OpenID Connect Demo at OpenID Tech Night
1. OpenID Connect
Demonstration
Daisuke Fuke (福家 大輔)
dfuke@pingidentity.com
Ping Identity Corporation
Web: https://www.pingidentity.jp
1 Copyright ©2012 Ping Identity Corporation. All rights reserved.
2. A brief introduction to OpenID Connect
• OpenID Connect Workshop
…
3. Elevator Pitch
OpenID Connect is an identity layer built on top of OAuth 2.0, which offers secure API and federated sign-on services to clients using a single REST-based mechanism
http://www.flickr.com/photos/joits/3214054244
4. Differentiators
• From OpenID 2.0:
– Simplified Discovery Mechanism
– Ability to achieve all levels of assurance in one protocol
• From SAML:
– Simplified assertion format
– Focus on both web and native applications
• From OAuth 2.0:
– Validates identity of user to the client
– Profiles use of encryption, signing, token formats, objects returned from endpoints
– Dynamic Client Registration
• From all: OpenID Connect REQUIRES TLS
http://www.flickr.com/photos/40348123@N02/399634890
5. OAuth Protocol Is the Base
+--------+ +---------------+
| |--(A)------- Authorization Grant --------->| |
| | | |
| |<-(B)----------- Access Token -------------| |
| | & Refresh Token | |
| | | |
| | +----------+ | |
| |--(C)---- Access Token ---->| | | |
| | | | | |
| |<-(D)- Protected Resource --| Resource | | Authorization |
| Client | | Server | | Server |
| |--(E)---- Access Token ---->| | | |
| | | | | |
| |<-(F)- Invalid Token Error -| | | |
| | +----------+ | |
| | | |
| |--(G)----------- Refresh Token ----------->| |
| | | |
| |<-(H)----------- Access Token -------------| |
+--------+ & Optional Refresh Token +---------------+
6. OpenID Connect Overlays
RP OP
+--------+ +---------------+
| |--(A)------- Authorization Grant --------->| |
| | Scope: openid | |
| |<-(B)----------- Access Token -------------| |
| | & Refresh Token | |
| | & ID Token | |
| | +----------+ | |
| |--(C)---- Access Token ---->| | | |
| | | User Info | | |
| |<-(D)- Protected Resource --| Resource | | Authorization |
| Client | | Server | | Server |
| |--(E)---- Access Token ---->| | | |
| | | | | |
| |<-(F)- Invalid Token Error -| | | |
| | +----------+ | |
| | | |
| |--(G)----------- Refresh Token ----------->| |
| | | |
| |<-(H)----------- Access Token -------------| |
+--------+ & Optional Refresh Token +---------------+
7. Spec Family
8. Spec Family
• Minimal Profiles for Simple Relying Parties
– Basic Client (code flow)
– Implicit Client (token flow)
• Complete Profiles for OpenID Providers & Complex RPs
– Messages
– Standard (HTTP Binding)
• Additional Functionality
– Discovery
– Dynamic Client Registration
– Session Management
9. About the demo
• The demo our CTO, Patrick Harding, gave at CIS2012
– WebApp
– MobileApp
• Scenario
– Trading stocks on a site for stock traders
• Actors
• StockExpert
– A site for stock traders
– Trades stocks using the API provided by a brokerage
– Provides a WebApp and a MobileApp
• idTrade
– A brokerage that provides a stock trading API
– Uses OpenID Connect for authentication and authorization
10. WebApp demo
(Architecture diagram; labels recovered from the figure)
• idTrade: OpenID Connect provider and API platform
– Authentication Service (1st mile)
– OAuth 2.0 authZ service
– UserInfo OAuth 2.0 resource service
– TradeInfo OAuth 2.0 resource service
• StockExpert: Web app and Mobile app, each an OpenID Connect relying party and OAuth 2.0 client
11. WebApp demo
(Same architecture diagram as slide 10, with the TradeInfo resource now labelled Portfolio; steps added:)
1. Request: Web app → OAuth 2.0 authZ service
2. Code: authZ service → Web app (via the browser)
12. WebApp demo
(Same architecture diagram; steps added:)
1. Request: Web app → OAuth 2.0 authZ service
2. Code: authZ service → Web app
3. Code: Web app → authZ service
4. Access Token & id_token: authZ service → Web app
13. WebApp demo
(Same architecture diagram; steps added:)
1. Request: Web app → OAuth 2.0 authZ service
2. Code: authZ service → Web app
3. Code: Web app → authZ service
4. Access Token & id_token: authZ service → Web app
5. Access Token: Web app → UserInfo OAuth 2.0 resource service
6. User info: UserInfo resource service → Web app
14. WebApp demo
(Same architecture diagram; the later API call:)
5. Access Token: Web app → Portfolio OAuth 2.0 resource service
6. API Content: Portfolio resource service → Web app
15. WebApp demo
Basic Client Profile Flow used at Web App (response type: code)
(Sequence diagram. Participants: Browser, StockExpert Web App (RP), OP Authorization Service, OP UserInfo Endpoint, Other APIs. Legend: I = ID Token, C = AuthZ Code, T = Access Token.)
• User clicks Sign-in
• Front channel
1. OpenID Connect Basic Profile authorization request: response_type=code, scope=openid
AuthN/Consent at the OP; OP Session Created
2. AuthZ code (C) returned from OP to the RP via the browser
• Back channel
3. AuthZ code (C) traded for id_token (I) and access token (T)
4. Possible call to userinfo endpoint (T) to populate session
RP Session Created
• Front channel: Content Returned to the browser
• Back channel: API calls to Other APIs (T) as needed
Protocol per column: OpenID Connect (RP ↔ OP Authorization Service), OAuth 2.0 (UserInfo Endpoint), OAuth 2.0 (Other APIs)
Note: Token Refresh not Shown
16. MobileApp demo
(Same architecture diagram as slide 10, with the Portfolio OAuth 2.0 resource service; the Mobile app is the OpenID Connect relying party / OAuth 2.0 client)
17. MobileApp demo
(Same architecture diagram; steps added, tokens returned directly from the authorization request as in the implicit (token) flow:)
1. Request: Mobile app → OAuth 2.0 authZ service
2. Access Token & ID Token: authZ service → Mobile app
18. MobileApp demo
(Same architecture diagram; steps added:)
1. Request: Mobile app → OAuth 2.0 authZ service
2. Access Token & ID Token: authZ service → Mobile app
3. Access Token: Mobile app → UserInfo OAuth 2.0 resource service
4. User info: UserInfo resource service → Mobile app
19. MobileApp demo
(Same architecture diagram; the later API call:)
1. Access Token: Mobile app → Portfolio OAuth 2.0 resource service
2. API Content: Portfolio resource service → Mobile app
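Slide 5 (steps C to H) and the last step of both demos (an access token sent to the Portfolio API, content returned) are the plain OAuth 2.0 part of the picture: the resource service checks the bearer token and its scope, answers with an invalid-token error once the token has expired, and the client trades its refresh token for a new access token and retries. The following Python is an added example, not code from the deck or the demo, that plays those three parties in one process. The client credentials, the token lifetime and the fixed clock are constructed; the "openid profile portfolio" scope comes from the speaker notes, and the 401 invalid_token / 403 insufficient_scope responses follow RFC 6750.

```python
import secrets
import time
from typing import Optional, Tuple

# Constructed demo values (assumptions, not the real idTrade / StockExpert deployment).
CLIENT_ID = "stockexpert-web"
CLIENT_SECRET = "constructed-client-secret-for-the-demo-only"

class AuthorizationServer:
    """idTrade OAuth 2.0 authZ service: issues, introspects and refreshes tokens."""
    def __init__(self, access_ttl: int = 300):
        self.access_ttl, self.access, self.refresh = access_ttl, {}, {}
    def issue(self, sub: str, scope: str, now: Optional[float] = None) -> dict:
        # Steps B/H: a short-lived access token plus a refresh token for later
        now = time.time() if now is None else now
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = {"sub": sub, "scope": scope, "exp": now + self.access_ttl}
        self.refresh[rt] = {"sub": sub, "scope": scope, "client_id": CLIENT_ID}
        return {"access_token": at, "refresh_token": rt, "token_type": "Bearer"}
    def introspect(self, access_token: str, now: Optional[float] = None) -> Optional[dict]:
        # What the resource service needs: is the token live, for whom, and with which scope
        now = time.time() if now is None else now
        t = self.access.get(access_token)
        return None if t is None or t["exp"] <= now else t
    def refresh_grant(self, refresh_token: str, client_id: str, client_secret: str,
                      now: Optional[float] = None) -> dict:
        # Step G: the refresh token is single-use and only honoured for the client it was issued to
        grant = self.refresh.pop(refresh_token, None)
        if grant is None or (client_id, client_secret) != (grant["client_id"], CLIENT_SECRET):
            raise PermissionError("invalid_grant")
        return self.issue(grant["sub"], grant["scope"], now)

class PortfolioResource:
    """idTrade Portfolio OAuth 2.0 resource service: the API the RP calls, user present or not."""
    REQUIRED_SCOPE = "portfolio"
    def __init__(self, auth_server: AuthorizationServer):
        self.auth_server = auth_server
    def get(self, authorization: Optional[str], now: Optional[float] = None) -> Tuple[int, dict, dict]:
        # Returns (status, body, headers) the way an HTTP handler would
        if not authorization or not authorization.startswith("Bearer "):
            return 401, {}, {"WWW-Authenticate": 'Bearer realm="portfolio"'}
        token = self.auth_server.introspect(authorization[len("Bearer "):], now)
        if token is None:  # step F: unknown or expired token -> Invalid Token Error
            return 401, {}, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
        if self.REQUIRED_SCOPE not in token["scope"].split():  # live token, but not for this API
            return 403, {}, {"WWW-Authenticate": 'Bearer error="insufficient_scope", scope="portfolio"'}
        return 200, {"owner": token["sub"], "positions": [{"symbol": "PING", "qty": 100}]}, {}

class ApiClient:
    """StockExpert back end: keeps the tokens from sign-in and refreshes once on invalid_token."""
    def __init__(self, auth_server: AuthorizationServer, resource: PortfolioResource, tokens: dict):
        self.auth_server, self.resource, self.tokens, self.refreshes = auth_server, resource, tokens, 0
    def get_portfolio(self, now: Optional[float] = None) -> Tuple[int, dict]:
        status, body, headers = self.resource.get(f"Bearer {self.tokens['access_token']}", now)
        if status == 401 and 'error="invalid_token"' in headers.get("WWW-Authenticate", ""):
            # Steps G/H: trade the refresh token for a new access token, then retry exactly once
            self.tokens = self.auth_server.refresh_grant(
                self.tokens["refresh_token"], CLIENT_ID, CLIENT_SECRET, now)
            self.refreshes += 1
            status, body, headers = self.resource.get(f"Bearer {self.tokens['access_token']}", now)
        return status, body

def run_demo() -> Tuple[int, int, int]:
    auth_server = AuthorizationServer(access_ttl=300)
    portfolio = PortfolioResource(auth_server)
    t0 = 1_700_000_000.0  # fixed clock so the scenario is reproducible
    tokens = auth_server.issue("trader-42", "openid profile portfolio", now=t0)
    client = ApiClient(auth_server, portfolio, tokens)
    first = client.get_portfolio(now=t0)          # C/D: fresh token, content returned
    later = client.get_portfolio(now=t0 + 3600)   # E/F then G/H: expired, refreshed, content returned
    return first[0], later[0], client.refreshes
```

The resource service never answers the scope question with 401: an expired token and a live token that lacks the portfolio scope are different failures, and only the first one should make the client refresh. The client retries once and only on invalid_token, so a revoked grant (refresh_grant raising) surfaces as an error the user has to resolve by signing in again rather than as a retry loop.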
20. The End
Editor's Notes
A very high-level overview of OpenID Connect… OpenID Connect is an identity layer built on top of OAuth.
How OpenID Connect differs from other protocols. From OpenID: a simple discovery mechanism, and support for all levels of LoA. From SAML: a simple assertion format, and support for both web and native apps. From OAuth 2.0: validation of the user's identity to the client; profiles for the encryption, signing and token formats of the objects returned from endpoints; dynamic client registration; and so on.
idTrade: Identity Infrastructure: OpenID Connect Provider (1st mile authN service, OAuth 2.0 AS, OAuth 2.0 RS (userinfo)); API Platform, which includes OAuth 2.0-only resource services. Stock Expert: web application that needs SSO and API access.
Step 1: Request goes out, scope is "openid profile portfolio". This means the token you get can be used at the userinfo endpoint and at the portfolio endpoint. An Authorization Code comes back: a short-lived token that should only be used once and should be traded immediately.
Step 2: Authorization code traded for access token and id_token in the BACK CHANNEL.
Step 3: Access token used to access user information.
Some time later (user may not be present) the portfolio API may be called.