SlideShare a Scribd company logo

CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

CloudIDSummit, profile picture
CloudIDSummit

The document discusses the advantages of using OpenID Connect over traditional SAML for authentication and API authorization, highlighting its single flow that allows both identity assertion and security tokens to be returned together. It outlines the processes for authorization requests, token responses, and key components such as access tokens and refresh tokens, emphasizing enhanced mobile and REST compatibility. Additionally, it contrasts OAuth 2 with OpenID Connect by noting the extra request for the 'openid' scope and the inclusion of an ID token.

Technology
1 of 19
Downloaded 39 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
pingidentity.com
CONSOLIDATING AUTHENTICATION AND API AUTHORIZATION USING OPENID CONNECT John Bradley Copyright © 2014 Ping Identity Corp.All rights reserved. 2Confidential — do not distribute
SAML SOAP WS-* SAML Web SSO SAML SOAP WS-* Typical SAML Deployment model Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 3
Typical SAML Deployment model Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 4 • Two flows – One using Web SSO for Authentication. – One call to a STS to exchange authentication token for security token. – Typically no user consent. – Not mobile friendly.
OpenID Connect OpenID Connect Deployment model Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 5 OAuth 2
OpenID Connect Deployment model Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 6 • Single flow – One request returns both Identity Assertion and security token for access. – Opportunity for user consent for API and login in a single interface. – Mobile/REST friendly.
Connect Rolls Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 7 • Authorization Server (IdP) – Authorization endpoint – Token endpoint • Client (SP) • Resource Server (API)
Authentication & Authorization request Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 8 • The basic OAuth Authorization request contains a list of scopes (resources) that the client is requesting access to. • Connect adds a single scope to the request called “openid” that causes the Identity assertion to be returned.
Authorization Response Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 9 • The Authorization server response is standard OAuth • The Authorization server returns a single use artifact called a code. • This prevents PII leakage via the browser, and prevents large redirect URI that cause problems in some browsers.
Request for tokens Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 10 • The client uses its credentials to make a direct authenticated request to the Authorization Server with the code received from the Authorization server via the users browser. • This is a simple http POST request. • This request is standard OAuth.
Token Response Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 11 • Standard OAuth response containing – Refresh Token – Access Token – JWT id_token (Connect extension to OAuth)
Identity Assertion Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 12 • JWT Contains –  Audience –  Issuer –  Subject –  Issued At –  Expiry –  Other optional claims like Authentication context.
Refresh Token Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 13 • Used to make additional requests for access tokens. – Allows access tokens to be short lived. – Allows Authorization server to revoke API access by not granting new access tokens. – Revoked refresh tokens cause the client to attempt reauthorization by the Resource owner (user).
Access Token Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 14 • The token is added to REST calls to a Resource server’s API. – The token can be a signed JWT – The token can be opaque and introspected via callback to the Authorization server.
Delta between Oauth 2 and Connect to add basic Authentication Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 15 • One additional scope requested “openID” • One additional parameter returned id_token.
Native Applications Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 16 • Many social native applications use the id_token from a login at google to authenticate to their own API.
Using the id_token as an assertion Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 17 Native App Authorization server App API Server AS Resource Server Request Access and ID Tokens Access Token ID Token
NAPPS Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 18 Token Agent Authorization server App API Server AS Resource Server Authentication Request Refresh Token Access Token ID Token Native App Request Token Request Access & ID Tokens Access & ID Tokens
QUESTIONS? John Bradley @ve7jtb Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 19

More Related Content

PDF
Single Sign On with OAuth and OpenID
Gasperi Jerome
 
PPTX
CIS 2012 - Going Mobile with PingFederate and OAuth 2
scotttomilson
 
PDF
CIS 2015 OpenID Connect and Mobile Applications - David Chase
CloudIDSummit
 
PDF
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
PPTX
Workshop: Advanced Federation Use-Cases with PingFederate
Craig Wu
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
 
PPTX
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
Single Sign On with OAuth and OpenID
Gasperi Jerome
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
scotttomilson
 
CIS 2015 OpenID Connect and Mobile Applications - David Chase
CloudIDSummit
 
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
 
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
Workshop: Advanced Federation Use-Cases with PingFederate
Craig Wu
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
 
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 

What's hot (20)

PDF
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
PPTX
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
PPTX
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
PDF
OpenID Connect Explained
Vladimir Dzhuvinov
 
PDF
CIS13: Introduction to OAuth 2.0
CloudIDSummit
 
PPT
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
PDF
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
PDF
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
PPTX
OpenID Connect 1.0 Explained
Eugene Siow
 
PDF
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
PPTX
Single-Page-Application & REST security
Igor Bossenko
 
PPTX
Why Assertion-based Access Token is preferred to Handle-based one?
Hitachi, Ltd. OSS Solution Center.
 
