idcom mini Vol.1で頭だしをするための資料

1. OpenID Connect
Aggregated and Distributed
Claims
@ritou
2012/11/29
idcon mini Vol.1

2. 内容
 仕様
 ユースケース
 意見交換
idcon mini Vol.1 - OpenID Connect Aggregated and Distributed Claims 2

3. 仕様
 Normal Claims
 Claims that are directly asserted by the OpenID Provider.
 Aggregated Claims
 Claims that are asserted by a Claims Provider other than the OpenID Provider
but are returned by OpenID Provider.
 Distributed Claims
 Claims that are asserted by a Claims Provider other than the OpenID Provider
but are returned as references by the OpenID Provider.
idcon mini Vol.1 - OpenID Connect Aggregated and Distributed Claims 3

4. idcon mini Vol.1 - OpenID Connect Aggregated and Distributed Claims 4

5. Aggregated Claims
idcon mini Vol.1 - OpenID Connect Aggregated and Distributed Claims 5

6. Distributed Claims
idcon mini Vol.1 - OpenID Connect Aggregated and Distributed Claims 6

7. Aggregated Claims
 OPが別のClaims Providerから受け取ってい  OPはJWT形式でUserInfoレスポンスに含む
たClaims {
{
"name": "Jane Doe",
"address": { …
"street_address": "1234 Hollywood Blvd.", "_claim_names": {
"locality": "Los Angeles",
"address": "src1",
"region": "CA", "phone_number": "src1“
"postal_code": "90210", },
"country": “US"},
"_claim_sources": {
"phone_number": "+1 (310) 123-4567" "src1": {"JWT":
} "jwt_header.jwt_part2.jwt_part3"}
}
}
idcon mini Vol.1 - OpenID Connect Aggregated and Distributed Claims 7

8. Distributed Claims
 OPが別のClaims Providerから受け取ってい  OPはEndpoint, AccessTokenをUserInfoレスポ
たClaims ンスに含む
例：公開情報 {…
{ "_claim_names": {
"address": { "address": "src1",
"street_address": "1234 Hollywood Blvd.", “credit_score": "src2“
"locality": "Los Angeles", },
"region": "CA", "_claim_sources": {
"postal_code": "90210", "src1": {"endpoint":
"https://addressbook.example.com/claims"},
"country": “US"},
} "src2": {"endpoint":
"https://credit.example.com/claims",
例：非公開情報 "access_token": "ksj3n283dke"}
｛"credit_score": "650"｝ }
}
idcon mini Vol.1 - OpenID Connect Aggregated and Distributed Claims 8

9. 特徴
 Aggregated Claims
 OPが動的に取得もしくはキャッシュしておく
 RPは一度のリソースアクセスで取得可能
 Distributed Claims
 OPはクレームの値を直接扱わない
 OPはアクセスしようとおもえばできる
 センシティブな情報を扱うのに適している？
 RPは複数のリソースアクセスが必要
idcon mini Vol.1 - OpenID Connect Aggregated and Distributed Claims 9

10. ユースケース : 多段 OpenID Connect
idcon mini Vol.1 - OpenID Connect Aggregated and Distributed Claims 10

11. ユースケースは他にもありそう
 企業内のシステム連携？
 人事データ、外部ASPサービス、個人のスケジュールやタスクとの連携
idcon mini Vol.1 - OpenID Connect Aggregated and Distributed Claims 11

12. 意見交換タイム
idcon mini Vol.1 - OpenID Connect Aggregated and Distributed Claims 12