openid connect - a simple[sic] single sign-on & identity layer on top of oauth 2.0

OpenID Connect

a simple[sic] single sign-on & identity layer on top of OAuth 2.0

Brian Campbell@__b_c

Copyright © 2014 Brian Campbell. All rights reserved.

Copyright © 2014 Brian Campbell. All rights reserved. 2

Agenda

• Introductions• Framing the Problem• OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile• Random Thoughts

Copyright © 2014 Brian Campbell. All rights reserved. 3

Who Dat?Brian CampbellSome Meaningless Title & 10+ years @

Used to write a lot of code Now active in standards development

Identity is ubiquitous. Regardless of the kind of applications you develop you will, at some point, almost certainly have to deal with identifying users of the app. Yet it's seldom a central part of the app’s value proposition and rarely a core competency for developers. Wouldn’t it be nice to outsource user authentication and free yourself from the liability and complexity of storing and managing passwords? OpenID Connect, just ratified earlier this year and backed by some big industry names, is emerging as the go to standard way to do exactly that. Connect allows you to easily and securely get an answer to the question: “What is the identity of the person currently using this browser or native app?” Unlike some of it’s predecessors, however, Connect has roots spanning the consumer, SaaS and enterprise space and is better suited to serve a diverse set of deployments. Come find out more about Connect in this talk from a seasoned veteran of the prestigious basement conference rooms at GlueCon.

Cardboard box

Copyright © 2014 Brian Campbell. All rights reserved. 4

Speaker Credentials

Copyright © 2014 Brian Campbell. All rights reserved. 5

Speaker Credentials

Copyright © 2014 Brian Campbell. All rights reserved. 6

Speaker Credentials

Prominently mentioned on the second to last page that nobody will ever read just before the copyright notices

Copyright © 2014 Brian Campbell. All rights reserved. 7

Agenda

• Introductions• Framing the Problem• OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile• Random Thoughts

Copyright © 2014 Brian Campbell. All rights reserved. 8

Passwords are Broken For Users

Death by a Thousand Passwordstrue story: “holyfucknotanotherfuckingpassword1”

PASSWORD FATIGUE

Copyright © 2014 Brian Campbell. All rights reserved. 9

Passwords are Broken For Users

What?

A Well Regarded Fortune 500 Financial Services Company

Copyright © 2014 Brian Campbell. All rights reserved. 10

Passwords also Broken for Service Providers

• Hell on user registration conversion rates

• Managing passwords is hard– Just ask Adobe or LinkedIn

or Kickstarter or…

Copyright © 2014 Brian Campbell. All rights reserved. 11

Agenda

• Introductions• Framing the Problem• OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile• Random Thoughts

Copyright © 2014 Brian Campbell. All rights reserved. 12

Introducing OpenID Connect• Easily and securely get an answer to the

question: “What is the identity of the person currently using this browser or native app?”– Without taking on the responsibility of storing and

managing passwords, which is nice• Built on top of OAuth 2.0 using familiar and

widely available stuff like JSON and HTTP• Adds an ID Token (JWT) for user authentication

to the client• API access and SSO together

Copyright © 2014 Brian Campbell. All rights reserved. 13

Unlike Predecessors

Connect isn’t broken for mobile

Copyright © 2014 Brian Campbell. All rights reserved. 14

OAuth 2.0 In A Nutshell

Client

ResourceServer

Get an access token

Use an access token

AuthorizationServer

Authorization Endpoint

Token Endpoint

Important Stuff

Where the magic

happens

Copyright © 2014 Brian Campbell. All rights reserved. 15

OAuth 2.0

JOSE WebFinger

OpenIDConnect

Copyright © 2014 Brian Campbell. All rights reserved. 16

OpenID Connect is built on OAuth 2.0

Discovery

ClientRelying Party

ResourceServer

Get an access token

& an ID Token (JWT)

Use an access token

AuthorizationServer

Identity Provider orIDP or

OpenID Provider orOP

Authorization Endpoint

Token Endpoint

Important Stuff

Userinfo Endpoint

Registration Endpoint

JWKS Endpoint

JWKS Endpoint

Validate (JWT)

