
OAuth2, OIDC & JWT - Important Basics!


Niko Köbler

May 03, 2022


Transcript

  1. ABOUT ME: Niko Köbler | keycloak-experte.de | Keycloak IAM & SSO

    ▸ Independent Consultant/Architect/Developer/Trainer
    ▸ Doing stuff with & without Computers, Software, > 25 yrs
    ▸ "Mr. Keycloak" > 9 yrs (since 1.x)
    ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
    ▸ Author of „Serverless Computing in AWS Cloud“ (serverlessbuch.de)
    ▸ Web: www.n-k.de / Social: @dasniko
    ▸ YouTube: youtube.com/@dasniko
  2. OAuth 2.0: AUTHORIZATION, NOT AUTHENTICATION! (IETF, RFC 6749, 2012)

    The OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service.
  3. OAuth 2.0 Grant Types

    GRANT TYPE                            APPS
    Authorization Code (+PKCE!)           Web, Apps
    Implicit                              JavaScript, etc.
    Resource Owner Password Credentials   Apps
    Client Credentials                    Web
    Refresh                               Web, Apps
  4. PROOF KEY FOR CODE EXCHANGE (PKCE)

    Participants: User (Resource Owner), Application (Client), Identity Provider (Authorization Server)
    ‣ The Application generates a Code Verifier (e.g. ABC123) and derives the Code Challenge from it as a SHA256 hash (e0bebd22…)
    ‣ Login: HTTP Redirect to the Identity Provider with Code Challenge & Code Challenge Method
    ‣ HTTP Redirect back to the Application with Authorization Code
    ‣ HTTP POST from the Application with Authorization Code and Code Verifier
    ‣ Identity Provider: Code Challenge Comparison (recompute the hash of the verifier, compare with the stored challenge)
    ‣ HTTP Response with Access Token
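The PKCE exchange on this slide, written out as an added example (it is not code from the deck or from Keycloak). Both roles live in one file so the comparison step is visible: the client derives the S256 challenge, the authorization server stores it against the one-time code it issues, and the token request is only honoured when the presented verifier hashes to the stored challenge. The function names, the in-memory `PENDING_CODES` store and the token response dict are assumptions made for the example; the RFC 7636 test vector used in the usage note is the one from that RFC's appendix.

```python
import base64
import hashlib
import hmac
import secrets

# ---- Client (Application) side -------------------------------------------

def generate_code_verifier(num_bytes=32):
    """Random, URL-safe code verifier; 32 bytes give 43 characters,
    the minimum length RFC 7636 allows."""
    return secrets.token_urlsafe(num_bytes)

def code_challenge_s256(code_verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

# ---- Identity Provider (Authorization Server) side ------------------------

# Constructed stand-in for the server's store of issued authorization codes:
# code -> challenge that arrived with the login redirect.
PENDING_CODES = {}

def authorize(code_challenge, code_challenge_method):
    """The login redirect carrying code_challenge and code_challenge_method
    arrives; the server remembers the challenge and issues a one-time code."""
    if code_challenge_method != "S256":
        # OAuth 2.1 requires S256; refusing "plain" prevents a downgrade.
        raise ValueError("unsupported code_challenge_method")
    auth_code = secrets.token_urlsafe(24)
    PENDING_CODES[auth_code] = code_challenge
    return auth_code

def exchange_code(auth_code, code_verifier):
    """The POST with code and verifier: recompute the challenge and compare."""
    expected = PENDING_CODES.pop(auth_code, None)  # codes are single-use
    if expected is None:
        raise PermissionError("invalid_grant: unknown or already used code")
    actual = code_challenge_s256(code_verifier)
    if not hmac.compare_digest(expected, actual):
        raise PermissionError("invalid_grant: code_verifier does not match")
    # Constructed token response; a real server mints a signed token here.
    return {"access_token": "constructed-access-token",
            "token_type": "Bearer", "expires_in": 3600}

def run_flow():
    """Drive the exchange once and report each outcome as a string."""
    outcomes = {}
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)

    code = authorize(challenge, "S256")
    outcomes["legit"] = exchange_code(code, verifier)["token_type"]

    try:                                     # replaying the same code
        exchange_code(code, verifier)
        outcomes["replay"] = "accepted"
    except PermissionError:
        outcomes["replay"] = "rejected"

    code = authorize(challenge, "S256")      # code presented without the verifier
    try:
        exchange_code(code, "not-the-verifier")
        outcomes["wrong_verifier"] = "accepted"
    except PermissionError:
        outcomes["wrong_verifier"] = "rejected"
    return outcomes

if __name__ == "__main__":
    print(run_flow())
```

`code_challenge_s256("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")` yields `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`, the pair given in RFC 7636 Appendix B, which is a quick way to check any PKCE implementation. Two details matter on the server side: the code is removed from the store when it is exchanged, so it cannot be replayed, and the comparison uses `hmac.compare_digest` rather than `==`.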
  5. OAuth 2.1 (IETF, OAUTH 2.1 DRAFT)

    ‣ PKCE is required for all clients using the authz code flow
    ‣ Redirect URIs must be compared using exact string matching
    ‣ The Implicit grant is omitted from this specification
    ‣ The Resource Owner Password Credentials grant is omitted from this specification
  6. OPEN ID CONNECT: Authentication Layer on top of OAuth 2.0 (OpenID Foundation, 2014)

    ‣ verify the identity of an end-user
    ‣ obtain basic profile information about the user
    ‣ RESTful HTTP API, using JSON as data format
    ‣ allows clients of all types (web-based, mobile, JavaScript)
  7. SCOPES

    In OAuth2, scopes define which data a 3rd-party service may access, and what kind of access it gets. The scope values themselves are not defined by OAuth2.
  8. SCOPES

    In OIDC, scopes are defined: openid, profile, email, address, phone, offline_access. Scopes define which user-related data a client can obtain from the IdP.
  9. OIDC: OpenID Connect adds the IDentity Token

    {
      "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
      "token_type": "Bearer",
      "expires_in": 3600,
      "id_token": "???",
      "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0",
      "refresh_expires_in": 36000
    }
  10. JWT PAYLOAD

    {
      "jti": "b7f7b763-240c-4560-827b-d7635e4b2213",
      "sub": "c7bd0190-7fbd-42bd-8929-63f2a17473fb",
      "iss": "https://sso.myapi.com",
      "aud": "myApi",
      "exp": 1686767014,
      "iat": 1686763414,
      "nbf": 1686763414
    }

    RESERVED CLAIMS: jti, sub, iss, aud, exp, iat, nbf
  11. TOKEN RESPONSE

    {
      "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "token_type": "Bearer",
      "expires_in": 3600,
      "id_token": "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIn0...",
      "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "refresh_expires_in": 36000
    }
  12. AuthZ: PAP / PDP / PEP / PIP

    1. User request: View Record #123 (arrives at the PEP)
    2. PEP asks the PDP: Can user view record #123?
    3. PDP evaluates policies (the PAP manages the policies)
    4. PDP retrieves additional attributes from the PIP
    5. PDP answers: Permit, user can view record #123
    6. PEP forwards the request: View Record #123
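The reserved claims listed on slide 10 (jti, sub, iss, aud, exp, iat, nbf) are what a resource server has to check on every token it accepts, including the tokens in the response on slide 11. The following is an added example, not code from the deck or from any JWT library, that validates those claims against the slide's own payload. It assumes the signature of the token has already been verified by whatever library decoded it; `validate_claims`, `accept_once` and the `now` timestamps passed in the usage note are constructed for this example.

```python
import time

# Payload exactly as shown on slide 10 of the deck.
SAMPLE_PAYLOAD = {
    "jti": "b7f7b763-240c-4560-827b-d7635e4b2213",
    "sub": "c7bd0190-7fbd-42bd-8929-63f2a17473fb",
    "iss": "https://sso.myapi.com",
    "aud": "myApi",
    "exp": 1686767014,
    "iat": 1686763414,
    "nbf": 1686763414,
}

def _is_timestamp(value):
    # bool is a subclass of int in Python; "exp": true must not pass.
    return isinstance(value, int) and not isinstance(value, bool)

def validate_claims(payload, expected_iss, expected_aud, now=None, leeway=0):
    """Return the names of reserved claims that fail, in check order.
    An empty list means the claims are acceptable. Assumes the JWT
    signature was verified before the payload was handed in."""
    now = time.time() if now is None else now
    failed = []
    # iss: the token must come from the issuer this API trusts
    if payload.get("iss") != expected_iss:
        failed.append("iss")
    # aud: may be a single string or a list; this API must be named in it
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        failed.append("aud")
    # sub: the subject identifier must be a non-empty string
    sub = payload.get("sub")
    if not isinstance(sub, str) or not sub:
        failed.append("sub")
    # exp: reject once the current time is past expiry (plus clock leeway)
    exp = payload.get("exp")
    if not _is_timestamp(exp) or now > exp + leeway:
        failed.append("exp")
    # nbf: optional; if present the token is not valid before that time
    nbf = payload.get("nbf")
    if nbf is not None and (not _is_timestamp(nbf) or now < nbf - leeway):
        failed.append("nbf")
    # iat: an issued-at time in the future signals a bad clock or a forgery
    iat = payload.get("iat")
    if not _is_timestamp(iat) or now < iat - leeway:
        failed.append("iat")
    return failed

def accept_once(payload, seen_jti):
    """jti gives each token a unique id; remembering the ids already seen
    (until their exp has passed) lets a server refuse a replayed token."""
    jti = payload.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:
        return False
    seen_jti.add(jti)
    return True

if __name__ == "__main__":
    # now is chosen inside the slide's validity window (iat/nbf .. exp)
    print(validate_claims(SAMPLE_PAYLOAD, "https://sso.myapi.com", "myApi", now=1686765000))
```

With `now=1686765000` (inside the window the slide's `iat`, `nbf` and `exp` describe) the sample payload passes. One second after `exp` only `["exp"]` fails, and a `leeway` of a few seconds absorbs that clock skew; a `now` earlier than `nbf` reports `["nbf", "iat"]`; an `aud` of `"otherApi"` reports `["aud"]`, while an `aud` list that contains `"myApi"` passes. Checking `iss` and `aud` is as important as the time claims: a token that is perfectly valid for another API must not be accepted by this one.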