fredag 7 september 12 OpenID Connect

Transcription

1 OpenID Connect

2 OpenID Connect

3 Necessity for communication - information about the other part

4 Trust management not solved!

5 (1) OP discovery The user provides an identifier (for instance an address) Using Simple Web Discovery the OP is found $ curl -G principal=joe%40example.com&service=http%3a%2f %2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer {"locations":["

6 (2) OP functionality discovery $ curl -G -k {"registration_endpoint": " "userinfo_endpoint": " "token_endpoint": " "authorization_endpoint": " "end_session_endpoint": " "token_endpoint_auth_types_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt"], "jwk_url": " "user_id_types_supported": ["public"], "scopes_supported": ["openid", , profile, address, phone ], "version": "3.0", "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token"], "issuer": " "acrs_supported": ["1","2"," "user_id_types_supported":["public", "pairwise"], }

7 (3) Dynamic registration POST application_name=oic+test+tool &application_type=web &redirect_uris= &type=client_associate

8 Registration result { } "client_id":"xgncoexaj3d2", "client_secret": "cf136dc3c1fd bb9c6cc9ecead", "expires_at":

9 Preliminaries done!

10 Flow differencies IdP AS UA 2 4 UA 6 OP SP RP SAML OpenID Connect

11 Authorization Request response_type This parameter controls the parameters returned in the response from the Authorization Endpoint. scope The values specify an additive list of voluntary Claims that are returned from the UserInfo Endpoint. client_id The OAuth 2.0 Client Identifier. redirect_uri A redirection URI where the response will be sent. state RECOMMENDED. An opaque value used to maintain state between the request and the callback nonce A random, unique string value used to mitigate replay attacks. prompt OPTIONAL. specifies whether the Authorization Server prompts the End-User for reauthentication and consent display OPTIONAL. A space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The possible values are: none, login, request OPTIONAL. An OpenID Request Object value. request_uri OPTIONAL. An URL that points to an OpenID Request Object. This is used to pass an OpenID Request Object by reference. id_token OPTIONAL. An ID Token passed to the Authorization server as a hint about the user's current or past authenticated session with the client. This SHOULD be present if prompt=none is sent.

12 Authorization Request response_type This parameter controls the parameters returned in the response from the Authorization Endpoint. scope The values specify an additive list of voluntary Claims that are returned from the UserInfo Endpoint. client_id The OAuth 2.0 Client Identifier. redirect_uri A redirection URI where the response will be sent. state RECOMMENDED. An opaque value used to maintain state between the request and the callback nonce A random, unique string value used to mitigate replay attacks

13 Access Token Request grant_type REQUIRED. "client_credentials"/ refresh_token. scope OPTIONAL. The scope of the access request refresh_token REQUIRED if refresh request. The refresh token issued to the client When using assertions as client credentials client_assertion_type REQUIRED. The format of the assertion as defined by the authorization server. The value MUST be an absolute URI. client_assertion REQUIRED. The assertion being used to authenticate the client.

14 AccessTokenResponse HTTP/ OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "access_token": "SlAV32hkKG", "token_type": "Bearer", "refresh_token": "8xLOxBtZp8", "expires_in": 3600, "id_token": "eyj0exaioijkv1qilcjhbgcioijiuzi1nij9.eyjpc3mioijodhrwol wvxc9zzxj2zxiuzxhhbxbszs5jb20ilcj1c2vyx2lkijoimjq4mjg5nzyxmdaxiiwiyxvkij oiahr0cdpcl1wvy2xpzw50lmv4yw1wbguuy29tiiwizxhwijoxmzexmjgxotcwfq.edesud0 vzdh3t1g3liatnorfaewyjurcepnxvtaaznq" }

15 Json Web Token (JWT) Header {"typ":"jwt","alg":"hs256"} Base64 encoding of the UTF-8 representation Second part When the JWT is signed, the JWT Second Part is the Encoded JWS Payload. When the JWT is encrypted, the JWT Second Part is the Encoded JWE Encrypted Key. Third part When the JWT is signed, the JWT Third Part is the Encoded JWS Signature. When the JWT is encrypted, the JWT Third Part is the Encoded JWE Ciphertext.

16 IdToken, metadata on the authentication { } iss : user_id : , aud : XgnCOEXAj3D2, exp : , nbf : , iat : , acr : 2, nonce : 0S6_WzA2Mj

17 UserInfo Request access_token REQUIRED. The Access Token obtained from an OpenID Connect Authorization Request. schema REQUIRED. The schema in which the data is to be returned. The only defined value is openid. id This identifier is reserved. It MUST be ignored by the endpoint when the openid schema is used.

18 UserInfoResponse normal claims { } "name#sv-se": "Jane Doe" "given_name": "Jane", "family_name": "Doe", " ": "janedoe@kodtest.se", verified : true, "picture": "

19 Aggregated claims Client Identitysource Informationsource { } "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "birthday": "01/01/2001", " ": "janedoe@example.com", "_claim_names": { "address": "src1", "phone_number": "src1", }, "_claim_sources": { "src1": {"JWT":"jwt_header.jwt_part2.jwt_part3"}, }

20 Distributed claims { } Client IdentitySource "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", Informationsource " ": "janedoe@example.com", "birthday": "01/01/2001", "_claim_names": { "payment_info": "src1", "shipping_address": "src1", "credit_score": "src2" }, "_claim_sources": { "src1": {"endpoint": " "src2": { "endpoint": " "access_token": "ksj3n283dke" } }

21 Using attribute authorities Client credentials flow POST Host: Authorization: Basic czzcagrsa3f0mzpnwdfmqmf0m2jw Content-Type: application/x-www-form-urlencoded grant_type=client_credentials&scope=xyz OP 8 9 RP

22 OpenID Connect

23 Client registration parameters type client_id client_secret access_token contacts application_type application_name logo_url redirect_uris token_endpoint_auth_type policy_url jwk_url jwk_encryption_url x509_url x509_encryption_url sector_identifier_url user_id_type require_signed_request_object userinfo_signed_response_alg userinfo_encrypted_response_alg userinfo_encrypted_response_enc userinfo_encrypted_response_int id_token_signed_response_alg id_token_encrypted_response_alg id_token_encrypted_response_enc id_token_encrypted_response_int default_max_age require_auth_time default_acr