identity 1.0 documentation


Terms

Computing

REST
Representational state transfer (REST) is a style of software architecture for distributed hypermedia systems such as the World Wide Web. (Wikipedia)
RESTful
Conforming to the REST constraints is referred to as being “RESTful”. (Wikipedia)
RESTful manner

RESTful style of computing.

  • How RESTful is the OpenID Connect suite?

Connect

Simple Request Method
2.3.1.1. Simple Request Method
Request Parameter Method
2.3.1.2. Request Parameter Method
Authorization Header Method
2.1. Authorization Request Header Field
digitalSignature
“4.3. Signing”. X.509 Key Usage (TBD)
keyEncipherment
“4.4. Encryption”. X.509 Key Usage (TBD)
Key Usage
(TBD) X.509 Key Usage
Endpoint
Endpoints
(TBD)
Session Management Endpoint
Session Management Endpoints
(TBD)
Authentication Context Class Reference
Authentication Context Class References
authentication context class reference

Supported SAML Authentication Context Classes and Strengths

Entity Authentication Assurance Level
(TBD) (1.1. Requirements Notation and Conventions)
PAPE
(TBD) (1.2. Terminology)
nist_auth_level
(TBD) (1.2. Terminology)
ID Tokens
ID Token
ID Token Verification
(TBD) (2.1.1. Authorization Request)
openid
(TBD) The openid scope? (2.1.2. Authorization Request)
client_secret
(TBD)
KeyWrap
(TBD)
Content Encryption Key
(TBD)
Request Object
(TBD)
Discovery Document
(TBD)
Signed Request Object
(TBD)
Signature Verification
(TBD)
Client Registration
(TBD)
Authorization Request Message
Authorization Request Messages
(TBD)
User ID Claim
(TBD)
Signing Algorithms
(TBD)
.well-known
(TBD)
Direct Configuration
(TBD)
Host
(TBD)
Normalization Rules
For SWD. See “2.1. Identifier Normalization”.
Identifier Normalization
See “2.1. Identifier Normalization”.
User Identifier
(TBD) (2.1. Identifier Normalization)
OpenID Provider
(TBD)
Port
(TBD)
Provider Discovery
(TBD)
Service
(TBD)
TLS/SSL Server Certificate Check
(TBD)
URI Scheme
(TBD)
Issuer
(TBD)
OpenID Provider Configuration Document
(TBD)
Public Key Location
(TBD)
Server Certificate Check
(TBD)
SWD Host
(TBD)
SWD Principal
(TBD)
Unicode Code Points
(TBD)
Authenticated User Session
(TBD)
Authorization HTTP Header
(TBD)
Fourth Party Web Sites
(TBD)
Fragment Parameter
(TBD)
ID Token
(TBD)
Implicit Grant Flow
Query Fragment
(TBD)
Query Parameter
(TBD)
Refresh Session Endpoint
(TBD)
Requested Resources
(TBD)
Sign In Session
(TBD)
User-Agent
(TBD)

OAuth

Access Token
Access Tokens
  • “oauth_5” in OAuth describes the access token response at the Token Endpoint.
  • “oauth_1_4” describes what an access token is in OAuth generally.
Access Token Request
Access Token Requests
(TBD)
Access Token Response
Access Token Responses
(TBD)
Authorization Code
oauth_1_3_1
Authorization Endpoint
( TODO )
Authorization Endpoint Request
Authorization Request
Authorization Endpoint Response
Authorization Response
Authorization Grant Type
OAuth grant types defined in Section 1.3.
Authorization Request
( TODO )
Authorization Requests
Authorization Request
Authorization Response
( TODO )
Authorization Scope
Scope
Access Token Scope
See “oauth_3_3”.
Authorization Server
( TODO )
Authorization Servers
Authorization Server
Client
( TODO )
Client Authentication
( TODO )
Client Credentials
See “oauth_1_3_4”.
Client Identifier
oauth_2_2
Confidential Client
oauth_2_1
Grant Type
Authorization Grant Type
Grant Types
Grant Type
OAuth
OAuth 2.0
The OAuth 2.0 Authorization Framework
OAuth Parameters Registry
oauth_11_2
Protected Resource
( TODO )
Protected Resources
Protected Resource
Public Client
oauth_2_1
Refresh Token
oauth_1_5
Refresh Tokens
Refresh Token
Resource Server
“The OAuth 2.0 Authorization Framework” defines a resource server as a role.
Resource Servers
Resource Server
Response Type
response_type
Response Types
response_type
Scopes
Scope
Server
( TODO )
Token Endpoint Request
Token Request
Token Endpoint Response
Token Response
Token Request
( TODO )
Token Requests
Token Request
Token Response
( TODO )