ID Token

/.well-known /webfinger /openid-configuration

Check Session IFrame

End Session Endpoint

Copyright © 2014 Brian Campbell. All rights reserved. 17

Didn’t Someone Say “Simple”?• It wasn’t me

• It’s not simple, it’s complicated• But the burden of complexity has been shifted

to the Identity Provider, where it’s more appropriate

• Many deployments can be à la carte

Mr. Boombastichttps://www.flickr.com/photos/67589493@N00/166195826

(cropped)https://creativecommons.org/licenses/by/2.0/

Copyright © 2014 Brian Campbell. All rights reserved. 18

Agenda

• Introductions• Framing the Problem• OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile• Random Thoughts

Copyright © 2014 Brian Campbell. All rights reserved. 19

Basic Client• OpenID Connect Basic Client Implementer's

Guide 1.0 – http://openid.net/specs/openid-connect-basic-1_0.html

• “a subset of the OpenID Connect Core 1.0 specification that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth Authorization Code Flow.”

Copyright © 2014 Brian Campbell. All rights reserved. 20

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Copyright © 2014 Brian Campbell. All rights reserved. 21

Basic Client Flow

End-User / Browser

Client Auth Server

https://connect-interop.pinglabs.org:9031/as/authorization.oauth2?client_id=some-client-identifier&response_type=code&scope=openid profile email address phone&state=meh234&redirect_uri=https://client.example.io/cb

Redirect w/ Authentication Request

Authentication Request

not encoded for readability

Copyright © 2014 Brian Campbell. All rights reserved. 22

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Copyright © 2014 Brian Campbell. All rights reserved. 23

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Copyright © 2014 Brian Campbell. All rights reserved. 24

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Copyright © 2014 Brian Campbell. All rights reserved. 25

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Copyright © 2014 Brian Campbell. All rights reserved. 26

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Redirect w/ Authentication Response

Authentication Response w/ code

Copyright © 2014 Brian Campbell. All rights reserved. 27

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Redirect w/ Authentication Response

Authentication Response w/ code

https://client.example.io/cb?state=meh234&code=JbXAZUzro_ka3htpQSePwxOMjTfQX8RxmRELgiP1

Copyright © 2014 Brian Campbell. All rights reserved. 28

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Redirect w/ Authentication Response

Authentication Response w/ codeToken Request w/ code

Copyright © 2014 Brian Campbell. All rights reserved. 29

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Redirect w/ Authentication Response

Authentication Response w/ codeToken Request w/ code

POST /as/token.oauth2 HTTP/1.1Host: connect-interop.pinglabs.org:9031Content-Length: 185Content-Type: application/x-www-form-urlencoded

client_id=some-client-identifier&grant_type=authorization_code&client_secret=super-duper-password&redirect_uri=https://client.example.io/cb&code=JbXAZUzro_ka3htpQSePwxOMjTfQX8RxmRELgiP1

not encoded for readability

Copyright © 2014 Brian Campbell. All rights reserved. 30

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Redirect w/ Authentication Response

Authentication Response w/ codeToken Request w/ code

Token Response w/ access & ID token

Copyright © 2014 Brian Campbell. All rights reserved. 31

Basic Client Flow

End-User / Browser

Token Response w/ access & ID token

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Redirect w/ Authentication Response

Authentication Response w/ codeToken Request w/ code

HTTP/1.1 200 OKDate: Tue, 13 May 2014 15:43:14 GMTCache-Control: no-cache, no-storePragma: no-cachemax-age: Thu, 01 Jan 1970 00:00:00 GMTContent-Type: application/json;charset=UTF-8Expires: Thu, 01 Jan 1970 00:00:00 GMTTransfer-Encoding: chunked

{"token_type":"Bearer","expires_in":600,"id_token":"eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMDAxIiwiYXVkIjoic29tZS1jbGllbnQtaWRlbnRpZmllciIsImp0aSI6Ijc2UnJHdkM1bDNRT1BPMDVwTGpVdmEiLCJpc3MiOiJodHRwczpcL1wvY29ubmVjdC1pbnRlcm9wLnBpbmdsYWJzLm9yZzo5MDMxIiwiaWF0IjoxMzk5OTk1Nzg1LCJleHAiOjEzOTk5OTYzODV9.","access_token":"zfrQZYtamGHS6ZYXdSV4Yo"}

