2023.11.30 (목)
속초-3.1℃- -5.5℃
- 철원-6.7℃
- 동두천-6.7℃
- 파주-6.2℃
- 대관령-9.4℃
- 춘천-5.2℃
백령도-1.5℃- 북강릉-1.4℃
- 강릉-0.8℃
- 동해1.0℃
- 서울-4.8℃
- 인천-4.4℃
- 원주-2.9℃
- 울릉도3.6℃
- 수원-3.6℃
영월-2.5℃- 충주-3.3℃
서산-0.5℃- 울진1.0℃
청주-1.4℃- 대전-1.3℃
- 추풍령-1.4℃
- 안동-1.7℃
- 상주-0.9℃
- 포항2.6℃
- 군산1.6℃
- 대구2.6℃
- 전주1.8℃
- 울산3.9℃
- 창원5.0℃
- 광주3.9℃
- 부산6.9℃
- 통영7.0℃
- 목포4.2℃
- 여수4.7℃
- 흑산도5.2℃
- 완도5.8℃
- 고창2.9℃
- 순천2.4℃
- 홍성(예)0.0℃
- -2.1℃
- 제주8.8℃
- 고산8.5℃
- 성산7.2℃
- 서귀포11.7℃
- 진주4.3℃
- 강화-5.2℃
- 양평-3.5℃
- 이천-3.7℃
- 인제-4.5℃
- 홍천-4.6℃
- 태백-7.1℃
- 정선군-4.9℃
- 제천-4.4℃
- 보은-1.8℃
- 천안-2.0℃
- 보령0.4℃
- 부여0.4℃
- 금산-0.1℃
- -1.1℃
- 부안2.3℃
- 임실0.9℃
- 정읍2.7℃
- 남원1.9℃
- 장수-0.6℃
- 고창군3.0℃
- 영광군3.2℃
- 김해시5.7℃
- 순창군2.3℃
- 북창원6.1℃
- 양산시7.1℃
- 보성군4.8℃
- 장흥4.6℃
- 해남4.8℃
- 고흥5.8℃
- 의령군4.0℃
- 함양군2.1℃
- 광양시3.6℃
- 진도군5.2℃
- 봉화-1.2℃
- 영주-2.6℃
- 문경-2.1℃
- 청송군-1.4℃
- 영덕0.8℃
- 의성0.3℃
- 구미1.1℃
- 영천1.3℃
- 경주시2.0℃
- 거창0.9℃
- 합천4.0℃
- 밀양4.0℃
- 산청2.3℃
- 거제6.8℃
- 남해5.4℃
- 6.9℃
[기획-디지털 ID 표준] ⑮산업단체와 포럼 - 오픈ID(OpenID)
[기획-디지털 ID 표준] ⑮산업단체와 포럼 - 오픈ID(OpenID)
- 박재희 기자
- 등록 2023.11.02 10:58
- 조회수 1,711
![Korea Digital ID(iNIS) 2(디지털 ID 산업의 발전 전략 [출처=iNIS]).jpg](http://stdnews.kr/bbs/view_image.php?fn=http%3A%2F%2Fwww.stdnews.kr%2Fdata%2Feditor%2F2311%2F20231102105957_8c7c9b153ad0478ee0c8c3e046bf4852_6mq2.jpg)
디지털 ID(Digital Identity) 분야에서 상호운용(interoperable)이 가능하고 안전한 서비스 보장을 위한 표준에 대한 수요가 증가하고 있다. 다양한 표준 조직 및 산업 기관이 활동하는 이유다.
디지털 ID 표준을 개발하는 곳은 유럽표준화기구(European Standardisation Organistions), 국제표준화기구(International Standardisation Organisations), 상업 포럼 및 컨소시엄, 국가기관 등 다양하다.
산업단체와 포럼은 공식적으로 표준화 조직으로 간주되지 않지만 디지털 ID 영역을 포함한 특정 영역에서는 사실상의 표준을 제공하고 있다.
몇몇의 경우 이들 단체들이 추가 비준을 위해 자신들이 생산한 사양을 ISO/IEC, ITU 통신 표준화 부문(ITU-T), ETSI 등 표준 기관에 제출할 수 있다.
