Identity & Access Control: Present & Future

NDC Security 2018

Dominick Baier

January 24, 2018

Transcript

  1. Me
     • Independent Consultant
       – Specializing in Application Security Architectures
       – Working with Software Development Teams (ISVs and in-house)
     • Creator and Maintainer of IdentityServer OSS Project
       – Certified OpenID Connect & OAuth 2.0 Implementation for .NET
       – https://identityserver.io
     email [email protected]
     blog http://leastprivilege.com
     twitter @leastprivilege
     slides https://speakerdeck.com/leastprivilege
  2. IETF
     • Done
       – RFC6749: The OAuth 2.0 Authorization Framework
       – RFC6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
       – RFC6819: OAuth 2.0 Threat Model and Security Considerations
       – RFC7009: OAuth 2.0 Token Revocation
       – RFC7519: JSON Web Tokens (JWT)
       – RFC7521: Assertion Framework for Client Authentication and Authorization Grants
         • RFC7522: SAML Profile
         • RFC7523: JWT Profile
       – RFC7591: OAuth 2.0 Dynamic Client Registration Protocol
       – RFC7592: OAuth 2.0 Dynamic Client Registration Management Protocol
       – RFC7636: Proof Key for Code Exchange by OAuth Public Clients
       – RFC7662: OAuth 2.0 Token Introspection
       – RFC7800: Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
       – RFC8176: Authentication Method Reference Values
       – RFC8252: OAuth 2.0 for Native Apps
     • Processing
       – OAuth 2.0 Device Flow for Browserless and Input Constrained Devices
       – OAuth 2.0 Authorization Server Metadata
       – JWT Secured Authorization Request
       – OAuth 2.0 Token Exchange
     • Active
       – JSON Web Token Best Current Practices
       – OAuth Security Topics
       – Mutual TLS Profile for OAuth 2.0
       – OAuth 2.0 Token Binding
     • Recently expired
       – OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution
  3. OpenID Foundation
     • OpenID Connect
       – Core
       – Discovery
       – Dynamic Registration
       – Session Management
         • Front-Channel Logout
         • Back-Channel Logout
       – Federation
     • Other Working Groups
       – Enhanced Authentication Profiles (EAP)
       – Financial APIs (FAPI)
       – Mobile Operator Discovery, Registration & autheNticAtion (MODRNA)
       – Health Relationship Trust (HEART)
       – International Government Assurance (iGov)
       – more…
  4. Blogs
     • Mike Jones – http://self-issued.info/
     • John Bradley – http://www.thread-safe.com/
     • Nat Sakimura – https://nat.sakimura.org/
  5. Timeline (figure: specifications placed on an axis running 2005, 2007, 2009, 2012, 2014, 2015, 2017, Soon, Future; SAML 2.0 marks the 2005 start)
     Specs shown: SAML 2.0, WS-Federation 1.2, OAuth 1.0, OAuth 1.0a, OAuth 2.0, OAuth 2.0 Bearer Tokens, JSON Web Token (JWT), OAuth 2.0 Assertion Framework, OAuth 2.0 JSON Web Token (JWT) Profile, OAuth 2.0 SAML 2.0 Profile, OAuth 2.0 Dynamic Client Registration, OAuth 2.0 Token Introspection, OAuth 2.0 PKCE, OpenID Connect Core, OpenID Connect Discovery, OpenID Connect Dynamic Registration, OpenID Connect Session Management, OpenID Connect Front-Channel Notifications, OpenID Connect Back-Channel Notifications, Authentication Method Reference Values, OAuth 2.0 for Native Apps, OAuth 2.0 Discovery, OAuth 2.0 Device Flow, OAuth 2.0 Token Exchange, OAuth 2.0 Mutual TLS, OAuth 2.0 Token Binding, OpenID Connect Token Binding, OpenID Connect Federation
  6. How it all began: Web-based SSO (diagram)
     Participants: User, Client (Service Provider or Relying Party), Security Token Service (Identity Provider), Service (or API) reached by the client as a Trusted Subsystem
     1: Authentication Request (client → security token service)
     2: Callback w/ token (security token service → client)
  7. 3rd Parties / Identity Delegation (diagram)
     Participants: User, Client, Security Token Service (Identity Provider), 3rd Party Service; a Trust Boundary separates the 3rd party service from the client and its security token service
  8. OAuth (diagram)
     Participants: User, Client, Authorization Server (Identity Provider), Service
     1: authorize request
     2: callback w/ code
     3: exchange code with access token
     4: use token
  9. OAuth 2
     • Simplification
       – bearer tokens
     • Support for public clients
       – client secret optional
       – implicit grant type specifically made for JavaScript
       – client credentials grant for server-to-server communication
       – password grant type for legacy applications
     (The OAuth Security Topics work listed under "Active" has since moved browser-based apps to the authorization code grant with PKCE instead of implicit, and advises against the password grant.)
 10. The token problem (Part 1)
     • OAuth 2.0 did not define a token format
       – many homegrown (and thus incompatible) implementations
     • Token introspection
       – turn opaque tokens into claims
     • Token revocation
       – get rid of tokens
 11. JSON Web Tokens (JWT)
     • Family of RFCs dealing with structure, signatures, encryption, key material…
     Header:
       { "typ": "JWT", "alg": "RS256", "kid": "1" }
     Payload (exp is a NumericDate, i.e. a number, not a string):
       { "iss": "http://myIssuer", "exp": 1340819380, "aud": "http://myResource", "client_id": "client1", "user_id": "bob" }
     Serialized as Header.Payload.Signature, three base64url segments joined by dots (the slide's sample string is truncated):
       eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
     Note that the first segment of that sample decodes to {"alg":"none"}, an unsigned token; a validator must pin the algorithm it expects rather than trust the header.
 12. Key OpenID Connect Features
     • Identity tokens
       – signed protocol response
       – authentication metadata
       – helps mitigate various attacks
     • Discovery (metadata)
     • Multiple response types
       – allows requesting identity and access tokens in a single protocol interaction
     • Session management
     • Interop – https://openid.net/certification/
 13. Identity Token
     Header:
       { "typ": "JWT", "alg": "RS256", "kid": "mj399j…" }
     Payload:
       { "iss": "https://issuer", "exp": 1340819380, "iat": 1340818761, "aud": "app1", "nonce": "j1y…a23", "amr": [ "pwd" ], "auth_time": 12340819300, "sub": "182jmm199", "name": "Alice" }
     Serialized as Header.Payload.Signature (the slide's sample string is truncated):
       eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
 14. Authentication and API Access
       GET /authorize
         ?client_id=app1
         &redirect_uri=https://app.com/callback
         &response_type=id_token token
         &nonce=j1y…a23
         &scope=openid email api1 api2
 15. Session Management
     • Logout is hard – thus three specs
       – JavaScript-based sessions
       – Front-channel notifications
       – Back-channel notifications
     • A full logout means
       – logout from local client
       – logout from identity provider
       – logout from potential upstream identity provider
       – notify all other clients in same session
 16. Front-Channel Notifications
     Client: GET /end_session at the identity provider; the provider's logout page then loads one hidden iframe per client that shares the session:
       <iframe style="visibility:hidden" src="https://client1/signout?sid=123"></iframe>
       <iframe style="visibility:hidden" src="https://client2/signout?sid=123"></iframe>
       <iframe style="visibility:hidden" src="https://client3/signout?sid=123"></iframe>
       <a href="https://client1">return</a>
 17. Back-Channel Notifications
     Client: GET /end_session at the identity provider; the provider then POSTs a signed logout token directly to each client's back-channel endpoint:
       { "iss": "https://demo.identityserver.io", "sub": "248289761001", "aud": "client1", "iat": 1471566154, "jti": "bWJq", "sid": "8u09jejd099", "events": { "http://schemas.openid.net/event/backchannel-logout": {} } }
 18. The Public Client Problem
     • JavaScript applications
       – no place to hide secrets
       – Content Security Policy (CSP) improves the situation
     • Native Mobile/Desktop Clients
       – slightly better due to access to native APIs
       – targeted attacks in the past
     • OAuth 2.0 (and OpenID Connect) for native apps
       – https://tools.ietf.org/search/rfc8252
 19. Proof Key for Code Exchange (PKCE)
       GET /authorize
         ?client_id=nativeapp
         &scope=openid profile api1 api2 offline_access
         &redirect_uri=com.mycompany.nativeapp://cb
         &response_type=code id_token
         &nonce=j1y…a23
         &code_challenge=x929..1921
         &code_challenge_method=S256
     nonce = high-entropy random value
     code_verifier = high-entropy random string (43 to 128 unreserved characters)
     code_challenge = base64url(SHA-256(code_verifier))
     The authorization server stores the challenge with the code it issues and releases tokens only to the party that later presents the matching code_verifier, so an intercepted code alone is worthless. If code_challenge_method is omitted the server assumes "plain", where the challenge is the verifier itself and gives no protection.
     https://tools.ietf.org/html/rfc7636
 20. Requesting the access token
     • Exchange code for access token
       – using client id and code verifier
     Request: code & code verifier (client_id)
     Response:
       { "access_token": "xyz…123", "refresh_token": "dxy…103", "expires_in": 3600, "token_type": "Bearer" }
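Both halves of the PKCE exchange from the two slides above, as an added example (not the deck's or IdentityServer's code): the native client derives the challenge, and an in-memory authorization server (an assumption, with the minimum of state) binds the code to it and checks the verifier at the token endpoint. It also shows the two failure modes a practitioner cares about: a code redeemed with the wrong verifier, and a code redeemed twice.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random bytes give 43 unreserved characters, the RFC 7636 minimum length.
    return secrets.token_urlsafe(32)


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = base64url(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal in-memory authorization server (assumption) showing only the PKCE checks."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "plain") -> str:
        # RFC 7636 defaults to "plain" when the method is omitted. Refuse it: a plain
        # challenge is the verifier itself, so an interceptor of the request learns both.
        if code_challenge_method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        entry = self._codes.pop(code, None)   # a code is single-use, whatever the outcome
        if entry is None:
            raise ValueError("invalid or already redeemed code")
        stored_client, stored_redirect, stored_challenge = entry
        if stored_client != client_id or stored_redirect != redirect_uri:
            raise ValueError("code was not issued to this client/redirect_uri")
        if not 43 <= len(code_verifier) <= 128:
            raise ValueError("code_verifier length out of range")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), stored_challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),
                "expires_in": 3600, "token_type": "Bearer"}


def native_app_flow(server: AuthorizationServer) -> dict:
    """Client side from the slides: challenge in the authorize request, verifier at /token."""
    verifier = new_code_verifier()
    code = server.authorize("nativeapp", "com.mycompany.nativeapp://cb",
                            code_challenge_s256(verifier), "S256")
    # The code comes back on the custom-scheme redirect_uri; another app registered for
    # that scheme could capture it but cannot produce the verifier.
    return server.token(code, "nativeapp", "com.mycompany.nativeapp://cb", verifier)


if __name__ == "__main__":
    print(native_app_flow(AuthorizationServer()))
```

`code_challenge_s256` can be checked against the test vector in RFC 7636 Appendix B: the verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk must yield E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.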
 21. General Approach (proof of possession)
     1) client generates pub/priv key pair
     2) sends public key to STS during token request
     3) STS embeds pub key in access token
     4) client uses private key to sign HTTP request
     5) API validates access token
     6) extracts proof key & validates the HTTP signature
     (diagram labels: pub key; token incl. pub key; token incl. pub key + signature)
 22. Current Opinion
     • Standardization of cnf (confirmation) claim
       { "cnf": { "jwk": { …JSON Web Key… } } }
       (RFC 7800: the cnf value is an object; a public proof key goes in its jwk member, other members carry other confirmation methods)
     • Specialized scenarios
       – Mutual TLS Profile for OAuth 2.0
     • Consumer scenarios
       – HTTPS Token Binding for OAuth 2 and OpenID Connect
 23. Example: Mutual TLS
       { "iss": "https://issuer", "exp": 1340819380, "nbf": 1340818761, "sub": "182jmm199", "cnf": { "x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2" } }
     (x5t#S256 is the base64url-encoded SHA-256 thumbprint of the DER-encoded client certificate)
 24. Using Token Binding for PoP
     • OpenID Connect Token Bound Authentication
       – https://openid.net/specs/openid-connect-token-bound-authentication-1_0.html
     • OAuth 2.0 Token Binding
       – https://tools.ietf.org/wg/oauth/draft-ietf-oauth-token-binding/
     (Caveat: browser support for Token Binding was withdrawn later in 2018 and the OAuth draft expired; of the two proof-of-possession mechanisms on these slides, Mutual TLS is the one that went on to become an RFC.)
 25. Example: Request to Client
       GET / HTTP/1.1
       Host: client.example.io
       Sec-Token-Binding: AIkAAgBBQKzyIrmcYKTZfFJv …1_610h0h-IX-
 26. Example: Redirect to OpenID Connect Provider
       HTTP/1.1 302
       Location: https://idp.example.io/authorize?....
       Include-Referred-Token-Binding-ID: true
 27. Example: Authentication Request
       GET /authorize
       Host: idp.example.com
       Sec-Token-Binding: ARIAAgBBQC…fsI1D1sTq5mvT_2H_dihNIvu
       Referred-Sec-Token-Binding: ARIAAgBBQC…fsI1D1sTq5mvNIvu
 28. Example: Authentication Response
       { "iss": "https://issuer", "exp": 1340819380, "nbf": 1340818761, "sub": "182jmm199", "cnf": { "tbh": "ARIAAgBBQC…fsI1D1sTq5mvNIvu" } }
     (tbh is the base64url-encoded SHA-256 hash of the Token Binding ID the client presented)
 29. Multi-Hop Delegation (API 1 → API 2)
     Token presented to API 1:
       { "client_id": "front_end", "sub": "123", "scope": [ "api1" ] }
     Token API 1 obtains for calling API 2 (the slide labels the delegation claim "actor"; the Token Exchange draft names it "act"):
       { "client_id": "front_end", "sub": "123", "scope": [ "api2" ], "act": { "client_id": "api1" } }
     https://tools.ietf.org/wg/oauth/draft-ietf-oauth-token-exchange/
     Request:
       POST /token
       grant_type=urn:ietf:params:oauth:grant-type:token-exchange
       &scope=api2
       &subject_token=accVkjcJy…qceLTC
       &subject_token_type=urn:ietf:params:oauth:token-type:access_token
     Response:
       { "access_token": "eyJhbG…z0yC7hlSQ", "issued_token_type": "urn:ietf:params:oauth:token-type:access_token", "token_type": "Bearer", "expires_in": 60 }
 30. What's going on with OpenID Connect?
     • Some important working groups (IMO)
       – Enhanced Authentication
       – Financial APIs
       – Federation
     • Some OIDC features back-ported to OAuth 2.0
       – JWT secured authorization requests
       – discovery
       – client management
 31. IoT
     • Concise Binary Object Representation (CBOR)
       – https://tools.ietf.org/html/rfc7049
       – http://cbor.io/
     • CBOR Object Signing and Encryption (COSE)
       – https://tools.ietf.org/html/rfc8152
     • CBOR Web Token (CWT)
       – https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-10 (published as RFC 8392 later in 2018)
 32. Summary
     • Easier than WS-*?
       – well, at least it's not XML
       – no easy solutions for hard problems
     • Pick the features you need
       – if you require interop, a (final) spec would be good
     • Good coverage of base specs in standard libraries/products
       – OpenID Connect only spec so far with conformance tests