Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Key Points

  1. OpenId is an authentication only solution
  2. OpenId is authentication only, can use OAuth2 for authorization
  3. OpenId Connect is current version
  4. Openid Connect ( OIDC ) can interface with DIDs for authentication
  5. OAuth2 implementations provide both authentication and authorization
  6. OAuth2 can grant more authority to an application than needed to authenticate an identity
  7. Pure identity providers only authenticate an identity to a client application for a purpose based on a request from a principal ( an entity or user )

References

...

Widget Connector
urlhttps://www.youtube.com/watch?v=996OiexHze0&t=18s

...

https://speakerdeck.com/nbarbettini/oauth-and-openid-connect-in-plain-english

OAuth_and_OpenID_Connect_in_plain_English_v1.6__KCDC_.pdf

...

An Illustrated Guide to OAuth and OpenID Connect.pdf

https://developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc

...

https://identity.foundation/did-siop/

...

Self-Issued OpenID Connect Provider DID Profile

DIF Working Group Draft

...

https://justinsecurity.medium.com/xyz-compatibility-with-oauth-2-f7b490be536d

Medium article comparing GNAP and OAuth2

...

https://fusionauth.io/blog/2021/01/07/gnap-next-gen-oauth/

GNAP - next gen OAuth2

...

Key Concepts

OpenID and OAuth2 use cases

OpenID for authentication

OAuth2 for delegated authorization

Image Removed

OAuth2

https://en.wikipedia.org/wiki/OAuth

OAuth can be used as an authorizing mechanism to consume secured RSS/ATOM feeds. Consumption of RSS/ATOM feeds that require authentication has always been an issue. For example, an RSS feed from a secured Google Site could not have been consumed using Google Reader. Instead, three-legged OAuth would have been used to authorize that RSS client to access the feed from the Google Site. It can also be used as a means to login without creating an account on any site and all the benefits of the host of the OAuth system.

OpenID

OpenID is for authentication only

Image Removed

Image Removed

OpenID with OAuth Delegated Resource Access

Image Removed

Image Removed

Image Removed

Image Removed

OpenID vs. pseudo-authentication using OAuth

OAuth is an authorization protocol, rather than an authentication protocol. Using OAuth on its own as an authentication method may be referred to as pseudo-authentication.[citation needed] The following diagrams highlight the differences between using OpenID (specifically designed as an authentication protocol) and OAuth for authentication.

The communication flow in both processes is similar:

  1. (Not pictured) The user requests a resource or site login from the application.
  2. The site sees that the user is not authenticated. It formulates a request for the identity provider, encodes it, and sends it to the user as part of a redirect URL.
  3. The user's browser requests the redirect URL for the identity provider, including the application's request
  4. If necessary, the identity provider authenticates the user (perhaps by asking them for their username and password)
  5. Once the identity provider is satisfied that the user is sufficiently authenticated, it processes the application's request, formulates a response, and sends that back to the user along with a redirect URL back to the application.
  6. The user's browser requests the redirect URL that goes back to the application, including the identity provider's response
  7. The application decodes the identity provider's response, and carries on accordingly.
  8. (OAuth only) The response includes an access token which the application can use to gain direct access to the identity provider's services on the user's behalf.

The crucial difference is that in the OpenID authentication use case, the response from the identity provider is an assertion of identity; while in the OAuth authorization use case, the identity provider is also an API p

OpenId vs OAuth2 - comparison flows for authentication

https://en.wikipedia.org/wiki/OAuth#/media/File:OpenIDvs.Pseudo-AuthenticationusingOAuth.svg

OpenID vs. pseudo-authentication using OAuthImage Removed

Compare OAuth2 and OIDC

compare oauth2 and oidc - 2022 **

OAuth_and_OpenID_Connect_in_plain_English_v1.6__KCDC_.pdf file

Potential Value Opportunities

OpenId for Authentication 

https://en.wikipedia.org/wiki/OpenID

OpenID is an open standard and decentralized authentication protocol.

