1. @nov
Identity in Your Device

2. OS, Browser, Mobile Apps

3. Self-Issued OpenID Provider
Personal OP that issues self-signed ID Tokens
No central IdP servers
Defined in OpenID Connect Messages
http://j.mp/self-issued
Available any apps / devices with secure strage
e.g. iOS app with Keychain

4. 1) Launches “openid://?client_id=client://callback&..”
No discovery (static OP config)
No client registration (client_id = redirect_uri)
2) End-user approval
3) Self-issued ID Token generation
Generate RSA key pair on the device (only once)
“sub” is automatically calculated by the public key
4) Back to “client://callback#id_token=...”
No API available, thus No Access Token
5) ID Token Verification

5. Static OP Config

6. The sub (subject) Claim value is
the base64url encoded SHA-256 hash of
the concatenation of the bytes of
the UTF-8 representations of
the base64url encoded key values
in the sub_jwk Claim.
OpenID Connect Messages
dra,18 Section 6.5

8. JWK - JSON Web Key

9. “sub” calculated from JWK
Hash of them

10. Self-Issued ID Token

11. Device specific key pair
↓
Device specific ID Token

12. No verified emails
No verified profile

13. Holder of Key

14. twitter.com/nov
slideshare.net/matake
github.com/nov