OAuth2, OIDC & JWT - Important Basics!

Transcript

1. OAUTH2, OIDC & JWT

2. ABOUT ME ▸ Independent Consultant/Architect/Developer/Trainer ▸ Doing stuff with &

   without Computers, Software, > 25 yrs ▸ "Mr. Keycloak" since 2015 (v1.x) ▸ Organizer of Keycloak DevDay Conf (keycloak-day.dev) ▸ Co-Lead of JUG DA (www.jug-da.de / @JUG_DA) ▸ Author of „Serverless Computing in AWS Cloud“ ▸ Web: www.n-k.de / Social: @dasniko YouTube: youtube.com/@dasniko

3. OAuth 2.0 OIDC JWT

4. Aaron Parecki, Okta, @aaronpk, 2020

5. AUTHORIZATION AUTHENTICATION

6. None

7. Authorization Code Grant

8. TOKEN RESPONSE { "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907", "token_type": "Bearer", "expires_in": 3600, "refresh_token":

   "e339b569-6d95-482d-9534-5c0147136ab0", "refresh_expires_in": 36000 }

9. OAuth2 w/ Pseudo Authentication

10. OAuth 2.0 AUTHORIZATION, NOT AUTHENTICATION! IETF, RFC 6749, 2012 The

    OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service.

11. OAuth 2.0 Grant Types GRANT TYPE APPS Authorization Code (+PKCE!)

    Web, Apps Implicit JavaScript, etc. Resource Owner Password Credentials Apps Client Credentials Web Refresh Web, Apps

12. Implicit Grant

13. Resource Owner Password Credentials Grant

14. OAuth 2.0 Grant Types GRANT TYPE APPS Authorization Code (+PKCE!)

    Web, Apps Implicit JavaScript, etc. Resource Owner Password Credentials Apps Client Credentials Web Refresh Web, Apps

15. User (Resource Owner) Code Verifier ABC123 Client (Application) Login Code

    Challenge e0bebd22… SHA256 Hash Identity Provider (Authorization Server) HTTP Redirect with Code Challenge & Code Challenge Method Client (Application) Login HTTP Redirect with Authorization Code HTTP Response with Access Token HTTP POST with Authorization Code and Code Verifier Code Challenge Comparison PROOF KEY FOR CODE EXCHANGE PKCE
16. None

17. OAuth 2.1 IETF, OAUTH 2.1 DRAFT ‣ PKCE is required

    for all clients using the authz code flow ‣ Redirect URIs must be compared using exact string matching ‣ The Implicit grant is omitted from this specification ‣ The Resource Owner Password Credentials grant is omitted from this specification

18. TOKEN RESPONSE { "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907", "token_type": "Bearer", "expires_in": 3600, "refresh_token":

    "e339b569-6d95-482d-9534-5c0147136ab0", "refresh_expires_in": 36000 }

19. OPEN ID CONNECT Authentication Layer on top of OAuth 2.0

    ‣ verify the identity of an end-user ‣ obtain basic profile information about the user ‣ RESTful HTTP API, using JSON as data format ‣ allows clients of all types (web-based, mobile, JavaScript) OpenID Foundation, 2014

20. SCOPES In OAuth2, scopes define on which data a 3rd

    party service has which access to. Scope values are not defined.

21. SCOPES In OIDC scopes are defined: openid, profile, email, address,

    phone, offline_access Scopes define which user-related data a client can obtain from the IdP

22. SCOPE: OPENID Authorization Server becomes Identity Provider

23. OIDC { "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907", "token_type": "Bearer", "expires_in": 3600, "id_token": "???",

    "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0", "refresh_expires_in": 36000 } OpenID Connect adds the IDentity Token

24. JWT JSON Web Token IETF, RFC 7519 Standard, 2015

25. JWT eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImQyMD M2MGU4LTgyOTUtNDlhNy1iOGQzLTMxOWU3MWI2OD k4MiJ9.eyJqdGkiOiJhYzMwYWM3Ni00NTQ5LTRiMWMtO TQwYi1hMGNjNjU1NTNkM2YiLCJpc3MiOiJodHRwOi8va2 V5Y2xvYWsuZGUiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmF tZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.H6T 2YmhH-7nsp3zUu9XE7Cs-62J6D38KsXcIO6ZmxDikJ… Base64 encoded

26. JSON Web Token

27. JWT PAYLOAD { "jti": "b7f7b763-240c-4560-827b-d7635e4b2213", "sub": "c7bd0190-7fbd-42bd-8929-63f2a17473fb", "iss": "https://sso.myapi.com", "aud":

    "myApi", "exp": 1686767014, "iat": 1686763414, "nbf": 1686763414 } RESERVED CLAIMS: jti, sub, iss, aud, exp, iat, nbf

28. OpenID Connect Standard Claims http://openid.net/specs/openid-connect-core-1_0.html

29. TOKEN RESPONSE { "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907", "token_type": "Bearer", "expires_in": 3600, "id_token":

    "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIn0...", "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0", "refresh_expires_in": 36000 }

30. TOKEN RESPONSE { "access_token": "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIn0...", "token_type": "Bearer", "expires_in": 3600, "id_token":

    "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIn0...", "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "refresh_expires_in": 36000 }

31. OIDC OpenID Connect adds the USERINFO Endpoint

32. None

33. THANK YOU. ANY QUESTIONS? More info / slides: https://linktr.ee/dasniko NIKO

    KÖBLER | www.n-k.de | [email protected] | @dasniko OAUTH2, OIDC & JWT

34. BACKUP

35. PEP 1. View Record #123 6. View Record #123 PDP

    2. Can user view record #123? 3. Evaluate Policies PAP Manage Policies PIP 4. Retrieve additional attributes 5. Permit, user can view record #123 AuthZ: PAP / PDP / PEP / PIP