© 2016 ForgeRock. All rights reserved.
1 December 2016, La Source @ Le Tank, 22 bis rue des Taillandiers, Paris
HOW IT WORKS: OPENID CONNECT, UNIVERSAL IDENTITY PROVIDER FROM GOOGLE TO FRANCECONNECT
User identity providers
What is the question?
I want users to get easy access to my system, however:
● I want to retrieve user information.
● I also do not want my users to have to remember and enter yet another set of credentials.
We can achieve this using federation.
SAML and OIDC are both types of federation (though not the only types).
[Diagram: MyService]
Why not SAML?
• SAML (Security Assertion Markup Language) is a standard which enables a user to authenticate once and access multiple web sites across different networks
• XML and SOAP based
• The SAML standard defines two different types of provider:
  • Identity Provider (IdP): Authenticates users and stores user credentials.
  • Service Provider (SP): Where authenticated users go to consume services.
• A circle of trust is a set of IdPs and SPs that have been configured to trust SAML assertions generated by each other.
[Diagram: Circle of Trust, one IdP with several SPs]
Introducing OIDC
OpenID Connect (OIDC) is built on OAuth2 and adds an authentication layer (OAuth2 on its own only covers delegated access). Like SAML, it solves the problem of accessing different sites without introducing yet another set of credentials.
You may have seen one of these buttons; they use OIDC.
Sites can be OpenID certified.
Why OIDC?
OIDC offers additional functionality over and above SAML:
● Dynamic registration & discovery: client applications can discover the OIDC server's configuration and register themselves with it automatically.
● RESTful services: JSON-based services that can be used by mobile apps and microservices.
● Easy-to-consume tokens: OIDC uses JWTs (JSON Web Tokens).
● Endpoints that can flexibly return claims about the end user
● Use of custom claims
● Enable consent
● Enable authorization
● Easy to configure
OIDC Flows
There are three OIDC flows for authentication; they are a subset of the OAuth2 flows:
● Authorization Code Flow
● Implicit Flow
● Hybrid Flow
We are going to look at the Authorization Code Flow.
OIDC Authorization Code Flow
[Sequence diagram. Participants: Relying Party, User, OpenID Provider (Token Endpoint, UserInfo Endpoint). Steps:]
● Authorization code request
● Authenticate end user
● User consent *
● Redirect with... ...authorization code
● Exchange code for tokens
● Access Token & ID Token
● (Optional) Access token
● (Optional) Userinfo response
● Access protected resource
* Unless already granted
Access Token, ID Token, UserInfo
Hub FranceConnect
FranceConnect Hub
Leo
What’s The Flowww?
• Browser-based Applications
  • Implicit flow for JavaScript-based applications or a "traditional" server-rendered web application.
  • Increase security with the authorization code flow – or hybrid flow.
• Mobile Native Applications
  • Authorization code flow with a direct connection to the token endpoint
• Micro services
  • Authorization code flow
OIDC flow functional matrix