SlideShare ist ein Scribd-Unternehmen logo

CIS14: Working with OAuth and OpenID Connect

CloudIDSummit
CloudIDSummit

Roland Hedberg, Umeå University All you need to know about OpenID Connect, with concrete examples and hands-on demos that illustrate how OpenID Connect can be used in web and mobile scenarios.

Technologie
1 von 54
Downloaden Sie, um offline zu lesen
OAuth 2.0 and OpenID Connect Basics From OAuth2 to OpenID Connect by Roland Hedberg
Let’s start with OAuth2
❖ The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, ! ❖ either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, ! ❖ or by allowing the third-party application to obtain access on its own behalf.
The players Authorization Server Resource ServerClient
Authorization Request Authorization Server Resource Server Client Authorization request
Authorization Request - details Parameters! client_id! redirect_uri! response_type! scope! state Authorization Server Resource Server Client Authorization request GET! http://example.com/authorization?state=1521671980316802035&! ! redirect_uri=https://example.org/authz_cb&! ! response_type=code&! ! client_id=SFEBuhC7sp3a
Authorization Server Resource Server Client AUTHENTICATION HAPPENS & End-user consent/authorization
Authorization Response Authorization Server Resource Server Client Authorization response
Authorization Response - details Authorization Server Resource Server Client Authorization response GET! https://example.org/authz_cb?state=1521671980316802035&! ! code=s87BT60pp2UbNX2HnkWpZ9YhPVHRZaoTuU9XJul6JMuQaKUidUM6y1Boab6 Parameters code! state access_token! token_type! expires_in! scope! state
Access Token Request Authorization Server Resource Server Client Access token request
Access Token Request - details POST! http://example.com/token! ! code=s87BT60pp2UbNX2HnkWpZ9YhPVHRZaoTuU9XJul6JMuQaKUidUM6y1Boab6&! ! grant_type=authorization_code&! ! redirect_uri=https://example.org/authz_cb Authorization Server Resource Server Client Access token request Parameters! client_id! code! grant_type! redirect_uri
Access Token Response Authorization Server Resource Server Client Access token response
Access Token Response - details {! ! 'access_token': ’s87BT60pp2UbNX2HnkWpfPfWNo9Gi7chACuWoa2IDND', ! ! 'expires_in': 3600, ! ! 'refresh_token': ’s87BT60pp2U+bNX2HnkWpVCnDYPsy8EOpI’! ! 'state': ’STATE0’,! ! 'token_type': 'Bearer', ! } Authorization Server Resource Server Client Access token response Parameters! access_token! expires_in! refresh_token scope! token_type
Resource Access Authorization Server Resource Server Client Resource request/response
Resource Access - details Authorization Server Resource Server Client Resource request/response GET! https://example.com/resource! ! Header:! ! Authorization: ’Bearer s87BT60pp2UbNX2HnkWpfPfWNo9Gi7chACuWoa2IDND’!
The whole Authorization Server Resource Server Client Authorization request Authorization Server Resource Server Client Authorization response Authorization Server Resource Server Client Access token request Authorization Server Resource Server Client Access token response Authorization Server Resource Server Client Resource request/response Authorization Server Resource Server Client AUTHENTICATION HAPPENS & End-user consent/authorization
Flows ❖ Authorization Code Grant! ❖ Implicit Grant! ❖ Resource Owner Password Credentials Grant! ❖ Client Credentials Grant
Implicit grant Authorization Server Resource Server Client Authorization request Authorization Server Resource Server Client Resource request/response Authorization Server Resource Server Client Authorization response Authorization Server Resource Server Client AUTHENTICATION HAPPENS & End-user consent/authorization
Resource Owner Password Credentials Grant & Client Credentials Grant Authorization Server Resource Server Client Access token request Authorization Server Resource Server Client Access token response Authorization Server Resource Server Client Resource request/response
From OAuth2 to OpenID Connect
❖ OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. ! ❖ It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
The differences ❖ Only authorization grant and implicit grant flows! ❖ Dynamic provider discovery and client registration! ❖ ID Token! ❖ Additions/Clarifications/Constrictions! ❖ UserInfo endpoint
Flows ❖ Authorization code! ❖ Implicit! ❖ Hybrid (authorization code with a twist)! ❖ code id_token! ❖ code token! ❖ code id_token token
Dynamic provider discovery and client registration
Dynamic discovery and registration 1. Find the provider! 2. Discover provider info! 3. Register client