JSON Something

JSON
( TODO )
jku
JSON (Web) Key URL. An absolute URL that refers to a resource for a set of JSON-encoded public keys, one of which corresponds to the key that was used to sign the JWS. See “jws.table.1”.
Certificate Chains
(TODO) ( Abstract )
JSON Claims Object
(TODO)
URI Query Parameters
( TBD )
base64url
( TBD )
JWE Plaintext
( TBD )
Algorithm
( TBD )
Encryption Method
(TBD) (5. JWT Header)
JWS Header Parameters
(TBD) (5. JWT Header)
JWE Header Parameters
See “jwe.4” (5. JWT Header)

SAML

Identity Provider
IdP (TBD)
Service Provider
SP (TBD)
Public Key
(TBD)
Private Key
(TBD)
Artifact Resolution Profile
(TBD)
Holder-of-Key Web Browser SSO
Holder-of-Key Web Browser SSO Profile
(TBD)
Relay State Mechanism
(TBD)
Holder-of-Key
(TBD)
Holder-of-Key Assertions
Holder-of-Key SAML Assertions
(TBD)
Certificate Issuer
(TBD)
Client Certificates
(TBD)
DER
Distinguished Encoding Rules, to encode ASN.1.
BER
Basic Encoding Rules, to encode an ASN.1 structure as an octet stream.
CER
Canonical Encoding Rules, to encode ASN.1.
PER
Packed Encoding Rules, to encode ASN.1.
Holder-Of-Key
(TBD)
Holder-Of-Key Subject Confirmation
(TBD)
Issuer DN
(TBD)
Issuer Serial Number
(TBD)
NIST
(TBD)
Private Key
(TBD)
RelayState Mechanism
(TBD)
SAML Assertion
(TBD)
SAML Issuers
(TBD)
SAML Relying Party
(TBD)
SAML Response
(TBD)
Security Context
(TBD)
SKI
(TBD)
SKI Extension
(TBD)
SSTC
(TBD)
Subject Distinguished Name
(TBD)
Subject Key Identifier
(TBD)
The Service Provider
(TBD)
TLS Handshake
(TBD)
TLS Session Key
(TBD)
Trust Relationship
(TBD)
Trusted Certificate
(TBD)
User Agent
(TBD)
Web Browser SSO
(TBD)
X.509 Issuer
(TBD)
XML Signature
(TBD)
ASN.1 Encoding
ASN.1 Encodings
(TBD)
Authentication Request
(TBD)
Authentication Statement
(TBD)
Bearer Subject Confirmation
(TBD)
BER
(TBD)
CER
(TBD)

Others

MTI
Mandatory to Implement
Direct Communication
Direct communication is client-to-server communication that does not pass through the User-Agent.
Indirect Communication
In indirect communication, messages are passed through the User-Agent.
Check Session Endpoint
A protected resource that, when presented with an access token by the client, returns authentication information about the user represented by that access token.
UserInfo Request
(TBD)
UserInfo Response
(TBD)
User Info Endpoint
UserInfo Endpoint
A protected resource that, when presented with an access token by the client, returns authorized information about the user represented by that access token.
Query String
( TODO )
Fragment
( TODO )
Query String Serialization
In order to serialize the parameters using the query string serialization, the client constructs the string by adding the following parameters to the end-user authorization endpoint URI query component using the application/x-www-form-urlencoded format as defined by [W3C.REC‑html401‑19991224] (Hors, A., Jacobs, I., and D. Raggett, “HTML 4.01 Specification,” December 1999.).
GSA
U.S. General Services Administration. http://www.gsa.gov/
ISO 29115
ISO/IEC 29115 Entity Authentication Assurance Framework.
HMAC-SHA
HMAC
Connect
OpenID Connect
audience
( TODO )
nonce
( TODO )
schema
Metadata for JSON returned by UserInfo Endpoint (“basic_4_1”).
PPID
Pairwise Pseudonymous Identifier. A set of identifiers bound to a single principal, each of which is shared only within one relationship between entities. See accounts_overview_PPID.
SCIM
Mortimer, C., Smarr, J., Harding, P., and P. Madsen, “Simple Cloud Identity Management: Core Schema 1.0,” June 2011. ( http://www.simplecloud.info/specs/draft-scim-core-schema-01.html )
vCard
( TODO )
PortableContacts
( TODO )
UserInfo
( TODO )
scope

OAuth grant request parameter. See “oauth_3_3”.

