[Openid-specs-fapi] Presentation about hypermedia login API

Nat Sakimura nat at nat.consulting
Wed Feb 17 13:03:11 UTC 2021 

Sorry for not coming back earlier.
I have prepared a folder for this purpose.
https://bitbucket.org/openid/fapi/src/master/sg_hml/

Hopefully, you can start using it.

Best,

Nat

On Thu, Feb 11, 2021 at 12:50 AM Travis Spencer via Openid-specs-fapi <
openid-specs-fapi at lists.openid.net> wrote:

> Thank you all for the discussion today on the meeting. I really
> appreciated your time and inputs.
>
> Here's a nicer formatted version of the preso:
> https://travisspencer.com/articles/fapi-wg-preso/ It includes a small
> change to the last slide about next steps.
>
> Nat, you said I had the action item of creating the subgroup within
> FAPI to start drafting a doc (or two or three). Can you help me with
> the particulars of that?
>
> On Tue, Feb 9, 2021 at 5:24 PM Travis Spencer <travis at curity.io> wrote:
> >
> > In the summer, I emailed the list about working on a new protocol that
> > would facilitate strong login without requiring a browser[1]. Since
> > then, I've been talking with Mike Schwartz, Nat, and others about
> > this. To move this conversation forward, I would like to talk through
> > the following presentation[2] on tomorrow's Atlantic call. Please have
> > a look beforehand if you have a moment.
> >
> > Talk to you all tomorrow.
> >
> > [1]
> https://lists.openid.net/pipermail/openid-specs-fapi/2020-August/002037.html
> > [2] It's in Asciidoc format in case the syntax isn't familiar
> >
> > = Hypermedia Authentication API
> >
> > == Agenda
> >
> > * Requirements
> > * Brief overview of solution
> > * More info
> >
> > [small]#Slide 1#
> >
> > == Our Customers' Demands
> >
> > * Non-browser-based login and authorization
> > * Integration between OP and RP on different domains without cookies
> > * As secure as browser-based solution (or more so)
> > * Existing deployments keep working as-is
> >
> > [small]#Slide 2#
> >
> > == OpenID Connect is a Hypermedia API
> >
> > * All Websites are hypermedia (i.e., REST) APIs, ∴ OpenID Connect is a
> > hypermedia API
> > * Simplify non-browser-based login and consent by:
> > [arabic]
> > .. Replace HTML hypermedia representation with JSON
> > .. Attest to the client's provenance
> >
> > [small]#Slide 3#
> >
> > == App Provenance
> >
> > * Provenance == origin (i.e., provider) of RP
> > * Traditionally verified by control of redirect URI
> > * Provenance verification happens at flow's end
> > * Deep linking required on mobile (PKCE isn't enough)
> > * New tools available to ascertain origin on modern mobile devices
> >
> > [small]#Slide 4#
> >
> > == Proving Provenance
> >
> > * Modern mobile devices have Hardware Security Modules (HSM) built-in
> > * Can be used to sign a challenge
> > * Verifiable up to trusted root
> > * DPoP allows all login API calls to be tied to attested RP
> > * Establishes provenance prior to or instead of redirection
> >
> > [small]#Slide 5#
> >
> > == Flow Used to Prove Provenance
> >
> > [ditta]
> > ....
> >                                                         Get
> >                                                +-(A)-Challenge----+
> >     Authorization
> >                                                |                  |
> >        Server
> >                                                v                  |
> > +-------------------+
> > +---------------+   (B) Request   +------------+---+              v
> > | +---------------+ |
> > |               +<--attestation---+
> > +------(D)---->o-----|  CAT endpoint | |
> > |  Attestation  |                 |  OAuth Client  |  Attestation |
> > | +---------------+ |
> > |    System     |                 |  Application   |              |
> > |                   |
> > |               +-------(C)------>+                +<--(E)-CAT----+
> > |                   |
> > +---------------+   Attestation   +---+----+---+---+
> > |                   |
> >                                       |    ^   |
> > | +---------------+ |
> >                                       |    |
> > +---(F)-CAT------>o------|Token endpoint | |
> >                                       |    |                     |
> > | +---------------+ |
> >                                       |    +-(G)-AAT-------------+
> > |                   |
> >                                       |
> > | +---------------+ |
> >
> > +----(H)-AAT-------------->o------|Login endpoints| |
> >
> > | +---------------+ |
> >
> > +-------------------+
> > ....
> >
> > * CAT is sent to token endpoint using client assertion framework
> > * API calls to login API are protected with sender-constrained access
> token
> >
> > [small]#Slide 6#
> >
> > == Adapting to First- or Third-party Provenance
> >
> > * Provenance establishes whether RP is from first- or third-party
> provider
> > * OP can adapt login methods based on this
> > * Hypermedia allows support for any kind of credential (incl.
> short-lived ones)
> > ** First-party: End user can provide all factors (same as OP in system
> browser)
> > ** Third-party: End user cannot provide all factors, consent may be
> > verified out of band
> >
> > [small]#Slide 7#
> >
> > == More Info
> >
> > * Very short summary
> > * See https://travisspencer.com/articles/hypermedia-api-resources/[my
> > website] for an ever-growing list of resources
> >
> > [small]#Slide 8#
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>


-- 
Nat Sakimura
NAT.Consulting LLC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20210217/8e0226b9/attachment.html>

More information about the Openid-specs-fapi mailing list