이러한 산업단체 및 포럼에는 △인증기관브라우저 포럼(Certification Authority Browser Forum, CA/Browser Forum) △클라우드 서명 컨소시엄(Cloud Signature Consortium, CSC) △국제자금세탁방지기구(Financial Action Task Force, FATF) △신속온라인인증(Fast Identity Online, FIDO) △국제인터넷표준화기구(Internet Engineering Task Force, IETF) △구조화 정보 표준 개발기구(오아시스)(Organization for the Advancement of Structured Information Standards, OASIS) △오픈ID(OpenID) △SOG-IS(Senior Officials Group-Information Systems Security) △W3C(World Wide Web Consortium) 등이다.
오픈ID(OpenID)는 개인 및 기업의 비영리 국제 표준화 조직으로 OpenID(개방형 표준 및 분산 인증 프로토콜)를 활성화, 홍보, 보호하기 위해 노력하고 있다.
오픈ID 코넥트 코어(OpenID Connect Core)는 핵심 OpenID 기능을 정의하고 있다. OpenID 기능은 OAuth 2.0 기반에 구축된 인증과 최종 사용자에 대한 정보를 전달하기 위한 클레임의 사용이다.
추가적인 기술 사양 문서는 검증 가능한 자격 증명 및 검증 가능한 프리젠테이션의 발급을 확장하기 위해 작성됐다. 또한 OpenID Connect 사용에 대한 보안 및 개인 정보 보호 고려 사항에 대해 설명하고 있다.
아래는 오픈ID가 발행한 'OpenID Connect Core 1.0 incorporating errata set 1' 목차 내용이다.
■ 목차(Table of Contents)
1. Introduction
1.1. Requirements Notation and Conventions
1.2. Terminology
1.3. Overview
2. ID Token
3. Authentication
3.1. Authentication using the Authorization Code Flow
3.1.1. Authorization Code Flow Steps
3.1.2. Authorization Endpoint
3.1.2.1. Authentication Request
3.1.2.2. Authentication Request Validation
3.1.2.3. Authorization Server Authenticates End-User
3.1.2.4. Authorization Server Obtains End-User Consent/Authorization
3.1.2.5. Successful Authentication Response
3.1.2.6. Authentication Error Response
3.1.2.7. Authentication Response Validation
3.1.3. Token Endpoint
3.1.3.1. Token Request
3.1.3.2. Token Request Validation
3.1.3.3. Successful Token Response
3.1.3.4. Token Error Response
3.1.3.5. Token Response Validation
3.1.3.6. ID Token
3.1.3.7. ID Token Validation
3.1.3.8. Access Token Validation
3.2. Authentication using the Implicit Flow
3.2.1. Implicit Flow Steps
3.2.2. Authorization Endpoint
3.2.2.1. Authentication Request
3.2.2.2. Authentication Request Validation
3.2.2.3. Authorization Server Authenticates End-User
3.2.2.4. Authorization Server Obtains End-User Consent/Authorization
3.2.2.5. Successful Authentication Response
3.2.2.6. Authentication Error Response
3.2.2.7. Redirect URI Fragment Handling
3.2.2.8. Authentication Response Validation
3.2.2.9. Access Token Validation
3.2.2.10. ID Token
3.2.2.11. ID Token Validation
3.3. Authentication using the Hybrid Flow
3.3.1. Hybrid Flow Steps
3.3.2. Authorization Endpoint
3.3.2.1. Authentication Request
3.3.2.2. Authentication Request Validation
3.3.2.3. Authorization Server Authenticates End-User
3.3.2.4. Authorization Server Obtains End-User Consent/Authorization
3.3.2.5. Successful Authentication Response
3.3.2.6. Authentication Error Response
3.3.2.7. Redirect URI Fragment Handling
3.3.2.8. Authentication Response Validation
3.3.2.9. Access Token Validation
3.3.2.10. Authorization Code Validation
3.3.2.11. ID Token
3.3.2.12. ID Token Validation
3.3.3. Token Endpoint
3.3.3.1. Token Request
3.3.3.2. Token Request Validation
3.3.3.3. Successful Token Response
3.3.3.4. Token Error Response
3.3.3.5. Token Response Validation
3.3.3.6. ID Token
3.3.3.7. ID Token Validation
3.3.3.8. Access Token
3.3.3.9. Access Token Validation
4. Initiating Login from a Third Party
5. Claims
5.1. Standard Claims
5.1.1. Address Claim
5.1.2. Additional Claims
5.2. Claims Languages and Scripts
5.3. UserInfo Endpoint
5.3.1. UserInfo Request
5.3.2. Successful UserInfo Response
5.3.3. UserInfo Error Response
5.3.4. UserInfo Response Validation
5.4. Requesting Claims using Scope Values
5.5. Requesting Claims using the "claims" Request Parameter
5.5.1. Individual Claims Requests
5.5.1.1. Requesting the "acr" Claim
5.5.2. Languages and Scripts for Individual Claims
5.6. Claim Types