Promoted by the non-profit OpenID Foundation, it allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log into multiple unrelated websites without having to have a separate identity and password for each.[1]

Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign onto any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites according to the OpenID Foundation.[2]

The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (the "relying party").[3] An extension to the standard (the OpenID Attribute Exchange) facilitates the transfer of user attributes, such as name and gender, from the OpenID identity provider to the relying party (each relying party may request a different set of attributes, depending on its requirements).[4]

The OpenID protocol does not rely on a central authority to authenticate a user's identity. Moreover, neither services nor the OpenID standard may mandate a specific means by which to authenticate users, allowing for approaches ranging from the common (such as passwords) to the novel (such as smart cards or biometrics).

The term OpenID may also refer to an identifier as specified in the OpenID standard; these identifiers take the form of a unique Uniform Resource Identifier (URI), and are managed by some "OpenID provider" that handles authentication.[1]

Image Removed

Image Removed

Image Removed

Web Authorization Protocol provides an authorization model for a principal to access an application service 

http://www.potaroo.net/ietf/html/ids-wg-oauth.html

OAuth2 for Authorized Resource Access

OAuth2 use cases

Image Removed

OAuth2 Delegated Authorization Resource Access Flow

Image Removed

OAuth2 Steps

...

Table of Contents

Key Points

  1. OpenId is an authentication only solution
  2. OpenId is authentication only, can use OAuth2 for authorization
  3. OpenId Connect is current version
  4. Openid Connect ( OIDC ) can interface with DIDs for authentication
  5. OAuth2 implementations provide both authentication and authorization
  6. OAuth2 can grant more authority to an application than needed to authenticate an identity
  7. Pure identity providers only authenticate an identity to a client application for a purpose based on a request from a principal ( an entity or user )


References

Reference_description_with_linked_URLs______________________________________Notes___________________________________________________________________
https://wiki.hyperledger.org/display/IWG/Identity+StandardsIdentity Standards List from 2019 - summary info
https://aaronparecki.com/oauth-2-simplified/Good overview of OAuth2 - basic flows - recommend starting here
https://en.wikipedia.org/wiki/OAuthCompare OpenId and OAuth2 for authentication - note risk differences
https://en.wikipedia.org/wiki/OpenIDOpenId summary info
https://oauth.net/2/OAuth2 frameworks listed
http://www.potaroo.net/ietf/html/ids-wg-oauth.htmlIETF protocols for OAuth2 and application requirements for authentication, authorization


Widget Connector
urlhttps://www.youtube.com/watch?v=996OiexHze0&t=18s
OAuth OpenId overview - youtube

https://speakerdeck.com/nbarbettini/oauth-and-openid-connect-in-plain-english

OAuth_and_OpenID_Connect_in_plain_English_v1.6__KCDC_.pdf

OAuth OpenId overview - slide deck

An Illustrated Guide to OAuth and OpenID Connect.pdf

https://developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc

OAuth2 and OpenId ( OIDC ) in pictures **
https://openid.net/developers/specs/OpenID specs list
https://openid.net/specs/openid-connect-core-1_0.htmlOpenID Connect Core
https://www.nginx.com/blog/implementing-openid-connect-authentication-
kubernetes-okta-and-nginx-ingress-controller/?utm_medium=owned-social&utm_source=linkedin&utm_campaign=nx_pgkub
OpenID tutorial using Okta, Nginx, Kubernetes ** Raible
compare oauth2 and oidc - 2022 **


https://identity.foundation/did-siop/


Self-Issued OpenID Connect Provider DID Profile

DIF Working Group Draft







https://developers.google.com/identityGoogle Identity Platform
https://developers.google.com/identity/protocols/oauth2/openid-connectGoogle OpenID Connect
https://developers.google.com/identity/protocols/oauth2/openid-connect#javaGoogle identity platform based on OpenID
https://developers.google.com/identity/protocols/oauth2Using OAuth2 to access Google APIs 
https://developers.google.com/oauthplayground/Google OAuth2 developers playground - interactive


GNAP - an OAuth2 replacement ?

https://justinsecurity.medium.com/xyz-compatibility-with-oauth-2-f7b490be536d

Medium article comparing GNAP and OAuth2

Medium article comparing GNAP and OAuth2

https://fusionauth.io/blog/2021/01/07/gnap-next-gen-oauth/

GNAP - next gen OAuth2

GNAP - next gen OAuth2
ietf-org/archive/id/draft-ietf-gnap-core-protocol-02IETF GNAP spec draft