1.Find the provider ❖ Webfinger (RFC 7033)! ❖ User identifier -> URL! ❖ carol@example.org ->! ! GET /.well-known/webfinger?! resource=acct:carol@example.com&! rel=http://openid.net/specs/connect/1.0/issuer! HTTP/1.1! Host: example.com
Webfinger response HTTP/1.1 200 OK! Access-Control-Allow-Origin: *! Content-Type: application/jrd+json! ! {! "subject" : "acct:carol@example.com",! "links" :! [ {! "rel" : "http://openid.net/specs/connect/1.0/issuer",! "href" : "https://openid.example.com"! } ]! }
2.Discover provider info - query GET /.well-known/openid-configuration HTTP/1.1! Host: openid.example.com
2. Discover provider info - response ❖ issuer! ❖ jwks_uri! ❖ endpoints! ❖ functions supported! ❖ support for signing/encrypting algorithms! ❖ policy/tos
Required information ❖ issuer! ❖ jwks_uri! ❖ authorization_endpoint! ❖ token_endpoint (*)! ❖ response_types_supported! ❖ subject_types_supported! ❖ id_token_signing_alg_supported
3. Client registration ❖ uris! ❖ application information! ❖ support for signing/encrypting algorithms! ❖ key material! ❖ server behavior! ❖ client behavior
required information ❖ redirect_uris
Client registration response ❖ client_id! ❖ possibly client_secret and if so client_secret_experies_at! ❖ and the Authorization servers view of things
An Authorization Server ❖ MAY add fields the client didn’t include.! ❖ MAY reject or replace any of the Client's requested field values and substitute them with suitable values.! ❖ MAY ignore values provided by the client, and MUST ignore any fields sent by the Client that it does not understand.
A Client can not ❖ modify a registration! ❖ delete a registration
ID Token
ID Token ❖ Have to make a detour into JWT/K/A/S/E land
JWT ❖ Jason Web Token! ❖ a compact URL-safe means of representing claims to be transferred between two parties! ❖ Suggested pronunciation: ’jot’
JWS represents content secured with digital signatures or Message Authentication Codes (MACs) using JavaScript Object Notation (JSON) based data structures. JWE represents encrypted content using JavaScript Object Notation (JSON) based data structures.
JWK a JavaScript Object Notation (JSON) data structure that represents a cryptographic key JWA registers cryptographic algorithms and identifiers to be used with the JSON Web Signature(JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications
ID Token ❖a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims. ! ❖is represented as a JSON Web Token (JWT)
ID Token claims -required ❖ iss - Issuer Identifier for the Issuer of the response! ❖ sub - Subject Identifier! ❖ aud - Intended audience! ❖ exp - Expiration time! ❖ iat - Issued at! ❖ auth_time - Authentication time! ❖ nonce
ID Token claims - optional ❖ acr - Authentication Context Class Reference! ❖ amr - Authentication Method References! ❖ azp - Authorized party
Additions/ Clarifications/ Constrictions
OAuth2 Authorization Request - details Parameters! client_id! redirect_uri! response_type! scope! state Authorization Server Resource Server Client Authorization request GET! http://example.com/authorization?state=1521671980316802035&! ! redirect_uri=https://example.org/authz_cb&! ! response_type=code&! ! client_id=SFEBuhC7sp3a
Authentication Request - OpenID Connect extensions ❖ response_mode - The mechanism to use for returning parameters! ❖ nonce - Associates client session with ID Token! ❖ Signed/encrypted Authentication Request! ❖ End-user interactions! ❖ Response details
Signed/encrypted Authentication Request ❖ request - by value! ❖ request_uri - by reference! ! ❖ Single self-contained parameter! ❖ Signed and/or encrypted (JWT)
End-user interactions ❖ display - How to display pages to End-User! ❖ prompt - If the End-User should be prompted for re-authentication/ consent! ❖ max_age - allowed max time since last authentication! ❖ ui_locales - End-User’s preferred languages and scripts! ❖ id_token_hint - ID Token previously issued ! ❖ login_hint - login identifier the End-User might want to use! ❖ acr_values - requested Authentication Context Class Reference values
Response details ❖ claims! ❖ user_info! ❖ id_token! ! ❖ claims specification! ❖ null! ❖ essential! ❖ value! ❖ values
UserInfo endpoint
User info ❖ sub! ❖ name! ❖ given_name! ❖ family_name! ❖ middle_name! ❖ nickname! ❖ preferred_username Set of standard claims ❖ profile! ❖ picture! ❖ website! ❖ email! ❖ email_verified! ❖ gender! ❖ birthdate ❖ zoneinfo! ❖ locale! ❖ phone_number! ❖ phone_number_verfied! ❖ address! ❖ updated_at!
claims types ❖ Normal! ❖ Aggregated! ❖ Distributed
Summary ❖ OAuth2 is about authorization! ❖ OpenID Connect adds authentication and identity information
Questions ?