See the accounts_overview_scope sample implementation.

URI Query String Serialization
Not used anywhere outside the OpenID Connect community. (basic_3_2_1)
accounts
Sample application in which OpenID Connect is implemented. See accounts_overview.
Request File Registration Service
( TODO )
Query Component
( TODO )
SP800_63
Electronic Authentication Guideline
Two Factor Authentication
Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are. It is a part of the broader family of multi-factor authentication, which is a defense-in-depth approach to security. From a security perspective, the idea is to use evidence with separate ranges of attack vectors (e.g. logical, physical), leading to a more complex attack scenario and consequently lower risk. (Two Factor Authentication - Wikipedia)
Implicit Flow
( TODO )
Code Flow
Authorization Code Flow
( TODO )
End-User
( TODO )
SSL
( TODO )
HMAC
( TODO )
IMEI
IMEI is short for International Mobile Equipment Identity and is a unique number given to every single mobile phone. (IMEI - Wikipedia)
X-Frame-Options
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
TLS
End-User Authorization Endpoint
Authorization Endpoint
Scammer
Slang: a person who perpetrates a scam; a swindler. (The Free Dictionary)
Open Redirectors
( TODO )
Redirection URI
( TODO )
Token
There are many “tokens” defined in OAuth and Connect. A “token” may refer to an Access Token, sometimes to a Refresh Token, or to both.
Tokens
Token
Duration
( TODO )
Javascript Framebusting
( TODO )
Static Registration
( TODO )
Dynamic Registration
( TODO )
Authorization Header
( TODO )
Authorization Headers
( TODO )
Clients
Client
Client Secret
( TODO )
Client Secrets
( TODO )
Client ID
( TODO )
Artifact
( TODO )
IANA
( TODO ) (oauth_11_2 )
IESG
( TODO ) (oauth_11_2 )
Designated Experts
( TODO ) (oauth_11_2 )
Specification Required
( TODO ) (oauth_11_2 )
UTC

Universal Time, Coordinated (in Japanese).

“UTC is synonymous with GMT (Greenwich Mean Time), but GMT is no longer precisely defined by the scientific community.”

PEM
Privacy Enhanced Mail

Attacks

clickjacking
Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. (Clickjacking - Wikipedia, http://en.wikipedia.org/wiki/Clickjacking)
CSRF
XSRF
XSRF Attacks
( TODO )
Eavesdropping
(TBD)
Man-in-the-middle
( TODO )
Online Guessing
(TBD)
Pharming
(TBD)
Phishing
( TODO )
Replay
Replay Attack
Replay Attacks
(TBD)

Session Fixation
Session fixation: one person fixates (sets) another person’s session identifier (SID). Most session fixation attacks are web based, and most rely on session identifiers being accepted from URLs (query string) or POST data. (Session Fixation - Wikipedia)
Session Hijack
(TBD)
Session Poisoning
Another party changes some of the session data. (Session Poisoning - Wikipedia)

TBD

_claim_names Member
(TBD)
A128GCM
(TBD)
A256GCM
(TBD)
Access Grant
(TBD)
Access Token Endpoint
(TBD)
Access Token Grant Lifetimes
(TBD)
Access Token Grants
(TBD)
Authorization
(TBD)
Bearer
(TBD)
Bearer Tokens
(TBD)
Claim Source
(TBD)
Claims Sources
(TBD)
Client Authentication Parameters
(TBD)
ECDH-ES
(TBD)
ECDSA Signatures
(TBD)
Encryption Algorithm
(TBD)
Error Response
(TBD)
HMAC Signatures
(TBD)
HS256
(TBD)
HS384
(TBD)
HS512
(TBD)
ID Token Request
(TBD)
Implicit
(TBD)
Integrated Integrity Check
(TBD)
Integrity
(TBD)
ISO 3166-1
(TBD)
ISO 639-1
(TBD)
JWS Signed JWT
(TBD)
OAuth 2.0 Bearer
(TBD)
OpenID Providers
(TBD)
Pairwise Pseudonymous Identifier
(TBD)
Path Component
(TBD)
PEM
(TBD)
Personally Identifiable Information
(TBD)
Plaintext JWT
(TBD)
Public Signing Key
(TBD)
redirect_uris
(TBD)
Refresh Token Request
(TBD)
RS256
(TBD)
RSA
(TBD)
Signature Algorithm
(TBD)
Simple Web Discovery
(TBD)
User
(TBD)
user_id_type
(TBD)
UserInfo Access Log
(TBD)
UserInfo Claims
(TBD)
UserInfo Data
(TBD)