Key Concepts


OpenID and OAuth2 use cases

OpenID for authentication

OAuth2 for delegated authorization

Image Added


OAuth2

https://en.wikipedia.org/wiki/OAuth

OAuth can be used as an authorizing mechanism to consume secured RSS/ATOM feeds. Consumption of RSS/ATOM feeds that require authentication has always been an issue. For example, an RSS feed from a secured Google Site could not have been consumed using Google Reader. Instead, three-legged OAuth would have been used to authorize that RSS client to access the feed from the Google Site. It can also be used as a means to login without creating an account on any site and all the benefits of the host of the OAuth system.

OpenID

OpenID is for authentication only


Image Added


Image Added


OpenID with OAuth Delegated Resource Access


Image Added



Image Added


Image Added



Image Added



OpenID vs. pseudo-authentication using OAuth

OAuth is an authorization protocol, rather than an authentication protocol. Using OAuth on its own as an authentication method may be referred to as pseudo-authentication.[citation needed] The following diagrams highlight the differences between using OpenID (specifically designed as an authentication protocol) and OAuth for authentication.

The communication flow in both processes is similar:

  1. (Not pictured) The user requests a resource or site login from the application.
  2. The site sees that the user is not authenticated. It formulates a request for the identity provider, encodes it, and sends it to the user as part of a redirect URL.
  3. The user's browser requests the redirect URL for the identity provider, including the application's request
  4. If necessary, the identity provider authenticates the user (perhaps by asking them for their username and password)
  5. Once the identity provider is satisfied that the user is sufficiently authenticated, it processes the application's request, formulates a response, and sends that back to the user along with a redirect URL back to the application.
  6. The user's browser requests the redirect URL that goes back to the application, including the identity provider's response
  7. The application decodes the identity provider's response, and carries on accordingly.
  8. (OAuth only) The response includes an access token which the application can use to gain direct access to the identity provider's services on the user's behalf.

The crucial difference is that in the OpenID authentication use case, the response from the identity provider is an assertion of identity; while in the OAuth authorization use case, the identity provider is also an API p

OpenId vs OAuth2 - comparison flows for authentication

https://en.wikipedia.org/wiki/OAuth#/media/File:OpenIDvs.Pseudo-AuthenticationusingOAuth.svg

OpenID vs. pseudo-authentication using OAuthImage Added


Compare OAuth2 and OIDC

compare oauth2 and oidc - 2022 **

OAuth_and_OpenID_Connect_in_plain_English_v1.6__KCDC_.pdf file



Authentication and Authorizing for WebService/REST API Calls

https://dzone.com/articles/authentication-and-authorizing-for-webservice-rest?edition=596291




Potential Value Opportunities


OpenId for Authentication 

https://en.wikipedia.org/wiki/OpenID

OpenID is an open standard and decentralized authentication protocol.

Promoted by the non-profit OpenID Foundation, it allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log into multiple unrelated websites without having to have a separate identity and password for each.[1]

Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign onto any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites according to the OpenID Foundation.[2]

The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (the "relying party").[3] An extension to the standard (the OpenID Attribute Exchange) facilitates the transfer of user attributes, such as name and gender, from the OpenID identity provider to the relying party (each relying party may request a different set of attributes, depending on its requirements).[4]

The OpenID protocol does not rely on a central authority to authenticate a user's identity. Moreover, neither services nor the OpenID standard may mandate a specific means by which to authenticate users, allowing for approaches ranging from the common (such as passwords) to the novel (such as smart cards or biometrics).

