Uploaded by masaru-kurahayashi
ID & IT Management Conference 2016
Standard-based Identity (1)
2016/9/16
kura
ID /
OpenID ID
@kura_lab
1.
2. ID
3.
4.
5. OpenID Connect
6.
Identity standards timeline, 2005 to 2016 (reconstructed from the slide's timeline figure; dates are the years the specifications were finalized):
SAML 1.x (before 2005) and SAML 2.0 (2005): standardized at OASIS
OpenID 1.0 (2005) and OpenID 2.0 (2007): community specifications; OpenID 2.0 has since been deprecated
OAuth 1.0 (2007): developed outside a standards body, later published by the IETF as an Informational RFC (RFC 5849, 2010)
OAuth 2.0 (2012): IETF Standards Track RFC (RFC 6749)
OpenID Connect (2014): OpenID Foundation specification, built on OAuth 2.0
SAML (Security Assertion Markup Language)
SOAP/XML based
OpenID
OpenID AX (Attribute Exchange) for user attributes
SOAP/XML
OAuth 1.0 / OAuth 2.0
Delegated authorization for Web APIs
REST API / JSON
OpenID Connect
Identity layer built on OAuth 2.0
REST API / JSON
SSO
SAML / OpenID / OpenID Connect: authentication (who the user is)
OAuth: authorization (what a client may access), not authentication by itself
OpenID 2.0: Google shut down its OpenID 2.0 support in 2015 in favor of OpenID Connect
Support both SAML 2.0 and OpenID Connect:
Azure AD
Google Apps
Migrated from OpenID 2.0 to OpenID Connect:
Google Identity Platform GO
Yahoo! ID
SAML / OAuth / OpenID Connect
OpenID
SAML
REST API / JSON: OpenID Connect, OAuth
ID provisioning: OpenID Connect, SCIM
SCIM (System for Cross-domain Identity Management)
Identity provisioning / deprovisioning across domains
REST API / JSON
Web API access: OAuth 2.0
Login: OpenID Connect
OpenID Connect Authorization Code Flow
Participants: IdP (OpenID Provider), RP (Relying Party), End-User; the IdP also hosts the UserInfo Endpoint.
1. End-User starts OpenID Connect login at the RP
2. Authorization Request: the RP redirects the browser to the IdP's authorization endpoint
3. Login / Consent: the End-User authenticates at the IdP and approves the RP
4. Authorization Code: the IdP redirects the browser back to the RP's redirect_uri with a code
5. Token Request: the RP sends the code to the IdP's token endpoint over the back channel
6. Token Response: Access Token / Refresh Token / ID Token
7. Resource Access: the RP calls the UserInfo Endpoint with the Access Token and receives the user's claims (the Resource)
Authorization Request

HTTP/1.1 302 Found
Location: https://server.example.com/authorize?response_type=code&scope=openid%20profile%20email&client_id=s6BhdRkqt3&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

response_type=code selects the Authorization Code Flow. scope must contain openid for this to be an OpenID Connect request; profile and email ask for the corresponding claims. state is an unguessable value the RP generates and stores in the browser session so it can recognize its own callback, and nonce is echoed inside the ID Token so the RP can bind that token to this request.
Authorization Response

HTTP/1.1 302 Found
Location: https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj

In the Authorization Code Flow the front channel carries only the short-lived Authorization Code (code); no token passes through the browser. Before using the code the RP must check that state equals the value it stored when it built the Authorization Request; a mismatch means the callback was not started by this session (CSRF) and must be rejected.
Token Request

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

The Authorization header is HTTP Basic client authentication, base64_encode(client_id . ":" . client_secret); the value above decodes to s6BhdRkqt3:gX1fBat3bV. The body carries the Authorization Code just received and the same redirect_uri that was sent in the Authorization Request, which the IdP compares before issuing tokens. The client secret and the code travel only in this back-channel POST from the RP to the IdP, never through the browser, so a code captured from the redirect cannot be redeemed without the secret.
Token Response

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "SlAV32hkKG",
  "token_type": "Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in": 3600,
  "id_token": "eyJhbGciOi6IjFlOWdkazcifQ.eyJewogImlzc6ICJzZCaGRSa3F0MyIsCiAibm9uY2UiOiODA5NzAKfQ.eyJggW8hZ16IcmD3HP99Obi1PRs-cwhJ3LO-p146waJMzqg"
}

The response is JSON and is marked no-store so that no cache keeps the tokens. It carries the Access Token and Refresh Token from OAuth 2.0 plus the ID Token that OpenID Connect adds. token_type is Bearer, so the Access Token is presented to APIs as Authorization: Bearer <access_token>. The ID Token is a signed JWT (header.payload.signature, value shortened on the slide) asserting who authenticated; the RP must validate its signature, iss, aud (its own client_id), exp and nonce before treating the user as logged in.
UserInfo Request

GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer SlAV32hkKG

The Access Token is a Bearer token: whoever holds it can call the endpoint, so it is sent in the Authorization header over HTTPS only and should not be placed in a URL query string where it would land in logs and Referer headers.
UserInfo Response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "j.doe",
  "picture": "http://example.com/janedoe/me.jpg",
  "email": "janedoe@example.com"
}

The response is JSON. sub, the subject identifier, comes with the openid scope and is the stable value the RP should key its accounts on (not email or name, which can change); it must match the sub in the ID Token. name, given_name, family_name, preferred_username and picture come from the profile scope, and email from the email scope, matching scope=openid profile email in the Authorization Request.
Claims returned for each scope:

claim                    scope
sub                      - (always returned; requires openid)
name                     profile
given_name               profile
family_name              profile
middle_name              profile
nickname                 profile
preferred_username       profile
profile (URL)            profile
picture (URL)            profile
website (URL)            profile
email                    email
email_verified           email
gender                   profile
birthdate                profile
zoneinfo                 profile
locale                   profile
phone_number             phone
phone_number_verified    phone
address                  address
updated_at               profile
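The seven steps above run end to end, as an added example that is not code from the slides: a relying party written in Python and exercised against an in-process fake OpenID Provider so the exchange works offline. It reuses the slide's identifiers (client_id s6BhdRkqt3, the secret gX1fBat3bV behind the Basic header, server.example.com, client.example.org/cb); the fake IdP, the HS256 client-secret signature on the ID Token and the sub/claim values are constructed for the demo. It goes a little beyond the slides by showing the checks the sequence implies but does not spell out: state on the callback, single use of the code, client authentication at the token endpoint, and signature, iss, aud, exp and nonce on the ID Token.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Values from the slides' example messages; the fake IdP below is a demo stand-in.
ISSUER = "https://server.example.com"
CLIENT_ID, CLIENT_SECRET = "s6BhdRkqt3", "gX1fBat3bV"
REDIRECT_URI = "https://client.example.org/cb"


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def basic_auth(client_id, secret):
    # HTTP Basic client authentication: base64(client_id ":" client_secret)
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


# ---- Relying Party side -----------------------------------------------------
def build_authorization_url(session):
    # Step 2: fresh state (ties the callback to this session) and nonce (binds the ID Token)
    session["state"], session["nonce"] = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "scope": "openid profile email", "client_id": CLIENT_ID,
              "state": session["state"], "nonce": session["nonce"], "redirect_uri": REDIRECT_URI}
    return f"{ISSUER}/authorize?{urlencode(params)}"


def code_from_callback(session, callback_url):
    # Step 4: refuse the code unless state matches what we stored
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session.pop("state", None):
        raise ValueError("state mismatch: callback not started by this session")
    return query["code"][0]


def verify_id_token(id_token, nonce, now=None):
    # Step 6: signature first, then issuer, audience, expiry and nonce
    head_b64, body_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or an algorithm you did not expect
    mac = hmac.new(CLIENT_SECRET.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        raise ValueError("bad ID Token signature")
    claims = json.loads(b64url_decode(body_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("ID Token not issued by our IdP for this client")
    if claims.get("exp", 0) <= now or claims.get("nonce") != nonce:
        raise ValueError("ID Token expired or nonce mismatch")
    return claims


# ---- fake OpenID Provider (constructed for the demo) ------------------------
class FakeIdP:
    def __init__(self):
        self.codes, self.access_tokens = {}, {}

    def authorize(self, url):
        # Step 3: the End-User logs in and consents; return the redirect back to the RP
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q["response_type"] != "code" or "openid" not in q["scope"].split():
            raise ValueError("not an OpenID Connect code-flow request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "nonce": q["nonce"], "sub": "248289761001"}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, authorization, form):
        # Steps 5/6: authenticate the client, redeem the code exactly once, mint tokens
        if authorization != basic_auth(CLIENT_ID, CLIENT_SECRET):
            return {"error": "invalid_client"}
        grant = self.codes.pop(form.get("code"), None)  # single use: a replay finds nothing
        if grant is None or grant["client_id"] != CLIENT_ID or grant["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": grant["sub"], "aud": CLIENT_ID,
                  "iat": now, "exp": now + 600, "nonce": grant["nonce"]}
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        signing_input = header + "." + b64url(json.dumps(claims).encode())
        sig = hmac.new(CLIENT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
        access_token = secrets.token_urlsafe(8)
        self.access_tokens[access_token] = grant["sub"]
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600,
                "id_token": signing_input + "." + b64url(sig)}

    def userinfo(self, authorization):
        # Step 7: possession of the Bearer token is all the endpoint checks
        scheme, _, token = authorization.partition(" ")
        sub = self.access_tokens.get(token) if scheme == "Bearer" else None
        return None if sub is None else {"sub": sub, "name": "Jane Doe", "email": "janedoe@example.com"}


def login(idp):
    # Steps 1-7 from the RP's point of view; returns the verified identity or raises
    session = {}
    callback = idp.authorize(build_authorization_url(session))
    code = code_from_callback(session, callback)
    tokens = idp.token(basic_auth(CLIENT_ID, CLIENT_SECRET),
                       {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI})
    claims = verify_id_token(tokens["id_token"], session.pop("nonce"))
    info = idp.userinfo("Bearer " + tokens["access_token"])
    if info is None or info["sub"] != claims["sub"]:
        raise ValueError("UserInfo subject does not match the ID Token")
    return {"sub": claims["sub"], "userinfo": info, "tokens": tokens, "code": code}


if __name__ == "__main__":
    print(json.dumps(login(FakeIdP()), indent=2))
```

The RP keys the account on sub, never on email or name, and verifies the ID Token with the shared client secret because this demo IdP signs with HS256; against a real provider the signature is normally RS256 and the public key is fetched from the provider's JWKS endpoint, with the same iss/aud/exp/nonce checks afterwards.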
1. Identity standards to build on today: SAML 2.0 and OpenID Connect
2. The shift is from SOAP/XML to REST API / JSON
3.
4. OpenID Connect is built from ordinary Web mechanics: a redirect via the Location header, credentials in the Authorization header (Basic for the client, Bearer for the Access Token), and HTTPS throughout