFC 7521/7523 + RFC 7800 via RedirectURL; OIDC ID + OAuth2 Access Token; RFC 7521/7523 + RFC 7800 + OIDC Scope; OIDC ID + OAuth2 Access Token; OAuth2 Access Token (three arrows); ACL Handling.
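As an added example that is not part of the project's code: a minimal RFC 7523 JWT bearer assertion carrying an RFC 7800 confirmation (cnf) claim, as a token agent would present it to the EDUID Service's token endpoint, together with the checks the service should make before issuing an OIDC ID token and OAuth2 access token. The use of HS256 with a shared client secret, the claim set, the sample JWK and all names are assumptions made for the example; the real service may use asymmetric keys.

```python
import base64, hashlib, hmac, json

# Constructed sample: the third-party app's public key (RFC 7800 binds the
# assertion to this key via the JWK thumbprint 'jkt'); values are not real.
SAMPLE_APP_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS14", "y": "c29tZS15"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an EC public JWK; used as the RFC 7800 'jkt' value."""
    members = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canon = json.dumps(members, separators=(",", ":"), sort_keys=True).encode()
    return _b64url(hashlib.sha256(canon).digest())

def build_assertion(secret, client_id, subject, token_endpoint, app_jwk, jti, now, ttl=60):
    """RFC 7523 assertion as the token agent builds it (assumed claim set): iss=agent
    client_id, sub=user, aud=token endpoint, short exp, unique jti, cnf.jkt binding."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": subject, "aud": token_endpoint, "iat": now,
              "exp": now + ttl, "jti": jti, "cnf": {"jkt": jwk_thumbprint(app_jwk)}}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_assertion(token, secret, expected_aud, seen_jti, now):
    """Checks the EDUID Service's token endpoint must make before issuing tokens.
    Raises ValueError on any failure and returns the verified claims otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h64, c64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never accept 'none'
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")  # assertion meant for another endpoint
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    if "jkt" not in claims.get("cnf", {}):
        raise ValueError("missing RFC 7800 confirmation claim")
    if claims.get("jti") in seen_jti:
        raise ValueError("replayed assertion")  # one-time use per RFC 7523 jti
    seen_jti.add(claims["jti"])
    return claims
```

The returned claims are what the service would then map to the OIDC scope and the ACL handling shown in the figure; the jkt value is what the Academic Service later compares against the key the app proves possession of.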
8. EduID Mobile App Implementation Status
Diagram, same as the reference architecture. Swiss Academic Domain (Organisation Trusted): University Server hosting the Academic Service, SWITCH Server hosting the EDUID Service (OIDC AP). Internet. Mobile Device (User and App Store Trusted): EDUID Mobile App (Trust & Token Agent) and Third Party App.
Arrow labels (steps numbered 1 to 5 in the figure): Authorization Request; RFC 7521/7523 + RFC 7800 or App Auth; RFC 7521/7523 + RFC 7800 via RedirectURL; OIDC ID + OAuth2 Access Token; RFC 7521/7523 + RFC 7800 + OIDC Scope; OIDC ID + OAuth2 Access Token; OAuth2 Access Token (three arrows); ACL Handling.
Status labels on the components: NAIL Integration (Third Party App); iOS + Android Cordova Plugin (EDUID Mobile App); Moodle OAuth2 + JWE Support (Academic Service); OAuth2 & OIDC Full-Stack Service (EDUID Service).
9. Node-OIDC-Provider Integration with LDAP Backend Support
• ES2017 + NodeJS 8
• LDAP-based User Management
• LDAP-based Service/Federation Management
• Separate Directory Organisation
• Configurable Attribute Mapping
• Full JOSE Support (strong JWE encryption covered)
• OIDC certified - details at: github.com/panva/node-oidc-provider
• OSS under MIT License
OIDC Full Stack Implementation: for all 3 use-cases + Web-Service Integration