5.6.1. Normal Claims
5.6.2. Aggregated and Distributed Claims
5.6.2.1. Example of Aggregated Claims
5.6.2.2. Example of Distributed Claims
5.7. Claim Stability and Uniqueness
6. Passing Request Parameters as JWTs
6.1. Passing a Request Object by Value
6.1.1. Request using the "request" Request Parameter
6.2. Passing a Request Object by Reference
6.2.1. URL Referencing the Request Object
6.2.2. Request using the "request_uri" Request Parameter
6.2.3. Authorization Server Fetches Request Object
6.2.4. "request_uri" Rationale
6.3. Validating JWT-Based Requests
6.3.1. Encrypted Request Object
6.3.2. Signed Request Object
6.3.3. Request Parameter Assembly and Validation
7. Self-Issued OpenID Provider
7.1. Self-Issued OpenID Provider Discovery
7.2. Self-Issued OpenID Provider Registration
7.2.1. Providing Information with the "registration" Request Parameter
7.3. Self-Issued OpenID Provider Request
7.4. Self-Issued OpenID Provider Response
7.5. Self-Issued ID Token Validation
8. Subject Identifier Types
8.1. Pairwise Identifier Algorithm
9. Client Authentication
10. Signatures and Encryption
10.1. Signing
10.1.1. Rotation of Asymmetric Signing Keys
10.2. Encryption
10.2.1. Rotation of Asymmetric Encryption Keys
11. Offline Access
12. Using Refresh Tokens
12.1. Refresh Request
12.2. Successful Refresh Response
12.3. Refresh Error Response
13. Serializations
13.1. Query String Serialization
13.2. Form Serialization
13.3. JSON Serialization
14. String Operations
15. Implementation Considerations
15.1. Mandatory to Implement Features for All OpenID Providers
15.2. Mandatory to Implement Features for Dynamic OpenID Providers
15.3. Discovery and Registration
15.4. Mandatory to Implement Features for Relying Parties
15.5. Implementation Notes
15.5.1. Authorization Code Implementation Notes
15.5.2. Nonce Implementation Notes
15.5.3. Redirect URI Fragment Handling Implementation Notes
15.6. Compatibility Notes
15.6.1. Pre-Final IETF Specifications
15.6.2. Google "iss" Value
15.7. Related Specifications and Implementer's Guides
16. Security Considerations
16.1. Request Disclosure
16.2. Server Masquerading
16.3. Token Manufacture/Modification
16.4. Access Token Disclosure
16.5. Server Response Disclosure
16.6. Server Response Repudiation
16.7. Request Repudiation
16.8. Access Token Redirect
16.9. Token Reuse
16.10. Eavesdropping or Leaking Authorization Codes (Secondary Authenticator Capture)
16.11. Token Substitution
16.12. Timing Attack
16.13. Other Crypto Related Attacks
16.14. Signing and Encryption Order
16.15. Issuer Identifier
16.16. Implicit Flow Threats
16.17. TLS Requirements
16.18. Lifetimes of Access Tokens and Refresh Tokens
16.19. Symmetric Key Entropy
16.20. Need for Signed Requests
16.21. Need for Encrypted Requests
17. Privacy Considerations
17.1. Personally Identifiable Information
17.2. Data Access Monitoring
17.3. Correlation
17.4. Offline Access
18. IANA Considerations
18.1. JSON Web Token Claims Registration
18.1.1. Registry Contents
18.2. OAuth Parameters Registration
18.2.1. Registry Contents
18.3. OAuth Extensions Error Registration
18.3.1. Registry Contents
19. References
19.1. Normative References
19.2. Informative References
Appendix A. Authorization Examples
A.1. Example using response_type=code
A.2. Example using response_type=id_token
A.3. Example using response_type=id_token token
A.4. Example using response_type=code id_token
A.5. Example using response_type=code token
A.6. Example using response_type=code id_token token
A.7. RSA Key Used in Examples
Appendix B. Acknowledgements
Appendix C. Notices
§ Authors' Addresses
아래는 오픈ID가 발행한 'OpenID Connect Core 1.0 incorporating errata set 1' 목차 내용이다.
