OAuth and OpenID Connect in plain English

In this talk, I'll break down the rationale behind OAuth and OpenID Connect in plain language, and explain when and how you should use these standards in your applications. I'll cover grant types, flows, scopes, tokens, and more. If you've ever felt confused about how these standards work, this talk is for you!

Nate Barbettini

September 09, 2017

Transcript

  1. Identity use cases (circa 2007)
     • Simple login – forms and cookies
     • Single sign-on across sites – SAML
     • Mobile app login – ???
     • Delegated authorization – ???

  2. The delegated authorization problem
     How can I let a website access my data (without giving it my password)?

  3. Delegated authorization with OAuth 2.0
     I trust Gmail and I kind of trust Yelp. I want Yelp to have access to my contacts only.
     [Mock-up: yelp.com with a "Connect with Google" button]

  4. Delegated authorization with OAuth 2.0
     [Diagram, left to right:]
     • yelp.com – "Connect with Google"
     • accounts.google.com – Email / Password
     • accounts.google.com – "Allow Yelp to access your public profile and contacts?" Yes / No
     • yelp.com/callback – Loading…
     • contacts.google.com

  5. OAuth 2.0 terminology
     • Resource owner
     • Client
     • Authorization server
     • Resource server
     • Authorization grant
     • Access token

  6. OAuth 2.0 authorization code flow
     [Diagram: the screens from slide 4, now labelled with the OAuth 2.0 roles]
     • Resource owner: the user at yelp.com who clicks "Connect with Google"
     • Client: yelp.com
     • Authorization server: accounts.google.com
     • Resource server: contacts.google.com
     • Go to authorization server with Redirect URI: yelp.com/callback, Response type: code
     • Back to redirect URI with authorization code
     • Talk to resource server with access token

  7. OAuth 2.0 authorization code flow
     [Diagram: as slide 6, with the scope and the consent step added]
     • Go to authorization server with Redirect URI: yelp.com/callback, Response type: code, Scope: profile contacts
     • Request consent from resource owner ("Allow Yelp to access your public profile and contacts?")
     • Back to redirect URI with authorization code
     • Talk to resource server with access token

  8. Even more OAuth 2.0 terminology
     • Back channel (highly secure channel): a direct server-to-server HTTPS request, such as the client calling the token endpoint
     • Front channel (less secure channel): anything carried through the user's browser by redirect, where it shows up in address bars, history and server logs

  9. OAuth 2.0 authorization code flow
     [Diagram: the flow of slides 6 and 7 with each hop labelled by channel]
     • Go to authorization server (front channel) with Redirect URI: yelp.com/callback, Response type: code, Scope: profile contacts
     • Request consent from resource owner
     • Back to redirect URI with authorization code (front channel)
     • Exchange the code for an access token at the token endpoint (back channel)
     • Talk to resource server with access token (back channel)

  10. Exchange code for an access token
      POST www.googleapis.com/oauth2/v4/token
      Content-Type: application/x-www-form-urlencoded

      code=oMsCeLvIaQm6bTrgtp7&
      client_id=abc123&
      client_secret=secret123&
      grant_type=authorization_code

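To make the exchange on slides 6 to 10 concrete, here is an added Python example (not part of the talk) that walks the authorization code flow end to end against an in-memory stand-in for the authorization server. The authorization endpoint URL, the https://yelp.com/callback redirect URI and the toy server are assumptions constructed for the example; client_id abc123, client_secret secret123 and the token endpoint are the slide's values. It adds two things the slide's request omits: a state parameter that binds the callback to the request that started it, and the redirect_uri in the token request, which RFC 6749 section 4.1.3 requires whenever it was sent in the authorization request.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration standing in for the slide's yelp.com / Google setup.
# The authorization endpoint URL and redirect URI are assumptions; the token
# endpoint and the client_id / client_secret values are the ones on the slide.
AUTHORIZE_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v4/token"
CLIENT_ID = "abc123"
CLIENT_SECRET = "secret123"
REDIRECT_URI = "https://yelp.com/callback"


def build_authorization_url(state: str, scope: str = "profile contacts") -> str:
    """'Go to authorization server' (front channel): the URL the browser is sent to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,  # unguessable, kept in the user's session; binds the callback to this request
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """'Back to redirect URI with authorization code' (front channel): extract the code."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this callback was not started by us (possible CSRF)")
    if "error" in qs:  # e.g. the user pressed "No" on the consent screen
        raise PermissionError(qs["error"][0])
    return qs["code"][0]


def build_token_request(code: str) -> dict:
    """'Exchange code for an access token' (back channel): the form body for the POST on the slide,
    plus redirect_uri, which RFC 6749 4.1.3 requires when it was in the authorization request."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


class ToyAuthorizationServer:
    """In-memory stand-in for accounts.google.com, constructed so the flow runs offline."""

    CODE_LIFETIME = 600  # seconds; RFC 6749 recommends short-lived codes

    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, scope, issued_at)
        self._tokens = {}  # access_token -> scope

    def authorize(self, authorization_url: str, user_consents: bool) -> str:
        """Resource owner logs in and answers the consent prompt; returns the redirect URL."""
        qs = parse_qs(urlparse(authorization_url).query)
        state, redirect_uri = qs["state"][0], qs["redirect_uri"][0]
        if qs["response_type"][0] != "code":
            raise ValueError("unsupported_response_type")
        if not user_consents:
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': state})}"
        code = secrets.token_urlsafe(24)
        self._codes[code] = (qs["client_id"][0], redirect_uri, qs["scope"][0], time.time())
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, form: dict) -> dict:
        """Token endpoint: the code is single use and bound to the client and redirect URI."""
        if form.get("grant_type") != "authorization_code":
            raise PermissionError("unsupported_grant_type")
        entry = self._codes.pop(form.get("code"), None)  # pop: a second exchange fails
        if entry is None:
            raise PermissionError("invalid_grant")
        client_id, redirect_uri, scope, issued_at = entry
        if form.get("client_id") != client_id or form.get("client_secret") != CLIENT_SECRET:
            raise PermissionError("invalid_client")
        if form.get("redirect_uri") != redirect_uri or time.time() - issued_at > self.CODE_LIFETIME:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(16)
        self._tokens[access_token] = scope
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600, "scope": scope}


def run_flow(server: ToyAuthorizationServer, user_consents: bool = True) -> dict:
    """Drive the whole exchange: client -> authorization server -> client -> token endpoint."""
    state = secrets.token_urlsafe(16)
    callback_url = server.authorize(build_authorization_url(state), user_consents)
    code = parse_callback(callback_url, state)
    return server.token(build_token_request(code))


if __name__ == "__main__":
    print(run_flow(ToyAuthorizationServer()))
```

Because the toy token endpoint pops the code from its store, replaying a code captured from a browser history or proxy log fails with invalid_grant, and a callback whose state does not match the one stored in the session is rejected before the code is even read.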
  11. OAuth 2.0 flows
      • Authorization code (front channel + back channel)
      • Implicit (front channel only)
      • Resource owner password credentials (back channel only)
      • Client credentials (back channel only)

  12. OAuth 2.0 implicit flow
      [Diagram: same shape as the code flow, but the client is the Yelp Angular app and there is no code exchange]
      • Go to authorization server with Redirect URI: yelp.com/callback, Response type: token, Scope: profile contacts
      • Request consent from resource owner ("Allow Yelp to access your public profile and contacts?")
      • Back to redirect URI with token (front channel)
      • Talk to resource server (contacts.google.com) with access token (front channel)
      • Yelp Angular app: "Hello!"

  13. Identity use cases (circa 2012)
      • Simple login – OAuth 2.0 (authentication)
      • Single sign-on across sites – OAuth 2.0 (authentication)
      • Mobile app login – OAuth 2.0 (authentication)
      • Delegated authorization – OAuth 2.0 (authorization)

  14. Problems with OAuth 2.0 for authentication
      • No standard way to get the user's information
      • Every implementation is a little different
      • No common set of scopes

  15. OAuth 2.0 and OpenID Connect
      • OpenID Connect is for authentication
      • OAuth 2.0 is for authorization
      [Layer diagram: OpenID Connect on top of OAuth 2.0 on top of HTTP]

  16. What OpenID Connect adds
      • ID token
      • UserInfo endpoint for getting more user information
      • Standard set of scopes
      • Standardized implementation

  17. OpenID Connect authorization code flow
      [Diagram: yelp.com "Log in with Google" → accounts.google.com Email / Password → "Allow Yelp to access your public profile?" Yes / No → yelp.com/callback → "Hello Nate!"]
      • Go to authorization server with Redirect URI: yelp.com/callback, Response type: code, Scope: openid profile
      • Request consent from resource owner
      • Back to redirect URI with authorization code
      • Get user info from accounts.google.com/userinfo with access token

  18. Exchange code for access token and ID token
      POST www.googleapis.com/oauth2/v4/token
      Content-Type: application/x-www-form-urlencoded

      code=oMsCeLvIaQm6bTrgtp7&
      client_id=abc123&
      client_secret=secret123&
      grant_type=authorization_code

  19. Authorization server returns access and ID tokens
      {
        "access_token": "fFAGRNJru1FTz70BzhT3Zg",
        "id_token": "eyJraB03ds3F...",
        "expires_in": 3920,
        "token_type": "Bearer"
      }

  20. ID token (JWT)
      Header:
      eyJhbGciOiJSUzI1NiIsImtpZCI6IkRNa3Itd0JqRU1EYnhOY25xaVJISVhuYUxubWI3UUpfWF9rWmJyaEtBMGMifQ
      .
      Payload (claims):
      eyJzdWIiOiIwMHU5bzFuaWtqdk9CZzVabzBoNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9kZXYtMzQxNjA3Lm9rdGFwcmV2aWV3LmNvbS9vYXV0aDIvYXVzOW84d3ZraG9ja3c5VEwwaDciLCJhdWQiOiJsWFNlbkx4eFBpOGtRVmpKRTVzNCIsImlhdCI6MTUwOTA0OTg5OCwiZXhwIjoxNTA5MDUzNDk4LCJqdGkiOiJJRC5oa2RXSXNBSXZTbnBGYVFHTVRYUGNVSmhhMkgwS2c5Ykl3ZEVvVm1ZZHN3IiwiYW1yIjpbImtiYSIsIm1mYSIsInB3ZCJdLCJpZHAiOiIwMG85bzFuaWpraWpLeGNpbjBoNyIsIm5vbmNlIjoidWpwMmFzeHlqN2UiLCJhdXRoX3RpbWUiOjE1MDkwNDk3MTl9
      .
      Signature:
      dv4Ek8B4BDee1PcQT_4zm7kxDEY1sRIGbLoNtlodZcSzHz-XU5GkKyl6sAVmdXOIPUlAIrJAhNfQWQ-_XZLBVPjETiZE8CgNg5uqNmeXMUnYnQmvN5oWlXUZ8Gcub-GAbJ8-NQuyBmyec1j3gmGzX3wemke8NkuI6SX2L4Wj1PyvkknBtbjfiF9ud1-ERKbobaFbnjDFOFTzvL6g34SpMmZWy6uc_Hs--n4IC-ex-_Ps3FcMwRggCW_-7o2FpH6rJTOGPZYrOx44n3ZwAu2dGm6axtPI-sqU8b6sw7DaHpogD_hxsXgMIOzOBMbYsQEiczoGn71ZFz_1O7FiW4dH6g

  21. The ID token (JWT)
      (Header)
      .
      {
        "iss": "https://accounts.google.com",
        "sub": "[email protected]",
        "name": "Nate Barbettini",
        "aud": "s6BhdRkqt3",
        "exp": 1311281970,
        "iat": 1311280970,
        "auth_time": 1311280969
      }
      .
      (Signature)

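The claims on slides 20 and 21 only help the client if it actually checks them; this added Python example (not from the talk) shows the "local validation" the deck describes later: verify the signature, then check issuer, audience, expiry and the nonce that ties the token to the login attempt. It uses only the standard library, so it signs with HS256 keyed by the client secret, which OpenID Connect Core section 10.1 permits; that choice, the secret123 value, the opaque sub and the nonce are assumptions made for the example (Google and most providers sign with RS256 and publish keys at a jwks_uri, in which case the signature step changes but the claim checks do not). The rest of the claim set is the one on slide 21.

```python
import base64
import hmac
import json
import time

# Issuer and audience are the slide's values. The client secret, the HS256 algorithm
# choice and the nonce are assumptions constructed for this example.
ISSUER = "https://accounts.google.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"secret123"
EXPECTED_ALG = "HS256"
CLOCK_SKEW = 60  # seconds of tolerance for exp / iat


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = CLIENT_SECRET, alg: str = "HS256") -> str:
    """Build header.payload.signature the way the authorization server would (test fixture only)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = b"" if alg == "none" else hmac.new(key, signing_input, "sha256").digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, key: bytes = CLIENT_SECRET, now=None) -> dict:
    """Local validation: signature first, then the claims OIDC Core 3.1.3.7 says a client must check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm you expect; never let the token choose ("none", or RS/HS confusion).
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), "sha256").digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token was not issued to this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if now >= claims.get("exp", 0) + CLOCK_SKEW:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token not bound to this login attempt")
    return claims


# The slide's claims with a constructed opaque sub and the nonce the client generated
# before redirecting to the authorization server.
SLIDE_CLAIMS = {
    "iss": ISSUER,
    "sub": "248289761001",
    "name": "Nate Barbettini",
    "aud": CLIENT_ID,
    "exp": 1311281970,
    "iat": 1311280970,
    "auth_time": 1311280969,
    "nonce": "n-0S6_WzA2Mj",
}

if __name__ == "__main__":
    token = mint_id_token(SLIDE_CLAIMS)
    print(validate_id_token(token, "n-0S6_WzA2Mj", now=1311281000)["name"])
```

The order matters: the signature is checked before any claim is trusted, the algorithm is pinned to what the client registered rather than read from the token, and the nonce check is what stops an ID token obtained in one login from being replayed into another session.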
  22. Calling the userinfo endpoint
      GET www.googleapis.com/oauth2/v4/userinfo
      Authorization: Bearer fFAGRNJru1FTz70BzhT3Zg

      200 OK
      Content-Type: application/json
      {
        "sub": "[email protected]",
        "name": "Nate Barbettini",
        "profile_picture": "http://plus.g.co/123"
      }

  23. Identity use cases (today)
      • Simple login – OpenID Connect (authentication)
      • Single sign-on across sites – OpenID Connect (authentication)
      • Mobile app login – OpenID Connect (authentication)
      • Delegated authorization – OAuth 2.0 (authorization)

  24. OAuth and OpenID Connect
      Use OAuth 2.0 for (authorization):
      • Granting access to your API
      • Getting access to user data in other systems
      Use OpenID Connect for (authentication):
      • Logging the user in
      • Making your accounts available in other systems

  25. Which flow (grant type) do I use?
      • Web application w/ server backend: authorization code flow
      • Native mobile app: authorization code flow with PKCE
      • JavaScript app (SPA) w/ API backend: implicit flow
      • Microservices and APIs: client credentials flow
      (The implicit recommendation reflects 2017 guidance. The OAuth 2.0 Security Best Current Practice, RFC 9700, has since deprecated the implicit grant because it hands the access token over in the front channel; browser-based apps are now directed to the authorization code flow with PKCE as well.)

  26. Example: web application with server backend
      [Diagram: example.com "Log in" → login.example.com Email / Password → back to web app]
      • OpenID Connect (code flow)
      • Authorization server handles login and security
      • Back to web app with code grant, exchanged for ID token
      • Web app establishes its own session for the user: Set-Cookie: sessionid=f00b4r; Max-Age=86400

  27. Example: native mobile app
      [Diagram: Example App "Log in" → login.example.com Email / Password → back to app]
      • OpenID Connect (code flow + PKCE), e.g. with the AppAuth libraries
      • Authorization server handles login and security
      • Back to app with code grant, exchanged for ID token and access token
      • Store tokens in protected device storage
      • Use ID token to know who the user is
      • Attach access token to outgoing API requests

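Slides 25 and 27 say a native app uses the code flow "with PKCE" without showing what PKCE adds, so here is an added Python example (not from the talk or from AppAuth) of both halves: the app generates a code_verifier and sends only its S256 hash with the authorization request, and the token endpoint refuses to exchange the code unless the caller can produce the verifier. The client_id, the custom-scheme redirect URI and the in-memory server are assumptions made for the example; the known-answer check in the test is the verifier/challenge pair from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example; client_id and redirect URI are assumptions. A native app is a
# public client: there is no client_secret, so PKCE is what binds the code to the app
# that started the flow.
CLIENT_ID = "native-app-123"
REDIRECT_URI = "com.example.app:/callback"


def make_code_verifier() -> str:
    """RFC 7636 4.1: 43 to 128 unreserved characters; token_urlsafe(32) yields 43."""
    return secrets.token_urlsafe(32)


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_params(verifier: str, state: str, scope: str = "openid profile") -> dict:
    """Query parameters the app sends to the authorization endpoint; the verifier never leaves the device."""
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }


class ToyAuthorizationServer:
    """Server side of PKCE, in memory: remembers the challenge with the code and
    checks the verifier at the token endpoint."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge)

    def issue_code(self, params: dict) -> str:
        """Called after the user has logged in and consented (the login UI is omitted)."""
        if params.get("code_challenge_method") != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection once the URL is logged")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (params["client_id"], params["code_challenge"])
        return code

    def exchange(self, code: str, code_verifier: str, client_id: str) -> dict:
        """Token endpoint for a public client: no client_secret, the verifier is the proof of possession."""
        entry = self._codes.pop(code, None)  # single use, even if the verifier check fails
        if entry is None:
            raise PermissionError("invalid_grant")
        bound_client, challenge = entry
        if client_id != bound_client or not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer", "expires_in": 3600}


def run_native_login(server: ToyAuthorizationServer) -> dict:
    """The app's side of the flow, from generating the verifier to receiving tokens."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    code = server.issue_code(authorization_params(verifier, state))
    # The code comes back through the custom URL scheme. Another app that registered the
    # same scheme could observe it, but without the verifier it cannot finish the exchange.
    return server.exchange(code, verifier, CLIENT_ID)


if __name__ == "__main__":
    print(run_native_login(ToyAuthorizationServer()))
```

The verifier is generated fresh per login and held only in the app's memory; the server compares hashes with hmac.compare_digest so the check is constant time, and because the code is popped on the first attempt an attacker who guesses wrong also burns the code for the legitimate app.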
  28. Example: SPA with API backend
      [Diagram: app.example.com "Log in" → login.example.com Email / Password → back to web app]
      • OpenID Connect (implicit flow)
      • Authorization server handles login and security, establishes session for user
      • Back to web app with ID token and access token
      • Store tokens locally with JavaScript
      • Use ID token to know who the user is
      • Attach access token to outgoing API requests

  29. Token validation
      • The fast way: local validation
        • Check expiration timestamp
        • Validate cryptographic signature
        (and check that the issuer and audience are the ones you expect and that the signing algorithm is the one you registered)
      • The strong way: introspection (ask the authorization server whether the token is still active)

  30. Revocation
      [Timeline: 12PM token issued and used for API calls – 1PM device compromised! – 2PM]
      What happens?
      POST /oauth2/default/v1/revoke
      Content-Type: application/x-www-form-urlencoded

      token=fFAGRNJru1FTz70BzhT3Zg
      &token_type_hint=access_token
      &client_id=...

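Slides 29 and 30 together make the point that local validation cannot see a revocation while introspection can. This added Python example (not from the talk) models that trade-off with an in-memory authorization server that implements the RFC 7009 revoke request on the slide and an RFC 7662 introspection endpoint, plus a resource server that caches positive introspection answers for a short time. The server, the clock values (seconds since midnight so the 12PM/1PM/2PM timeline reads directly), the client_id and the two-hour token lifetime are all constructed assumptions.

```python
import secrets

# Constructed in-memory model; clocks are seconds since midnight so the slide's
# 12PM / 1PM / 2PM timeline maps directly.
NOON, ONE_PM, TWO_PM = 12 * 3600, 13 * 3600, 14 * 3600


class ToyAuthorizationServer:
    def __init__(self):
        self._tokens = {}  # token -> {"active", "exp", "scope", "client_id"}

    def issue(self, client_id: str, scope: str, now: float, ttl: int = 2 * 3600) -> str:
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"active": True, "exp": now + ttl, "scope": scope, "client_id": client_id}
        return token

    def introspect(self, token: str, now: float) -> dict:
        """RFC 7662 response: {"active": false} for unknown, revoked and expired tokens alike,
        so a caller cannot tell which (and cannot enumerate tokens)."""
        rec = self._tokens.get(token)
        if rec is None or not rec["active"] or now >= rec["exp"]:
            return {"active": False}
        return {"active": True, "scope": rec["scope"], "client_id": rec["client_id"],
                "token_type": "Bearer", "exp": rec["exp"]}

    def revoke(self, token: str, token_type_hint: str = None) -> None:
        """RFC 7009, the POST on the slide: unknown tokens are ignored rather than reported."""
        rec = self._tokens.get(token)
        if rec is not None:
            rec["active"] = False


class ResourceServer:
    """Checks bearer tokens by introspection, caching positive answers for cache_ttl seconds.
    cache_ttl=0 is the 'strong way'; a long cache behaves like local validation, which only
    learns about revocation when the token finally expires."""

    def __init__(self, auth_server: ToyAuthorizationServer, cache_ttl: int = 60):
        self._as = auth_server
        self._cache_ttl = cache_ttl
        self._cache = {}  # token -> accept-until timestamp

    def accepts(self, token: str, now: float) -> bool:
        until = self._cache.get(token)
        if until is not None and now < until:
            return True  # answered from cache: a revocation since the last check is invisible
        result = self._as.introspect(token, now)
        if not result["active"]:
            self._cache.pop(token, None)
            return False
        self._cache[token] = min(result["exp"], now + self._cache_ttl)
        return True


def compromised_device_timeline(cache_ttl: int = 60) -> list:
    """Returns (clock, accepted) pairs for the slide's timeline; the owner revokes at 1PM."""
    auth = ToyAuthorizationServer()
    api = ResourceServer(auth, cache_ttl)
    token = auth.issue("abc123", "contacts", now=NOON)
    timeline = []
    for clock in (NOON + 1800, ONE_PM - 10):  # legitimate use through the hour
        timeline.append((clock, api.accepts(token, clock)))
    auth.revoke(token, "access_token")  # 1PM: device compromised, token revoked
    for clock in (ONE_PM + 30, ONE_PM + 120, TWO_PM + 1):
        timeline.append((clock, api.accepts(token, clock)))
    return timeline


if __name__ == "__main__":
    for clock, ok in compromised_device_timeline():
        print(f"{clock // 3600:02d}:{clock % 3600 // 60:02d}:{clock % 60:02d}  accepted={ok}")
```

With a 60-second cache the API still accepts the stolen token at 13:00:30 because it checked at 12:59:50 and trusted that answer; with cache_ttl=0 the first request after revocation is refused. Local validation of a signed token has the same window, stretched to the token's full lifetime, which is why short access tokens plus refresh tokens are the usual compromise.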
  31. Keeping the user signed in
      For both local validation and introspection, the token is invalid once it expires, so:
      • If there's a user at the keyboard, just redirect through the authorization server again.
      • If there's no user (automated tasks), request a refresh token (the offline_access scope).