Empfohlen

OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCloudIDSummit
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenIDPrabath Siriwardena
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Full stack security
Full stack securityFull stack security
Full stack securityDPC Consulting Ltd
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 

Empfohlen

OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCloudIDSummit
 
Single Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDSingle Sign On with OAuth and OpenID
Single Sign On with OAuth and OpenIDGasperi Jerome
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenIDPrabath Siriwardena
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectManish Pandit
 
Full stack security
Full stack securityFull stack security
Full stack securityDPC Consulting Ltd
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedEugene Siow
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2Mike Schwartz
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersSalesforce Developers
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2Profesia Srl, Lynx Group
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorMifrazMurthaja
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2scotttomilson
 
Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)Andreas Åkre Solberg
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect ProtocolClément OUDOT
 

Weitere ähnliche Inhalte

Was ist angesagt?

OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedEugene Siow
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2axykim00
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2Mike Schwartz
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersSalesforce Developers
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCloudIDSummit
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2Profesia Srl, Lynx Group
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorMifrazMurthaja
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2scotttomilson
 

Was ist angesagt? (20)

OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 Explained
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Spring security oauth2
Spring security oauth2Spring security oauth2
Spring security oauth2
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID ConnectCIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
#5 WSO2 Masterclassitalia - WSO2 Identity Server, un approccio OAUTH2
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound Authenticator
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2CIS 2012 - Going Mobile with PingFederate and OAuth 2
CIS 2012 - Going Mobile with PingFederate and OAuth 2
 

Andere mochten auch

Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)Andreas Åkre Solberg
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect ProtocolClément OUDOT
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...Brian Campbell
 
Introducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and PerformanceIntroducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and PerformanceAmin Saqi
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCloudIDSummit
 
OpenID Connect - Nat Sakimura at OpenID TechNight #7
OpenID Connect - Nat Sakimura at OpenID TechNight #7OpenID Connect - Nat Sakimura at OpenID TechNight #7
OpenID Connect - Nat Sakimura at OpenID TechNight #7OpenID Foundation Japan
 
OAuth 2.0 & OpenID Connect #MA7
OAuth 2.0 & OpenID Connect #MA7OAuth 2.0 & OpenID Connect #MA7
OAuth 2.0 & OpenID Connect #MA7Nov Matake
 
Introduction to FIDO Authentication
Introduction to FIDO AuthenticationIntroduction to FIDO Authentication
Introduction to FIDO AuthenticationFIDO Alliance
 