■ 목차(Table of Contents)
1. Introduction
1.1. Requirements Notation and Conventions
1.2. Terminology
1.3. Overview
2. ID Token
3. Authentication
3.1. Authentication using the Authorization Code Flow
3.1.1. Authorization Code Flow Steps
3.1.2. Authorization Endpoint
3.1.2.1. Authentication Request
3.1.2.2. Authentication Request Validation
3.1.2.3. Authorization Server Authenticates End-User
3.1.2.4. Authorization Server Obtains End-User Consent/Authorization
3.1.2.5. Successful Authentication Response
3.1.2.6. Authentication Error Response
3.1.2.7. Authentication Response Validation
3.1.3. Token Endpoint
3.1.3.1. Token Request
3.1.3.2. Token Request Validation
3.1.3.3. Successful Token Response
3.1.3.4. Token Error Response
3.1.3.5. Token Response Validation
3.1.3.6. ID Token
3.1.3.7. ID Token Validation
3.1.3.8. Access Token Validation
3.2. Authentication using the Implicit Flow
3.2.1. Implicit Flow Steps
3.2.2. Authorization Endpoint
3.2.2.1. Authentication Request
3.2.2.2. Authentication Request Validation
3.2.2.3. Authorization Server Authenticates End-User
3.2.2.4. Authorization Server Obtains End-User Consent/Authorization
3.2.2.5. Successful Authentication Response
3.2.2.6. Authentication Error Response
3.2.2.7. Redirect URI Fragment Handling
3.2.2.8. Authentication Response Validation
3.2.2.9. Access Token Validation
3.2.2.10. ID Token
3.2.2.11. ID Token Validation
3.3. Authentication using the Hybrid Flow
3.3.1. Hybrid Flow Steps
3.3.2. Authorization Endpoint
3.3.2.1. Authentication Request
3.3.2.2. Authentication Request Validation
3.3.2.3. Authorization Server Authenticates End-User
3.3.2.4. Authorization Server Obtains End-User Consent/Authorization
3.3.2.5. Successful Authentication Response
3.3.2.6. Authentication Error Response
3.3.2.7. Redirect URI Fragment Handling
3.3.2.8. Authentication Response Validation
3.3.2.9. Access Token Validation
3.3.2.10. Authorization Code Validation
3.3.2.11. ID Token
3.3.2.12. ID Token Validation
3.3.3. Token Endpoint
3.3.3.1. Token Request
3.3.3.2. Token Request Validation
3.3.3.3. Successful Token Response
3.3.3.4. Token Error Response
3.3.3.5. Token Response Validation
3.3.3.6. ID Token
3.3.3.7. ID Token Validation
3.3.3.8. Access Token
3.3.3.9. Access Token Validation
4. Initiating Login from a Third Party
5. Claims
5.1. Standard Claims
5.1.1. Address Claim
5.1.2. Additional Claims
5.2. Claims Languages and Scripts
5.3. UserInfo Endpoint
5.3.1. UserInfo Request
5.3.2. Successful UserInfo Response
5.3.3. UserInfo Error Response
5.3.4. UserInfo Response Validation
5.4. Requesting Claims using Scope Values
5.5. Requesting Claims using the "claims" Request Parameter
5.5.1. Individual Claims Requests
5.5.1.1. Requesting the "acr" Claim
5.5.2. Languages and Scripts for Individual Claims
