Single Sign-on & Authentication for Mobile, Web & Desktop Applications

Transcript

1. Authentifizierung und Single Sign-On für Mobile, Web & Desktop Anwendungen

2. Authentication scenarios for mobile Applications* The Microsoft Technology Stack** Corporate

   vs Customer facing Applications *WS-Federation, OpenID Connect, OAuth2 **AD, ADFS, AAD, ADAL, Katana Agenda

3. Classic Intranet Scenario VPN

4. None

5. Bridging the Gap – On Premise ADFS Web Application Proxy

6. Cloud sync AAD

7. Typical Application Scenarios Browser Native app Server app Web application

   Web API Web API Web API

8. Protocols Browser Native app Server app Web application Web API

   Web API Web API WS-Fed, SAML 2.0, OpenID Connect OAuth2 OAuth2 OAuth2 OAuth2 OAuth2 OAuth2

9. 1. Browser to Web Application Browser Web application WS-Fed, SAML

   2.0, OpenID Connect

10. Browser WebApp ADFS / AAD WebApp Service Principal •  App

    ID URI •  Reply Url 1. Navigate to site 2. Redirect to token service 3. Sign in 4. Send security token to Reply URL 5. Set session Web Browser to Web App: WS-Federation, SAML 2.0, OpenID Connect SAML, WS-Fed, or OpenID Connect Endpoint Katana

11. Authentication Middleware for ASP.NET WS-Federation OpenID Connect JSON Web Tokens

    Cookies Katana

12. OpenID Connect – Request GET /authorize ?client_id=app1 &scope=openid profile &redirect_uri=https://app.com/cb

    &response_type=id_token &response_mode=form_post

13. OpenID Connect – Response <form> <input type="hidden" name="id_token" value="xjsj…aas" />

    </form> POST /callback

14. JSON Web Tokens (JWT) {      "typ":  "JWT",  

       "alg":  "HS256"   }   {      "iss":  "https://login.windows.net",      "exp":  1340819380,      "aud":  "app1",            "sub":  "182jmm199",      "email":  "[email protected]",      "email_verified":  true,      "amr":  "password",      "auth_time":  12340819300   }   Header Claims eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt   Header Claims Signature

15. 2. Native Client to Web API Native app Web API

    OAuth 2.0

16. WebAPI ADFS / AAD 1. Request Authorization Code Native Client

    to Web API: OAuth 2.0 auth code grant, public client NativeApp NativeApp SP •  Client ID •  Redirect URI Authorize Endpoint Token Endpoint ADAL 2. Sign in 3. Return Authorization Code to Redirect URI User sees web pop up … Katana WebAPI SP •  App ID URI

17.   GET  https://login/adfs/oauth2/authorize   ?response_type=code   &resource=https://myservice   &client_id=fb715b0e-­‐3ca9-­‐45b8-­‐9928-­‐2329a776b42d  

    &redirect_uri=http://myclient/      <<  Stuff  happens  here  to  sign  the  user  in...  >>     302  Found  http://myclient/   ?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ-­‐_cqhsBff…   Authorization Code Request/Response

18. Web-based Name/Password 2FA Kerberos (ADFS) Client Certificates (ADFS) Authentication Methods

19. NativeApp 4. Redeem Authorization Code Native Client to Web API:

    OAuth 2.0 auth code grant, public client Authorize Endpoint Token Endpoint ADAL 5. Return Access Token, Refresh Token 6. Send Access Token on Authorization Header WebAPI Katana ADFS / AAD NativeApp SP •  Client ID •  Redirect URI WebAPI SP •  App ID URI

20. POST  https://login/adfs/oauth2/token   grant_type=authorization_code   &code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ_cqhsBffHFnGbeQHcm…   &client_id=fb715b0e-­‐3ca9-­‐45b8-­‐9928-­‐2329a776b42d   &redirect_uri=http://myclient/

      &resource=https://myservice       200  OK   {"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5…",   "token_type":"Bearer",   "expires_in":"3599",   "refresh_token":"AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMqzyrQrqeeZzKzwN…",   Token Request/Response

21. {      "typ":  "JWT",  "alg":  "RS256",  "x5t":  "NGTFvdK-­‐fythEuLwjpwAJOM9n-­‐A”  