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...FIDO Alliance
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014Nov Matake
 
Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali OWASP Delhi
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 

Andere mochten auch (12)

Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
 
Introducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and PerformanceIntroducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and Performance
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
 
OpenID Connect - Nat Sakimura at OpenID TechNight #7
OpenID Connect - Nat Sakimura at OpenID TechNight #7OpenID Connect - Nat Sakimura at OpenID TechNight #7
OpenID Connect - Nat Sakimura at OpenID TechNight #7
 
OAuth 2.0 & OpenID Connect #MA7
OAuth 2.0 & OpenID Connect #MA7OAuth 2.0 & OpenID Connect #MA7
OAuth 2.0 & OpenID Connect #MA7
 
Introduction to FIDO Authentication
Introduction to FIDO AuthenticationIntroduction to FIDO Authentication
Introduction to FIDO Authentication
 
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
 
Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 

Ähnlich wie CIS14: Working with OAuth and OpenID Connect

Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...Vladimir Bychkov
 
O Auth 2.0 The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from HellO Auth 2.0 The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from HellWSO2
 
O auth with facebook and google using .net
O auth with facebook and google using .netO auth with facebook and google using .net
O auth with facebook and google using .netSathyaish Chakravarthy
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Kai Hofstetter
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkSamuele Cozzi
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web ApplicationsY U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web ApplicationsJason Robert
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Nino Ho
 

Ähnlich wie CIS14: Working with OAuth and OpenID Connect (20)

OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
O Auth 2.0 The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from HellO Auth 2.0 The Path to Heaven from Hell
O Auth 2.0 The Path to Heaven from Hell
 
OAuth 2.0 with Pet Care House
OAuth 2.0 with Pet Care HouseOAuth 2.0 with Pet Care House
OAuth 2.0 with Pet Care House
 
O auth with facebook and google using .net
O auth with facebook and google using .netO auth with facebook and google using .net
O auth with facebook and google using .net
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization Framework
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
 
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web ApplicationsY U No OAuth, Using Common Patterns to Secure Your Web Applications
Y U No OAuth, Using Common Patterns to Secure Your Web Applications
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 

Mehr von CloudIDSummit

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content HighlightsCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 

