Introduction: User Account Systems

The hack that makes Internet Identity possible

Which face are you presenting to the world?

Human -> Emails -> Local IDs -> Passwords

The Weakest link

So what happened in 2008?

Secure mashups

Chapter 1: Account Chooser

Requirements

The Account Chooser Experience

Central Account Chooser

Local Account Chooser

Local + Central

Email providers and Account Choosers

Passwords and Account Choosers

Chapter 2: Mobile/Desktop Apps

Chapter 3: What is an Identity Provider?

Chapter 4: Baby steps to passwordless login

Chapter 5: Identity Providers and Email Providers

Account Chooser without passwords

The Email Attribute

Full Rollout

Login with a button

Session Lifetime

Persistent or Session Cookies

Cookie lifetime

Single Sign Out

Chapter 6: Popular Identity Providers and Social Login

The good, the bad, and the ugly

Account Chooser and Popular Identity Providers

Login with a button

Account Linking Wizard

Chosen account has no IDP

IDPs that do not assert Email address

Per-RP IDs

Chapter 7: Consuming APIs

Chapter 8: Local Social Graph

Chapter 9: Certification of Providers

Chapter 10: Exposing APIs

Chapter 11: Relationship Managers

What are the advantages?

Examples

Chapter 12: Relationship Guides

Chapter 13: Identity Verification and Attribute Providers

Chapter 14: Stronger authentication for users

Phishing protection

Mixed Strong Authentication

Economics of consumer strong authentication

Chapter 15: Stronger authentication for robots

Robots and Dynamic Registration

Chapter 16: Conclusion

---

John Bradley / ve7jtb

written 2 hours ago

Yes the idea is that other flows like “JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0” can be used.

A extension document probably needs to be written for each additional flow.

Authorization Requests follow two main paths to obtain Access Tokens and ID Tokens, the Implicit Flow and the Authorization Code Flow.

Looks no. Draft should be slightly changed ?

This checkin is intended to be the last set of individual submissions of the JWS, JWE, and JWK drafts before they are refactored and submitted to the JOSE WG as working group drafts. The primary changes requested by the JOSE WG but not yet done are to break the algorithm profiles and identifiers out into a new spec and to rework the terminology in the signature spec to use different terms for digital signature and HMAC integrity operations.

See the Document History sections of each document for a detailed description of the changes made. These documents are available at:

• http://tools.ietf.org/html/draft-jones-simple-web-discovery-02
• http://tools.ietf.org/html/draft-jones-json-web-token-07
• http://tools.ietf.org/html/draft-jones-json-web-signature-04
• http://tools.ietf.org/html/draft-jones-json-web-encryption-02
• http://tools.ietf.org/html/draft-jones-json-web-key-03
• http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03

HTML-formatted versions are available at:

• http://self-issued.info/docs/draft-jones-simple-web-discovery-02.html
• http://self-issued.info/docs/draft-jones-json-web-token-07.html
• http://self-issued.info/docs/draft-jones-json-web-signature-04.html
• http://self-issued.info/docs/draft-jones-json-web-encryption-02.html
• http://self-issued.info/docs/draft-jones-json-web-key-03.html
• http://self-issued.info/docs/draft-jones-oauth-jwt-bearer-03.html

Holder-of-Key JWS¶

by HDKNR

For higher LoA, OpenID Connect with JWS may support holder-of-key tokens, and Connect request may support TLS with client certificates. Mimicking some great SAML works is easy to do those : SAML V2.0 Holder-of-Key Assertion Profile Version 1.0 and SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0 .

JWS¶

JWS is easily extended to include a holder-of-key info, i,e, X.509 Data in SAML HoK. I’m not sure if we have to provide multiple X.509 Data in a single JWS token now. JWS Header may have “sbj”, which means “subject confirmation” and is equal to <saml:SubjectConfirmationData> in SAML HoK.

“sbj” claims contains JSON object in which describes a certificate for the “atesting entity”. “atesting entity” can be an End-User if the JWS token is an Identity Token(id_token) of Connect, also a Relying Party if the JWS token is Access Token(access_token) of OAuth.

JWS with “sbj” looks like this:

{ "alg": "RS256", "typ": "access_token", "x5u": "public key url for issuing party(authz server)", "sbj": { "x5c": "copy of OAuth client's certificate" } }

“sbj” must one of 4 claims if we follow the SAML HoK:

1. “x5c”

   Base64url encoding copy of atesting entity’s X.509 certificate.

2. “x5i”

   Copy of “Subject Key Identitier” in atesting entity’s X.509 certificate.

3. “x5s”

   Serial number isseud by a Certificate Authority in atesting entity’s X.509 certificate.

4. “x5n”

   Copy of “DN(Distinguished Name)” in atesting entity’s X.509 certificate.

“x5c” is best for server entities to validate holder-of-key, but too big for a JWS token. “x5i” > “x5s” > “x5n” may be the best order in rest. But “x5i” is only for certificates which inlcude extended parameter. So “x5s” may be MUST if entities in a OAuth/Connect circle support holder-of-key.

Endpoints¶

OAuth and Connect endpoints SHOULD accept TLS with client certifaictes if they supoort holder-of-key validation. Such endpoints may be Authorization endpoints, Token endpoints,Resource endpoints and Request Registraton endpoinst of Connect. Endpoints may simplly follow the SAML HoK tao.

Implict Flow¶

If the case is without a Request Registration of Connect, there is no chance for an issuer(Authz Server) to check the Relying Party’s client certificate for the Implicit Flow. If an issuer thinks of the registered certificate as the valid X.509 certificate, it may work.

If a case is for javascript access to resource with HoK-ed JWS access token, JWS ‘sbj‘ is for End-User(‘s User Agent). That needs some tricky selection flow at Authorization Endpoint.