Copyright © 2014 Brian Campbell. All rights reserved. 32

Token Response w/ access & ID token

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Redirect w/ Authentication Response

Authentication Response w/ codeToken Request w/ code

eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMDAxIiwiYXVkIjoic29tZS1jbGllbnQtaWRlbnRpZmllciIsImp0aSI6Ijc2UnJHdkM1bDNRT1BPMDVwTGpVdmEiLCJpc3MiOiJodHRwczpcL1wvY29ubmVjdC1pbnRlcm9wLnBpbmdsYWJzLm9yZzo5MDMxIiwiaWF0IjoxMzk5OTk1Nzg1LCJleHAiOjEzOTk5OTYzODV9.

{"alg":"none”}

{"sub":"1001", "aud":"some-client-identifier", "jti":"76RrGvC5l3QOPO05pLjUva", "iss":"https:\/\/connect-interop.pinglabs.org:9031", "iat":1399995785, "exp":1399996385}

Copyright © 2014 Brian Campbell. All rights reserved. 33

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Redirect w/ Authentication Response

Authentication Response w/ codeToken Request w/ code

Token Response w/ access & ID token

User Info Request w/ access token

Copyright © 2014 Brian Campbell. All rights reserved. 34

Token Response w/ access & ID token

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Redirect w/ Authentication Response

Authentication Response w/ codeToken Request w/ code

GET /idp/userinfo.openid HTTP/1.1Host: connect-interop.pinglabs.org:9031Accept: */*Authorization: Bearer zfrQZYtamGHS6ZYXdSV4Yo

User Info Request w/ access token

Copyright © 2014 Brian Campbell. All rights reserved. 35

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Redirect w/ Authentication Response

Authentication Response w/ codeToken Request w/ code

Token Response w/ access & ID token

User Info Response

User Info Request w/ access token

Copyright © 2014 Brian Campbell. All rights reserved. 36

User Info Request w/ access token

Token Response w/ access & ID token

Basic Client Flow

End-User / Browser

Client Auth Server

Redirect w/ Authentication Request

Authentication Request

Authenticate End-User

Obtain User Consent

Redirect w/ Authentication Response

Authentication Response w/ codeToken Request w/ code

User Info Response

HTTP/1.1 200 OKDate: Tue, 13 May 2014 15:44:13 GMTContent-Type: application/json;charset=UTF-8

{"sub": "1001", "name": "Joe Doe", "given_name": "Joe", "family_name": "Doe", "preferred_username": "joe", "email": "joe.doe@pinglabs.org", "picture": "http://farm8.staticflickr.com/7224/7395022014_1f6f3b33c8_m.jpg", "address":{"formatted":"1234 South North Street, Amherst, MA 01002"}, "phone_number":"+1 (413) 867-5309"}

Copyright © 2014 Brian Campbell. All rights reserved. 37

That was Simple?• There are a lot of lines…

• But from the Client’s perspective– Send the user off somewhere – Wait for them to show up on a callback– Make two simple HTTPS calls and validate some

data – Done

Copyright © 2014 Brian Campbell. All rights reserved. 38

Agenda

• Introductions• Framing the Problem• OpenID Connect as an Emergent Solution • Nuts & Bolts: The Basic Client Profile• Random Thoughts

Copyright © 2014 Brian Campbell. All rights reserved. 39

It’s Not All Rainbows & Unicorns• SAML’s IDP initiated POST is easily the most

successful SSO deployment for the enterprise market

• Some impedance mismatch as Connect doesn’t have straightforward equivalents

Copyright © 2014 Brian Campbell. All rights reserved. 40

Tweet Bait

https://twitter.com/cloud_opinion/status/459481058480648193

one picture

of a goat

Copyright © 2014 Brian Campbell. All rights reserved. 41

I’m Done.