PDF
Enterprise Single Sign On
WSO2
 
PDF
Authentication and Authorization Architecture in the MEAN Stack
FITC
 
PPTX
OAuth2 & OpenID Connect
Marcin Wolnik
 
PDF
Spring security oauth2
axykim00
 
PPTX
OpenID Connect: An Overview
Pat Patterson
 
PPTX
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Will Tran
 
KEY
OpenID vs OAuth - Identity on the Web
Richard Metzler
 
PPTX
JWT SSO Inbound Authenticator
MifrazMurthaja
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
OpenID Connect Explained
Vladimir Dzhuvinov
 
CIS13: Introduction to OAuth 2.0
CloudIDSummit
 
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
OpenID Connect 1.0 Explained
Eugene Siow
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
Single-Page-Application & REST security
Igor Bossenko
 
Why Assertion-based Access Token is preferred to Handle-based one?
Hitachi, Ltd. OSS Solution Center.
 
Enterprise Single Sign On
WSO2
 
Authentication and Authorization Architecture in the MEAN Stack
FITC
 
OAuth2 & OpenID Connect
Marcin Wolnik
 
Spring security oauth2
axykim00
 
OpenID Connect: An Overview
Pat Patterson
 
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Will Tran
 
OpenID vs OAuth - Identity on the Web
Richard Metzler
 
JWT SSO Inbound Authenticator
MifrazMurthaja
 
Ad

Similar to CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect (20)

PDF
The “I” in API is for Identity (Nordic APIS April 2014)
Nordic APIs
 
PDF
Who’s Knocking? Identity for APIs, Web and Mobile
Nordic APIs
 
PPTX
Securing ap is oauth and fine grained access control
AaronLieberman5
 
PDF
CIS 2015 Extreme OAuth - Paul Meyer
CloudIDSummit
 
PDF
Identity for IoT: An Authentication Framework for the IoT
AllSeen Alliance
 
PPTX
Intro to OAuth2 and OpenID Connect
LiamWadman
 
PDF
CIS 2015 Extreme OpenID Connect - John Bradley
CloudIDSummit
 
PPTX
Securing APIs with oAuth2
Michae Blakeney
 
PPTX
Creating a Sign On with Open id connect
Derek Binkley
 
PDF
Spring4 security oauth2
axykim00
 
PPTX
Configuring Single Sign-On (SSO) via Identity Management | MuleSoft Mysore Me...
MysoreMuleSoftMeetup
 
PPTX
Managing Identities in the World of APIs
Apigee | Google Cloud
 
PDF
Spring4 security oauth2
Sang Shin
 
PDF
CIS13: Federation Protocol Cross-Section
CloudIDSummit
 
PDF
Mobile Authentication - Onboarding, best practices & anti-patterns
Pieter Ennes
 
PPTX
OAuth2 and OpenID with Spring Boot
Geert Pante
 
PDF
Accessing APIs using OAuth on the federated (WordPress) web
Felix Arntz
 
PDF
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
PDF
Openstack identity protocols unconference
David Waite
 
PDF
Demystifying AuthN/AuthZ Using OIDC & OAuth2
NGINX, Inc.
 
The “I” in API is for Identity (Nordic APIS April 2014)
Nordic APIs
 
Who’s Knocking? Identity for APIs, Web and Mobile
Nordic APIs
 
Securing ap is oauth and fine grained access control
AaronLieberman5
 
CIS 2015 Extreme OAuth - Paul Meyer
CloudIDSummit
 
Identity for IoT: An Authentication Framework for the IoT
AllSeen Alliance
 
Intro to OAuth2 and OpenID Connect
LiamWadman
 
CIS 2015 Extreme OpenID Connect - John Bradley
CloudIDSummit
 
Securing APIs with oAuth2
Michae Blakeney
 
Creating a Sign On with Open id connect
Derek Binkley
 
Spring4 security oauth2
axykim00
 
Configuring Single Sign-On (SSO) via Identity Management | MuleSoft Mysore Me...
MysoreMuleSoftMeetup
 
Managing Identities in the World of APIs
Apigee | Google Cloud
 
Spring4 security oauth2
Sang Shin
 
CIS13: Federation Protocol Cross-Section
CloudIDSummit
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Pieter Ennes
 
OAuth2 and OpenID with Spring Boot
Geert Pante
 
Accessing APIs using OAuth on the federated (WordPress) web
Felix Arntz
 
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Openstack identity protocols unconference
David Waite
 
Demystifying AuthN/AuthZ Using OIDC & OAuth2
NGINX, Inc.
 