UMA

User Authorization Process
(TBD)
AM
Access Manager
Authorization API
(TBD)
Authorization API Endpoint
(TBD)
Authorization Code Grant Type
(TBD)
Configuration Data
(TBD)
Host Access Token
(TBD)
Host Registration Endpoint
(TBD)
Hostmeta
(TBD)
OAuth-Protected
(TBD)
OAuth2
(TBD)
OpenID Connect
(TBD)
PDP
Policy Decision Point
PEP
Policy Enforcement Point
Permissions
(TBD)
Protection API
(TBD)
Protection API Endpoints
(TBD)
Registration Area
(TBD)
Requester Access Token
(TBD)
Requester Access Tokens
(TBD)
Resource Sets
(TBD)
RFC6415
RFC 6415
UMA
UMA Core protocol
Uma-Protected
(TBD)
User Policies
(TBD)
AM Operator
(TBD)
Authorization Manager
(TBD)
Authorization Proxy
(TBD)
Authorizing Users
(TBD)
Host Operator
(TBD)
Hosts
host
Phases 2
Phase 2
Policy
(TBD)
Protected API
(TBD)
Requested Scope
(TBD)
Requesting Parties
(TBD) Requester?
A User Authorization Process
(TBD)
am_uri
(TBD)
authorization_code
host_grant_types_supported
Cache Period
uma_core.3.3
callback URL
3.5. Claims-Gathering Flows
client_credentials
host_grant_types_supported
extension grant type
host_grant_types_supported. (TBD)
OAuth Grant Types
Grant Type in OAuth
object
(TBD)
originating IP address
(TBD) uma_core.3.3
permission objects
uma_core.3.3
policies
3.5. Claims-Gathering Flows
redirect URL
3.5. Claims-Gathering Flows
Token Status
uma_core.3.3
Token Status Description
uma_core.3.3
Token Status Request
uma_core.3.3

JWT

Cryptographic Hash Function
(TBD)
ECDSA
(TBD)
HMAC SHA-256
(TBD)
HMAC SHA-384
(TBD)
HMAC SHA-512
(TBD)
IANA JSON Web Encryption Algorithms
(TBD)
IANA JSON Web Signature Algorithms
(TBD)
JWS Secured Input
(TBD)
MAC
(TBD)
P-256
(TBD)
PKCS#1
(TBD)
RSA-PKCS1-1.5
(TBD)
RSASSA-PKCS1-V1_5
(TBD)
SHA-2
SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256, SHA-384, SHA-512) designed by the National Security Agency (NSA) and published in 2001 by NIST as a U.S. Federal Information Processing Standard. (Wikipedia)
SHA-256
(TBD)
SHA-384
(TBD)
SHA-512
(TBD)
Shared Key
(TBD)
White Space
(TBD)
alg
(TBD)
enc
(TBD)
typ
(TBD)
GCM
Galois/Counter Mode, as defined in [FIPS‑197] and [NIST‑800‑38D]
ECDH

MAC Scheme

HTTP MAC access authentication scheme
MAC scheme
1. Introduction
HTTP Basic access authentication scheme
Basic scheme
RFC 2617 / 1. Introduction
HTTP Digest authentication scheme
Digest scheme
(TBD)

Security

Ephemeral
Ephemeral Key
Short-term key
  • A public key or private key that is relatively short-lived.
  • A cryptographic key is called ephemeral if it is generated for each execution of a key establishment process. (Ephemeral Key, Wikipedia)
  • Antonym: Static Key
Static
Static Key
  • A cryptographic key is called static if it is intended for use for a relatively long period of time and is typically intended for use in many instances of a cryptographic key establishment scheme. (Static Key, Wikipedia)
