WHAT WILL WE COVER
• OpenID Connect Overview
• Relation to OAuth 2.0
• Relation to SAML
• Relation to JSON Web Tokens
• How complex is a basic client/RP
Copyright © 2015 Cloud Identity Summit. All rights reserved. 3
WHAT WILL WE COVER
• Extreme features
• AC\DC
• Authentication Context
• Signed Requests
• Claims
• Proof of Possession tokens
Basic Connect Flow (code)
[Sequence diagram. Participants: Web Server / Relying Party (Client), User Agent (RO), Authorization Server (AuthZ Endpoint, Token Endpoint), User Info Endpoint (Resource Server). Labels: scope=openid, code, Authentication Happens…, access token(s), id_token + access token, USE the token, JSON Claims.]
Relation to OAuth 2.0
• Connect is a profile of OAuth
• It allows all the OAuth 2 semantics in the same flow
Relation to SAML
• Similar semantics for the id_token and SAML assertion.
• Signed Requests and responses.
• Front Channel and artifact flows.
• Authentication context (acr and amr)
• Force re-authentication (prompt=login, max_age)
Relation to JSON Web Tokens
• Id_tokens are JSON Web Tokens (RFC 7519)
• They are signed by JWS (RFC 7515)
• They are encrypted by JWE (RFC 7516)
• They are part of JW-* (Forcing Vittorio to get a new number plate)
• They support POP via a cnf element
Current native app Connect Flow
[Sequence diagram. Participants: Phone, Native App (Client), UA, Authorization Server (AuthZ Endpoint, Token Endpoint), Resource Server. Labels: Request, Authentication Happens…, code, tokens, USE the token.]
Current native app Connect Flow
[Sequence diagram. Participants: Phone, Native App (Client) with its UA, SaaS Native App (Client) with its UA, SaaS Authorization Server (AuthZ Endpoint, Token Endpoint), two Resource Servers. Labels: Request, Authentication Happens…, code, tokens, USE the token.]
Implications
• Employee bears burden of authenticating/authorizing each native application separately
• Even if done infrequently, may be unacceptable
• Enterprise is removed from authorizing employee's use of native Applications.
SYSTEM BROWSER + ACDC
• iOS 9 adds a new feature at 23 min in video
Connect Flow (ACDC) Enterprise (iOS9:)
[Sequence diagram. Participants: Phone, Native App (Client), System Browser, Enterprise AS (AuthZ Endpoint, Token Endpoint), Resource Server. Labels: Request, Authentication Happens…, Request ACDC code_verifier, ACDC.]
Connect Flow (ACDC) Enterprise (iOS9:)
[Sequence diagram. Participants: Phone, Native App (Client), System Browser, Enterprise AS (AuthZ Endpoint, Token Endpoint), Resource Server. Labels: Request ACDC code_challenge, ACDC, ACDC code_verifier, Tokens RT & AT, USE the token.]
Connect Flow (ACDC) Enterprise (iOS9:)
[Sequence diagram. Participants: Phone, Native App (Client), System Browser, SaaS Native App (Client), Enterprise AS (AuthZ Endpoint, Token Endpoint), SaaS AS Token Endpoint, SaaS Resource Server. Labels: Request ACDC code_challenge, ACDC, ACDC code_verifier, Tokens RT & AT, USE the token, Revoke Tokens, Error Re-Auth, Request ACDC.]
NAPPS Connect Flow (ACDC) Enterprise
[Sequence diagram. Participants: Phone, Native App (Client), Token Agent (TA), UA, Enterprise AS (AuthZ Endpoint, Token Endpoint), Resource Server. Labels: Request, Authentication Happens…, Request ACDC code_verifier, code, code RT.]
NAPPS Connect Flow (ACDC) Enterprise
[Sequence diagram. Participants: Phone, Native App (Client), Token Agent (TA), Enterprise AS (AuthZ Endpoint, Token Endpoint), Resource Server. Labels: Request ACDC code_challenge, RT ACDC ACDC, ACDC code_verifier, Tokens RT & AT, USE the token.]
NAPPS Connect Flow (ACDC) Enterprise
[Sequence diagram. Participants: Phone, Native App (Client), Token Agent (TA), SaaS Native App (Client), Enterprise AS (AuthZ Endpoint, Token Endpoint), SaaS AS Token Endpoint, SaaS Resource Server. Labels: Request ACDC code_challenge, RT ACDC ACDC, ACDC code_verifier, Tokens RT & AT, USE the token, Revoke Tokens, Error Re-Auth.]
NAPPS Advantages
• Employee performs explicit authentication & authorization only for the TA
  – results in tokens issued down to the TA like any OAuth/OIDC client
• Other apps able to benefit from this TA authentication for their own
  – TA tokens used to obtain application tokens
• User can enjoy SSO across those native applications
Proof Key for Code Exchange (PKCE)
• IETF spec in IESG review.
• Protects against interception of code or ACDC by malicious applications on the device.
• Currently deployed by DT, Google, Ping to mitigate against ongoing attacks.
• Two currently defined levels of security
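An added example (not from the slides) of the PKCE mechanics behind the slide above, covering both defined levels of security ("plain" and "S256") and the AS-side check at the token endpoint that makes an intercepted code or ACDC useless without the verifier. The interception scenario is constructed and assumes the second app on the device could observe the front-channel request as well as the returned code.

```python
# Added example, not from the slides: PKCE (RFC 7636) verifier/challenge mechanics
# for both defined levels, "plain" and "S256", with the AS-side check that makes an
# intercepted code (or ACDC) useless without the verifier.
import base64
import hashlib
import hmac
import secrets

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 32) -> str:
    """Random secret the native app keeps to itself; 32 bytes encodes to 43 chars."""
    return b64url(secrets.token_bytes(nbytes))

def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Value the app sends in the front-channel authorization (or ACDC) request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: " + method)

def as_check_verifier(stored_challenge: str, stored_method: str,
                      presented_verifier: str) -> bool:
    """AS side at the token endpoint: recompute the challenge from the verifier
    presented with the code and compare in constant time."""
    expected = make_code_challenge(presented_verifier, stored_method)
    return hmac.compare_digest(expected, stored_challenge)

def interception_scenario(method: str = "S256") -> dict:
    """Constructed device scenario: a second app on the phone has observed the
    front-channel request (so it knows the challenge) and captured the returned
    code. Returns whether each party gets past the AS check."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, method)
    # What the AS stored next to the code it issued for that request.
    stored = {"challenge": challenge, "method": method}
    legitimate = as_check_verifier(stored["challenge"], stored["method"], verifier)
    # The interceptor's best move is to present what it saw. With "plain" that
    # is the verifier itself; with S256 the hash reveals nothing it can present.
    interceptor = as_check_verifier(stored["challenge"], stored["method"], challenge)
    return {"legitimate": legitimate, "interceptor": interceptor}
```

The S256 result is why the slide's two levels differ: plain only helps when the attacker cannot see the request, S256 holds even when it can.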
Authorization Cross Domain Code (ACDC)
• OIDF Specification
• Supports Native Token Agents
• Supports Browser flows for app fallback
• Requires PKCE
• Can be used by Enterprise or Social providers
Native Account Chooser
• Web based version run by OIDF
• Native Version new to Android (Smart Lock)
• Allows applications to discover federated accounts
NAPPS Connect Flow (ACDC) Social
[Sequence diagram. Participants: Phone, Social Provider (TA), SaaS Native App (Client), Social AS (AuthZ Endpoint, Token Endpoint), App AS Token Endpoint, SaaS Resource Server. Labels: Request ACDC code_challenge, RT ACDC ACDC, ACDC code_verifier, Tokens RT & AT, USE the token, Revoke Tokens, Error Re-Auth.]
IdP initiated Login
• The spec allows a third party to initiate login.
• This requires an extra round trip to conform to OAuth for IdP initiated.
• There is an OAuth AS initiated flow proposed in the JWT encoded-state draft that proposes a way to do it without an extra round trip.
QUESTIONS?
Thank You!
John Bradley [email protected]