in the identity space – co-creator of IdentityServer & IdentityModel OSS Project – certified OpenID Connect & OAuth 2.0 Engine for ASP.NET Core • Co-Founder of Duende Software – the new home of IdentityServer – https://duendesoftware.com blog https://blog.duendesoftware.com twitter @leastprivilege slides https://speakerdeck.com/duendesoftware
[Diagram: OAuth 2.0 roles and token flow. A client (server, browser or mobile application), acting on behalf of the resource owner (the user), (1) sends an authorize/token request to the authorization server, (2) receives an access token, and (3) accesses the resource using that access token.] • public vs confidential clients
"The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope. The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions." (RFC 6749, Section 3.3)
content is a private implementation detail between Authorization Server and Resource – client is simply a forwarder – client must not try to "consume" the token • JWT validation rules – signature must be valid and signature algorithm must be allowed – typ must be at+jwt – iss must be an expected value – current time must be before exp and after iat – scope must contain an expected value
"A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code." "The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource." (RFC 7235, Section 3.1)
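The validation rules and the 401/403 distinction above, as an added example (not code from the slides, nor from IdentityServer): a small resource-server check written in Python. The issuer https://as.example, the realm "api" and the shared secret are assumed values; HS256 with a shared secret is used only so the block runs offline with the standard library, whereas real access tokens are signed asymmetrically and verified against the authorization server's published JWKS.

```python
"""Added example: apply the JWT access-token validation rules and map the
outcome to 401 (no/invalid credentials) or 403 (valid token, wrong scope).
Issuer, realm and secret are constructed values for this example."""
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}                 # allow-list: "none" and anything else is rejected
EXPECTED_ISSUER = "https://as.example"   # assumed issuer of the authorization server
EXPECTED_TYP = "at+jwt"                  # header typ for JWT access tokens (RFC 9068)
SECRET = b"demo-shared-secret"           # constructed; real tokens use asymmetric keys


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, header_overrides: dict = None) -> str:
    """Play the authorization server: issue an HS256 JWT access token."""
    header = {"alg": "HS256", "typ": EXPECTED_TYP, **(header_overrides or {})}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class InvalidToken(Exception):
    """Token cannot be trusted at all -> 401."""


class InsufficientScope(Exception):
    """Token is valid but does not carry the required scope -> 403."""


def validate_access_token(token: str, required_scope: str, now: float = None) -> dict:
    """Apply the rules from the slide in order; returns the claims on success."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        signature = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    # 1. algorithm must be on the allow-list, decided before any crypto runs
    if header.get("alg") not in ALLOWED_ALGS:
        raise InvalidToken("signature algorithm not allowed")
    # 2. signature must verify over header.payload
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("invalid signature")
    # 3. typ must be at+jwt (an id_token or other JWT must not pass as an access token)
    if header.get("typ") != EXPECTED_TYP:
        raise InvalidToken("unexpected typ")
    # 4. issuer must be the expected one
    if claims.get("iss") != EXPECTED_ISSUER:
        raise InvalidToken("unexpected issuer")
    # 5. current time must be after iat and before exp
    iat, exp = claims.get("iat"), claims.get("exp")
    if not all(isinstance(v, (int, float)) for v in (iat, exp)) or not (iat <= now < exp):
        raise InvalidToken("token outside its validity window")
    # 6. scope: space-delimited, case-sensitive strings whose order does not matter
    granted = set(str(claims.get("scope", "")).split())
    if required_scope not in granted:
        raise InsufficientScope(required_scope)
    return claims


def authorize_request(headers: dict, required_scope: str, now: float = None):
    """Return (status, response headers) for a bearer-protected resource."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        # no usable credentials: 401 plus a challenge (RFC 7235 / RFC 6750)
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}
    try:
        validate_access_token(token.strip(), required_scope, now)
    except InsufficientScope:
        return 403, {"WWW-Authenticate": f'Bearer error="insufficient_scope", scope="{required_scope}"'}
    except InvalidToken as err:
        return 401, {"WWW-Authenticate": f'Bearer error="invalid_token", error_description="{err}"'}
    return 200, {}
```

The algorithm allow-list is consulted before any signature work, so an alg of "none" or an algorithm-confusion attempt fails early; scope is compared as a set of space-delimited strings, which is exactly the RFC 6749 Section 3.3 semantics quoted earlier. A token the resource cannot trust gets 401 with a challenge, a trustworthy token lacking the scope gets 403 with error="insufficient_scope" (RFC 6750).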
user – suitable for any type of interactive client application – allows for UI during protocol flow (login, consent, etc.) – dependent on browser • Support for refresh tokens for UX-friendly token management • Always used in conjunction with PKCE extension – https://tools.ietf.org/html/rfc7636
• Clients need to manage and renew their tokens if longer access is required – should not need to involve the user – UX friendly • A refresh token lets the client obtain new access tokens without user interaction and gives explicit control over session lifetime – similar to sliding expiration cookies
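The PKCE and refresh-token points above, as an added example (not code from the slides or from IdentityServer): client-side PKCE generation per RFC 7636 (S256), the verifier check the authorization server performs at the token endpoint, and a small token holder that renews the access token through its refresh token before expiry so the user is not involved. The endpoint URLs under https://as.example and the client id are assumed values; the token endpoint is passed in as a callable so the block runs offline.

```python
"""Added example: authorization code flow client pieces - PKCE (RFC 7636, S256)
and refresh-token based renewal. Endpoints and client id are assumed values."""
import base64
import hashlib
import secrets
import time
import urllib.parse

AUTHORIZE_ENDPOINT = "https://as.example/connect/authorize"  # assumed
TOKEN_ENDPOINT = "https://as.example/connect/token"          # assumed (documentation only here)


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, inside RFC 7636's 43..128 range."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, code_challenge: str) -> str:
    """Front-channel request; the verifier itself never leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does when the code is redeemed."""
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


class TokenHolder:
    """Keeps the current access/refresh token pair and renews it without the user."""

    def __init__(self, token_endpoint_call, client_id: str, skew: int = 30):
        self._call = token_endpoint_call   # callable(form: dict) -> token response dict
        self.client_id = client_id
        self.skew = skew                   # renew this many seconds before exp
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, resp: dict, now: float) -> None:
        self.access_token = resp["access_token"]
        self.expires_at = now + resp["expires_in"]
        # with rotating refresh tokens the AS returns a new one; keep the old one otherwise
        self.refresh_token = resp.get("refresh_token", self.refresh_token)

    def redeem_code(self, code: str, redirect_uri: str, code_verifier: str, now: float = None) -> None:
        now = time.time() if now is None else now
        self._store(self._call({
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": self.client_id,
            "code_verifier": code_verifier}), now)

    def get_access_token(self, now: float = None) -> str:
        now = time.time() if now is None else now
        if now >= self.expires_at - self.skew:
            if not self.refresh_token:
                raise RuntimeError("no refresh token; user must authenticate again")
            self._store(self._call({
                "grant_type": "refresh_token", "refresh_token": self.refresh_token,
                "client_id": self.client_id}), now)
        return self.access_token
```

Because the verifier is only revealed on the back channel together with the code, an attacker who intercepts the authorization code cannot redeem it; the holder renews a few seconds early so a request never goes out with a token that expires in transit, and only the refresh-token grant is used for renewal, never a new interactive login.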
for client to consume – "authentication response" aka id_token • Contains description of the "authentication event" – user id – authentication time – authentication method – additional user claims
OpenID Connect – https://openid.net/specs/openid-connect-core-1_0.html • Two is the magic number – https://leastprivilege.com/2019/09/09/two-is-the-magic-number/ • Securing SPAs using the BFF pattern – https://blog.duendesoftware.com/posts/20210326_bff/
– designed to allow 3rd party access – built with user interaction in mind • Authorization Server – knows all resources – knows all clients – provides protocol and UI endpoints – authenticates clients and users – issues tokens • OpenID Connect is an authentication protocol – layered on top of OAuth 2.0