Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

Key Points

  1. OpenId is an authentication only solution
  2. OpenId is authentication only, can use OAuth2 for authorization
  3. OpenId Connect is current version
  4. Openid Connect ( OIDC ) can interface with DIDs for authentication
  5. OAuth2 implementations provide both authentication and authorization
  6. OAuth2 can grant more authority to an application than needed to authenticate an identity
  7. Pure identity providers only authenticate an identity to a client application for a purpose based on a request from a principal ( an entity or user )


References

Reference_description_with_linked_URLs______________________________________Notes___________________________________________________________________
https://wiki.hyperledger.org/display/IWG/Identity+StandardsIdentity Standards List from 2019 - summary info
https://aaronparecki.com/oauth-2-simplified/Good overview of OAuth2 - basic flows - recommend starting here
https://en.wikipedia.org/wiki/OAuthCompare OpenId and OAuth2 for authentication - note risk differences
https://en.wikipedia.org/wiki/OpenIDOpenId summary info
https://oauth.net/2/OAuth2 frameworks listed
http://www.potaroo.net/ietf/html/ids-wg-oauth.htmlIETF protocols for OAuth2 and application requirements for authentication, authorization


OAuth OpenId overview - youtube

https://speakerdeck.com/nbarbettini/oauth-and-openid-connect-in-plain-english

OAuth_and_OpenID_Connect_in_plain_English_v1.6__KCDC_.pdf

OAuth OpenId overview - slide deck

An Illustrated Guide to OAuth and OpenID Connect.pdf

https://developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc

OAuth2 and OpenId ( OIDC ) in pictures **
https://openid.net/developers/specs/OpenID specs list
https://openid.net/specs/openid-connect-core-1_0.htmlOpenID Connect Core
https://www.nginx.com/blog/implementing-openid-connect-authentication-
kubernetes-okta-and-nginx-ingress-controller/?utm_medium=owned-social&utm_source=linkedin&utm_campaign=nx_pgkub
OpenID tutorial using Okta, Nginx, Kubernetes ** Raible
compare oauth2 and oidc - 2022 **


https://identity.foundation/did-siop/


Self-Issued OpenID Connect Provider DID Profile

DIF Working Group Draft







https://developers.google.com/identityGoogle Identity Platform
https://developers.google.com/identity/protocols/oauth2/openid-connectGoogle OpenID Connect
https://developers.google.com/identity/protocols/oauth2/openid-connect#javaGoogle identity platform based on OpenID
https://developers.google.com/identity/protocols/oauth2Using OAuth2 to access Google APIs 
https://developers.google.com/oauthplayground/Google OAuth2 developers playground - interactive


GNAP - an OAuth2 replacement ?

https://justinsecurity.medium.com/xyz-compatibility-with-oauth-2-f7b490be536d

Medium article comparing GNAP and OAuth2

Medium article comparing GNAP and OAuth2

https://fusionauth.io/blog/2021/01/07/gnap-next-gen-oauth/

GNAP - next gen OAuth2

GNAP - next gen OAuth2
ietf-org/archive/id/draft-ietf-gnap-core-protocol-02IETF GNAP spec draft




Key Concepts


OpenID and OAuth2 use cases

OpenID for authentication

OAuth2 for delegated authorization


OAuth2

https://en.wikipedia.org/wiki/OAuth

OAuth can be used as an authorizing mechanism to consume secured RSS/ATOM feeds. Consumption of RSS/ATOM feeds that require authentication has always been an issue. For example, an RSS feed from a secured Google Site could not have been consumed using Google Reader. Instead, three-legged OAuth would have been used to authorize that RSS client to access the feed from the Google Site. It can also be used as a means to login without creating an account on any site and all the benefits of the host of the OAuth system.

OpenID

OpenID is for authentication only




OpenID with OAuth Delegated Resource Access









OpenID vs. pseudo-authentication using OAuth

OAuth is an authorization protocol, rather than an authentication protocol. Using OAuth on its own as an authentication method may be referred to as pseudo-authentication.[citation needed] The following diagrams highlight the differences between using OpenID (specifically designed as an authentication protocol) and OAuth for authentication.

The communication flow in both processes is similar:

  1. (Not pictured) The user requests a resource or site login from the application.
  2. The site sees that the user is not authenticated. It formulates a request for the identity provider, encodes it, and sends it to the user as part of a redirect URL.
  3. The user's browser requests the redirect URL for the identity provider, including the application's request
  4. If necessary, the identity provider authenticates the user (perhaps by asking them for their username and password)
  5. Once the identity provider is satisfied that the user is sufficiently authenticated, it processes the application's request, formulates a response, and sends that back to the user along with a redirect URL back to the application.
  6. The user's browser requests the redirect URL that goes back to the application, including the identity provider's response
  7. The application decodes the identity provider's response, and carries on accordingly.
  8. (OAuth only) The response includes an access token which the application can use to gain direct access to the identity provider's services on the user's behalf.

The crucial difference is that in the OpenID authentication use case, the response from the identity provider is an assertion of identity; while in the OAuth authorization use case, the identity provider is also an API p

OpenId vs OAuth2 - comparison flows for authentication

https://en.wikipedia.org/wiki/OAuth#/media/File:OpenIDvs.Pseudo-AuthenticationusingOAuth.svg

OpenID vs. pseudo-authentication using OAuth


Compare OAuth2 and OIDC

compare oauth2 and oidc - 2022 **

OAuth_and_OpenID_Connect_in_plain_English_v1.6__KCDC_.pdf file



Potential Value Opportunities


OpenId for Authentication 

https://en.wikipedia.org/wiki/OpenID

OpenID is an open standard and decentralized authentication protocol.