5.6. Claim Types
5.6.1. Normal Claims
5.6.2. Aggregated and Distributed Claims
5.6.2.1. Example of Aggregated Claims
5.6.2.2. Example of Distributed Claims
5.7. Claim Stability and Uniqueness
6. Passing Request Parameters as JWTs
6.1. Passing a Request Object by Value
6.1.1. Request using the "request" Request Parameter
6.2. Passing a Request Object by Reference
6.2.1. URL Referencing the Request Object
6.2.2. Request using the "request_uri" Request Parameter
6.2.3. Authorization Server Fetches Request Object
6.2.4. "request_uri" Rationale
6.3. Validating JWT-Based Requests
6.3.1. Encrypted Request Object
6.3.2. Signed Request Object
6.3.3. Request Parameter Assembly and Validation
7. Self-Issued OpenID Provider
7.1. Self-Issued OpenID Provider Discovery
7.2. Self-Issued OpenID Provider Registration
7.2.1. Providing Information with the "registration" Request Parameter
7.3. Self-Issued OpenID Provider Request
7.4. Self-Issued OpenID Provider Response
7.5. Self-Issued ID Token Validation
8. Subject Identifier Types
8.1. Pairwise Identifier Algorithm
9. Client Authentication
10. Signatures and Encryption
10.1. Signing
10.1.1. Rotation of Asymmetric Signing Keys
10.2. Encryption
10.2.1. Rotation of Asymmetric Encryption Keys
11. Offline Access
12. Using Refresh Tokens
12.1. Refresh Request
12.2. Successful Refresh Response
12.3. Refresh Error Response
13. Serializations
13.1. Query String Serialization
13.2. Form Serialization
13.3. JSON Serialization
14. String Operations
15. Implementation Considerations
15.1. Mandatory to Implement Features for All OpenID Providers
15.2. Mandatory to Implement Features for Dynamic OpenID Providers
15.3. Discovery and Registration
15.4. Mandatory to Implement Features for Relying Parties
15.5. Implementation Notes
15.5.1. Authorization Code Implementation Notes
15.5.2. Nonce Implementation Notes
15.5.3. Redirect URI Fragment Handling Implementation Notes
15.6. Compatibility Notes
15.6.1. Pre-Final IETF Specifications
15.6.2. Google "iss" Value
15.7. Related Specifications and Implementer's Guides
16. Security Considerations
16.1. Request Disclosure
16.2. Server Masquerading
16.3. Token Manufacture/Modification
16.4. Access Token Disclosure
16.5. Server Response Disclosure
16.6. Server Response Repudiation
16.7. Request Repudiation
16.8. Access Token Redirect
16.9. Token Reuse
16.10. Eavesdropping or Leaking Authorization Codes (Secondary Authenticator Capture)
16.11. Token Substitution
16.12. Timing Attack
16.13. Other Crypto Related Attacks
16.14. Signing and Encryption Order
16.15. Issuer Identifier
16.16. Implicit Flow Threats
16.17. TLS Requirements
16.18. Lifetimes of Access Tokens and Refresh Tokens
16.19. Symmetric Key Entropy
16.20. Need for Signed Requests
16.21. Need for Encrypted Requests