    }.   {    "aud":  "http://myService",    "iss":  "https://sts.windows.net/81aabdd2-­‐3682-­‐48fd-­‐9efa-­‐2cb2fcea8557/",    "iat":  1396468289,  "nbf":  1396468289,  "exp":  1396472189,  "ver":  "1.0",    "tid":  "81aabdd2-­‐3682-­‐48fd-­‐9efa-­‐2cb2fcea8557",    "oid":  "b3809430-­‐6c28-­‐4e43-­‐870d-­‐fa7d38636dcd",    "upn":  "[email protected]",    "sub":  "vl4OHydFcvAhqoncJsINb8E6KaAEzJH2D5iKKnZZy-­‐A",    "family_name":  "Baier",    "given_name":  "Dominick",    "appid":  "fb715b0e-­‐3ca9-­‐45b8-­‐9928-­‐2329a776b42d",   }   Example AAD JWT Access Token (shortened) http://jwt.io/

22. Active Directory Authentication Library Open Source Client Library for Desktop

    .NET Windows RT Windows Phone iOS/Android Native iOS/Android Xamarin ADAL https://github.com/AzureAD

23. ADAL supports token caching (extensible) Token renewal via existing logon

    session Refresh tokens Token Lifetime Management

24. Native Client to Web API: Refresh Tokens NativeApp Authorize Endpoint

    Token Endpoint ADAL 2. Access Token has Expired 3. Request new Access Token with Refresh Token 4. Return Access Token, Refresh Token 5. Call web API with Access Token in AuthZ Header 1. Call WebAPI (Access Token in AuthZ Header) WebAPI Katana ADFS / AAD NativeApp SP •  Client ID •  Redirect URI WebAPI SP •  App ID URI

25. Brand new ADAL.js library (preview) familiar programming interface, AngularJS support..

    Support for OAuth2 “Implicit Flow” simplified flow – no server back-end required currently AAD only What about SPAs? http://www.cloudidentity.com/blog/2014/10/28/adal-javascript-and-angularjs-deep-dive/

26. 3. Web Application to Web API Browser Web application Web

    API

27. Web App calls Web API using own identity Trusted Subsystem

    design OAuth2 client credential flow or code flow Web App calls Web API using user identity OpenID Connect and/or OAuth2 code flow Options

28. WebAPI Web App to Web API: OAuth 2.0 client credentials

    1. Signed in, using the web app… Browser WebApp 2. Request token (Client ID, Credential, App ID URI) 3. Return access token 4. Call web API with Access Token in AuthZ Header *The application’s credential can be a password, or it can be an assertion (a JWT token) signed with private key. AAD NativeApp SP •  Client ID •  Credential WebAPI SP •  App ID URI Authorize Endpoint Token Endpoint Katana ADAL Katana

29. WebAPI Web App to Web API: Delegation with OpenID Connect

    Browser WebApp 1. Navigate to site 2. Redirect to sign in and request auth code (Client ID, Redirect URI) 3. Sign in 4. Return ID Token and Auth Code to Redirect URI 6. Set session Authorize Endpoint Token Endpoint Might require user consent AAD NativeApp SP •  Client ID •  Credential WebAPI SP •  App ID URI Katana ADAL Katana

30. Web App to Web API: Delegation with OpenID Connect Browser

    WebApp WIF OWIN 7. Request access token 8. Return access token, refresh token 9. Call web API with Access Token in AuthZ Header Authorize Endpoint Token Endpoint ADAL WebAPI WebApp Katana ADAL Katana AAD NativeApp SP •  Client ID •  Credential WebAPI SP •  App ID URI

31. AD traditionally geared towards corporate identities ADFS & AAD are

    protocol / infrastructure extensions What about customer identities & applications? Where to store identities? What about social logins? B2B vs B2C

32. B2B & B2C Hybrid Architecture ADFS Customer Accounts AAD Thinktecture

    IdentityServer https://github.com/thinktecture/Thinktecture.IdentityServer.v3

33. ADFS (2012R2) Azure AD IdentityServer v3 Type Domain joined SaaS

    Standalone WS-Federation yes yes yes WS-Trust yes no no OAuth2 Code Flow yes yes yes Resource Owner Flow no yes yes Implicit Flow no yes yes Client Credentials Flow no yes yes Social Logins no no yes OpenID Connect no yes yes Saml2p yes yes no Price Model Part of Windows Server Freemium Free (OSS) http://blogs.technet.com/b/ad/archive/2014/09/15/azure-active-directory-basic-is-now-ga.aspx Feature Matrix (non exhaustive)

34. © 2014 Microsoft Corporation. All rights reserved. Because Microsoft must

    respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Vielen Dank [email protected] http://leastprivilege.com @leastprivilege