Mehr von CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 

Kürzlich hochgeladen

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 

Kürzlich hochgeladen (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 

CIS14: Working with OAuth and OpenID Connect

  • 1. OAuth 2.0 and OpenID Connect Basics From OAuth2 to OpenID Connect by Roland Hedberg
  • 3. ❖ The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, ! ❖ either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, ! ❖ or by allowing the third-party application to obtain access on its own behalf.
  • 5. Authorization Request Authorization Server Resource Server Client Authorization request
  • 6. Authorization Request - details Parameters! client_id! redirect_uri! response_type! scope! state Authorization Server Resource Server Client Authorization request GET! http://example.com/authorization?state=1521671980316802035&! ! redirect_uri=https://example.org/authz_cb&! ! response_type=code&! ! client_id=SFEBuhC7sp3a
  • 7. Authorization Server Resource Server Client AUTHENTICATION HAPPENS & End-user consent/authorization
  • 8. Authorization Response Authorization Server Resource Server Client Authorization response
  • 9. Authorization Response - details Authorization Server Resource Server Client Authorization response GET! https://example.org/authz_cb?state=1521671980316802035&! ! code=s87BT60pp2UbNX2HnkWpZ9YhPVHRZaoTuU9XJul6JMuQaKUidUM6y1Boab6 Parameters code! state access_token! token_type! expires_in! scope! state
  • 10. Access Token Request Authorization Server Resource Server Client Access token request
  • 11. Access Token Request - details POST! http://example.com/token! ! code=s87BT60pp2UbNX2HnkWpZ9YhPVHRZaoTuU9XJul6JMuQaKUidUM6y1Boab6&! ! grant_type=authorization_code&! ! redirect_uri=https://example.org/authz_cb Authorization Server Resource Server Client Access token request Parameters! client_id! code! grant_type! redirect_uri
  • 12. Access Token Response Authorization Server Resource Server Client Access token response
  • 13. Access Token Response - details {! ! 'access_token': ’s87BT60pp2UbNX2HnkWpfPfWNo9Gi7chACuWoa2IDND', ! ! 'expires_in': 3600, ! ! 'refresh_token': ’s87BT60pp2U+bNX2HnkWpVCnDYPsy8EOpI’! ! 'state': ’STATE0’,! ! 'token_type': 'Bearer', ! } Authorization Server Resource Server Client Access token response Parameters! access_token! expires_in! refresh_token scope! token_type
  • 14. Resource Access Authorization Server Resource Server Client Resource request/response
  • 15. Resource Access - details Authorization Server Resource Server Client Resource request/response GET! https://example.com/resource! ! Header:! ! Authorization: ’Bearer s87BT60pp2UbNX2HnkWpfPfWNo9Gi7chACuWoa2IDND’!
  • 16. The whole Authorization Server Resource Server Client Authorization request Authorization Server Resource Server Client Authorization response Authorization Server Resource Server Client Access token request Authorization Server Resource Server Client Access token response Authorization Server Resource Server Client Resource request/response Authorization Server Resource Server Client AUTHENTICATION HAPPENS & End-user consent/authorization
  • 17. Flows ❖ Authorization Code Grant! ❖ Implicit Grant! ❖ Resource Owner Password Credentials Grant! ❖ Client Credentials Grant
  • 18. Implicit grant Authorization Server Resource Server Client Authorization request Authorization Server Resource Server Client Resource request/response Authorization Server Resource Server Client Authorization response Authorization Server Resource Server Client AUTHENTICATION HAPPENS & End-user consent/authorization
  • 19. Resource Owner Password Credentials Grant & Client Credentials Grant Authorization Server Resource Server Client Access token request Authorization Server Resource Server Client Access token response Authorization Server Resource Server Client Resource request/response
  • 20. From OAuth2 to OpenID Connect
  • 21. ❖ OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. ! ❖ It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
  • 22. The differences ❖ Only authorization grant and implicit grant flows! ❖ Dynamic provider discovery and client registration! ❖ ID Token! ❖ Additions/Clarifications/Constrictions! ❖ UserInfo endpoint
  • 23. Flows ❖ Authorization code! ❖ Implicit! ❖ Hybrid (authorization code with a twist)! ❖ code id_token! ❖ code token! ❖ code id_token token
  • 24. Dynamic provider discovery and client registration
  • 25. Dynamic discovery and registration 1. Find the provider! 2. Discover provider info! 3. Register client