Ad

More from CloudIDSummit (20)

PPTX
CIS 2016 Content Highlights
CloudIDSummit
 
PPTX
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
CloudIDSummit
 
PDF
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CloudIDSummit
 
PDF
Mobile security, identity & authentication reasons for optimism 20150607 v2
CloudIDSummit
 
PDF
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CloudIDSummit
 
PDF
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CloudIDSummit
 
PDF
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CloudIDSummit
 
PDF
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CloudIDSummit
 
PDF
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CloudIDSummit
 
PDF
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CloudIDSummit
 
PDF
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CloudIDSummit
 
PDF
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CloudIDSummit
 
PDF
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
PDF
CIS 2015 The IDaaS Dating Game - Sean Deuby
CloudIDSummit
 
PDF
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CloudIDSummit
 
PDF
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
CloudIDSummit
 
PDF
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CloudIDSummit
 
PDF
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CloudIDSummit
 
PDF
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CloudIDSummit
 
PDF
CIS 2015 Identity Relationship Management in the Internet of Things
CloudIDSummit
 
CIS 2016 Content Highlights
CloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CloudIDSummit
 

Recently uploaded (20)

PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Cloud computing and distributed systems.
kkkkkhan
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 

CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

  • 2. CONSOLIDATING AUTHENTICATION AND API AUTHORIZATION USING OPENID CONNECT John Bradley Copyright © 2014 Ping Identity Corp.All rights reserved. 2Confidential — do not distribute
  • 3. SAML SOAP WS-* SAML Web SSO SAML SOAP WS-* Typical SAML Deployment model Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 3
  • 4. Typical SAML Deployment model Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 4 • Two flows – One using Web SSO for Authentication. – One call to a STS to exchange authentication token for security token. – Typically no user consent. – Not mobile friendly.
  • 5. OpenID Connect OpenID Connect Deployment model Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 5 OAuth 2
  • 6. OpenID Connect Deployment model Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 6 • Single flow – One request returns both Identity Assertion and security token for access. – Opportunity for user consent for API and login in a single interface. – Mobile/REST friendly.
  • 7. Connect Rolls Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 7 • Authorization Server (IdP) – Authorization endpoint – Token endpoint • Client (SP) • Resource Server (API)
  • 8. Authentication & Authorization request Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 8 • The basic OAuth Authorization request contains a list of scopes (resources) that the client is requesting access to. • Connect adds a single scope to the request called “openid” that causes the Identity assertion to be returned.
  • 9. Authorization Response Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 9 • The Authorization server response is standard OAuth • The Authorization server returns a single use artifact called a code. • This prevents PII leakage via the browser, and prevents large redirect URI that cause problems in some browsers.
  • 10. Request for tokens Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 10 • The client uses its credentials to make a direct authenticated request to the Authorization Server with the code received from the Authorization server via the users browser. • This is a simple http POST request. • This request is standard OAuth.
  • 11. Token Response Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 11 • Standard OAuth response containing – Refresh Token – Access Token – JWT id_token (Connect extension to OAuth)
  • 12. Identity Assertion Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 12 • JWT Contains –  Audience –  Issuer –  Subject –  Issued At –  Expiry –  Other optional claims like Authentication context.
  • 13. Refresh Token Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 13 • Used to make additional requests for access tokens. – Allows access tokens to be short lived. – Allows Authorization server to revoke API access by not granting new access tokens. – Revoked refresh tokens cause the client to attempt reauthorization by the Resource owner (user).
  • 14. Access Token Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 14 • The token is added to REST calls to a Resource server’s API. – The token can be a signed JWT – The token can be opaque and introspected via callback to the Authorization server.
  • 15. Delta between Oauth 2 and Connect to add basic Authentication Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 15 • One additional scope requested “openID” • One additional parameter returned id_token.
  • 16. Native Applications Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 16 • Many social native applications use the id_token from a login at google to authenticate to their own API.
  • 17. Using the id_token as an assertion Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 17 Native App Authorization server App API Server AS Resource Server Request Access and ID Tokens Access Token ID Token
  • 18. NAPPS Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 18 Token Agent Authorization server App API Server AS Resource Server Authentication Request Refresh Token Access Token ID Token Native App Request Token Request Access & ID Tokens Access & ID Tokens
  • 19. QUESTIONS? John Bradley @ve7jtb Confidential — do not distribute Copyright © 2014 Ping Identity Corp.All rights reserved. 19