iiw 16th report at #idcon
IIW #16 Report @nov
http://iiw.idcommons.net/IIW_16_Notes
Mobile SSO - Enterprise
Sascha Preibisch, Layer7
Similar Talk
http://www.slideshare.net/rnewton/xapp-sso-flascellescsa2013
Concept
Store ID Token in “Shared Keychain”
Only for iOS apps
Generate RSA key pair on client side (OPTIONAL)
During white-listed apps by admin
“msso” scope for SSO-enabled ID Token
[Diagram 1: apps A1 and A2, each with a Local Keychain holding its own Access Token and ID Token, plus a Shared Keychain holding the ID Token; A2 takes the ID Token from the Shared Keychain and exchanges it for its own Access Token (steps 1-5).]
[Diagram 2: app A1 with its Local Keychain (Access Token, ID Token) and the Shared Keychain (ID Token); app B1 marked NG (steps 1-2).]
Mobile SSO - Device to Browser
George Fletcher, AOL
Similar Talk
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20121231/002768.html
Concept
“websso” scope
Down scope via token refresh
Pass an ID Token in native app to browser & skip login
Auth @ Google - Next 5 Years
Eric Sachs, Google
Reference
https://docs.google.com/document/d/1r9qnZUehCbtkQR86Wp-sJR2Zu6sHx47queuqmegW2PY
Summary
Past 5 years
Risk-based
2-factor authentication
OpenID
No new passwords!
OAuth
No password sharing!
Good News
Bad News
OpenID Migration is hard
Usability
Account linking issues
https://docs.google.com/document/pub?id=1O7jyQLb7dW6EnJrFsWZDyh0Yq0aFJU5UJ4i5QzYlTjU
Account Recovery is their Achilles heel
Next 5 years
Setup, not Sign-in
Reduce Bearer Tokens
Smarter Hardware
Beyond Bootstrapping
Advanced Combination
Setup, not Sign-in
[Slides: "Login Once" contrasted with "Login Each Time"; next slide shows "Login Once" on both sides, with an OS-level AccountManager]
Reduce Bearer Tokens
Bearer Tokens?
OAuth 2.0 access tokens
JWT bearer tokens
..and session cookies!
CookieID
Self-signed Cookie (probably, like self-issued IdP’s ID Token?)
http://tools.ietf.org/html/draft-balfanz-tls-channelid
Already available on Chrome
chrome://settings/cookies
Smarter Hardware
Authorize a new device by having an existing device talk to it via a cryptographic protocol
U2F (Universal Second Factor)
Open ecosystem of small robust “keychain devices”
FIDO Alliance
http://www.fidoalliance.org
OAuth & JOSE @ BlueButton+
Justin Richer, MITRE
Actual title was “Blue Button and Patient Health Records using OAuth, JOSE”
Reference
http://blue-button.github.io/blue-button-plus-pull/
Concept
OAuth 2.0 Dynamic Client Registration use-case
“Trusted Registration”
BlueButton
ref) http://www.healthit.gov/patients-families/blue-button/about-blue-button
“Blue Button” is a way for you to get easy, secure online access to your health information... America’s health care system is rapidly going digital, and health care providers, insurance companies and others are starting to give patients and consumers access to their health information electronically through “Blue Button”.
BlueButton+ Pull API
OAuth2 API for RESTful access to patient data and bootstrapping DIRECT-based information exchange
ref) http://blue-button.github.io/blue-button-plus-pull/
[Diagram: actors Registry, AuthZ & Resource Server, Resource Owner, Client]
Client “class” and “instance”
“class” is registered to the registry
Registration method is out of scope (e.g. manual)
Establish “registration_jwt” as a JWT Bearer token
“instance” is dynamically registered to the authorization server
OAuth 2.0 Dynamic Client Registration
“registration_jwt” token for “Trusted Registration”
[Diagram: Registry, AuthZ & Resource Server, Resource Owner, Client; the client “class” is trust-registered at the Registry, the “instance” is registered at the authorization server]
Discovery
Registry Discovery @ Registry
Get Registry Endpoints, Public Keys etc.
Providers Discovery @ Registry
Get Trusted Providers List
Provider Discovery @ Provider
Get Single Provider Metadata
Apps Discovery @ Registry
Get Trusted Apps List
[Diagram: Registry, AuthZ & Resource Server, Resource Owner, Client; discovery at the Registry returns Registry Metadata, Trusted Providers and Trusted Apps; discovery at the Provider returns Provider Metadata]
[appendix]
Push Authorization
http://blue-button.github.io/blue-button-plus-pull/#push-authorization