Promoted by the non-profit OpenID Foundation, it allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log into multiple unrelated websites without having to have a separate identity and password for each.[1]

Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign onto any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites according to the OpenID Foundation.[2]

The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (the "relying party").[3] An extension to the standard (the OpenID Attribute Exchange) facilitates the transfer of user attributes, such as name and gender, from the OpenID identity provider to the relying party (each relying party may request a different set of attributes, depending on its requirements).[4]

The OpenID protocol does not rely on a central authority to authenticate a user's identity. Moreover, neither services nor the OpenID standard may mandate a specific means by which to authenticate users, allowing for approaches ranging from the common (such as passwords) to the novel (such as smart cards or biometrics).

The term OpenID may also refer to an identifier as specified in the OpenID standard; these identifiers take the form of a unique Uniform Resource Identifier (URI), and are managed by some "OpenID provider" that handles authentication.[1]










Web Authorization Protocol provides an authorization model for a principal to access an application service 

http://www.potaroo.net/ietf/html/ids-wg-oauth.html


OAuth2 for Authorized Resource Access


OAuth2 use cases



OAuth2 Delegated Authorization Resource Access Flow



OAuth2 Steps


OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution


draft-ietf-oauth-pop-key-distribution-07.txt

Date:27/03/2019




Working Group:Web Authorization Protocol (oauth)

Formats:txt xml
RFC 6750 specified the bearer token concept for securing access to protected resources. Bearer tokens need to be protected in transit as well as at rest. When a client requests access to a protected resource it hands-over the bearer token to the resource server. The OAuth 2.0 Proof-of-Possession security concept extends bearer token security and requires the client to demonstrate possession of a key when accessing a protected resource.

OAuth 2.0 Token Exchange


draft-ietf-oauth-token-exchange-16.txt

Date:

Authors:

Working Group:Web Authorization Protocol (oauth)

Formats:xml txt
This specification defines a protocol for an HTTP- and JSON- based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.

The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)


draft-ietf-oauth-jwsreq-17.txt

Date:21/10/2018

Authors:Nat Sakimura, John Bradley

Working Group:Web Authorization Protocol (oauth)

Formats:txt xml
The authorization request in OAuth 2.0 described in RFC 6749 utilizes query parameter serialization, which means that Authorization Request parameters are encoded in the URI of the request and sent through user agents such as web browsers. While it is easy to implement, it means that (a) the communication through the user agents are not integrity protected and thus the parameters can be tainted, and (b) the source of the communication is not authenticated. Because of these weaknesses, several attacks to the protocol have now been put forward. This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication and confidentiality property of the Authorization Request is attained. The request can be sent by value or by reference.

OAuth 2.0 Device Authorization Grant


draft-ietf-oauth-device-flow-15.txt

Date:

Authors:

Working Group:Web Authorization Protocol (oauth)

Formats:txt xml
The OAuth 2.0 Device Authorization Grant is designed for internet- connected devices that either lack a browser to perform a user-agent based authorization, or are input-constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical. It enables OAuth clients on such devices (like smart TVs, media consoles, digital picture frames, and printers) to obtain user authorization to access protected resources without using an on-device user-agent.

OAuth 2.0 Security Best Current Practice


draft-ietf-oauth-security-topics-12.txt

Date:08/03/2019

Authors:

Working Group:Web Authorization Protocol (oauth)

Formats:xml txt
This document describes best current security practice for OAuth 2.0. It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.

OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens


draft-ietf-oauth-mtls-14.txt

Date:11/04/2019

Authors:Brian Campbell, John Bradley, Nat Sakimura, Torsten Lodderstedt

Working Group:Web Authorization Protocol (oauth)

Formats:txt xml
This document describes OAuth client authentication and certificate- bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token.

JSON Web Token Best Current Practices


draft-ietf-oauth-jwt-bcp-05.txt

Date:16/04/2019

Authors:

Working Group:Web Authorization Protocol (oauth)

Formats:xml txt
JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity, and in other application areas. The goal of this Best Current Practices document is to provide actionable guidance leading to secure implementation and deployment of JWTs.

Resource Indicators for OAuth 2.0


draft-ietf-oauth-resource-indicators-02.txt

Date:28/01/2019

Authors:Brian Campbell, John Bradley, Hannes Tschofenig

Working Group:Web Authorization Protocol (oauth)

Formats:xml txt
An extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client to explicitly signal to an authorization server about the identity of the protected resource(s) to which it is requesting access.

JWT Response for OAuth Token Introspection


draft-ietf-oauth-jwt-introspection-response-02.txt

Date:19/02/2019

Authors:

Working Group:

Formats:
This draft proposes an additional JSON Web Token (JWT) based response for OAuth 2.0 Token Introspection.

OAuth 2.0 for Browser-Based Apps


draft-ietf-oauth-browser-based-apps-01.txt

Date:

Authors:

Working Group:Web Authorization Protocol (oauth)

Formats:txt xml
OAuth 2.0 authorization requests from browser-based apps must be made using the authorization code grant with the PKCE extension, and should not be issued a client secret when registered. This specification details the security considerations that must be taken into account when developing browser-based applications, as well as best practices for how they can securely implement OAuth 2.0.

JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens


draft-ietf-oauth-access-token-jwt-00.txt

Date:22/04/2019

Authors:Vittorio Bertocci

Working Group:Web Authorization Protocol (oauth)

Formats:xml txt
This specification defines a profile for issuing OAuth2 access tokens in JSON web token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in interoperable manner.



Potential Challenges



Candidate Solutions



Step-by-step guide for Example



sample code block

sample code block
 



Recommended Next Steps



  • No labels