
@weeUnquietMind

presents

An Introduction to the Emerging JSON-Based Identity and Security Protocols
Glue Conference 2013
Brian Campbell

slides: http://is.gd/1qoMXG

As Portfolio Architect for Ping Identity, Brian Campbell aspires to one day know what a Portfolio Architect actually does for a living. In the meantime, he tries to make himself useful by building software systems such as Ping's flagship product PingFederate. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee (SAML) and a current focus on OAuth 2.0, JOSE and OpenID Connect. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it.

Agenda
Backstory (with a quick SAML intro/refresher)
URL safe base64 encoding
JOSE intro: JWS, JWE (just a wee bit), JWT, JWK
A slice of OAuth 2.0
A bit of OpenID Connect


Technical Overview of the new(ish) JSON-Based Protocols

Quick SAML Refresher
Security Assertion Markup Language
XML-based framework that allows identity and security information to be shared across security domains
Primarily used for cross-domain Web browser single sign-on
An Assertion is a (usually signed, sometimes encrypted) security token
Enterprisey reputation
Paying my bills for nearly a decade

Last July at the ... one of the leading visionaries and analysts in the computer industry declared that
SAML is DEAD!
Craig Burton

Meanwhile, me at the ...
WTF, SAML is dead? I've got a mortgage to pay.
Beer is still alive though.

*Disclaimer: I work with these guys

The News Traveled Fast Beyond the Conference Walls

SAML

Death isn't So Bad


"on your deathbed, you will receive total
consciousness."

Some Qualification / Clarification was Offered
Burton said: "SAML is the Windows XP of Identity. No funding. No innovation. People still use it. But it has no future." And added, "There is no future for SAML. No one is putting money into SAML development. NO ONE is writing new SAML code. SAML is dead."
And then he reiterated for the hard of understanding: "SAML is dead does not mean SAML is bad. SAML is dead does not mean SAML isn't useful. SAML is dead means SAML is not the future."
http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/

...and I've got 29 years of mortgage payments left and kids in private school, so maybe I should find out what *is* the future.

The Future
European Identity and Cloud Conference:
Best Innovation/New Standard in Information Security went to OpenID Connect for
Providing the Consumerization of SAML. Driving the adoption of federation and making
this much simpler.
OpenID Connect is a simple JSON/REST-based interoperable identity protocol built on top
of the OAuth 2.0 family of specifications. Its design philosophy is make simple things
simple and make complicated things possible.

*Disclaimer: I also work with this guy

three nerds holding a blurry piece of paper...

WebFinger

base64url
It's like regular base64 but better!
Both are a means of encoding binary data in an ASCII string format
Each 6 bits -> 1 character
3 bytes -> 4 characters
Uses a URL safe alphabet rather than the almost URL safe alphabet of regular base64
  - rather than +
  _ rather than /
Padding (=) is typically omitted
A remaining unreserved URI character: .
This will be important later
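The following is an added example (not code from the slides or from jose4j) of the encoding rules above in Python's standard library. It shows the two things people get wrong in practice: the decoder has to put the omitted padding back, and it has to refuse anything outside the base64url alphabet, so a '+', '/' or '=' smuggled into a segment is an error rather than silently tolerated. It then splits the deck's own JWS compact serialization (shown later on the page) on '.', which works precisely because '.' can never appear inside an encoded segment.

```python
import base64
import json

# The base64url alphabet (RFC 4648 section 5): '-' and '_' in place of '+' and '/'.
# '.' is not in it, which is what makes '.' safe as the JOSE segment separator.
B64URL_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)

# Constructed input: the JWS compact serialization shown later in the deck.
DECK_JWS = (
    "eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ."
    "Y3xOwO2E99asvYvmAB-r37ikzgIzC6Kgu04_kBVrPizicWZ4lYTk3b7g5uHz0r6bi1U0Tg4eFwZWPAelrMMzkw"
)


def b64url_encode(data: bytes) -> str:
    """URL-safe alphabet, '=' padding stripped, exactly as JOSE wants it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Strict decode of unpadded base64url.

    The stdlib decoder neither restores the padding a sender was allowed to
    drop nor, by default, rejects characters outside the alphabet ('+', '/'
    and '=' included), so both are handled here before it is called.
    """
    if not set(text) <= B64URL_ALPHABET:
        raise ValueError("character outside the base64url alphabet")
    if len(text) % 4 == 1:
        raise ValueError("impossible base64url length")  # 6 bits never make a whole byte
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def split_compact(serialization: str) -> list:
    """Split on '.', the unreserved URI character JOSE keeps for itself, and decode each segment."""
    return [b64url_decode(segment) for segment in serialization.split(".")]


def describe_jws(serialization: str) -> tuple:
    """Header (parsed JSON), payload bytes and raw signature bytes of a compact JWS."""
    header, payload, signature = split_compact(serialization)
    return json.loads(header), payload, signature


if __name__ == "__main__":
    header, payload, signature = describe_jws(DECK_JWS)
    print(header, payload, len(signature))
```

The 86-character signature segment decodes to exactly 64 bytes, the r||s encoding of an ECDSA P-256 signature, which is a cheap sanity check on any ES256 token before doing the expensive verification.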

JOSE

Javascript Object Signing and Encryption


IETF Working Group

JWS
JWE
JWK
JWA

JWS
JSON Web Signature
A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding
Encoded segments are concatenated with a .
Intended for space constrained environments such as HTTP Authorization headers and URI query parameters
Conceptually simple:
Header.Payload.Signature

JWS Header
A bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value

Reserved Header Parameter Names
alg: Algorithm
  HMAC using SHA-XXX: HS256, HS384, HS512
  RSA using SHA-XXX: RS256, RS384, RS512
  ECDSA using P-XXX and SHA-XXX: ES256, ES384, ES512 (ES512 uses P-521)
  none (no signature or MAC at all; a verifier must reject it unless it was deliberately configured to accept unsecured JWSs)
  Also extensible
kid: Key ID
jku: JWK Set URL
jwk: JSON Web Key
x5u: X.509 URL
x5t: X.509 Certificate Thumbprint
x5c: X.509 Certificate Chain
typ: Type
cty: Content Type

Header Example
"I signed this thing with RSA-SHA256 using key ID of 9er and you can find the corresponding public key at https://www.example.com/jwk"
{"alg":"RS256","kid":"9er","jku":"https://www.example.com/jwk"}
(A URL pointing at the key set goes in jku; the jwk parameter carries the key itself as an embedded JSON object.)

JWS Example
Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Header (going to sign with ECDSA P-256 SHA-256) -> {"alg":"ES256"}
base64url encoded header -> eyJhbGciOiJFUzI1NiJ9
Secured Input -> eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ
base64url encoded signature over the Secured Input -> Y3xOwO2E99asvYvmAB-r37ikzgIzC6Kgu04_kBVrPizicWZ4lYTk3b7g5uHz0r6bi1U0Tg4eFwZWPAelrMMzkw
JWS Compact Serialization ->
eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ.Y3xOwO2E99asvYvmAB-r37ikzgIzC6Kgu04_kBVrPizicWZ4lYTk3b7g5uHz0r6bi1U0Tg4eFwZWPAelrMMzkw

Which you can think of sort of like:
{"alg":"ES256"}.USA #1!.<SIGNATURE>

Some Strengths of JWS

Simple [Relatively]
Compact
No canonicalization
Entirely Web Safe Alphabet

JWE
JSON Web Encryption
Similar in motivation and design to JWS but for encrypting content
Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag
More complicated:
More headers
  alg: Algorithm (key wrap or agreement)
  enc: Encryption Method (Authenticated Encryption only)
  zip: Compression Algorithm
  And more
More options and variations
More parts

JWT
JSON Web Token
Suggested pronunciation: "jot"
Compact URL-safe means of representing claims to be transferred between two parties
A JWT is a JWS and/or JWE with JSON claims as the payload

JWT Claims
A claim is a piece of information asserted about a subject (or about the JWT itself).
Here, claims are represented as name/value pairs, consisting of a Claim Name and a Claim Value (which can be any JSON value).

Reserved Claim Names
iss: Issuer
sub: Subject
aud: Audience
exp: Expiration Time
nbf: Not Before
iat: Issued At
jti: JWT ID
typ: Type

JWT Example
The JSON claims of a JWT saying that the subject is Brian, the JWT was issued by https://idp.example.com, expires at such and such a time, and is intended for consumption by https://sp.example.org (+ a few other things) would look like this:
{
 "iss":"https:\/\/idp.example.com",
 "exp":1357255788,
 "aud":"https:\/\/sp.example.org",
 "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",
 "acr":"2",
 "sub":"Brian"
}

Which becomes the JWS payload.
JWS Header saying it's signed with ECDSA P-256 SHA-256 -> {"alg":"ES256"}
And the whole JWT ->
eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwiZXhwIjoxMzU3MjU1Nzg4LCJhdWQiOiJodHRwczpcL1wvc3AuZXhhbXBsZS5vcmciLCJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLCJhY3IiOiIyIiwic3ViIjoiQnJpYW4ifQ.2htJZOHbuk2kpQUnfwcLrfqtKuhY8vJP8KU4O9pFBiea4fvpUHQK68M_yQj74EiBHruaarDGnpwaFrOtdbN06A
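The following is an added example, not code from the slides or from jose4j, covering both the JWS mechanics above (Header.Payload.Signature over the secured input) and the JWT claim checks a consumer has to make. It uses HS256 so it runs on the standard library alone; the shared key is a constructed placeholder. The verifier works from an allow-list of algorithms, so a token whose header says "alg":"none" (or any algorithm the key was not provisioned for) is refused before its payload is even looked at, and the MAC is compared in constant time. The claim set is the one on the slide, and the clock is passed in explicitly so the example is deterministic.

```python
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.com"      # issuer and audience as in the slide's claim set
AUDIENCE = "https://sp.example.org"
DEMO_KEY = b"constructed-shared-secret-for-this-example"  # assumption: a placeholder, not a real key

# The only algorithms this verifier will run. "none" is absent on purpose.
ALLOWED_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

DECK_CLAIMS = {  # the JSON claims shown on the slide above
    "iss": ISSUER, "exp": 1357255788, "aud": AUDIENCE,
    "jti": "tmYvYVU2x8LvN72B5Q_EacH._5A", "acr": "2", "sub": "Brian",
}


class InvalidToken(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Header.Payload.Signature, the MAC computed over the secured input."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    secured_input = f"{header}.{payload}".encode("ascii")
    mac = hmac.new(key, secured_input, ALLOWED_ALGS[alg]).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def forge_unsecured(claims: dict) -> str:
    """What an attacker submits: alg=none and an empty signature segment."""
    header = b64url_encode(b'{"alg":"none"}')
    return header + "." + b64url_encode(json.dumps(claims).encode()) + "."


def jws_verify(token: str, key: bytes) -> dict:
    """Check the MAC before trusting a single byte of the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        alg = json.loads(b64url_decode(header_b64)).get("alg")
        signature = b64url_decode(sig_b64)
    except (ValueError, AttributeError) as exc:
        raise InvalidToken("malformed header or signature") from exc
    if alg not in ALLOWED_ALGS:  # rejects "none" and any alg the key was not provisioned for
        raise InvalidToken(f"unacceptable alg {alg!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), ALLOWED_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise InvalidToken("bad signature")
    return json.loads(b64url_decode(payload_b64))


def validate_claims(claims: dict, issuer: str, audience: str, now: int, skew: int = 60) -> dict:
    """Who issued it, who it is for, and whether it is valid right now."""
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("not intended for this audience")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + skew:
        raise InvalidToken("expired")
    if now < claims.get("nbf", 0) - skew:
        raise InvalidToken("not yet valid")
    return claims


def outcome(token: str, key: bytes, issuer: str, audience: str, now: int) -> str:
    """'accepted', or the reason the token was rejected."""
    try:
        validate_claims(jws_verify(token, key), issuer, audience, now)
        return "accepted"
    except InvalidToken as exc:
        return str(exc)


if __name__ == "__main__":
    token = jwt_sign(DECK_CLAIMS, DEMO_KEY)
    print(token)
    print(outcome(token, DEMO_KEY, ISSUER, AUDIENCE, now=1357255000))
    print(outcome(forge_unsecured(DECK_CLAIMS), DEMO_KEY, ISSUER, AUDIENCE, now=1357255000))
```

Order matters: the signature is checked first and the claims only afterwards, because an attacker controls everything in an unverified payload, including the claims that would otherwise decide which key to use.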

JWT alongside a comparable SAML Assertion

JWT:
eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwiZXhwIjoxMzU3MjU1Nzg4LCJhdWQiOiJodHRwczpcL1wvc3AuZXhhbXBsZS5vcmciLCJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLCJhY3IiOiIyIiwic3ViIjoiQnJpYW4ifQ.2htJZOHbuk2kpQUnfwcLrfqtKuhY8vJP8KU4O9pFBiea4fvpUHQK68M_yQj74EiBHruaarDGnpwaFrOtdbN06A

SAML:
<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Issuer>https://idp.example.com</Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
      <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
  </ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
    <AudienceRestriction>
      <Audience>https://sp.example.org</Audience>
    </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
    <AuthnContext>
      <AuthnContextClassRef>2</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>

JWK
JSON Web Key
JSON representation of public keys with some metadata
RSA & Elliptic Curve
JWK & JWK Set

JWK Parameters and Example
Common Parameters: "kty": Key Type, "use": Key Use, "alg": Algorithm, "kid": Key ID
RSA: "n": Modulus, "e": Exponent
EC: "crv": Curve (P-256, P-384, P-521), "x": X Coordinate, "y": Y Coordinate

{"keys":
 [
  {"kty":"EC",
   "crv":"P-256",
   "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
   "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
   "kid":"9er"},
  {"kty":"RSA",
   "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
   "e":"AQAB",
   "kid":"7ish"}
 ]
}
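An added example (not from the slides or from jose4j) of what a consumer should do with a JWK Set like the one above before trusting any key in it: decode the base64url big integers, check the RSA modulus size and public exponent, check that the EC coordinates are actually a point on P-256 (an off-curve point is the classic invalid-curve attack input), refuse duplicate kids, and, when a JWS header names a kid, insist that the key's type fits the header's alg. That last check is worth having: the slide's own header example, {"alg":"RS256","kid":"9er"}, names the EC key in this set and would be rejected. Standard library only; the P-256 constants are the published NIST parameters.

```python
import base64
import json

# NIST P-256 (secp256r1): y^2 = x^3 - 3x + b over GF(p)
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# The JWK Set from the slide above, as published.
DECK_JWK_SET = json.loads("""{"keys":[
 {"kty":"EC","crv":"P-256","x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
  "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM","kid":"9er"},
 {"kty":"RSA","n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw","e":"AQAB","kid":"7ish"}]}""")


def b64url_to_int(text: str) -> int:
    """JWK carries big integers as unpadded base64url of their big-endian bytes."""
    return int.from_bytes(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)), "big")


def is_on_p256(x: int, y: int) -> bool:
    in_range = 0 <= x < P256_P and 0 <= y < P256_P
    return in_range and (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def check_rsa(jwk: dict) -> dict:
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    if n.bit_length() < 2048:
        raise ValueError(f"{n.bit_length()}-bit RSA modulus is too small")
    if e < 65537 or e % 2 == 0:
        raise ValueError(f"unsafe RSA public exponent {e}")
    return {"kty": "RSA", "bits": n.bit_length(), "n": n, "e": e}


def check_ec(jwk: dict) -> dict:
    if jwk.get("crv") != "P-256":
        raise ValueError(f"curve {jwk.get('crv')!r} is not handled by this example")
    x, y = b64url_to_int(jwk["x"]), b64url_to_int(jwk["y"])
    if not is_on_p256(x, y):
        # Off-curve coordinates are the invalid-curve attack input; such a key must never be used.
        raise ValueError("EC public key is not a point on P-256")
    return {"kty": "EC", "crv": "P-256", "x": x, "y": y}


def load_jwk_set(jwk_set: dict) -> dict:
    """Validate every key in the set and index the usable ones by kid."""
    checkers = {"RSA": check_rsa, "EC": check_ec}
    keys = {}
    for jwk in jwk_set["keys"]:
        kid, kty = jwk.get("kid"), jwk.get("kty")
        if kid is None or kid in keys:
            raise ValueError(f"missing or duplicate kid {kid!r}")
        if kty not in checkers:
            raise ValueError(f"unsupported kty {kty!r}")
        keys[kid] = checkers[kty](jwk)
    return keys


def select_key(keys: dict, header: dict) -> dict:
    """Pick the key a JWS header names and insist it matches the header's alg family."""
    kid, alg = header.get("kid"), header.get("alg", "")
    key = keys.get(kid)
    if key is None:
        raise KeyError(f"no key with kid {kid!r}")
    needed = {"RS": "RSA", "ES": "EC"}.get(alg[:2])
    if key["kty"] != needed:
        raise ValueError(f"kid {kid!r} is a {key['kty']} key but alg {alg!r} needs {needed}")
    return key


if __name__ == "__main__":
    keys = load_jwk_set(DECK_JWK_SET)
    for kid, key in keys.items():
        print(kid, key["kty"], key.get("bits") or key["crv"])
```

Real libraries do these checks on import; the point of spelling them out is that a JWK Set fetched from a jku URL is attacker-influenced input until it has passed them.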

Side by Side: JWK & X.509

-----BEGIN CERTIFICATE-----
MIIC+DCCAeCgAwIBAgIGATwF/lFLMA0GCSqGSIb3DQEBBQUAMD0xCzAJBgNVBAYT
AkFVMRgwFgYDVQQKEw9Ta3VsbCBhbmQgQm9uZXMxFDASBgNVBAMTC0JyaWFuJ3Mg
S2V5MB4XDTEzMDEwNDE0MzY1OFoXDTEzMDEwNjE0MzY1OFowPTELMAkGA1UEBhMC
QVUxGDAWBgNVBAoTD1NrdWxsIGFuZCBCb25lczEUMBIGA1UEAxMLQnJpYW4ncyBL
ZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCDqklkcqENppPu6Go6
lCZuPR2KOl8uMbh4dk9YbZJKoeBAH87VjLcbkwPFZXmYiUHFLnPkuIEf1q50DikP
BPmARSPpOL+2ecU+zVOPWeeCuMtPcw5thBOzZ+DwlNaV7/A97MwhgqJkzOjZN7bp
rBAq79BS4l/EZ/H7iDWdOa5dRSfRIZ8zGPOlbxMgtLlY3Y6TgpwoamWgpEYKcl7l
kw4hUKhOG8IV5rd3I96auGOiUz6j5W9q3fRXxMSN04TnP0TzZlxmWQ7fv4jWPbql
3W7HKcuslLDJn35B9NPqz72KE8KlrWeWnmA8oRnrKRQYpszmm4/yScG7q7vSoNGW
rZIvAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBACRQUN7DlPDoMoikbDbD87BZ3FY5
3TYNaCs/TUze7/T/I7qpozzIKUEhDtOUiajeyPIfEE5XFlx6Nixc3y7/z36eHmsm
e+6yimgpy3qxhqioupS0bat5Um6EOR8oNbnu7FF9IjOC52yonEWOp6uTeTmfg2LB
mh1kvLM5yVDkeLOMxOrV09dBw2FgVU4gpfJWMGzwtVhFiMF5MfTtqy0ePiHFL6M7
jFs4BNinAkwJsxgco0lQWpaoJDiA7sCHPMRpHRDLMrZhm6FzGvJTjynhekIUV3cc
WTf7mfnGxojAZ1nH66zgLL2HfCem9UCz4ZZ3QOwuyu0rVPuRDGgHFgGWnvo=
-----END CERTIFICATE-----

{
 "kty":"RSA",
 "n":"g6pJZHKhDaaT7uhqOpQmbj0dijpfLjG4eHZPWG2SSqHgQB_O1Yy3G5MDxWV5mIlBxS5z5LiBH9audA4pDwT5gEUj6Ti_tnnFPs1Tj1nngrjLT3MObYQTs2fg8JTWle_wPezMIYKiZMzo2Te26awQKu_QUuJfxGfx-4g1nTmuXUUn0SGfMxjzpW8TILS5WN2Ok4KcKGploKRGCnJe5ZMOIVCoThvCFea3dyPemrhjolM-o-Vvat30V8TEjdOE5z9E82ZcZlkO37-I1j26pd1uxynLrJSwyZ9-QfTT6s-9ihPCpa1nlp5gPKEZ6ykUGKbM5puP8knBu6u70qDRlq2SLw",
 "e":"AQAB"
}

The same certificate, decoded:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:3c:05:fe:51:4b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, O=Skull and Bones, CN=Brian's Key
        Validity
            Not Before: Jan  4 14:36:58 2013 GMT
            Not After : Jan  6 14:36:58 2013 GMT
        Subject: C=AU, O=Skull and Bones, CN=Brian's Key
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:83:aa:49:64:72:a1:0d:a6:93:ee:e8:6a:3a:94:
                    26:6e:3d:1d:8a:3a:5f:2e:31:b8:78:76:4f:58:6d:
                    92:4a:a1:e0:40:1f:ce:d5:8c:b7:1b:93:03:c5:65:
                    79:98:89:41:c5:2e:73:e4:b8:81:1f:d6:ae:74:0e:
                    29:0f:04:f9:80:45:23:e9:38:bf:b6:79:c5:3e:cd:
                    53:8f:59:e7:82:b8:cb:4f:73:0e:6d:84:13:b3:67:
                    e0:f0:94:d6:95:ef:f0:3d:ec:cc:21:82:a2:64:cc:
                    e8:d9:37:b6:e9:ac:10:2a:ef:d0:52:e2:5f:c4:67:
                    f1:fb:88:35:9d:39:ae:5d:45:27:d1:21:9f:33:18:
                    f3:a5:6f:13:20:b4:b9:58:dd:8e:93:82:9c:28:6a:
                    65:a0:a4:46:0a:72:5e:e5:93:0e:21:50:a8:4e:1b:
                    c2:15:e6:b7:77:23:de:9a:b8:63:a2:53:3e:a3:e5:
                    6f:6a:dd:f4:57:c4:c4:8d:d3:84:e7:3f:44:f3:66:
                    5c:66:59:0e:df:bf:88:d6:3d:ba:a5:dd:6e:c7:29:
                    cb:ac:94:b0:c9:9f:7e:41:f4:d3:ea:cf:bd:8a:13:
                    c2:a5:ad:67:96:9e:60:3c:a1:19:eb:29:14:18:a6:
                    cc:e6:9b:8f:f2:49:c1:bb:ab:bb:d2:a0:d1:96:ad:
                    92:2f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        24:50:50:de:c3:94:f0:e8:32:88:a4:6c:36:c3:f3:b0:59:dc:
        56:39:dd:36:0d:68:2b:3f:4d:4c:de:ef:f4:ff:23:ba:a9:a3:
        3c:c8:29:41:21:0e:d3:94:89:a8:de:c8:f2:1f:10:4e:57:16:
        5c:7a:36:2c:5c:df:2e:ff:cf:7e:9e:1e:6b:26:7b:ee:b2:8a:
        68:29:cb:7a:b1:86:a8:a8:ba:94:b4:6d:ab:79:52:6e:84:39:
        1f:28:35:b9:ee:ec:51:7d:22:33:82:e7:6c:a8:9c:45:8e:a7:
        ab:93:79:39:9f:83:62:c1:9a:1d:64:bc:b3:39:c9:50:e4:78:
        b3:8c:c4:ea:d5:d3:d7:41:c3:61:60:55:4e:20:a5:f2:56:30:
        6c:f0:b5:58:45:88:c1:79:31:f4:ed:ab:2d:1e:3e:21:c5:2f:
        a3:3b:8c:5b:38:04:d8:a7:02:4c:09:b3:18:1c:a3:49:50:5a:
        96:a8:24:38:80:ee:c0:87:3c:c4:69:1d:10:cb:32:b6:61:9b:
        a1:73:1a:f2:53:8f:29:e1:7a:42:14:57:77:1c:59:37:fb:99:
        f9:c6:c6:88:c0:67:59:c7:eb:ac:e0:2c:bd:87:7c:27:a6:f5:
        40:b3:e1:96:77:40:ec:2e:ca:ed:2b:54:fb:91:0c:68:07:16:
        01:96:9e:fa

The modulus (83:aa:49:64...) is the same 2048-bit number as the JWK's "n" (g6pJZHKh... is its base64url form) and the exponent 65537 is the JWK's "e":"AQAB"; everything else in the certificate (subject, issuer, validity, signature) has no counterpart in the bare JWK.

JSON Web Key
JWKs can be:
included in a JWS/JWE/JWT header
saved in a file
published at an HTTPS endpoint
used in place of self signed certificates
(A bare JWK carries no validity period, issuer or signature of its own, so its trustworthiness comes entirely from where it was obtained: the HTTPS endpoint's identity, or the signature on the container it arrived in.)

Some JOSE/JWT Implementations

Java: https://bitbucket.org/b_c/jose4j
*Disclaimer: I'm writing this one

Ruby: https://github.com/nov/json-jwt

JavaScript: http://kjur.github.com/jsjws/

Perl: https://metacpan.org/module/JSON::WebToken

OAuth Basic Abstract Flow
(Diagram: the Client gets a token from the Authorization Server, then uses the token at the Resource Server)

client: An application obtaining authorization and making protected resource requests. (e.g. a native app on a mobile device)

resource server (RS): A server capable of accepting and responding to protected resource requests. (Protected APIs)

authorization server (AS): A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization.

A few other protocol terms
Access token (AT): Presented by the client when accessing protected resources at the RS
Refresh token (RT): Allows clients to obtain a fresh access token without re-obtaining authorization
Scope: A permission (or set of permissions) defined by the AS/RS
Authorization endpoint: Used by the client to obtain authorization from the resource owner via user-agent redirection
Token endpoint: Used for direct client to AS communication
Authorization Code: One-time code issued by an AS to be exchanged for an AT

The OAuth 2.0 (RFC 6749) Code Flow
a.k.a. Authorization Code Grant Type
a.k.a. Authorization Code Flow
a.k.a. etc.

OAuth 2.0 Code Flow
(The same diagram repeats on each of the following slides: the Resource Owner; the Client; the Authorization Server with its Authorization Endpoint and Token Endpoint; the Resource Server with its Protected Resource(s))

*Disclaimer: I also work with this guy

1. Authorization Request with response_type=code (the Client sends the Resource Owner's user-agent to the Authorization Endpoint)
2. Authenticate and Approve (the Resource Owner, at the Authorization Server)
3. Authorization Response + code (back to the Client, via the user-agent)
4. Access Token Request with authorization_code grant type + code (the Client directly to the Token Endpoint)
5. Access Token Response with Access Token (and maybe Refresh)
6. Use Access Token to access Protected Resources (the Client to the Resource Server)

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol.

OpenID Connect Basic Client Profile, or Code Flow

OAuth 2.0 / OpenID Connect Code Flow
(The same diagram as before, with the OpenID Connect names added: Resource Owner / End-User; Client / Relying Party; Authorization Server / Identity Provider / OpenID Provider with its Authorization Endpoint, Token Endpoint and User Info Endpoint; Resource Server with its Protected Resource(s))

1. Authorization Request with response_type=code & scope=openid profile email address phone & maybe other new stuff: request[_uri], prompt, nonce, etc.
2. Authenticate and Approve
3. Authorization Response + code
4. Access Token Request with authorization_code grant type + code
5. Access Token Response with Access Token + ID Token (JWT)
6. Use Access Token to access User Info Endpoint
7. User Info Endpoint returns additional claims about (aboot) the authenticated End-User.
8. End-User is logged into the Client/RP
9. [Maybe] Use Access Token to access additional Protected Resources

Simple, right?
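The following is an added example, not code from the slides, Ping Identity or any OpenID Connect implementation, that plays both sides of the two flows above in one runnable module: the OAuth 2.0 code flow (steps 1 to 6) and the OpenID Connect additions on top of it (scope=openid, the nonce, the ID Token, the User Info Endpoint). The hostnames come from the slides' JWT example; the client id, client secret, redirect URI and the state parameter the RP uses to tie the callback to a login it started are constructed for the example. The ID Token is signed with HS256 under the client secret (one of the signing options OpenID Connect allows, used here so that no crypto library is needed). The points it demonstrates that the diagrams cannot: the authorization code is redeemed exactly once, the code is bound to the client and redirect URI it was issued for, the token endpoint authenticates the client, and the RP logs nobody in until the ID Token's signature, issuer, audience, expiry and nonce have all been checked.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example.com"  # host as on the slides; client id, secret and redirect are constructed
CLIENT_ID, CLIENT_SECRET = "sp.example.org", b"constructed-client-secret"
REDIRECT_URI = "https://sp.example.org/callback"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class OpenIDProvider:
    # Toy Authorization Server / OpenID Provider; all state is kept in memory.
    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, {REDIRECT_URI})}  # registered clients
        self.codes = {}   # code -> (client_id, redirect_uri, scope, nonce, sub)
        self.tokens = {}  # access token -> (sub, scope)

    def authorize(self, request_url: str, authenticated_user: str) -> str:
        # Steps 1-3: check the request, End-User authenticates and approves, redirect back with a code.
        q = query(request_url)
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("redirect_uri") not in client[1]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if q.get("response_type") != "code":
            raise ValueError("only response_type=code is implemented here")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q.get("scope", ""), q.get("nonce"), authenticated_user)
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q.get('state', '')})}"

    def token(self, form: dict, client_id: str, client_secret: bytes) -> dict:
        # Steps 4-5: authenticate the client, redeem the code exactly once, issue tokens.
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client[0], client_secret):
            raise ValueError("client authentication failed")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported grant_type")
        issued = self.codes.pop(form.get("code"), None)  # pop(): an authorization code is one-time
        if issued is None:
            raise ValueError("code is invalid or was already redeemed")
        code_client, code_redirect, scope, nonce, sub = issued
        if (code_client, code_redirect) != (client_id, form.get("redirect_uri")):
            raise ValueError("code was issued to a different client or redirect_uri")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (sub, scope)
        response = {"access_token": access_token, "token_type": "Bearer"}
        if "openid" in scope.split():  # scope=openid is what makes this an OpenID Connect login
            response["id_token"] = self.id_token(sub, client_id, nonce, client[0])
        return response

    def id_token(self, sub: str, client_id: str, nonce, secret: bytes) -> str:
        # ID Token: a JWT about the authentication event, HS256 under the client secret.
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": sub, "aud": client_id, "iat": now, "exp": now + 300}
        if nonce is not None:
            claims["nonce"] = nonce  # echoed so the RP can bind the token to the login it started
        signing_input = b64url(b'{"alg":"HS256"}') + "." + b64url(json.dumps(claims).encode())
        return signing_input + "." + b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

    def userinfo(self, access_token: str) -> dict:
        # Steps 6-7: a valid access token buys claims about the End-User (KeyError otherwise).
        sub, scope = self.tokens[access_token]
        return {"sub": sub, "scope": scope}

class RelyingParty:
    def __init__(self, op: OpenIDProvider):
        self.op, self.pending = op, {}  # pending logins: state -> nonce

    def start_login(self) -> str:
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return f"{ISSUER}/authorize?" + urlencode({"response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": "openid profile", "state": state, "nonce": nonce})

    def finish_login(self, callback_url: str) -> dict:
        # Step 8: the End-User is logged in only once the ID Token has been verified.
        q = query(callback_url)
        nonce = self.pending.pop(q.get("state"), None)  # unknown or reused state: not a login we started
        if nonce is None:
            raise ValueError("callback does not belong to a login this RP started")
        tokens = self.op.token({"grant_type": "authorization_code", "code": q.get("code"),
                                "redirect_uri": REDIRECT_URI}, CLIENT_ID, CLIENT_SECRET)
        identity = self.verify_id_token(tokens["id_token"], nonce)
        profile = self.op.userinfo(tokens["access_token"])
        if profile["sub"] != identity["sub"]:
            raise ValueError("user info describes someone else")
        return {"sub": identity["sub"], "profile": profile, "access_token": tokens["access_token"]}

    def verify_id_token(self, token: str, nonce: str) -> dict:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        mac = hmac.new(CLIENT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(sig)):
            raise ValueError("ID Token signature invalid")
        c = json.loads(b64url_decode(body))
        if c.get("iss") != ISSUER or c.get("aud") != CLIENT_ID or c.get("nonce") != nonce or time.time() > c["exp"]:
            raise ValueError("ID Token is not for this RP and this login")
        return c
```

To run it end to end: create an OpenIDProvider and a RelyingParty over it, hand the URL from start_login() to authorize() together with the name of the user who logged in at the OP, and pass the callback URL it returns to finish_login(); redeeming the same code a second time, replaying the callback, or sending an unregistered redirect_uri each raise. In a real deployment the two classes live on different hosts and the user-agent carries steps 1 and 3 between them; nothing about the checks changes.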

You've just been introduced to some Emerging JSON-Based Identity and Security Protocols

Any Questions?

Brian Campbell
@weeUnquietMind
Gluecon 2013
http://is.gd/1qoMXG
