OpenID Connect Demonstration

Daisuke Fuke
dfuke@pingidentity.com

Ping Identity Corporation
Web: https://www.pingidentity.jp

Copyright ©2012 Ping Identity Corporation. All rights reserved.
A Quick Introduction to OpenID Connect

     • OpenID Connect Workshop

      …
Elevator Pitch

OpenID Connect is an identity layer built on top of OAuth 2.0, which offers secure API and federated sign-on services to clients using a single REST-based mechanism.

Photo: http://www.flickr.com/photos/joits/3214054244
Differentiators

     • From OpenID 2.0:
        – Simplified Discovery Mechanism
        – Ability to achieve all levels of assurance in one protocol
     • From SAML:
        – Simplified assertion format
        – Focus on both web and native applications
     • From OAuth 2.0:
        – Validates identity of user to the client
        – Profiles use of encryption, signing, token formats, objects returned from endpoints
        – Dynamic Client Registration
     • From all: OpenID Connect REQUIRES TLS

Photo: http://www.flickr.com/photos/40348123@N02/3996348907
OAuth Protocol Is the Base

+--------+                                           +---------------+
|        |--(A)------- Authorization Grant --------->|               |
|        |                                           |               |
|        |<-(B)----------- Access Token -------------|               |
|        |              & Refresh Token              |               |
|        |                                           |               |
|        |                            +----------+   |               |
|        |--(C)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(D)- Protected Resource --| Resource |   | Authorization |
| Client |                            | Server   |   | Server        |
|        |--(E)---- Access Token ---->|          |   |               |
|        |                            |          |   |               |
|        |<-(F)- Invalid Token Error -|          |   |               |
|        |                            +----------+   |               |
|        |                                           |               |
|        |--(G)----------- Refresh Token ----------->|               |
|        |                                           |               |
|        |<-(H)----------- Access Token -------------|               |
+--------+            & Optional Refresh Token       +---------------+
OpenID Connect Overlays
RP = Client (left)                                     OP = Authorization Server + UserInfo (right)
 +--------+                                           +---------------+
 |        |--(A)------- Authorization Grant --------->|               |
 |        |     Scope: openid                         |               |
 |        |<-(B)----------- Access Token -------------|               |
 |        |              & Refresh Token              |               |
 |        |               & ID Token                  |               |
 |        |                            +-----------+  |               |
 |        |--(C)---- Access Token ---->|           |  |               |
 |        |                            | User Info |  |               |
 |        |<-(D)- Protected Resource --| Resource  |  | Authorization |
 | Client |                            | Server    |  | Server        |
 |        |--(E)---- Access Token ---->|           |  |               |
 |        |                            |           |  |               |
 |        |<-(F)- Invalid Token Error -|           |  |               |
 |        |                            +-----------+  |               |
 |        |                                           |               |
 |        |--(G)----------- Refresh Token ----------->|               |
 |        |                                           |               |
 |        |<-(H)----------- Access Token -------------|               |
 +--------+            & Optional Refresh Token       +---------------+

Spec Family


     • Minimal Profiles for Simple Relying Parties
       – Basic Client (code flow)
       – Implicit Client (token flow)

     • Complete Profiles for OpenID Providers & Complex RPs
        – Messages
        – Standard (HTTP Binding)

     • Additional Functionality
        – Discovery
        – Dynamic Client Registration
        – Session Management
About the Demo

     • Demo given by our CTO, Patrick Harding, at CIS2012
       – WebApp
       – MobileApp

     • Scenario
       •   Trading stocks on a site for stock traders

     • Cast
       •   StockExpert
           •   A site for stock traders
           •   Executes trades through an API provided by a brokerage
           •   Offers a WebApp and a MobileApp

       •   idTrade
           •   A brokerage that provides a stock-trading API
           •   Uses OpenID Connect for authentication and authorization

WebApp Demo

[Figure: demo architecture, repeated on each of the following build-up slides.
 idTrade, OpenID Connect provider: Authentication Service (1st mile); OAuth 2.0 authZ service; UserInfo OAuth 2.0 resource service.
 idTrade, API platform: Portfolio OAuth 2.0 resource service (labelled TradeInfo on the first slide).
 StockExpert: Web app (OpenID Connect relying party, OAuth 2.0 client); Mobile app (OpenID Connect relying party, OAuth 2.0 client).]

Web app sign-in, as the arrow labels are added slide by slide (positions on the figure):

  1. Request                  Web app → Authentication Service
  2. Code                     returned to the Web app
  3. Code                     Web app → OAuth 2.0 authZ service
  4. Access Token & id_token  returned to the Web app
  5. Access Token             Web app → UserInfo resource service
  6. User info                returned to the Web app

On the last build-up slide the API call is labelled separately:

  5. Access Token             Web app → Portfolio API
  6. API Content              returned to the Web app

WebApp Demo
Basic Client Profile Flow used at Web App (response type: code)

Participants: Browser, StockExpert Web App (RP), OP Authorization Service, OP UserInfo Endpoint, Other APIs

Front channel:
  User clicks Sign-in in the browser.
  1. OpenID Connect Basic Profile authorization request: response type=code, scope=openid (Browser → OP Authorization Service)
     AuthN/Consent at the OP; OP session created.
  2. AuthZ code (C) returned from OP to the Web App via the browser.

Back channel:
  3. AuthZ code (C) traded for id_token (I) and access token (T) (Web App → OP Authorization Service)
  4. Possible call to the UserInfo endpoint with the access token (T) to populate the session
  RP session created; content returned to the browser.

Afterwards (front and back channel): API calls to other APIs with the access token (T) as needed.

Legend: I = ID Token (OpenID Connect), C = AuthZ Code (OAuth 2.0), T = Access Token (OAuth 2.0)
Note: Token Refresh not shown.
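The relying-party side of the code flow above, written out as an added example (this is not code from the slides or from the Ping Identity demo). The OP is simulated in-process with a constructed FakeOP class, and the issuer, client_id, client_secret, redirect URI and user id are placeholders. ID tokens are HS256-signed with the client_secret, which the Basic Client Profile permits; the checks in validate_id_token (algorithm pinned by the RP, signature, iss, aud, exp, nonce) plus the state check in handle_callback are what make the id_token and the callback trustworthy, and rejected() shows a tampered state, a replayed code and a forged alg=none token all being refused.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders for this example; not the demo's real OP, client or URLs.
OP_ISSUER = "https://op.example"
AUTHZ_ENDPOINT = OP_ISSUER + "/authorize"
CLIENT_ID = "stockexpert-web"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://rp.example/callback"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(header_b64: str, payload_b64: str) -> bytes:
    # Basic Client Profile allows HS256 with the client_secret as the key.
    return hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()

# Step 1: RP builds the authorization request; state and nonce are kept in the RP session.
def build_authorization_request(session: dict) -> str:
    session["state"] = secrets.token_urlsafe(16)   # ties the callback to this browser session
    session["nonce"] = secrets.token_urlsafe(16)   # ties the ID token to this request
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": session["state"], "nonce": session["nonce"]}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

class FakeOP:
    """In-process stand-in for the OP (constructed); authenticates everyone as user-123."""
    def __init__(self):
        self.codes = {}  # code -> (subject, nonce); each code is single use

    def authorize(self, request_url: str) -> str:       # step 2: redirect back with the code
        q = parse_qs(urlparse(request_url).query)
        if q["response_type"] != ["code"] or "openid" not in q["scope"][0].split():
            raise ValueError("not a Basic Profile request")
        code = secrets.token_urlsafe(12)
        self.codes[code] = ("user-123", q["nonce"][0])
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, code: str, client_id: str, client_secret: str) -> dict:   # step 3 (OP side)
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("invalid_client")
        if code not in self.codes:
            raise ValueError("invalid_grant")  # unknown or replayed code
        sub, nonce = self.codes.pop(code)
        now = int(time.time())
        claims = {"iss": OP_ISSUER, "sub": sub, "aud": CLIENT_ID, "exp": now + 300, "iat": now, "nonce": nonce}
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps(claims).encode())
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "id_token": f"{header}.{payload}.{b64url(sign_hs256(header, payload))}"}

# Step 3 (RP side): validate the ID token before trusting any claim in it.
def validate_id_token(id_token: str, expected_nonce: str, now=None) -> dict:
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # the RP, not the token, decides the algorithm
    if not hmac.compare_digest(sign_hs256(header_b64, payload_b64), b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if claims["iss"] != OP_ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in aud:
        raise ValueError("token was issued to another client")
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims

# Steps 2 and 3 (RP side): callback handling, code exchange and RP session creation.
def handle_callback(callback_url: str, session: dict, op: FakeOP) -> dict:
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session.pop("state", None):
        raise ValueError("state mismatch (possible CSRF)")
    tokens = op.token(q["code"][0], CLIENT_ID, CLIENT_SECRET)
    claims = validate_id_token(tokens["id_token"], session.pop("nonce"))
    session["sub"] = claims["sub"]                    # RP session created
    session["access_token"] = tokens["access_token"]  # used for step 4 (UserInfo) and API calls
    return session

def run_flow(op: FakeOP = None) -> dict:
    op = op or FakeOP()
    session = {}
    return handle_callback(op.authorize(build_authorization_request(session)), session, op)

def rejected(fn, *args) -> bool:
    """True when an RP- or OP-side check refuses the call."""
    try:
        fn(*args)
        return False
    except (ValueError, PermissionError):
        return True
```

run_flow() returns the RP session with sub and access_token set and state and nonce consumed; the UserInfo call of step 4 would send that access_token as a Bearer token. The algorithm is pinned in the RP rather than read from the token header, so a token that declares alg=none is refused before any claim is looked at.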
MobileApp Demo

[Figure: the same idTrade / StockExpert architecture as in the WebApp demo; here the Mobile app is the OpenID Connect relying party and OAuth 2.0 client.]

Mobile app sign-in, as the arrow labels are added slide by slide (positions on the figure):

  1. Request                  Mobile app → Authentication Service
  2. Access Token & ID Token  returned to the Mobile app (no authorization code step, unlike the Web app)
  3. Access Token             Mobile app → UserInfo resource service
  4. User info                returned to the Mobile app

On the last build-up slide the API call is labelled separately:

  1. Access Token             Mobile app → Portfolio API
  2. API Content              returned to the Mobile app

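The mobile flow above returns the access token and ID token together, which the Spec Family slide calls the Implicit Client (token flow). The added example below (not code from the slides or the demo) shows the native-app side of that: the tokens arrive in the URL fragment rather than the query, and because no back-channel code exchange binds them together, the Implicit Client Profile requires the app to check the ID token's at_hash claim against the access token it received. The issuer, client_id, custom-scheme redirect URI and user id are constructed placeholders, fake_op_redirect stands in for the OP, and the ID token signature is assumed to have been verified already by the app's JWT library; this block covers only the fragment parsing, state, nonce and at_hash checks.

```python
import base64, hashlib, json, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders; not the demo's real OP, client or URLs.
OP_ISSUER = "https://op.example"
CLIENT_ID = "stockexpert-mobile"
REDIRECT_URI = "stockexpert://callback"   # custom-scheme redirect, an assumption for a native app

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def at_hash(access_token: str) -> str:
    # at_hash = base64url(left-most half of SHA-256(access_token)), the hash used for HS256/RS256 ID tokens
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

# Step 1: the mobile app asks for both tokens directly (Implicit Client Profile).
def build_implicit_request(session: dict) -> str:
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {"response_type": "id_token token", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": session["state"], "nonce": session["nonce"]}
    return OP_ISSUER + "/authorize?" + urlencode(params)

# Step 2 (constructed OP): tokens come back in the fragment. With tamper=True the access token
# is swapped after the ID token was built, which is what at_hash is there to catch.
def fake_op_redirect(request_url: str, tamper: bool = False) -> str:
    q = parse_qs(urlparse(request_url).query)
    access_token = secrets.token_urlsafe(16)
    claims = {"iss": OP_ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "nonce": q["nonce"][0], "at_hash": at_hash(access_token)}
    id_token = b64url(b'{"alg":"HS256"}') + "." + b64url(json.dumps(claims).encode()) + ".sig"  # signature not modelled
    if tamper:
        access_token = secrets.token_urlsafe(16)
    return REDIRECT_URI + "#" + urlencode({"access_token": access_token, "token_type": "Bearer",
                                          "id_token": id_token, "state": q["state"][0]})

# Step 2 (app side): read the fragment and bind access token, ID token and request together.
def handle_implicit_callback(callback_url: str, session: dict) -> dict:
    frag = parse_qs(urlparse(callback_url).fragment)   # parameters live in the fragment, not the query
    if frag.get("state", [None])[0] != session.pop("state", None):
        raise ValueError("state mismatch")
    # Assumption: the ID token signature was already verified by the app's JWT library.
    claims = json.loads(b64url_decode(frag["id_token"][0].split(".")[1]))
    if claims["iss"] != OP_ISSUER or claims["aud"] != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("nonce") != session.pop("nonce", None):
        raise ValueError("nonce mismatch (possible replay)")
    if claims.get("at_hash") != at_hash(frag["access_token"][0]):
        raise ValueError("access token is not the one this ID token vouches for")
    return {"sub": claims["sub"], "access_token": frag["access_token"][0]}

def run_implicit_flow(tamper: bool = False) -> dict:
    """Runs request and callback end to end; returns {'error': ...} when a check refuses the response."""
    session = {}
    try:
        return handle_implicit_callback(fake_op_redirect(build_implicit_request(session), tamper), session)
    except ValueError as e:
        return {"error": str(e)}
```

After a successful run the app holds sub and access_token for steps 3 and 4 (UserInfo) and for the Portfolio API call; the access token is only accepted because its at_hash matches the claim inside the ID token, so a token substituted on the way back through the fragment is refused.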
End
Crossing the Boundaries of Web Applications with OpenSocialCrossing the Boundaries of Web Applications with OpenSocial
Crossing the Boundaries of Web Applications with OpenSocial
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on Kubernetes
 
OpenSocial - Past, Present, Future
OpenSocial - Past, Present, FutureOpenSocial - Past, Present, Future
OpenSocial - Past, Present, Future
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
 
[WSO2Con USA 2018] Identity APIs is the New Black
[WSO2Con USA 2018] Identity APIs is the New Black[WSO2Con USA 2018] Identity APIs is the New Black
[WSO2Con USA 2018] Identity APIs is the New Black
 
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýOSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
Five Things You Gotta Know About Modern Identity
Five Things You Gotta Know About Modern IdentityFive Things You Gotta Know About Modern Identity
Five Things You Gotta Know About Modern Identity
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 

Recently uploaded

Recently uploaded (20)

AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

OpenID Connect Demo at OpenID Tech Night

  • 1. OpenID Connect demonstration. 福家 大輔 (Daisuke Fuke), dfuke@pingidentity.com, Ping Identity Corporation. Web: https://www.pingidentity.jp Copyright ©2012 Ping Identity Corporation. All rights reserved.
  • 2. A brief introduction to OpenID Connect • OpenID Connect Workshop …
  • 3. Elevator Pitch: OpenID Connect is an identity layer built on top of OAuth 2.0, which offers secure API and federated sign-on services to clients using a single REST-based mechanism. (Image: http://www.flickr.com/photos/joits/3214054244)
  • 4. Differentiators • From OpenID 2.0: – Simplified Discovery Mechanism – Ability to achieve all levels of assurance in one protocol • From SAML: – Simplified assertion format – Focus on both web and native applications • From OAuth 2.0: – Validates identity of user to the client – Profiles use of encryption, signing, token formats, objects returned from endpoints – Dynamic Client Registration • From all: OpenID Connect REQUIRES TLS (Image: http://www.flickr.com/photos/40348123@N02/3996348907)
  • 5. OAuth Protocol Is the Base (diagram with three parties: Client, Authorization Server, Resource Server): (A) Client → Authorization Server: Authorization Grant; (B) Authorization Server → Client: Access Token & Refresh Token; (C) Client → Resource Server: Access Token; (D) Resource Server → Client: Protected Resource; (E) Client → Resource Server: Access Token; (F) Resource Server → Client: Invalid Token Error; (G) Client → Authorization Server: Refresh Token; (H) Authorization Server → Client: Access Token & Optional Refresh Token.
  • 6. OpenID Connect Overlays (same diagram; the Client is the RP, the Authorization Server is the OP): (A) Client → Authorization Server: Authorization Grant with Scope: openid; (B) Authorization Server → Client: Access Token & Refresh Token & ID Token; (C) Client → Resource Server: Access Token; (D) Resource Server → Client: Protected Resource, here User Info; (E) Client → Resource Server: Access Token; (F) Resource Server → Client: Invalid Token Error; (G) Client → Authorization Server: Refresh Token; (H) Authorization Server → Client: Access Token & Optional Refresh Token.
  • 7. Spec Family
  • 8. Spec Family • Minimal Profiles for Simple Relying Parties – Basic Client (code flow) – Implicit Client (token flow) • Complete Profiles for OpenID Providers & Complex RPs – Messages – Standard (HTTP Binding) • Additional Functionality – Discovery – Dynamic Client Registration – Session Management
  • 9. About the demo • The demo our CTO, Patrick Harding, gave at CIS 2012 – WebApp – MobileApp • Scenario • Trading stocks on a site built for stock traders • Cast • StockExpert • A site for stock traders • Trades stocks through the API provided by a brokerage • Offers a WebApp and a MobileApp • idTrade • A brokerage that provides a stock-trading API • Uses OpenID Connect for authentication and authorization
  • 10. WebApp demo (architecture diagram): idTrade is the OpenID Connect provider and API platform, with an Authentication (1st mile) service, an OAuth 2.0 authZ service, a UserInfo resource (OAuth 2.0) and a TradeInfo Service resource (OAuth 2.0). StockExpert provides a Web app and a Mobile app, each an OpenID Connect relying party and OAuth 2.0 client.
  • 11. WebApp demo (same diagram, Portfolio Service resource): 1. Request (Web app → idTrade authentication/authZ), 2. Code (idTrade → Web app).
  • 12. WebApp demo: 1. Request, 2. Code, 3. Code (Web app → OAuth 2.0 authZ service), 4. Access Token & id_token (authZ service → Web app).
  • 13. WebApp demo: 1. Request, 2. Code, 3. Code, 4. Access Token & id_token, 5. Access Token (Web app → UserInfo resource), 6. User info (UserInfo resource → Web app).
  • 14. WebApp demo: 5. Access Token (Web app → Portfolio Service resource), 6. API Content (Portfolio Service → Web app).
  • 15. WebApp demo: Basic Client Profile Flow used at Web App (response type: code). Parties: Browser, Web App (RP), OP Authorization Service, OP UserInfo Endpoint, Other APIs. Front channel: the user clicks Sign-in; 1. OpenID Connect Basic Profile authorization request (response_type=code, scope=openid); AuthN/Consent at the OP, OP session created; 2. AuthZ code (C) returned from the OP to the RP. Back channel: 3. AuthZ code (C) traded for id_token (I) and access token (T); 4. Possible call to the userinfo endpoint with the access token (T) to populate the session; RP session created. Front channel: content returned to the browser. Back channel: API calls with the access token (T) as needed. Legend: I = ID Token, C = AuthZ Code, T = Access Token; steps 1–4 are OpenID Connect, the API calls are OAuth 2.0. Note: Token Refresh not shown.
  • 16. MobileApp demo (architecture diagram): idTrade OpenID Connect provider and API platform with Authentication (1st mile) service, OAuth 2.0 authZ service, UserInfo resource and Portfolio Service resource; StockExpert Mobile app and Web app, each an OpenID Connect relying party and OAuth 2.0 client.
  • 17. MobileApp demo: 1. Request (Mobile app → idTrade authentication/authZ), 2. Access Token & ID Token (authZ service → Mobile app).
  • 18. MobileApp demo: 1. Request, 2. Access Token & ID Token, 3. Access Token (Mobile app → UserInfo resource), 4. User info (UserInfo resource → Mobile app).
  • 19. MobileApp demo: 1. Access Token (Mobile app → Portfolio Service resource), 2. API Content (Portfolio Service → Mobile app).
  • 20. The end

Editor's Notes

  1. A very short overview of OpenID Connect… OpenID Connect is an identity layer built on top of OAuth.
  2. How OpenID Connect differs from other protocols. Compared with OpenID: a simple discovery mechanism and support for every LoA level. Compared with SAML: a simple assertion format and support for both web and native apps. Compared with OAuth 2.0: validation of the user's identity to the client, profiles for the encryption, signing and token formats of the objects returned from the endpoints, dynamic client registration, and so on.
  3. idTrade: Identity Infrastructure: OpenID Connect Provider; 1st mile authN service; OAuth 2.0 AS; OAuth 2.0 RS (userinfo); API Platform (includes OAuth 2.0-only resource services). StockExpert: web application that needs SSO and API access.
  4. Step 1: Request goes out, scope is “openid profile portfolio”. This means the token you get can be used at the userinfo endpoint and at the portfolio endpoint. An Authorization Code comes back: a short-lived token that should only be used once and should be traded immediately.
  5. Step 2: Authorization code traded for access token and id_token in the BACK CHANNEL.
  6. Step 3: Access token used to access user information
  7. Some time later (user may not be present) the portfolio API may be called.
  8. Pieces: Identity Infrastructure: OpenID Connect Provider; 1st mile authN service; OAuth 2.0 AS; OAuth 2.0 RS (userinfo); API Platform (includes OAuth 2.0-only resource services).
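The Basic Client Profile flow of slide 15 and steps 1 to 3 of the notes above, worked through as an added Python example that is not part of the original deck or of Ping Identity's software: an in-memory stand-in for the idTrade OP issues single-use authorization codes and HS256-signed ID Tokens, and the RP side (the StockExpert web app) checks state, trades the code on the back channel, validates the ID Token and then calls UserInfo. The hostnames, client id and client secret are constructed placeholders, and the OP is simulated in memory rather than reached over HTTPS.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

OP_ISSUER = "https://idtrade.example"  # constructed placeholder, not the real idTrade deployment
CLIENT_ID = "stockexpert-webapp"       # constructed client id for the StockExpert web app
CLIENT_SECRET = b"constructed-client-secret"  # also the HS256 key for id_token signing (demo only)
REDIRECT_URI = "https://stockexpert.example/callback"  # constructed placeholder

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class FakeOP:
    # In-memory stand-in for the idTrade OP: single-use codes, HS256 id_tokens, bearer access tokens.
    def __init__(self):
        self.codes, self.access_tokens = {}, {}

    def authorize(self, request_url: str, sub: str) -> str:
        # Steps 1-2: user authenticates and consents; OP redirects back with a short-lived code.
        p = query(request_url)
        assert p["response_type"] == "code" and "openid" in p["scope"].split()
        code = secrets.token_urlsafe(16)
        self.codes[code] = (p["client_id"], p["redirect_uri"], p["nonce"], sub, time.time() + 60)
        return p["redirect_uri"] + "?" + urlencode({"code": code, "state": p["state"]})

    def token(self, code: str, client_id: str, client_secret: bytes, redirect_uri: str):
        # Step 3 (back channel): pop() makes the code single-use; expired or mismatched codes are refused.
        e = self.codes.pop(code, None)
        if (e is None or e[0] != client_id or e[1] != redirect_uri or time.time() > e[4]
                or not hmac.compare_digest(client_secret, CLIENT_SECRET)):
            return None
        claims = {"iss": OP_ISSUER, "sub": e[3], "aud": client_id, "nonce": e[2], "exp": int(time.time()) + 300}
        signing_input = b64url(b'{"alg":"HS256"}') + "." + b64url(json.dumps(claims).encode())
        sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
        access_token = secrets.token_urlsafe(16)
        self.access_tokens[access_token] = e[3]
        return {"access_token": access_token, "token_type": "Bearer", "id_token": signing_input + "." + b64url(sig)}

    def userinfo(self, access_token: str):
        # Step 4: the UserInfo endpoint is an OAuth 2.0 resource server that accepts the access token.
        sub = self.access_tokens.get(access_token)
        return None if sub is None else {"sub": sub, "name": "Demo Trader"}

def verify_id_token(id_token: str, nonce: str):
    """RP-side ID Token check: HMAC signature, issuer, audience, nonce and expiry."""
    header, payload, sig = id_token.split(".")
    expected = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    ok = (claims["iss"] == OP_ISSUER and claims["aud"] == CLIENT_ID
          and claims["nonce"] == nonce and claims["exp"] > time.time())
    return claims if ok else None

def run_basic_flow(op: FakeOP, sub: str = "trader-42"):
    """Basic Client Profile as the StockExpert web app uses it; returns the RP session or None."""
    state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile portfolio", "state": state, "nonce": nonce}
    cb = query(op.authorize(OP_ISSUER + "/authorize?" + urlencode(params), sub))
    tokens = op.token(cb["code"], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI) if cb.get("state") == state else None
    claims = verify_id_token(tokens["id_token"], nonce) if tokens else None  # state checked first, then id_token
    return None if claims is None else {"sub": claims["sub"], "code": cb["code"], "id_token": tokens["id_token"],
        "access_token": tokens["access_token"], "userinfo": op.userinfo(tokens["access_token"])}
```

Replaying the returned code against `token()` a second time yields `None`, which is the single-use property the notes call for; a real deployment would verify an RS256 signature against the OP's published keys instead of a shared HMAC secret.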