The term OpenID may also refer to an identifier as specified in the OpenID standard; these identifiers take the form of a unique Uniform Resource Identifier (URI), and are managed by some "OpenID provider" that handles authentication.[1]


Image Added



Image Added


Image Added






Web Authorization Protocol provides an authorization model for a principal to access an application service 

http://www.potaroo.net/ietf/html/ids-wg-oauth.html


OAuth2 for Authorized Resource Access


OAuth2 use cases

Image Added



OAuth2 Delegated Authorization Resource Access Flow


Image Added


OAuth2 Steps


OAuth 2.0 Device Authorization GrantOAuth 2.0 Security Best Current PracticeJSON Web Token Best Current PracticesJWT Response for OAuth Token Introspection
OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution



draft-ietf-oauth-pop-key-distribution-07.txt

Date:27/03/2019




Working Group:Web Authorization Protocol (oauth)

Formats:txt xml


RFC 6750 specified the bearer token concept for securing access to protected resources. Bearer tokens need to be protected in transit as well as at rest. When a client requests access to a protected resource it hands-over the bearer token to the resource server. The OAuth 2.0 Proof-of-Possession security concept extends bearer token security and requires the client to demonstrate possession of a key when accessing a protected resource.

OAuth 2.0 Token Exchange



draft-ietf-oauth-token-exchange-16.txt

Date:

Authors:

Working Group:Web Authorization Protocol (oauth)

Formats:xml txt


This specification defines a protocol for an HTTP- and JSON- based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.

The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)



draft-ietf-oauth-jwsreq-17.txt

Date:21/10/2018

Authors:Nat Sakimura, John Bradley

Working Group:Web Authorization Protocol (oauth)

Formats:txt xml
RFC 6750 specified the bearer token concept for securing access to protected resources. Bearer tokens need to be protected in transit as well as at rest. When a client requests access to a protected resource it hands-over the bearer token to the resource server. The OAuth 2.0 Proof-of-Possession security concept extends bearer token security and requires the client to demonstrate possession of a key when accessing a protected resource.


OAuth 2.0 Token Exchangedraft-ietf-oauth-token-exchange-16.txtDate:Authors:Working Group:Web Authorization Protocol (oauth)Formats:xml txtThis specification defines a protocol for an HTTP- and JSON- based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)draft-ietf-oauth-jwsreq-17.txtDate:21/10/2018Authors:Nat Sakimura, John BradleyThe authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that Authorization Request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that (a) the communication through the user agents are not integrity protected and thus the parameters can be tainted, and (b) the source of the communication is not authenticated. Because of these weaknesses, several attacks to the protocol have now been put forward. This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication and confidentiality property of the Authorization Request is attained. The request can be sent by value or by reference.

OAuth 2.0 Device Authorization Grant



draft-ietf-oauth-device-flow-15.txt

Date:

Authors:

Working Group:Web Authorization Protocol (oauth)

Formats:txt xml


The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that Authorization Request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that (a) the communication through the user agents are not integrity protected and thus the parameters can be tainted, and (b) the source of the communication is not authenticated. Because of these weaknesses, several attacks to the protocol have now been put forward. This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication and confidentiality property of the Authorization Request is attained. The request can be sent by value or by reference.Device Authorization Grant is designed for internet- connected devices that either lack a browser to perform a user-agent based authorization, or are input-constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical. It enables OAuth clients on such devices (like smart TVs, media consoles, digital picture frames, and printers) to obtain user authorization to access protected resources without using an on-device user-agent.

OAuth 2.0 Security Best Current Practice



draft-ietf-oauth-security-topics-12.txt

Date:08/03/2019

Authors:

Working Group:Web Authorization Protocol (oauth)

Formats:xml txt


This document describes best current security practice for OAuth 2.0. It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.

OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens



draft-ietf-oauth-devicemtls-flow-1514.txt

Date:11/04/2019

Authors:Brian Campbell, John Bradley, Nat Sakimura, Torsten Lodderstedt

Working Group:Web Authorization Protocol (oauth)

Formats:txt xml
The OAuth 2.0 Device Authorization Grant is designed for internet- connected devices that either lack a browser to perform a user-agent based authorization, or are input-constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical. It enables OAuth clients on such devices (like smart TVs, media consoles, digital picture frames, and printers) to obtain user authorization to access protected resources without using an on-device user-agent.


This document describes OAuth client authentication and certificate- bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token.

