<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
</head>
<body>
<div dir="auto" style="direction: ltr; margin: 0; padding: 0; font-family: sans-serif; font-size: 11pt; color: black; ">
I assume there are no IPR issues when presenting to this group?<br>
<br>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Openid-specs-fapi <openid-specs-fapi-bounces@lists.openid.net> on behalf of Travis Spencer via Openid-specs-fapi <openid-specs-fapi@lists.openid.net><br>
<b>Sent:</b> Tuesday, February 9, 2021 8:24:54 AM<br>
<b>To:</b> openid-specs-fapi@lists.openid.net <openid-specs-fapi@lists.openid.net><br>
<b>Cc:</b> Travis Spencer <travis@curity.io><br>
<b>Subject:</b> [Openid-specs-fapi] Presentation about hypermedia login API</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">In the summer, I emailed the list about working on a new protocol that<br>
would facilitate strong login without requiring a browser[1]. Since<br>
then, I've been talking with Mike Schwartz, Nat, and others about<br>
this. To move this conversation forward, I would like to talk through<br>
the following presentation[2] on tomorrow's Atlantic call. Please have<br>
a look beforehand if you have a moment.<br>
<br>
Talk to you all tomorrow.<br>
<br>
[1] <a href="https://lists.openid.net/pipermail/openid-specs-fapi/2020-August/002037.html">
https://lists.openid.net/pipermail/openid-specs-fapi/2020-August/002037.html</a><br>
[2] It's in Asciidoc format in case the syntax isn't familiar<br>
<br>
= Hypermedia Authentication API<br>
<br>
== Agenda<br>
<br>
* Requirements<br>
* Brief overview of solution<br>
* More info<br>
<br>
[small]#Slide 1#<br>
<br>
== Our Customers' Demands<br>
<br>
* Non-browser-based login and authorization<br>
* Integration between OP and RP on different domains without cookies<br>
* As secure as browser-based solution (or more so)<br>
* Existing deployments keep working as-is<br>
<br>
[small]#Slide 2#<br>
<br>
== OpenID Connect is a Hypermedia API<br>
<br>
* All Websites are hypermedia (i.e., REST) APIs, ∴ OpenID Connect is a<br>
hypermedia API<br>
* Simplify non-browser-based login and consent by:<br>
[arabic]<br>
.. Replace HTML hypermedia representation with JSON<br>
.. Attest to the client's provenance<br>
<br>
[small]#Slide 3#<br>
<br>
== App Provenance<br>
<br>
* Provenance == origin (i.e., provider) of RP<br>
* Traditionally verified by control of redirect URI<br>
* Provenance verification happens at flow's end<br>
* Deep linking required on mobile (PKCE isn't enough)<br>
* New tools available to ascertain origin on modern mobile devices<br>
<br>
[small]#Slide 4#<br>
<br>
== Proving Provenance<br>
<br>
* Modern mobile devices have Hardware Security Modules (HSM) built-in<br>
* Can be used to sign a challenge<br>
* Verifiable up to trusted root<br>
* DPoP allows all login API calls to be tied to attested RP<br>
* Establishes provenance prior to or instead of redirection<br>
<br>
[small]#Slide 5#<br>
<br>
== Flow Used to Prove Provenance<br>
<br>
[ditaa]<br>
....<br>
                                                        Get<br>
                                               +-(A)-Challenge------------+<br>
                                               |                          |<br>
                                               v                          v<br>
+---------------+   (B) Request   +------------+---+              +-------+-----------+<br>
|               +<--attestation---+                |              |   Authorization   |<br>
|  Attestation  |                 |  OAuth Client  |              |      Server       |<br>
|    System     |                 |  Application   |  Attestation |                   |<br>
|               +-------(C)------>+                +-----(D)----->| +---------------+ |<br>
+---------------+   Attestation   |                +<--(E)-CAT----+ |  CAT endpoint | |<br>
                                  +---+----+---+---+              | +---------------+ |<br>
                                      |    ^   |                  |                   |<br>
                                      |    |   +------(F)-CAT---->+ +---------------+ |<br>
                                      |    |                      | |Token endpoint | |<br>
                                      |    +<-----(G)-AAT---------+ +---------------+ |<br>
                                      |                           |                   |<br>
                                      +-------(H)-AAT------------>+ +---------------+ |<br>
                                                                  | |Login endpoints| |<br>
                                                                  | +---------------+ |<br>
                                                                  +-------------------+<br>
....<br>
<br>
* CAT is sent to token endpoint using client assertion framework<br>
* API calls to login API are protected with sender-constrained access token<br>
<br>
[small]#Slide 6#<br>
<br>
== Adapting to First- or Third-party Provenance<br>
<br>
* Provenance establishes whether RP is from first- or third-party provider<br>
* OP can adapt login methods based on this<br>
* Hypermedia allows support for any kind of credential (incl. short-lived ones)<br>
** First-party: End user can provide all factors (same as OP in system browser)<br>
** Third-party: End user cannot provide all factors, consent may be<br>
verified out of band<br>
<br>
[small]#Slide 7#<br>
<br>
== More Info<br>
<br>
* Very short summary<br>
* See <a href="https://travisspencer.com/articles/hypermedia-api-resources/">https://travisspencer.com/articles/hypermedia-api-resources/</a>[my website] for an ever-growing list of resources<br>
<br>
[small]#Slide 8#<br>
_______________________________________________<br>
Openid-specs-fapi mailing list<br>
Openid-specs-fapi@lists.openid.net<br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</div>
</span></font></div>
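<div class="PlainText">The challenge, attestation and sender-constrained steps of the flow in the slides above, as an added Go model that is not the author's or the project's code: the OP issues a single-use challenge (A), binds the CAT it issues at (E) to the key that signed the challenge, and at the token endpoint (F) and login endpoints (H) accepts a proof only from that bound key. All names (NewDeviceKey, AuthServer, CATEndpoint, CheckBinding) are this example's own; it assumes the attestation system has already verified the key up to the trusted root, and stands in for real CAT/AAT formats and DPoP proofs with opaque strings and raw ECDSA signatures.</div>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

func digest(msg string) []byte { h := sha256.Sum256([]byte(msg)); return h[:] }
// NewDeviceKey stands in for the device's hardware-backed key that Sign uses (steps C, F, H).
func NewDeviceKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func Sign(priv *ecdsa.PrivateKey, msg string) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest(msg))
	return sig
}

// AuthServer models the OP: single-use challenges (A) and issued tokens, each
// recorded with the attested key it is bound to (cnf.jkt in a real token).
type AuthServer struct {
	challenges map[string]bool
	bound      map[string]*ecdsa.PublicKey // token -> key that proved provenance
}
func NewAuthServer() *AuthServer { return &AuthServer{map[string]bool{}, map[string]*ecdsa.PublicKey{}} }
func (s *AuthServer) Challenge() string { // step (A): fresh random value to sign
	b := make([]byte, 16)
	rand.Read(b)
	s.challenges[hex.EncodeToString(b)] = true
	return hex.EncodeToString(b)
}

// CATEndpoint is steps (D)/(E). Assumption: the attestation system (B)/(C) already verified
// pub up to the trusted root, so only freshness and the signature over the challenge are checked.
func (s *AuthServer) CATEndpoint(challenge string, sig []byte, pub *ecdsa.PublicKey) (string, error) {
	fresh := s.challenges[challenge]
	delete(s.challenges, challenge) // single use: a captured signature cannot be replayed
	if !fresh || !ecdsa.VerifyASN1(pub, digest(challenge), sig) {
		return "", errors.New("challenge unknown, reused, or not signed by the presented key")
	}
	s.bound["cat-"+challenge] = pub
	return "cat-" + challenge, nil
}
// CheckBinding is the sender-constraint check the token endpoint (F) and login
// endpoints (H) share: the proof must come from the key the token was bound to.
func (s *AuthServer) CheckBinding(token string, proof []byte, pub *ecdsa.PublicKey) bool {
	key, ok := s.bound[token]
	return ok && key.Equal(pub) && ecdsa.VerifyASN1(pub, digest(token), proof)
}
```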
</body>
</html>