
CIS 2015 OpenID Connect and Mobile Applications - David Chase



Page 1: CIS 2015 OpenID Connect and Mobile Applications - David Chase
Page 2

OpenID Connect and Mobile Applications

David Chase

Page 3

Implicit

•  When using the Implicit Flow, all tokens are returned from the Authorization Endpoint; the Token Endpoint is not used.

•  The Access Token and ID Token are returned directly to the Client

•  The Authorization Server does not perform Client Authentication.

Copyright © 2015 Cloud Identity Summit. All rights reserved. 3

Page 4

Implicit Flow

1.  Client prepares an Authentication Request containing the desired request parameters.

2.  Client sends the request to the Authorization Server.

3.  Authorization Server authenticates the End-User.


Page 5

Implicit Flow Continued

4.  Authorization Server obtains End-User Consent/Authorization.

5.  Authorization Server sends the End-User back to the Client with an ID Token and, if requested, an Access Token.

6.  Client validates the ID token and retrieves the End-User's Subject Identifier.


Page 6

Prepare Authentication Request

•  http://openid.net/specs/openid-connect-implicit-1_0.html#AuthenticationRequest


Page 7

Preferences

•  System Browser
   •  Pros
      •  May already have a session with the OP (the user is not asked to sign in again)
      •  HTTPS is visible to the user (address bar and certificate indicator)
   •  Con
      •  Poor UX (the user is switched out of the app and back)
   •  An embedded web view offers neither pro: it shares no session with the browser and hides from the user where the credentials are going. RFC 8252 (2017) later made an external user-agent the required choice for native apps.


Page 8

AuthN & AuthZ


Page 9

End User grants authZ

•  http://openid.net/specs/openid-connect-implicit-1_0.html#ImplicitOK


Page 10

Fragment handling

•  http://openid.net/specs/openid-connect-implicit-1_0.html#ImplicitCallback


Page 11

Validate the ID Token

•  http://openid.net/specs/openid-connect-implicit-1_0.html#IDTokenValidation


Page 12

Access Token Validation

•  http://openid.net/specs/openid-connect-implicit-1_0.html#AccessTokenValidation
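The client-side half of the flow described on pages 4 through 12 (prepare the request, handle the fragment, validate the ID Token, validate the access token), as an added runnable example; it is not code from the talk. It builds the authentication request with state and nonce, pulls the response out of the URL fragment, runs the ID Token checks the Implicit spec lists (signature and alg, iss, aud/azp, exp, nonce) and checks at_hash against the access token. Assumptions: the issuer, client_id, redirect URI, client secret and all token values are constructed for the example, and the OP is taken to sign with HS256 keyed by client_secret, which the spec permits but which a public mobile client would normally replace with RS256 verified against the OP's JWKS; the signature step is the only part that changes. One caveat the 2015 talk predates: RFC 8252 (OAuth 2.0 for Native Apps, 2017) recommends the authorization code flow with PKCE for mobile apps and the OAuth 2.0 Security Best Current Practice advises against the implicit grant, but the checks below apply to any flow that returns an ID Token from the authorization endpoint.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for this example; none of them come from the talk.
ISSUER = "https://op.example.com"
CLIENT_ID = "mobile-app"
REDIRECT_URI = "com.example.app:/cb"
# Assumption: the OP signs with HS256 keyed by client_secret (spec-permitted).
# A public mobile client would normally expect RS256 verified against the OP's JWKS.
CLIENT_SECRET = b"constructed-client-secret"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def build_auth_request(state: str, nonce: str) -> str:
    """Steps 1-2: the URL the app hands to the system browser."""
    return ISSUER + "/authorize?" + urlencode({
        "response_type": "id_token token", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid profile",
        "state": state,   # bound to this request, checked on return (CSRF)
        "nonce": nonce})  # REQUIRED in Implicit; echoed in the ID Token (replay)


def parse_fragment(redirect_url: str) -> dict:
    """Step 5: the tokens arrive in the URL fragment, never in the query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).fragment, strict_parsing=True).items()}


def half_hash(value: str) -> str:
    """Left-most 128 bits of SHA-256 (for the *S256 algs), base64url without padding."""
    return b64url_encode(hashlib.sha256(value.encode("ascii")).digest()[:16])


def validate_id_token(id_token: str, expected_nonce: str, now: int) -> dict:
    """Step 6 / Implicit spec 2.2.1; raises ValueError at the first failed check."""
    h64, p64, s64 = id_token.split(".")  # ValueError unless exactly three parts
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":  # also rejects alg=none
        raise ValueError("unexpected alg")
    mac = hmac.new(CLIENT_SECRET, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    if CLIENT_ID not in aud:
        raise ValueError("client_id not in aud")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed or foreign ID Token")
    return claims


def validate_access_token(claims: dict, access_token: str) -> None:
    """Implicit spec 2.2.2: at_hash binds the access token to this ID Token."""
    at_hash = claims.get("at_hash")
    if not isinstance(at_hash, str):
        raise ValueError("at_hash REQUIRED when an access token is returned")
    if not hmac.compare_digest(at_hash.encode(), half_hash(access_token).encode()):
        raise ValueError("at_hash mismatch: access token was substituted")


def handle_callback(redirect_url: str, state: str, nonce: str, now: int) -> dict:
    """Everything the app must check before it trusts anything in the redirect."""
    resp = parse_fragment(redirect_url)
    if "error" in resp:
        raise ValueError("OP returned error: " + resp["error"])
    if not hmac.compare_digest(resp.get("state", "").encode(), state.encode()):
        raise ValueError("state mismatch")
    claims = validate_id_token(resp["id_token"], nonce, now)
    if "access_token" in resp:
        validate_access_token(claims, resp["access_token"])
    return claims


def _mint_id_token(payload: dict) -> str:
    # Stand-in for the OP's signing step so the example runs offline.
    h64 = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p64 = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(CLIENT_SECRET, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    return h64 + "." + p64 + "." + b64url_encode(mac)


def demo(now: int = 1433980800) -> dict:
    """Constructed round trip; the same callback replayed under a fresh nonce must fail."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    auth_url = build_auth_request(state, nonce)
    access_token = "SlAV32hkKG"  # constructed opaque bearer token
    id_token = _mint_id_token({"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "exp": now + 600,
                               "iat": now, "nonce": nonce, "at_hash": half_hash(access_token)})
    callback = REDIRECT_URI + "#" + urlencode({"access_token": access_token, "token_type": "bearer",
                                              "id_token": id_token, "state": state})
    claims = handle_callback(callback, state, nonce, now)
    try:
        handle_callback(callback, state, secrets.token_urlsafe(16), now)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"sub": claims["sub"], "auth_url": auth_url, "replay_rejected": replay_rejected}
```

Every failure is a ValueError so the app can fall through to one "sign-in failed" path without telling the user (or an attacker driving the browser) which check tripped. The nonce is what makes a replayed fragment fail; the at_hash check is what stops a legitimate ID Token from being paired with an access token that was issued to someone else.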


Page 13

UserInfo Request

•  http://openid.net/specs/openid-connect-implicit-1_0.html#UserInfoRequest


Page 14

Standard Claims

•  http://openid.net/specs/openid-connect-implicit-1_0.html#StandardClaims


Page 15

Authorization Code

•  NO NO NO NO!

•  Well… sorta


Page 16

Hybrid Flow

•  When using the Hybrid Flow, some tokens are returned from the Authorization Endpoint and others are returned from the Token Endpoint.

•  An example use case is a native application which passes tokens to backend APIs.
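The hybrid-specific check for the use case on this page, as an added example that is not code from the talk. With response_type=code id_token the ID Token comes back in the fragment and must pass exactly the implicit-flow validation (signature, iss, aud, exp, nonce); what hybrid adds is the c_hash claim, which binds the authorization code to that ID Token. Only once c_hash matches should the native app hand the code to its backend, where a confidential client can redeem it at the token endpoint with client authentication, which the authorization endpoint alone never provides. Assumptions: the client_id, endpoint URL, redirect URI, code and claim values are constructed, and the claims dict passed in is taken to have been validated already.

```python
import base64, hashlib, hmac
from urllib.parse import urlencode

# Constructed values for this example; not from the talk.
CLIENT_ID = "mobile-app"
TOKEN_ENDPOINT = "https://op.example.com/token"
REDIRECT_URI = "com.example.app:/cb"


def half_hash(value: str) -> str:
    """Same construction as at_hash: left half of SHA-256, base64url, unpadded."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")


def bind_code_to_id_token(fragment_params: dict, validated_claims: dict) -> dict:
    """fragment_params: the parsed fragment (code, id_token, state).
    validated_claims: the ID Token claims after the implicit-flow checks (assumed done).
    Returns the form body the backend posts to the token endpoint."""
    code = fragment_params["code"]
    c_hash = validated_claims.get("c_hash")
    if not isinstance(c_hash, str):
        raise ValueError("c_hash REQUIRED when a code is returned with the ID Token")
    if not hmac.compare_digest(c_hash.encode(), half_hash(code).encode()):
        raise ValueError("c_hash mismatch: this code was not issued with this ID Token")
    return {"url": TOKEN_ENDPOINT,
            "body": urlencode({"grant_type": "authorization_code", "code": code,
                               "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID})}


def demo() -> dict:
    """Constructed run: the genuine code passes, a swapped-in code is rejected."""
    code = "c0nstructed-authz-code"
    claims = {"iss": "https://op.example.com", "sub": "248289761001", "aud": CLIENT_ID,
              "nonce": "constructed-nonce", "c_hash": half_hash(code)}
    ok = bind_code_to_id_token({"code": code, "id_token": "<validated>", "state": "s"}, claims)
    try:
        bind_code_to_id_token({"code": "attacker-code", "id_token": "<validated>", "state": "s"}, claims)
        swap_rejected = False
    except ValueError:
        swap_rejected = True
    return {"body": ok["body"], "swap_rejected": swap_rejected}
```

The backend, not the phone, should hold the client secret used at the token endpoint; the app only forwards a code it has already tied to an ID Token it trusts.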


Page 17


Questions?