Self-Issued IdP
Slide 1
@nov
Identity in Your Device
Slide 2
OS, Browser, Mobile Apps
Slide 3
Self-Issued OpenID Provider
Personal OP that issues self-signed ID Tokens
No central IdP servers
Defined in OpenID Connect Messages
http://j.mp/self-issued
Available in any app / device with secure storage
e.g. iOS app with Keychain
Slide 4
1) Launches “openid://?client_id=client://callback&..”
   No discovery (static OP config)
   No client registration (client_id = redirect_uri)
2) End-user approval
3) Self-issued ID Token generation
   Generate RSA key pair on the device (only once)
   “sub” is calculated automatically from the public key
4) Back to “client://callback#id_token=...”
   No API available, thus no Access Token
5) ID Token verification
Slide 5
Static OP Config
Slide 6
The sub (subject) Claim value is the base64url encoded SHA-256 hash of
the concatenation of the bytes of the UTF-8 representations of
the base64url encoded key values in the sub_jwk Claim.
OpenID Connect Messages draft 18, Section 6.5
Slide 7
Slide 8
JWK - JSON Web Key
Slide 9
“sub” calculated from JWK
Hash of them
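As an added example (not from the slides), a Python check a relying party could run at step 5 to confirm that a self-issued ID Token's sub is actually bound to its sub_jwk, following the draft 18 rule quoted above; it also computes the RFC 7638 JWK thumbprint, which the final OpenID Connect Core spec uses instead, so tokens from either era can be checked. The member order (n, then e), the sample key and the issuer value https://self-issued.me are assumptions not shown on the slides.

```python
import base64
import hashlib
import json
from typing import Optional

# Constructed sample sub_jwk (placeholder RSA public key, not a real device key).
SAMPLE_SUB_JWK = {
    "kty": "RSA",
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy4WAEgfX4HVSDT4qB8BhySBnQ",
    "e": "AQAB",
}

def b64url(raw: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def sub_from_sub_jwk_draft18(jwk: dict, members=("n", "e")) -> str:
    """Messages draft 18 rule: SHA-256 over the concatenated UTF-8 bytes of the
    base64url-encoded key values, then base64url the digest.
    Member order n, e is an assumption of this example, not stated on the slide."""
    joined = "".join(jwk[m] for m in members).encode("utf-8")
    return b64url(hashlib.sha256(joined).digest())

def sub_from_sub_jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint (used by the final Core spec): SHA-256 of the
    canonical JSON of the required RSA members, sorted, no whitespace."""
    canonical = json.dumps({"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def check_self_issued_sub(claims: dict) -> Optional[str]:
    """Returns which derivation the sub claim matches ('draft18' or 'thumbprint'),
    or None if sub is not bound to sub_jwk. Verify the JWS signature with
    sub_jwk separately before trusting any claim; this only checks the binding."""
    if claims.get("iss") != "https://self-issued.me":  # issuer fixed by the profile (assumed here)
        return None
    jwk = claims.get("sub_jwk")
    sub = claims.get("sub")
    if not isinstance(jwk, dict) or jwk.get("kty") != "RSA" or not sub:
        return None
    if sub == sub_from_sub_jwk_draft18(jwk):
        return "draft18"
    if sub == sub_from_sub_jwk_thumbprint(jwk):
        return "thumbprint"
    return None
```

A sub that does not match either derivation means the token's identity is not tied to the key that signed it and should be rejected even if the signature verifies.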
Slide 10
Self-Issued ID Token
Slide 11
Device-specific key pair
↓
Device-specific ID Token
Slide 12
No verified emails
No verified profile
Slide 13
Holder of Key
Slide 14
twitter.com/nov
slideshare.net/matake
github.com/nov