17. Privacy Considerations
17.1. Personally Identifiable Information
17.2. Data Access Monitoring
17.3. Correlation
17.4. Offline Access
18. IANA Considerations
18.1. JSON Web Token Claims Registration
18.1.1. Registry Contents
18.2. OAuth Parameters Registration
18.2.1. Registry Contents
18.3. OAuth Extensions Error Registration
18.3.1. Registry Contents
19. References
19.1. Normative References
19.2. Informative References
Appendix A. Authorization Examples
A.1. Example using response_type=code
A.2. Example using response_type=id_token
A.3. Example using response_type=id_token token
A.4. Example using response_type=code id_token
A.5. Example using response_type=code token
A.6. Example using response_type=code id_token token
A.7. RSA Key Used in Examples
Appendix B. Acknowledgements
Appendix C. Notices
§ Authors' Addresses
- 1식약처, ‘대체식품 표시 가이드라인’ 배포해 식품산업 활성화 지원한다
- 2품질 강국 실현하는 「제49회 국가품질경영대회」 개최
- 3한국이 이끄는 미래 기술, '뉴로모픽 소자' 국제표준 도입 본격 착수
- 4국가기술표준원, 단체표준인증제도(SPS) 혁신 간담회 개최
- 5식약처, 첨단바이오의약품 개발 지원 위한 가이드라인 제·개정
- 6[특집-기술위원회] TC 138 - 유체 수송용 플라스틱 파이프, 피팅 …
- 7Vattenfall 해상 풍력 발전소, IECRE 프로젝트 인증서 획득
- 8의료기기 국제 규제 선도 및 수출 지원한다
- 9TTA아카데미, 국립안동대학교와 SW 전문인력 양성 위해 협력 강화
- 10식약처, 의료기기 사이버보안을 위한 가이드라인 3종 배포
![[특집-기술위원회] TC 142 - 공기 및 기타 가스 청소 장비(Cleaning equipment for air and other gases)](http://stdnews.kr/data/file/news/thumb-3555376170_fvmTsJ7z_f84a2eec337675b3645b999631800d2cfbe28aac_118x78.jpg "[특집-기술위원회] TC 142 - 공기 및 기타 가스 청소 장비(Cleaning equipment for air and other gases)")
![[신간 소개] 'ICT융복합안전 - 스마트 모빌리티 안전(K-안전모델)' 목차 소개](http://stdnews.kr/data/file/news/thumb-32068165_v7rljeRH_8d5c24810f1cdb136d08d1eb6b7f3e060b85eed3_118x78.jpg "[신간 소개] 'ICT융복합안전 - 스마트 모빌리티 안전(K-안전모델)' 목차 소개")
![[잘난척아는척TV] 충전기 타입이 자꾸 바뀌는 이유](http://stdnews.kr/data/file/news/thumb-661839498_b09ltrRW_d5e36bb7755deae8f2d0fd06db3041a3e97ed9f8_118x78.jpg "[잘난척아는척TV] 충전기 타입이 자꾸 바뀌는 이유")
![[특집-기상기후재난] 한국중부발전(주) 신정철 선임 인터뷰 - 행정안전부 뿐 아니라 기상기후 연계조직 모두가 참여하는 협의체가 돼야](http://stdnews.kr/data/file/news/thumb-3555374516_iKWwUBas_9c1729f1e3977ee50c398986e7f98d5002a57deb_118x78.jpg "[특집-기상기후재난] 한국중부발전(주) 신정철 선임 인터뷰 - 행정안전부 뿐 아니라 기상기후 연계조직 모두가 참여하는 협의체가 돼야")
![[잘난척아는척TV] 평생 아무도 알려주지 않은 첫째 주 목요일은 언제일까?](http://stdnews.kr/data/file/news/thumb-2948726586_UkXaF364_18ad3c8e673eb23da0e5df66ebf7fd2a8317fdb4_190x190.jpg "[잘난척아는척TV] 평생 아무도 알려주지 않은 첫째 주 목요일은 언제일까?")
![[잘난척아는척TV] 평생 아무도 알려주지 않은 첫째 주 목요일은 언제일까?](http://stdnews.kr/data/file/news/thumb-2948726586_UkXaF364_18ad3c8e673eb23da0e5df66ebf7fd2a8317fdb4_90x60.jpg "[잘난척아는척TV] 평생 아무도 알려주지 않은 첫째 주 목요일은 언제일까?"){kind=small}
명칭(제호) | 표준뉴스 | 등록번호 : 서울 아 54185 | 등록일자 : 2022년 3월 16일 | 발행일자 : 2022년 1월 3일 | 전화번호 : 02-780-1057
발행인 : 오남성 | 편집인 : 권예지 | 주소 : 서울특별시 영등포구 63로 40 (여의도동 61-3) 라이프오피스텔 529호
Copyright©2021 표준뉴스 All Right Reserved
최종편집: 2023.11.29 07:23