OPENID CONNECT
Ping Identity Education
OAUTH REVIEW
§ Joe wants to buy a song from Tunes Partner.
§ Joe wants to pay with his bank, IDTel.
AND WHAT IF TUNES PARTNER WANTS USER INFORMATION?
“Thanks for your purchase, unknown person!” - and - “I have no metrics on which types of people buy this type of music.”
Versus…
“Thanks for your purchase, Joe!” - and - “We should cater our marketing to 25+ males in the southern United States.”
[Diagram: 3rd Party Client talking to the Authorization Server's AuthZ Endpoint, Token Endpoint and Validation Endpoint; the User authenticates at the AS]

Token endpoint response:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"SlAV32hkKG",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "id_token":"eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ."
}

Base64url-decoding the id_token gives:

"iss": "https://as.idtel.com",
(‘issuer’. Did this come from the right authorization server (AS)?)

"user_id": "24400320",
(Which user did the AS authenticate? Also called “sub” for “subject”. Will decode to “joe”, for instance.)

"aud": "s6BhdRkqt3",
(‘audience’. This should decode to “tunes_partner” – my client_id, so this token was meant for me)

"iat": 1311280970
(‘issued at time’)
ID_TOKENS GIVE THE CLIENT THE USER_ID
§ “Profile” includes:
  – the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.
Copyright © 2015 Ping Identity Corp. All rights reserved.
REQUESTING AN ID_TOKEN – OPENID SCOPE
AUTHORIZE THE OPENID AND PROFILE SCOPES
CLIENT REQUESTS USER INFO FOR THE PROFILE SCOPE
{"sub":"dflutie","birthdate":"01/24/62"}
WEB APPLICATION WITH OPENID CONNECT: FLOW
• Issuing id tokens and claims to a web application

[Diagram: Web app (3rd Party Client) and the Authorization Server's AuthZ Endpoint, Token Endpoint, Validation Endpoint and UserInfo Endpoint, with steps 1–3 numbered on the arrows]

1) Web app launches browser, in which user authenticates to the Authorization Server (and grants authorization)
2) Authorization server returns Auth Code to web app through browser
3) Web app exchanges code for access token and id token

2. OpenID Connect request:
   - Scope: openid
   - “I need the userID”
3. Client receives access token and id token:
   - Doesn’t use/need access token
PINGIDENTITY.COM