MODRNA WG
The interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect
May 9, 2017
Bjorn Hjelm
Verizon
Torsten Lodderstedt
YES Europe AG
http://openid.net/wg/mobile/
Purpose
• GSMA created Mobile Connect for secure universal digital
authentication leveraging OpenID Connect.
• OpenID Foundation MODRNA WG created to support this
evolution.
– Stands for Mobile Operator Discovery, Registration, aNd
Authentication
– Developing (1) a profile of and (2) an extension to OpenID
Connect for use by MNOs providing identity services.
– Serve as technical input to Mobile Connect development.
– OIDF's IPR framework ensures that all specifications can be freely implemented.
– WG members from OpenID community as well as MNOs.
• Deutsche Telekom, Ping Identity, Orange, Verizon Wireless, Telefonica,
Telenor, Telstra, GlobalSign.
What is Mobile Connect?
• Mobile phone number as user identifier
• Mobile phone as authenticator
• MNO as authentication/identity provider
• Replace passwords and hardware security tokens
Example Use Case
Mobile Connect Services
Enablers
Mobile Connect Reference Architecture
1. The user clicks on a Mobile Connect button to access a service.
2. The service provider requests the authenticating operator from the API Exchange.
3. The service provider makes a request for authentication.
4. The operator selects the appropriate authenticator depending on the requested level of assurance and the device capabilities:
• SIM Applet
• USSD
• SMS
• Smartphone App
• FIDO
Diagram components: Service Provider, MNO Discovery, MNO (Identity Gateway, Authentication server). Flows: Service access request, Authentication request, Authentication.
MODRNA WG
(Same reference architecture diagram as the preceding slide, annotated with the callouts 1, 2 and 3 and "Set up credentials".)
MODRNA Specifications
• Discovery
– http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-discovery-01.html
– Dedicated discovery service
– Account Chooser integration
• Client Registration
– http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-registration-01.html
– OIDC Dynamic Client Registration with software statements (as defined in RFC 7591)
– Mandatory claims in the statements
– Signature algorithms
– Lifecycle management, e.g. revocation of statements/blocking of RPs
• Authentication
– http://openid.net/specs/openid-connect-modrna-authentication-1_0.html
– ACR values
– Additional parameters
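As an added example (not code from the slides or from the MODRNA registration draft), here is an OP-side registration handler that applies the checks the Client Registration bullets list: it verifies the software statement's signature with a pinned algorithm, requires a fixed set of claims, rejects expired statements and revoked software_ids, and lets metadata from the statement override conflicting metadata in the plain request, as RFC 7591 requires. The issuer URL, the required-claim set, the HS256 shared key and the https-only redirect-URI policy are assumptions made for this example; a production statement issuer signs with an asymmetric key and the OP verifies with the issuer's public key.

```python
"""Toy OP-side dynamic client registration with a signed software statement.

HS256 with a shared key is used only so the example runs with the standard
library; a real issuer signs with an asymmetric key.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed policy values for this example, not taken from the MODRNA draft.
TRUSTED_ISSUER = "https://statements.example.test"
REQUIRED_CLAIMS = ("iss", "exp", "software_id", "client_name", "redirect_uris")
REVOKED_SOFTWARE_IDS = set()   # lifecycle management: blocked RPs


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(claims, key):
    """Issuer side: HS256 JWS compact serialisation of the statement."""
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"


def jws_verify(token, key):
    """OP side: verify the signature with a pinned algorithm.

    The algorithm comes from local policy, not from the token header;
    trusting the header lets an attacker downgrade to alg=none.
    """
    head, body, sig = token.split(".")
    if json.loads(_b64u_dec(head)).get("alg") != "HS256":
        raise ValueError("unsupported alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _b64u_dec(sig)):
        raise ValueError("bad software statement signature")
    return json.loads(_b64u_dec(body))


def register_client(request, issuer_key, now=None):
    """Handle a registration request carrying a software_statement.

    Returns the registered client metadata or raises ValueError.
    """
    now = time.time() if now is None else now
    stmt = jws_verify(request["software_statement"], issuer_key)
    missing = [c for c in REQUIRED_CLAIMS if c not in stmt]
    if missing:
        raise ValueError(f"software statement missing claims {missing}")
    if stmt["iss"] != TRUSTED_ISSUER:
        raise ValueError("software statement from untrusted issuer")
    if stmt["exp"] < now:
        raise ValueError("software statement expired")
    if stmt["software_id"] in REVOKED_SOFTWARE_IDS:
        raise ValueError("software_id has been revoked")
    if any(not uri.startswith("https://") for uri in stmt["redirect_uris"]):
        raise ValueError("redirect_uris must be https")
    # RFC 7591: metadata carried in the software statement takes precedence
    # over conflicting plain metadata, so an RP cannot register a
    # redirect_uri the statement issuer never vouched for.
    metadata = {k: v for k, v in request.items() if k != "software_statement"}
    metadata.update({k: stmt[k] for k in ("client_name", "redirect_uris", "software_id")})
    metadata["client_id"] = secrets.token_urlsafe(16)
    metadata["client_secret"] = secrets.token_urlsafe(32)
    return metadata
```

Blocking an RP later is a matter of adding its software_id to the revocation set; any re-registration with the same statement then fails, and an OP would also disable the client_ids it previously issued for that software_id.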
Auxiliary MODRNA Work
• Client Initiated Backchannel Authentication
– http://openid.net/specs/openid-connect-modrna-client-initiated-backchannel-authentication-1_0.html
– Mechanism to perform authentication out of band when no user agent is available and the authentication process has to be initiated via server-to-server communication
• User Questioning API
– http://openid.net/specs/openid-connect-user-questioning-api-1_0.html
– Mechanism to perform transaction authorizations. Defines an additional OpenID Connect endpoint (a Resource Server) that the RP calls server-to-server to initiate a transaction authorization process
• Account Porting
– http://openid.net/specs/openid-connect-account-porting-1_0.html
– Mechanism to allow the migration of a user account from an old OP to a new OP
– Protocol allowing the new OP to obtain the necessary user data from the old OP and to provide every RP with the data needed to migrate the RP's local user account data in a secure way
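The following is an added example, not code from the CIBA draft or from any Mobile Connect implementation: a simulated poll-mode backchannel exchange in which both the MNO's OP and the RP run in one process. It shows the request an RP makes when it has no user agent, the binding message relayed to the user's phone, the authorization_pending / slow_down / expired_token responses the RP has to handle while polling the token endpoint, the single-use auth_req_id, and the RP-side check that the returned acr is one of the values it asked for (a Mobile Connect style LoA value, here "3"). The grant-type URN (taken from the later OpenID CIBA Core specification rather than the 2017 MODRNA draft), the 20-character binding-message limit, the login_hint format, the ACR value and the client and issuer identifiers are assumptions.

```python
"""Simulated CIBA exchange, poll mode. Everything runs in one process;
parameter and error names follow OpenID CIBA Core, URN and limits assumed."""
import secrets

GRANT_TYPE = "urn:openid:params:grant-type:ciba"   # assumed (CIBA Core value)
MAX_BINDING_MESSAGE = 20                            # assumed display limit


class FakeClock:
    """Deterministic time so the polling rules can be exercised offline."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class BackchannelOP:
    """The MNO's OP: backchannel authentication endpoint plus token endpoint."""

    def __init__(self, clock, ttl=120, interval=5):
        self.clock, self.ttl, self.interval = clock, ttl, interval
        self.pending = {}   # auth_req_id -> request state

    def backchannel_authentication(self, client_id, scope, login_hint,
                                   binding_message, acr_values):
        # Client authentication (e.g. private_key_jwt) is assumed to have
        # happened before this point.
        if "openid" not in scope.split():
            return {"error": "invalid_scope"}
        if not binding_message or len(binding_message) > MAX_BINDING_MESSAGE:
            return {"error": "invalid_binding_message"}
        auth_req_id = secrets.token_urlsafe(24)
        self.pending[auth_req_id] = {
            "client_id": client_id, "login_hint": login_hint,
            "binding_message": binding_message, "acr_values": acr_values,
            "outcome": None, "expires": self.clock.now() + self.ttl,
            "last_poll": None,
        }
        return {"auth_req_id": auth_req_id, "expires_in": self.ttl,
                "interval": self.interval}

    def prompt_for_authenticator(self, auth_req_id):
        """What the OP pushes to the phone (SIM applet, app, FIDO, ...). The
        binding_message lets the user match the prompt to the RP's screen."""
        st = self.pending[auth_req_id]
        return {"to": st["login_hint"], "client": st["client_id"],
                "binding_message": st["binding_message"],
                "required_acr": st["acr_values"]}

    def authenticator_result(self, auth_req_id, approved, acr=None):
        """The authenticator on the phone reports the user's decision."""
        self.pending[auth_req_id]["outcome"] = ("approved", acr) if approved else ("denied", None)

    def token(self, client_id, grant_type, auth_req_id):
        if grant_type != GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        st = self.pending.get(auth_req_id)
        if st is None or st["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock.now()
        if now > st["expires"]:
            del self.pending[auth_req_id]
            return {"error": "expired_token"}
        if st["last_poll"] is not None and now - st["last_poll"] < self.interval:
            return {"error": "slow_down"}      # RP must back off
        st["last_poll"] = now
        if st["outcome"] is None:
            return {"error": "authorization_pending"}
        status, acr = st["outcome"]
        del self.pending[auth_req_id]          # auth_req_id is single-use
        if status == "denied":
            return {"error": "access_denied"}
        # A real OP returns a signed ID token; the claims are shown decoded.
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "id_token": {"iss": "https://op.example.test", "aud": client_id,
                             "sub": "subject-for-" + st["login_hint"], "acr": acr}}


def acr_satisfies_request(id_token, acr_values):
    """RP-side downgrade check: accept only an acr the RP actually asked for."""
    return id_token.get("acr") in acr_values.split()


def run_demo():
    """Scripted walk through the exchange; returns the sequence of outcomes."""
    clock, events = FakeClock(), []
    op = BackchannelOP(clock)
    client_id, acr_values = "callcentre-rp", "3"
    start = op.backchannel_authentication(client_id, "openid", "tel:+15550100",
                                          "AB-13-XY", acr_values)
    req_id, interval = start["auth_req_id"], start["interval"]
    clock.sleep(interval)
    events.append(op.token(client_id, GRANT_TYPE, req_id)["error"])   # user not answered yet
    events.append(op.token(client_id, GRANT_TYPE, req_id)["error"])   # polled again too soon
    interval += 5
    prompt = op.prompt_for_authenticator(req_id)
    op.authenticator_result(req_id, approved=prompt["binding_message"] == "AB-13-XY", acr="3")
    clock.sleep(interval)
    tok = op.token(client_id, GRANT_TYPE, req_id)
    events.append("ok" if acr_satisfies_request(tok["id_token"], acr_values) else "acr_downgraded")
    events.append(op.token(client_id, GRANT_TYPE, req_id)["error"])   # replayed auth_req_id
    return events
```

run_demo() yields authorization_pending, then slow_down for the premature second poll, then a successful token exchange once the user has confirmed the binding message on the phone, and finally invalid_grant when the already-consumed auth_req_id is replayed. The acr check matters because the OP, not the RP, picks the authenticator; an RP that asked for LoA 3 and silently accepted an LoA 2 result would be trusting a weaker authentication than it required.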
MODRNA WG Status
• Following four specifications moved to Implementer’s Draft
– MODRNA Authentication Profile
– Account Porting
– User Questioning API
– Client Initiated Backchannel Authentication
• Based on discussions with GSMA, new work initiated on
Synchronous and Asynchronous JSON Web Token (JWT) Assertion
Profile for OAuth 2.0 Authorization Grants
– Specification defines the use of a JSON Web Token (JWT) bearer token as a means of requesting an OAuth 2.0 access token, both synchronously and asynchronously
• Collaboration with GSMA continues and next joint MODRNA –
GSMA technical workshop planned for May 11-12 in Amsterdam
– Focus on backchannel authentication use cases and proposals
Thank you
http://openid.net/wg/mobile/
OpenID Foundation Workshop at EIC2017