
Unifying Authentication & delegated API Access with OpenID Connect & OAuth2

from NDC London 2014

Dominick Baier

December 04, 2014
Transcript

  1. Unifying Authentication and delegated API Access – OpenID Connect & OAuth2
     Dominick Baier
     http://leastprivilege.com
     @leastprivilege
     think mobile!
  2. (slide 2) Dominick Baier
     • Security consultant at thinktecture
     • Focus on
       – security in distributed applications
       – identity management
       – access control
       – Windows/.NET security
       – mobile app security
     • Microsoft MVP for Developer Security
     • ASP.NET Web API Advisor
     • [email protected]
     • http://leastprivilege.com
  3. (slide 3) Typical Application Scenarios
     (diagram: Browser, Native App, Server App and Web App clients; three Web APIs; a Security Token Service)
  4. (slide 4) Security Protocols
     (diagram: the same clients, Web APIs and Security Token Service as slide 3, with the protocols between them labelled WS-Fed, SAML 2.0, OAuth2 (six times) and two question marks)
  5. (slide 5) What's wrong with SAML (& WS-Federation)
     Craig Burton (#CIS2012):
     "SAML is the Windows XP of Identity."
     "No funding. No innovation. People still use it. But it has no future.
     SAML is dead != SAML is bad.
     SAML is dead != SAML isn't useful.
     SAML is dead means SAML != the future."
  6. (slide 8) • Authentication protocol on top of OAuth2
       – defines identity tokens
       – defines standard token type
       – defines standard cryptography
       – defines validation procedures
       – combines authentication with short/long-lived delegated API access
       – defines flows for native, browser and server-based applications
     "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol."
  7. (slide 12) Excursion: Endpoints
     • Authorize Endpoint
     • Token Endpoint
     • UserInfo Endpoint
  8. (slide 13) Flows
     • Implicit Flow
       – native/browser/web applications
       – no explicit client authentication
     • Authorization Code Flow
       – server-based applications
       – client authentication
     • Hybrid Flow
       – combines properties of the two above
       – "shortcuts" for certain scenarios
       – applications with client and server parts
  9. (slide 14) Implicit Flow – Web Applications
     GET /authorize
       ?client_id=app1
       &redirect_uri=https://app.com/cb
       &response_type=id_token
       &response_mode=form_post
       &scope=openid email
 10. (slide 16) Excursion: Scopes
     Scope           Claims
     profile         name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at
     email           email, email_verified
     address         address
     phone           phone_number, phone_number_verified
     offline_access  requests a refresh token
 11. (slide 18) Response
     POST /callback
     <form>
       <input type="hidden" name="id_token" value="xjsj…aas" />
     </form>
 12. (slide 19) Excursion: Identity Token
     Header:
     {
       "typ": "JWT",
       "alg": "RS256",
       "x5t": "mj399j…"
     }
     Claims:
     {
       "iss": "https://idsrv3",
       "exp": 1340819380,
       "aud": "app1",
       "sub": "182jmm199",
       "email": "[email protected]",
       "email_verified": true,
       "amr": "password",
       "auth_time": 12340819300
     }
     Compact serialization (Header.Claims.Signature):
     eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
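Added example, not from the deck: a relying party checking an identity token of the shape shown on slide 19 the way the validation procedures mentioned on slide 8 require (signature, iss, aud, exp, nonce). It signs with HS256 and a shared key so it runs with the standard library only; the deck's token uses RS256, which needs an RSA library. The key, claims and nonce are constructed; the nonce is assumed to be the value the client generated for its /authorize request, which the deck's requests do not show.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, key: bytes) -> str:
    """Constructed issuer side: HS256 with a shared key so the example is self-contained
    (the deck's token is RS256)."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: int) -> dict:
    """Relying-party side: raise ValueError unless signature, iss, aud, exp and nonce all hold."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; never let the token's own header choose it ("alg": "none" must fail).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("token was not issued for this client_id")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token has expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this login request")
    return claims
```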
 13. (slide 21) Katana Middleware for OpenID Connect
     // OpenID Connect middleware: implicit flow, signs the user in through the cookie middleware below
     app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
     {
         Authority = "https://identity.thinktecture.com",
         Client_Id = "myapp",
         Redirect_Uri = "https://myapp.com",
         Response_Type = "id_token",
         Scope = "openid email",
         SignInAsAuthenticationType = "Cookies"
     });

     // Cookie middleware that holds the resulting session
     app.UseCookieAuthentication(new CookieAuthenticationOptions
     {
         AuthenticationType = "Cookies"
     });
 14. (slide 22) Implicit Flow for Client-side Applications
     GET /authorize
       ?client_id=app1
       &scope=openid email
       &redirect_uri=oob://app1/cb
       &response_type=id_token
 15. (slide 23) Response
     GET /cb
       #id_token=x12f…zsz
 16. (slide 25) Calling an API using Client Identity
     POST /token
       grant_type=client_credentials
       scope=api1
       client_id=client
       client_secret=secret

     Authorization: Bearer <token>
 17. (slide 26) Calling an API using User Identity
     GET /authorize
       ?client_id=app1
       &scope=openid email api1
       &redirect_uri=oob://app1/cb
       &response_type=id_token token
 18. (slide 27) Response
     GET /cb
       #id_token=x12f…zsz
       &token=32x…133
       &expires_in=3600
       &token_type=bearer
 19. (slide 29) Authorization Codes: Long-lived API Access
     GET /authorize
       ?client_id=app1
       &scope=openid email api1 api2 offline_access
       &redirect_uri=https://app.com/callback
       &response_type=code
 20. (slide 31) Back-channel Communication
     code (client_id:client_secret)  →
     {
       access_token: "xyz…123",
       refresh_token: "dxy…103",
       expires_in: 3600,
       token_type: bearer
     }
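Added example, not from the deck or from IdentityServer: a minimal authorization server that covers the request on slide 29 and the back-channel exchange on slide 31, showing the checks the STS has to make before it returns the JSON above: client authentication with client_id:client_secret, redirect_uri match, single-use codes, and a refresh token only when offline_access was granted. The client registration, secret and sub value are constructed.

```python
import base64
import secrets

# Constructed client registration, standing in for the STS's client database.
CLIENTS = {"app1": {"secret": "secret", "redirect_uris": {"https://app.com/callback"}}}

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """What the client sends on the back channel: Authorization: Basic base64(id:secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

class AuthorizationServer:
    """Minimal STS: issues codes on the front channel, redeems them on the back channel."""

    def __init__(self):
        self.codes = {}  # code -> the request it was issued for

    def authorize(self, client_id: str, redirect_uri: str, scope: str, sub: str) -> str:
        """After the user has authenticated: bind a one-time code to client, redirect_uri and scope."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": set(scope.split()), "sub": sub}
        return code

    def token(self, authorization: str, form: dict) -> dict:
        """POST /token: authenticate the client, then redeem the code exactly once."""
        scheme, _, encoded = authorization.partition(" ")
        if scheme != "Basic":
            raise PermissionError("invalid_client")
        client_id, _, client_secret = base64.b64decode(encoded).decode().partition(":")
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client_secret, client["secret"]):
            raise PermissionError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        grant = self.codes.pop(form.get("code"), None)  # pop: a replayed code is refused
        if grant is None:
            raise ValueError("invalid_grant: unknown or already redeemed code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant: code was issued to another client or redirect_uri")
        response = {"access_token": secrets.token_urlsafe(32), "expires_in": 3600,
                    "token_type": "bearer", "scope": " ".join(sorted(grant["scope"]))}
        if "offline_access" in grant["scope"]:  # long-lived access only when it was asked for
            response["refresh_token"] = secrets.token_urlsafe(32)
        return response
```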
 21. (slide 32) Bringing it all together: Hybrid Flow
     GET /authorize
       ?client_id=app1
       &scope=openid email api1 api2 offline_access
       &redirect_uri=https://app.com/callback
       &response_type=code id_token token
 22. (slide 33) Session Management
     • OpenID Connect contains a specification for session management
       – client-initiated logout
       – session status change notifications
 23. (slide 34) Client-initiated logout
     GET /endsession
       ?id_token_hint=a7s…b12
       &post_redirect_uri=https://app.com
 24. (slide 35) Session Status Change Notifications
     (diagram: Browser in the middle; Client 1 and Client 2 each send an authentication request; the browser holds the cookie)
 25. (slide 36) Session Status Change Notifications
     (diagram: as slide 35, with a check_session_iframe and a <script /> added on each client's side)
 26. (slide 37) Resources
     • http://openid.net/connect/
     • http://openid.net/developers/libraries/
     • http://oauth.net/articles/authentication/
     • http://osis.idcommons.net/wiki/Category:OC5_Participant
     • https://github.com/thinktecture/Thinktecture.IdentityServer.v3