JSON Web Token Best Current Practices



draft-ietf-oauth-securityjwt-topicsbcp-1205.txt

Date:0816/0304/2019

Authors:

Working Group:Web Authorization Protocol (oauth)

Formats:xml txt
This document describes best current security practice for OAuth 2.0. It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokensdraft-ietf-oauth-mtls-14.txtDate:11/04/2019Authors:Brian Campbell, John Bradley, Nat Sakimura, Torsten LodderstedtWorking Group:Web Authorization Protocol (oauth)Formats:txt xmlThis document describes OAuth client authentication and certificate- bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token.


JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity, and in other application areas. The goal of this Best Current Practices document is to provide actionable guidance leading to secure implementation and deployment of JWTs.

Resource Indicators for OAuth 2.0



draft-ietf-oauth-resource-indicators-02.txt

Date:28/01/2019

Authors:Brian Campbell, John Bradley, Hannes Tschofenig

Working Group:Web Authorization Protocol (oauth)

Formats:xml txt


An extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client to explicitly signal to an authorization server about the identity of the protected resource(s) to which it is requesting access.

JWT Response for OAuth Token Introspection



draft-ietf-oauth-jwt-introspection-bcpresponse-0502.txt

Date:1619/0402/2019

Authors:

Working Group:Web Authorization Protocol (oauth)

Formats:xml txt
JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity, and in other application areas. The goal of this Best Current Practices document is to provide actionable guidance leading to secure implementation and deployment of JWTs.Resource Indicators for OAuth 2.0draft-ietf-oauth-resource-indicators-02.txtDate:28/01/2019Authors:Brian Campbell, John Bradley, Hannes Tschofenig


Working Group:Web Authorization Protocol (oauth)Formats:xml txtAn extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client to explicitly signal to an authorization server about the identity of the protected resource(s) to which it is requesting access.This draft proposes an additional JSON Web Token (JWT) based response for OAuth 2.0 Token Introspection.

OAuth 2.0 for Browser-Based Apps



draft-ietf-oauth-browser-based-apps-01.txt

Date:

Authors:

Working Group:Web Authorization Protocol (oauth)

Formats:txt xml


OAuth 2.0 authorization requests from browser-based apps must be made using the authorization code grant with the PKCE extension, and should not be issued a client secret when registered. This specification details the security considerations that must be taken into account when developing browser-based applications, as well as best practices for how they can securely implement OAuth 2.0.

JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens



draft-ietf-oauth-jwtaccess-introspectiontoken-responsejwt-0200.txt

Date:1922/0204/2019

Authors:Vittorio Bertocci

Working Group:Formats:
This draft proposes an additional JSON Web Token (JWT) based response for OAuth 2.0 Token Introspection.OAuth 2.0 for Browser-Based Appsdraft-ietf-oauth-browser-based-apps-01.txtDate:Authors:Working Group:Web Authorization Protocol (oauth)Formats:txt xmlOAuth 2.0 authorization requests from browser-based apps must be made using the authorization code grant with the PKCE extension, and should not be issued a client secret when registered. This specification details the security considerations that must be taken into account when developing browser-based applications, as well as best practices for how they can securely implement OAuth 2.0.JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokensdraft-ietf-oauth-access-token-jwt-00.txtDate:22/04/2019Authors:Vittorio BertocciWorking Group:Web Authorization Protocol (oauth)Formats:xml txtThis specification defines a profile for issuing OAuth2 access tokens in JSON web token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in interoperable manner.

Potential Challenges

...

Web Authorization Protocol (oauth)

Formats:xml txt


This specification defines a profile for issuing OAuth2 access tokens in JSON web token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in interoperable manner.



Potential Challenges



Candidate Solutions


FIDO - all passwords replace by passkey from phone 


https://blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/


https://www.theverge.com/2022/5/5/23057646/apple-google-microsoft-passwordless-sign-in-fido


https://fidoalliance.org/what-is-fido/

the problem with passwords and impacts


FIDO

Based on free and open standards from the FIDO Alliance, FIDO Authentication enables password-only logins to be replaced with secure and fast login experiences across websites and apps

supported by Microsoft, Google, Apple

where is AWS?

combine FIDO passkey with MFA for secure access ?? ( theory, reality is if everything on phone there's a SPOF )






Step-by-step guide for Example

...