DDD Melbourne 2019 : Modern Authentication 101

There has never been more emphasis in security than in the modern environment of distributed computing and increased sharing of data. Our data does not sit inside silos consumed by one application anymore. In this context the modern distributed applications need to securely access protected resources without having to share passwords. We need scalable solutions that work with things like single page applications. We will dive in and explore terms like "OAuth", "OpenId Connect" and "JWT" and how they relate to authentication and authorisation. This presentation hopes to give you a good understanding of what, where and how to get started with the modern approaches to authentication.

Published in: Technology
  1. Dasith Wijesiriwardena: A Story of Identity, Set Amongst The Clouds
  2. About Me
  3. Outline
     1. Identity & Trust
        > Identity, authentication and authorization
        > Trust and claims based identity
        > Parties involved
     2. Tokens
        > SAML and JWT
     3. OAuth and OpenID Connect
        > What do they solve?
        > Concepts and Acronyms
        > Main Flows
  4. Definitions
     Identity: Unique name of a person, device, or combination of both.
     Authentication: Process of verifying that identity.
     Authorization: Function of specifying access rights/privileges to resources.
  5. Definitions
     Access Token: An object which represents the right to perform some operation.
     Identity Token: An object that aids in proving the user's identity and authenticating that user.
  6. Traditional Approach (diagram): the User / Browser / UI sends Credentials to the Application, which does a Lookup against its own User Database.
  7. Identity Islands (diagram): Pet Sitting Service, Rent A Car and Flight Bookings, each with its own login; a password "@#*()!~<+|>"; Breach; "You have been pwned".
  8. Scenario: Renting a Car
     "Hi. I’m Dilbert. I like to rent your finest car."
     "Hi Dilbert. My name is Amy. Can you please provide a driver’s license or passport?"
     (diagram label: Trust)
  9. Claims Based Identity
     "A claim is a statement that one subject, such as a person or organization, makes about itself or another subject. The subject making the claim or claims is the provider." - Wikipedia.org
  10. Drivers License as an Identity Token (Dilbert Adams)
      Claims about the Subject: • Name • Address • Date of birth • Photo
      Issuer (Identity Provider): • VicRoads
      Validation: • Holographic Logo
  11. So many names…
      The person: • User • Subject (Sub) • Resource Owner (RO)
      The application: • Relying Party (RP) • Client • Audience (Aud) • Resource
      The issuer: • Identity Provider (IdP) • Authorization Server (AS) • Issuing Authority (ISS) • Token Issuer • Security Token Service (STS) • Login Server
  12. Modern Approach (diagram): the Identity Provider and the Application share a Trust relationship. The User / Browser / UI presents Credentials to the Identity Provider and receives a Token; the Token is then presented to the Application, which performs Validation.
  13. Recap
      • Authentication vs Authorization
      • Claims based identity
      • Parties involved
      • Traditional and modern approaches
      • Leveraging existing trust relationships
      • Terms
        • User, Subject, Resource Owner
        • Relying Party, Client
        • Id Provider, Auth Server, Token Issuer
  14. Passwords vs Access Tokens (diagram)
      Passwords: 1. Password 2. Password
      Access Tokens: 1. Password 2. Token 3. Token
      If the token is a reference token, exchange it for identity claims from the IdP: 4. Ref Token 5. Claims
  15. Security Assertion Markup Language
      Open standard for exchanging authentication and authorization data between parties.
  16. https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
  17–22. Anatomy of a SAML Token (one part highlighted per slide): Assertion, Subject, Conditions, Authentication Statement (Auth Stmnt), Attributes
  23. JSON Web Tokens
      Internet standard for creating JSON-based tokens
      Header (Algorithm & Token Type):
        {
          "alg": "HS256",
          "typ": "JWT"
        }
      Payload (Data):
        {
          "sub": "1234567890",
          "name": "John Doe",
          "iat": 1516239022
        }
      Signature (Verification):
        HMACSHA256(
          base64UrlEncode(header) + "." + base64UrlEncode(payload),
          Client Secret
        )
  24–27. Anatomy of a JWT (the same sample token is shown four times, with the Header, Payload and Signature highlighted in turn; the line breaks below are at the two dots)
      eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01xbyJ9.
      eyJ2ZXIiOiIyLjAiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vOTE4ODA0MGQtNmM2Ny00YzViLWIxMTItMzZhMzA0YjY2ZGFkL3YyLjAiLCJzdWIiOiJBQUFBQUFBQUFBQUFBQUFBQUFBQUFJa3pxRlZyU2FTYUZIeTc4MmJidGFRIiwiYXVkIjoiNmNiMDQwMTgtYTNmNS00NmE3LWI5OTUtOTQwYzc4ZjVhZWYzIiwiZXhwIjoxNTM2MzYxNDExLCJpYXQiOjE1MzYyNzQ3MTEsIm5iZiI6MTUzNjI3NDcxMSwibmFtZSI6IkFiZSBMaW5jb2xuIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiQWJlTGlAbWljcm9zb2Z0LmNvbSIsIm9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC02NmYzLTMzMzJlY2E3ZWE4MSIsInRpZCI6IjMzMzgwNDBkLTZjNjctNGM1Yi1iMTEyLTM2YTMwNGI2NmRhZCIsIm5vbmNlIjoiMTIzNTIzIiwiYWlvIjoiRGYyVVZYTDFpeCFsTUNXTVNPSkJjRmF0emNHZnZGR2hqS3Y4cTVnMHg3MzJkUjVNQjVCaXN2R1FPN1lXQnlqZDhpUURMcSFlR2JJRGFreXA1bW5PcmNkcUhlWVNubHRlcFFtUnA2QUlaOGpZIn0=.
      1AFWW-Ck5nROwSlltm7GzZvDwUkqvhSQpm55TQsmVo9Y59cLhRXpvB8n-55HCr9Z6G_31_UbeUkoz612I2j_Sm9FFShSDDjoaLQr54CreGIJvjtmS3EkK9a7SJBbcpL1MpUtlfygow39tFjY7EVNW9plWUvRrTgVk7lYLprvfzw-CIqw3gHC-T7IK_m_xkr08INERBtaecwhTeN4chPC4W3jdmw_lIxzC48YoQ0dB1L9-ImX98Egypfrlbm0IBL5spFzL6JDZIRRJOu8vecJvj1mq-IUhGt0MacxX8jdxYLP-KUu2d9MbNKpCKJuZ7p8gwTL5B7NlUdh_dmSviPWrw
  28–31. Constructing a JWT (diagram, built up over four slides; base64ue = base64url encode)
      Header    = base64ue(JSON Data)
      Payload   = base64ue(JSON Data)
      Signature = Sign Function(Header, Payload, Secret)
      JWT       = base64ue(Header) . base64ue(Payload) . base64ue(Signature)
  32–35. Verifying a JWT (diagram, built up over four slides)
      Split the JWT into its base64ue Header, Payload and Signature parts.
      Signature' = Sign Function(Header, Payload, Secret)
      Is Valid? = (Signature' == Signature)
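The two diagrams above (constructing and verifying) written out as working code. This is an added example, not code from the slides: it uses only the Python standard library, implements the Sign Function as HMAC-SHA256 (the HS256 the slide-23 header names), and adds the two checks the diagram leaves implicit, pinning the algorithm on the verifier's side and comparing signatures in constant time. The secret is a constructed demo value; the only page material reused is the header segment of the sample token from the "Anatomy of a JWT" slide, decoded to show that it announces RS256 and a key id.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (editor's code, not from the slides): the "Constructing a JWT" and
# "Verifying a JWT" diagrams implemented for HS256 with the standard library only.
# The secret used in __main__ is constructed for the demo; a real key is random and >= 256 bits.


def base64ue(data):
    """base64url-encode without '=' padding (the 'base64ue' boxes in the diagrams)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def base64ud(text):
    """base64url-decode, re-adding any padding the encoder stripped."""
    text = text.rstrip("=")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_function(header_b64, payload_b64, secret):
    """The 'Sign Function' box: HMAC-SHA256 over base64ue(header) + '.' + base64ue(payload)."""
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def construct_jwt(header, payload, secret):
    """JWT = base64ue(Header) . base64ue(Payload) . base64ue(Signature)."""
    h = base64ue(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = base64ue(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    s = base64ue(sign_function(h, p, secret))
    return h + "." + p + "." + s


def decode_unverified(token):
    """Header and payload are encoded, not encrypted: anyone can read them.
    Only the signature says who issued them, so never act on these values alone."""
    h, p, _ = token.split(".")
    return json.loads(base64ud(h)), json.loads(base64ud(p))


def verify_jwt(token, secret, now=None, expected_alg="HS256"):
    """Recompute the signature, compare it, then check the time claims.
    Returns the payload, or raises ValueError saying why the token was rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    h, p, s = parts
    header = json.loads(base64ud(h))
    # Pin the algorithm on the verifier's side. The token must not choose how it is
    # checked, otherwise "alg":"none" or a swapped algorithm would be honoured.
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected_sig = sign_function(h, p, secret)
    # Constant-time comparison so timing reveals nothing about the expected value.
    if not hmac.compare_digest(expected_sig, base64ud(s)):
        raise ValueError("signature is not valid")
    payload = json.loads(base64ud(p))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload


# Header segment of the sample token on the "Anatomy of a JWT" slide (copied from the page).
SAMPLE_HEADER_B64 = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01xbyJ9"


def sample_header():
    """Decode the slide's header: it announces RS256 and a key id (kid), not HS256."""
    return json.loads(base64ud(SAMPLE_HEADER_B64))


if __name__ == "__main__":
    secret = b"constructed-demo-secret-do-not-reuse"  # constructed value
    claims = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022, "exp": 1516242622}
    token = construct_jwt({"alg": "HS256", "typ": "JWT"}, claims, secret)
    print(token)
    print(verify_jwt(token, secret, now=1516239100))
    print(sample_header())
```

The sample token on the slide is RS256-signed, so verifying it needs the issuer's public key (published via the discovery document's jwks_uri) rather than a shared secret; the structure of the check is the same, only the Sign Function changes. Passing `expected_alg` explicitly rather than reading it from the token is the point worth keeping from this example.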
  36–41. JWT and Drivers License (Dilbert Adams; the licence and a JWT compared side by side over six slides)
  42. Recap
      • Passwords vs Tokens
      • Why tokens are preferred
      • SAML (Security Assertion Markup Language)
      • JWT (JSON Web Token)
        • Header, Payload, Signature
        • Constructing
        • Verifying
  43. OAuth 2.0
      "OAuth 2.0 is the industry-standard protocol for authorization. It focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices." - OAuth.net
  44. History of OAuth
      December 2007: OAuth 1.0 Final Draft
      April 2010: Standardized via IETF
      October 2012: OAuth 2.0 (Implicit, Auth Code, Resource Owner, Client Credentials flows)
      Today: Device Code, Token Exchange etc.
  45. Limitation of OAuth
      • Only specifies a solution to authorization concerns
      • No standard way of describing claims
      Enter “OpenID Connect”
  46. OpenID Connect
      "OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows." - OpenID.net
      (Identity, Authentication) + OAuth 2.0 = OpenID Connect
  47–50. OpenID Connect Concepts (diagram with three parties, built up over four slides; Registration links the Client to the IdP, Sign Up links the Subject to the IdP)
      Client / Relying Party:
      • Store ClientId and Secret
      • Pick correct flow for public vs confidential clients
      • Construct a HTTP request
      • Handle call-back
      • Verify token and manage lifetime
      Issuer / IdP:
      • Allow client and user registration
      • Discovery endpoint for meta data “.well-known/openid-configuration”
      • Issuer, signing certificate public key, supported claims, scopes etc.
      • Implement endpoints for Token, Authorization and UserInfo
      Subject:
      • Register and sign in to the IdP
      • Inspect and grant consent to the requested scopes
  51–55. OpenID Connect Discovery Endpoint Example (the document is walked through over five slides)
      https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
  56. Token Types
      access_token: Key representing access to a resource. Can be self contained or a reference token.
      id_token: Contains identity information in the form of a (self contained) JWT.
      refresh_token: A reference token that can be used to obtain a new access_token when the current one is no longer valid.
      code (authorization code): A reference token that can be exchanged for the access_token.
  57. Endpoints
      Authorization: Performs the authorization and returns a supported combination of access_token, id_token, refresh_token, and/or code.
      Token: Exchanges a reference token (code or refresh_token) for an access_token, id_token and/or refresh_token.
      Userinfo: Exchanges the access_token for a set of claims about the identity of the subject.
  58. Application Types
      Confidential Clients: WebApp (running on backend), WebApi, Daemon Apps
      Public Clients: Single Page Apps (Javascript), Native App
      Other: Input Constrained Devices, Native App
  59. Some OAuth 2.0 Flows
      • Implicit grant
      • Authorization code grant
      • Hybrid flow
      • Token Exchange (On-behalf-of)
      • Client credentials grant
      • Device code grant
      • Resource owner password grant*
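What the Relying Party's "verify token and manage lifetime" duty from slide 47 looks like against the discovery document (slides 51–55) and the token types and endpoints just listed. This is an added example, not code from the slides or from any IdP: the discovery document is constructed for an imaginary issuer `https://idp.example/v2.0` and trimmed to the fields used here (the Azure AD document linked on the slides carries many more), and `validate_id_token_claims` assumes the id_token's signature has already been verified against the keys published at `jwks_uri`, since claim checks on an unverified token prove nothing.

```python
import json

# Added example (editor's code, not from the slides): a Relying Party parsing the
# ".well-known/openid-configuration" document and validating id_token claims.
# DISCOVERY_DOC_JSON is constructed for an imaginary issuer; the function names are ours.

DISCOVERY_DOC_JSON = json.dumps({
    "issuer": "https://idp.example/v2.0",
    "authorization_endpoint": "https://idp.example/v2.0/authorize",
    "token_endpoint": "https://idp.example/v2.0/token",
    "userinfo_endpoint": "https://idp.example/v2.0/userinfo",
    "jwks_uri": "https://idp.example/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
})

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def load_discovery(doc_json, expected_issuer):
    """Parse the discovery document and check it describes the issuer we configured.
    We chose the URL it was fetched from, so its issuer must match our configuration;
    accepting whatever it says would let a wrong URL silently redefine the IdP."""
    doc = json.loads(doc_json)
    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    if missing:
        raise ValueError("discovery document is missing: " + ", ".join(missing))
    if doc["issuer"] != expected_issuer:
        raise ValueError("issuer mismatch: %r" % doc["issuer"])
    for field in REQUIRED_FIELDS[1:]:
        if not doc[field].startswith("https://"):
            raise ValueError(field + " must be an https URL")
    return doc


def validate_id_token_claims(claims, discovery, client_id, expected_nonce, now, skew=60):
    """The RP-side checks of OpenID Connect Core section 3.1.3.7, on already-verified claims.
    `skew` is the clock tolerance in seconds allowed between us and the IdP."""
    if claims.get("iss") != discovery["issuer"]:
        raise ValueError("iss does not match the discovery document")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token was not issued to this client (aud)")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    # The nonce ties this id_token to the authorization request we sent (replay defence).
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token is not a reply to our request")
    for required in ("exp", "iat", "sub"):
        if required not in claims:
            raise ValueError("missing claim: " + required)
    if now >= claims["exp"] + skew:
        raise ValueError("id_token expired")
    if "nbf" in claims and now + skew < claims["nbf"]:
        raise ValueError("id_token not yet valid")
    if claims["iat"] > now + skew:
        raise ValueError("iat is in the future")
    return claims


def access_token_refresh_due(token_response, issued_at, now, margin=300):
    """Lifetime management for the access_token from the Token endpoint response:
    True when fewer than `margin` seconds remain, i.e. time to use the refresh_token."""
    expires_at = issued_at + int(token_response["expires_in"])
    return now >= expires_at - margin


if __name__ == "__main__":
    disc = load_discovery(DISCOVERY_DOC_JSON, "https://idp.example/v2.0")
    # Constructed claims, as they would appear after signature verification.
    claims = {"iss": disc["issuer"], "aud": "my_client_id", "nonce": "678910",
              "iat": 1536274711, "nbf": 1536274711, "exp": 1536361411, "sub": "constructed-sub"}
    print(validate_id_token_claims(claims, disc, "my_client_id", "678910", now=1536274800))
    print(access_token_refresh_due({"expires_in": 3599}, issued_at=1536274711, now=1536278000))
```

Two of these checks are the ones most often skipped in hand-rolled clients: the issuer comparison against a configured value rather than against whatever the document reports, and the nonce comparison that binds the id_token to the request that asked for it.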
  60–64. Implicit Grant Flow
      https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
      Authorization request (slide 61):
        GET https://idp.com/authorize?
            client_id=my_client_id
            &response_type=id_token
            &redirect_uri=callback_url
            &scope=openid
            &response_mode=fragment
            &state=12345
            &nonce=678910
      Tokens returned in the URL fragment (slide 63):
        GET https://localhost/myapp/#
            access_token=jwt_here
            &token_type=Bearer
            &expires_in=3599
            &scope=valid_scopes
            &id_token=jwt_here
            &state=12345
      Calling the API (slide 64):
        Authorization: Bearer access_token
  65–71. Authorization Code Grant Flow
      https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
      Authorization request (slide 66):
        GET https://idp.com/authorize?
            client_id=my_client_id
            &response_type=code
            &redirect_uri=callback_url
            &scope=openid
            &response_mode=query
            &state=12345
            &nonce=678910
      Callback carrying the authorization code (slide 68):
        GET https://localhost/webapp?
            code=reference_token_here
            &state=12345
      Redeeming the code at the token endpoint (slide 69):
        GET https://idp.com/token?
            client_id=my_client_id
            &client_secret=some_secret
            &grant_type=authorization_code
            &code=reference_token_here
            &redirect_uri=callback_url
      Token response (slide 70):
        {
          "access_token": "jwt_here",
          "token_type": "Bearer",
          "expires_in": 3599,
          "scope": "consented scopes",
          "refresh_token": "ref_token",
          "id_token": "jwt_here"
        }
      Calling the API (slide 71):
        Authorization: Bearer access_token
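The client side of the authorization code flow from the slides above, as an added example that is not the slides' own code, with the PKCE hardening that the flow-picker slide later names ("Auth Code + PKCE", RFC 7636). It keeps the slides' placeholders (`https://idp.com`, `my_client_id`, `callback_url`, `reference_token_here`) and contacts no network; the function names are ours. One deliberate difference from slide 69: the code is redeemed as the form body of a POST to the token endpoint, which is how RFC 6749 and the linked Microsoft documentation send it, so that the code and any client_secret stay out of URL logs.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example (editor's code, not from the slides): Authorization Code flow client steps
# with PKCE (RFC 7636). Endpoint and client values are the placeholders the slides use.


def make_code_verifier(nbytes=32):
    """Fresh high-entropy verifier per authorization request (43..128 unreserved chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier):
    """S256 method: challenge = base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def query_params(url):
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, state, nonce, verifier, scope="openid"):
    """Slide 66's request plus the PKCE challenge. state and nonce are per-request random
    values the client keeps in its session to check the callback and the id_token later."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Slide 68's callback: refuse any response whose state is not the one we issued,
    which stops a code from another session (or an attacker's) being bound to this one."""
    query = query_params(callback_url)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"])
    state = query.get("state")
    if state is None or not hmac.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: response does not belong to this session")
    code = query.get("code")
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(client_id, redirect_uri, code, verifier, client_secret=None):
    """Slide 69's redemption as the form body of a POST to the token endpoint.
    Public clients send code_verifier only; confidential clients add client_secret."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def authorization_server_check(stored_challenge, presented_verifier):
    """The IdP's side: recompute S256 over the presented verifier and compare it with the
    challenge stored next to the code. A code captured in transit is useless without it."""
    return hmac.compare_digest(code_challenge_s256(presented_verifier).encode("ascii"),
                               stored_challenge.encode("ascii"))


if __name__ == "__main__":
    verifier = make_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url("https://idp.com/authorize", "my_client_id", "callback_url", state, nonce, verifier)
    print(url)
    # Constructed callback, as the IdP would redirect the browser to it.
    code = parse_callback("https://localhost/webapp?code=reference_token_here&state=" + state, state)
    print(build_token_request("my_client_id", "callback_url", code, verifier))
```

`state` protects the callback (the response must belong to the session that started the flow), `nonce` protects the id_token (checked when its claims are validated), and the `code_verifier` protects the code itself (only the client that began the flow can redeem it). The test below uses the code_verifier and code_challenge pair from RFC 7636 Appendix B.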
  72. Hybrid Flow
      • Same as the implicit flow
      • With additional reference token (authorization code).
      • Exchange it for an access token using the token endpoint.
      https://YOUR_REDIRECT_URI/#
          access_token=opaque_token
          &expires_in=7200
          &token_type=Bearer
          &code=AUTHORIZATION_CODE
          &id_token=jwt
  73. Client Credentials Grant Flow
      https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
      (diagram labels: Credentials; Admin consent required; Authorization Server; Dilbert’s Driving History)
  74. Token Exchange Flow
      https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
      (diagram label: Authorization Server)
  75–80. Device Code Grant Flow (the flow is stepped through over six slides)
      https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code
  81. Resource Owner Password Grant Flow
      https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
  82. Picking the right OAuth flow (decision tree)
      Public Client?
        Yes → Native or SPA?
          SPA → Implicit
          Native → Auth Code + PKCE
        No → Has an active user?
          No → Client Credentials
          Yes → Input Constrained?
            Yes → Device Code
            No → Legacy App?
              Yes → Resource Owner Password Cred…
              No → Auth Code
  83. Recap
      • OAuth
        • What it solves
      • OpenID Connect
        • What it solves
        • Concepts
        • Endpoints
      • Picking an appropriate OAuth flow
  84. Want More?
      • Protocol Reference: https://oauth.net
      • Starter Kit: https://connect2id.com/learn
      • Choosing Flows: https://auth0.com/docs/api-auth/which-oauth-flow-to-use
      • MS Identity Platform (Azure AD) Documentation
      • IdentityServer: https://identityserver.io
      • Rob Moore & Matt Davies : Modern Auth @ NDC 2016
  85. Thank you! @dasiths dasith.me
  86. Sponsors: COFFEE BY / WIFI BY / CHILDCARE BY (logos not captured in the transcript)