  • 26. 1.Find the provider ❖ Webfinger (RFC 7033)! ❖ User identifier -> URL! ❖ carol@example.org ->! ! GET /.well-known/webfinger?! resource=acct:carol@example.com&! rel=http://openid.net/specs/connect/1.0/issuer! HTTP/1.1! Host: example.com
  • 27. Webfinger response HTTP/1.1 200 OK! Access-Control-Allow-Origin: *! Content-Type: application/jrd+json! ! {! "subject" : "acct:carol@example.com",! "links" :! [ {! "rel" : "http://openid.net/specs/connect/1.0/issuer",! "href" : "https://openid.example.com"! } ]! }
  • 28. 2.Discover provider info - query GET /.well-known/openid-configuration HTTP/1.1! Host: openid.example.com
  • 29. 2. Discover provider info - response ❖ issuer! ❖ jwks_uri! ❖ endpoints! ❖ functions supported! ❖ support for signing/encrypting algorithms! ❖ policy/tos
  • 30. Required information ❖ issuer! ❖ jwks_uri! ❖ authorization_endpoint! ❖ token_endpoint (*)! ❖ response_types_supported! ❖ subject_types_supported! ❖ id_token_signing_alg_supported
  • 31. 3. Client registration ❖ uris! ❖ application information! ❖ support for signing/encrypting algorithms! ❖ key material! ❖ server behavior! ❖ client behavior
  • 33. Client registration response ❖ client_id! ❖ possibly client_secret and if so client_secret_experies_at! ❖ and the Authorization servers view of things
  • 34. An Authorization Server ❖ MAY add fields the client didn’t include.! ❖ MAY reject or replace any of the Client's requested field values and substitute them with suitable values.! ❖ MAY ignore values provided by the client, and MUST ignore any fields sent by the Client that it does not understand.
  • 35. A Client can not ❖ modify a registration! ❖ delete a registration
  • 37. ID Token ❖ Have to make a detour into JWT/K/A/S/E land
  • 38. JWT ❖ Jason Web Token! ❖ a compact URL-safe means of representing claims to be transferred between two parties! ❖ Suggested pronunciation: ’jot’
  • 39. JWS represents content secured with digital signatures or Message Authentication Codes (MACs) using JavaScript Object Notation (JSON) based data structures. JWE represents encrypted content using JavaScript Object Notation (JSON) based data structures.
  • 40. JWK a JavaScript Object Notation (JSON) data structure that represents a cryptographic key JWA registers cryptographic algorithms and identifiers to be used with the JSON Web Signature(JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications
  • 41. ID Token ❖a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims. ! ❖is represented as a JSON Web Token (JWT)
  • 42. ID Token claims -required ❖ iss - Issuer Identifier for the Issuer of the response! ❖ sub - Subject Identifier! ❖ aud - Intended audience! ❖ exp - Expiration time! ❖ iat - Issued at! ❖ auth_time - Authentication time! ❖ nonce
  • 43. ID Token claims - optional ❖ acr - Authentication Context Class Reference! ❖ amr - Authentication Method References! ❖ azp - Authorized party
  • 45. OAuth2 Authorization Request - details Parameters! client_id! redirect_uri! response_type! scope! state Authorization Server Resource Server Client Authorization request GET! http://example.com/authorization?state=1521671980316802035&! ! redirect_uri=https://example.org/authz_cb&! ! response_type=code&! ! client_id=SFEBuhC7sp3a
  • 46. Authentication Request - OpenID Connect extensions ❖ response_mode - The mechanism to use for returning parameters! ❖ nonce - Associates client session with ID Token! ❖ Signed/encrypted Authentication Request! ❖ End-user interactions! ❖ Response details
  • 47. Signed/encrypted Authentication Request ❖ request - by value! ❖ request_uri - by reference! ! ❖ Single self-contained parameter! ❖ Signed and/or encrypted (JWT)
  • 48. End-user interactions ❖ display - How to display pages to End-User! ❖ prompt - If the End-User should be prompted for re-authentication/ consent! ❖ max_age - allowed max time since last authentication! ❖ ui_locales - End-User’s preferred languages and scripts! ❖ id_token_hint - ID Token previously issued ! ❖ login_hint - login identifier the End-User might want to use! ❖ acr_values - requested Authentication Context Class Reference values
  • 49. Response details ❖ claims! ❖ user_info! ❖ id_token! ! ❖ claims specification! ❖ null! ❖ essential! ❖ value! ❖ values
  • 51. User info ❖ sub! ❖ name! ❖ given_name! ❖ family_name! ❖ middle_name! ❖ nickname! ❖ preferred_username Set of standard claims ❖ profile! ❖ picture! ❖ website! ❖ email! ❖ email_verified! ❖ gender! ❖ birthdate ❖ zoneinfo! ❖ locale! ❖ phone_number! ❖ phone_number_verfied! ❖ address! ❖ updated_at!
  • 52. claims types ❖ Normal! ❖ Aggregated! ❖ Distributed
  • 53. Summary ❖ OAuth2 is about authorization! ❖ OpenID Connect adds authentication and identity information