openid connect federation
TRANSCRIPT
OpenID Connect Federation Workshop, UNINETT, 6 October 2017
Åkre Solberg
[Diagram: three SAML 2.0 SPs and three SAML 2.0 IdPs exchanging metadata through a single SAML 2.0 Metadata Aggregate]
[Diagram: SAML 2.0 SPs and IdPs served by several SAML 2.0 Metadata Aggregates, interconnected through eduGAIN]
[Diagram: three OIDC Clients and an OIDC Provider, with clients onboarded through a Self-service Registry]
[Diagram: OIDC Client to OIDC Provider exchange: Discovery, Registration, Authentication request, Token request; the provider publishes Provider metadata and the client keeps its client config]
Express something about:
Client (an unregistered one)
Provider
Schema similar to:
OpenID Connect Discovery Response describes a provider
OpenID Connect Dynamic Client Registration request describes a client
Using JWS to sign and chain trust to a common root
Signed metadata
Roland's OpenID Connect Federations
Nested metadata
Roland's OpenID Connect Federations
[Diagram: the same OIDC Client to OIDC Provider exchange (Discovery, Registration, Authentication request, Token request), now with signed Provider metadata and signed client metadata alongside the client config and client_secret]
Less state in clients
Complex to deal with expired
Possibility to use vanilla OIDC Core clients.
Use of asymmetric crypto
Proposed changes
OpenID Client requirements
100% vanilla OpenID Connect Core Client should interop with OIDC Fed Provider.
Restrictions on what parts of [Core] to use; typically client authentication using private_key_jwt.
The client may want to filter / configure which OP to trust. This can typically be added as a hook in the Discovery process.
Will need to host a well-known static document at the client hostname, pointing to a registry (or another issuer) that issues a signed metadata statement about the client.
OpenID Provider requirements
A single hook in which to discover and validate OIDC client metadata.
Typically implemented in the client configuration store, e.g. getClientConfig(String client_id), called as getClientConfig('https://client.example.org').
Will need to publish a signed Metadata Statement along with Provider config at well known location.
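The "JWS to sign and chain trust to a common root" and "Nested metadata" ideas from the earlier slides, together with the provider-side validation hook described here, sketched as an added Go example (not code from the workshop or from Roland's draft): a federation operator signs a statement about a registry, the registry signs one about the client that nests the operator's statement, the client signs the outermost one, and the provider verifies the whole chain from the single root key it trusts. The statement layout (iss, sub, signing_key, metadata_statement) is a simplification assumed here; the draft carries a JWKS and a map of statements.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// MS is a cut-down metadata statement, constructed for this example (the draft uses a JWKS and a map).
type MS struct {
	Iss        string            `json:"iss"`
	Sub        string            `json:"sub"`
	Metadata   map[string]string `json:"metadata,omitempty"`
	SigningKey []byte            `json:"signing_key,omitempty"`        // key Sub signs the next level with
	Inner      string            `json:"metadata_statement,omitempty"` // superior's signed MS, nested inside
}
var b64 = base64.RawURLEncoding
// Sign wraps a statement in a compact JWS (alg EdDSA): header.payload.signature.
func Sign(ms MS, priv ed25519.PrivateKey) string {
	body, _ := json.Marshal(ms)
	in := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in)))
}
// VerifyChain trusts only the root key; each verified level supplies the key for the level around it.
func VerifyChain(jws string, root ed25519.PublicKey) (MS, error) {
	p := strings.Split(jws, ".")
	if len(p) != 3 {
		return MS{}, errors.New("malformed JWS")
	}
	var ms MS // payload stays untrusted until its signature is checked below
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &ms) != nil {
		return MS{}, errors.New("undecodable payload")
	}
	key := root
	if ms.Inner != "" {
		sup, err := VerifyChain(ms.Inner, root)
		if err != nil {
			return MS{}, err
		}
		if sup.Sub != ms.Iss { // the vouched-for key must belong to this level's issuer
			return MS{}, errors.New("issuer not vouched for by superior: " + ms.Iss)
		}
		key = sup.SigningKey
	}
	if sig, err := b64.DecodeString(p[2]); err != nil || len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, []byte(p[0]+"."+p[1]), sig) {
		return MS{}, errors.New("bad signature on statement about " + ms.Sub)
	}
	return ms, nil
}
```

A getClientConfig hook would call VerifyChain on the statement fetched for the client_id and use the returned metadata only when the chain verifies against the federation root.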
Nested metadata statements (MS) versus a flat list of signed MS: pros and cons?