Copyright ©2012 Ping Identity Corporation. All rights reserved.
SAML, OAuth 2, and OpenID Connect Overview
David Waite
Ping Identity Corporation

CLAIMS-BASED AND FEDERATED IDENTITY

Claims-based Identity
• Primarily a Microsoft-pushed concept
  – Unfortunately, it gets less attention outside MS shops
• A trusted-party message with user attributes
  – Alternative to a directory lookup keyed off the account name
• Authentication is an external concern
  – vs. each mechanism implemented in each app

Claims-based Identity
• Could support multiple trusted issuers
• Different levels of trust
  – Can this issuer assert for this user?
  – Can this issuer assert the user has this role?
• A local trusted party may serve as intermediary/multiplexer
  – The Security Token Service (STS) role

Claims-based Identity
• Policy decisions based on issuer, claims
  – vs. group-based policy, local directory lookup
  – Claims may map directly to policy decisions
• A local trusted issuer can centralize policy decisions and push them in tokens

Federated Identity
• Making local decisions from remote trusted entities is distributed identity
• Since there is no global entity to trust, we call this “Federated Identity”
• In the consumer space, this is
  – Social logins
  – Windows Live ID
  – OpenID systems

Web SSO vs API SSO
• Web Browser SSO
  – Cross-domain interactions
  – Requires no browser extensions
  – Query params or JavaScript form-post transport
  – Form login, cookies for authentication
• API SSO
  – Client logic to acquire tokens via authentication
  – Cache/use tokens for API access

SECURITY ASSERTION MARKUP LANGUAGE (SAML)

SAML
• Security Assertion Markup Language
  – A.K.A. a format for securely asserting identity information
• Includes Web Single Sign-On (Web SSO)
• Pieces leveraged by WS-Federation, WS-Security, OAuth 2.0

Web SSO Problem
• How to talk about a user (entity)
• Between multiple security domains
• Where that entity has different identity representations in each domain
• Such that the entity can request resources
• And not have to re-authenticate

SAML Details
• SAML is an XML format
  – With XML schema
  – Integrity, confidentiality protection via xmlsec (XML Signature / XML Encryption)
  – Almost always signed, encrypted with X.509
  – Often self-issued X.509 certs
    • Trust is established out-of-band
• Only a subset of features is supported by the majority of implementations

SAML Roles
• Identity Provider
  – Authenticates the user directly
  – Asserts identity to other services
• Service Provider
  – Requests, consumes identity to authenticate the user

SAML Anatomy
• SAML Assertion
  – Describes the entity
• SAML Protocol
  – Request/response messages
• SAML Binding
  – How messages are sent
• SAML Profile
  – Bindings and protocols used for a use case

SAML Anatomy
• Interesting bits
  – SAML Assertion
    • Token used by other specs
  – SAML Web Browser SSO Profile
    • Describes how to send browsers across domains to authenticate users

Subset of SAML in wide use
• Web Browser SSO
• Assertions
  – Subject: unique identifier in the system
    • Email, DN, employee ID
  – Attributes
    • Personalization items like first/last name
    • Groups, other information for policy decisions

SAML Limitations
• XML digital signatures are difficult
  – To implement
  – To reason about
• Majority of implementations only handle Web SSO
• Most API usage is WS-Security (SOAP)
  – OAuth 2.0 profile is in draft

OAUTH 2.0

OAuth 2.0
• Provides authorization for API access
  – 3rd party makes API calls on the user’s behalf
  – Without asking for/caching the user password
  – User can revoke client access individually
  – Changing the password doesn’t break access

Existing Problem to Solve*

OAuth 2.0 Fundamentals
• Four parties defined
  – The User
  – The Client application
  – A Protected Resource requiring authorization
  – An Authorization Service (AS)

OAuth 2.0 Fundamentals
• Access tokens
  – Message to the resource from the AS about the client
    • What they are allowed to do
    • Who they represent
  – Usually opaque to the client
  – Validation of the token is not part of the core spec
    • Local crypto check, or remote call
  – Requires secure transport (TLS)

OAuth 2.0 Fundamentals
• Scopes
  – Clients request the scope of usage for a token
    • API-specific strings or URIs
  – AS logic determines what scopes you get
    • Internal policy
    • User consent
  – Good for pre-computing broad policy decisions

OAuth 2.0 Fundamentals
• Access token validation is often cached
• Access tokens expire
• Refresh token
  – Given to the client alongside the access token
  – Can be used to request a new access token
  – Usually what is revoked by the user
  – Only shared between the client and the AS

OAuth 2.0 Benefits
• Splits token acquisition from token usage
• Acquisition:
    POST /authsvc
    Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQK

    grant_type=password&username=jdoe&password=A3ddj3
• Usage:
    Authorization: Bearer YWNjZXNzdGtuCg==

Grant Types
• A few interesting grant_types:
  – Username/password user auth
  – Browser-based authentication and consent
    • Returning a temporary code to exchange for a token
    • Returning the token directly to be consumed by client code
  – Client authentication without a user
  – SAML (separate draft spec)
  – JWT (to discuss later)

OAuth 2.0 Concerns
• OAuth 2 is not a protocol, but a framework
• No profiles for interoperability
  – No mandatory-to-implement grant types
  – AS extends the return value
• Token
  – Token might not be opaque to the client
  – Resource → AS token validation (not specified)
• Client → Resource token usage is solid

OAuth 2.0 Concerns
• OAuth 1 had message signing
  – For integrity protection
• OAuth 2 protects integrity/confidentiality with TLS instead

OAuth 2.0 Concerns
• But, OAuth 1 signing was
  – Request only
  – Only for URL-encoded requests (no XML, JSON)
  – Not supported by existing libraries; had to be implemented
  – Home-grown implementations broke on API changes
  – X.509-based signing often unimplemented
  – Confidentiality still required TLS
• OAuth 2 has work toward MAC signing

OAuth 2.0 Concerns
• OAuth requires client registration
  – Limits API usage to registered clients
    • Except some username/password deployments
• Does not protect from malicious or phishing clients
  – But it can accommodate user authentication mechanisms that do

JSON WEB TOKEN (JWT)

JSON Web Token
• Abbreviated JWT, pronounced “Jot”
• Standard token format
  – Containing JSON data
  – Supporting integrity, confidentiality
• Overly broad/bad definition
  – “SAML Assertions in JSON instead of XML”

JWT Overview
• Fills in some missing pieces
  – What is a good OAuth access token format?
  – What “standard” attributes should I care about?
    • Subject
    • “Issued at” time
    • “Not before”, “expiry” to provide a validity window
    • “Issuer”, “audience”
    • Unique token identifier

JWT Features
• “Issuer” allows you to support multiple Authorization Servers
• Allows resources to consume the token directly
  – Without talking to the AS
• OAuth 2 grant proposed to exchange a remote JWT for a local access token
  – Federation

JWT Format
• Format is simple
  – URL-safe Base64-encoded data chunks, separated by dots
    • Crypto object defining integrity/confidentiality checks
    • Data object with some reserved keys
      – Possibly encrypted
    • Optionally, a signature block
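The token layout the JWT Format slide describes, together with the reserved claims listed under JWT Overview, as an added Python example that is not part of the slides: an HS256 issue-and-verify pair that pins the algorithm, checks the signature before trusting the payload, and then enforces the exp/nbf validity window, the issuer and the audience. The shared key, issuer URL, audience identifier and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: a secret shared by the AS (issuer) and the resource
# (verifier), plus the issuer and audience identifiers each side expects.
DEMO_KEY = b"demo-shared-secret-not-for-production"
ISSUER = "https://as.example.test"
AUDIENCE = "https://api.example.test"


def b64url_encode(raw: bytes) -> str:
    """JWT uses base64url with the '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    """Build header.payload.signature: the crypto object, the data object
    with its reserved keys, and the HMAC-SHA256 signature block."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, issuer: str, audience: str,
               now=None, leeway: int = 60) -> dict:
    """Check the signature first, then the reserved claims. Raises ValueError
    on any failure and returns the claims only when every check passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header is untrusted until the signature is checked, so pin the
    # algorithm: 'none' or anything other than the expected alg is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # Validity window from nbf/exp, with a little leeway for clock skew.
    if not isinstance(claims, dict) or "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired or has no exp")
    if now < claims.get("nbf", 0) - leeway:
        raise ValueError("token not yet valid")
    # Issuer: which AS said this. Audience: whether it was said to us.
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    return claims


def is_rejected(token: str, key: bytes, issuer: str, audience: str, now) -> bool:
    """True when verify_jwt refuses the token (used to probe failure cases)."""
    try:
        verify_jwt(token, key, issuer, audience, now=now)
    except ValueError:
        return True
    return False


def demo(now: int = 1_700_000_000) -> dict:
    """Issue a token for user 'jdoe' at the AS and verify it at the resource."""
    claims = {"iss": ISSUER, "sub": "jdoe", "aud": AUDIENCE, "iat": now,
              "nbf": now, "exp": now + 300, "jti": "constructed-jti-0001"}
    token = issue_jwt(claims, DEMO_KEY)
    return verify_jwt(token, DEMO_KEY, ISSUER, AUDIENCE, now=now)


if __name__ == "__main__":
    print(demo())
```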

JWT Proposed Usage
• Eventual token form for APIs to support
  – Network optimization
• Alternative to SAML for API access from other domains

OPENID CONNECT

OAuth 2.0 Caveat
• Not an authentication protocol on its own
  – Do not treat OAuth access tokens as
    • Proof that authentication was performed recently
    • Proof that the party giving you this token is the user
    • Proof that this token is meant for your client
  – Generally, do not treat the token as a message to a client about the user

OpenID Connect
• Completely new protocol
• Extends the AS with the OpenID Provider role
• Adds an Identity Token (id_token) for SSO
  – A JSON Web Token
  – A message to the client about the user
• Adds a UserInfo endpoint
• Adds hybrid flows
  – Client is split between local and hosted pieces

OpenID Connect
• Adds Dynamic Registration of clients
• Adds Discovery of OpenID Provider metadata on a domain
  – via /.well-known/
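An added Python example, not part of the slides, for the Discovery bullet: how a client derives the provider metadata URL under /.well-known/ from an issuer, and what it checks in the returned document before using it, in particular that the document's issuer is exactly the issuer it was fetched for and that every endpoint is TLS. The issuer URL and metadata document are constructed; the openid-configuration path and the issuer-match rule are those of OpenID Connect Discovery 1.0.

```python
import json
from urllib.parse import urlsplit

# Path defined by OpenID Connect Discovery 1.0, appended to the issuer URL.
WELL_KNOWN = "/.well-known/openid-configuration"
# Endpoints a relying party needs before it can run a flow and verify id_tokens.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Where the client fetches provider metadata for a given issuer."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return issuer.rstrip("/") + WELL_KNOWN


def validate_metadata(requested_issuer: str, document: str) -> dict:
    """Parse the metadata and refuse a document that describes a different
    issuer than the one it was fetched for, or that points at non-TLS endpoints."""
    meta = json.loads(document)
    # The issuer in the document must equal the issuer we asked about; otherwise
    # a misconfigured or substituted provider could speak for another one.
    if not isinstance(meta, dict) or meta.get("issuer") != requested_issuer:
        raise ValueError("metadata issuer does not match requested issuer %r" % requested_issuer)
    for name in REQUIRED_ENDPOINTS:
        url = meta.get(name)
        if not isinstance(url, str) or urlsplit(url).scheme != "https":
            raise ValueError("%s missing or not an https URL" % name)
    return meta


def metadata_is_valid(requested_issuer: str, document: str) -> bool:
    """True when validate_metadata accepts the document."""
    try:
        validate_metadata(requested_issuer, document)
    except ValueError:
        return False
    return True


# Constructed provider metadata, as a provider would serve it at the URL above.
SAMPLE_ISSUER = "https://op.example.test"
SAMPLE_METADATA = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "userinfo_endpoint": SAMPLE_ISSUER + "/userinfo",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
})

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(validate_metadata(SAMPLE_ISSUER, SAMPLE_METADATA)["token_endpoint"])
```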

More Related Content

What's hot

Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCloudIDSummit
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Justin Richer
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedEugene Siow
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2Mike Schwartz
 
OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018OpenIDFoundation
 
CIS 2015 OpenID Connect and Mobile Applications - David Chase
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCIS 2015 OpenID Connect and Mobile Applications - David Chase
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCloudIDSummit
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web SecurityOliver Pfaff
 
Smart Card Authentication
Smart Card AuthenticationSmart Card Authentication
Smart Card AuthenticationDan Usher
 
Web authentication
Web authenticationWeb authentication
Web authenticationPradeep J V
 
Authentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackFITC
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 

What's hot (20)

Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
 
CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014   introduction to open id connect and o-auth 2Mit 2014   introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 Explained
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2
 
OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018OpenID Connect "101" Introduction -- October 23, 2018
OpenID Connect "101" Introduction -- October 23, 2018
 
CIS 2015 OpenID Connect and Mobile Applications - David Chase
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCIS 2015 OpenID Connect and Mobile Applications - David Chase
CIS 2015 OpenID Connect and Mobile Applications - David Chase
 
New Trends in Web Security
New Trends in Web SecurityNew Trends in Web Security
New Trends in Web Security
 
Full stack security
Full stack securityFull stack security
Full stack security
 
Smart Card Authentication
Smart Card AuthenticationSmart Card Authentication
Smart Card Authentication
 
Web authentication
Web authenticationWeb authentication
Web authentication
 
Authentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN StackAuthentication and Authorization Architecture in the MEAN Stack
Authentication and Authorization Architecture in the MEAN Stack
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 

Similar to SAML, OAuth, and OpenID Connect Overview

CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
 
Who’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileWho’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileNordic APIs
 
CIS 2013 Ping Identity Chalktalk
CIS 2013 Ping Identity ChalktalkCIS 2013 Ping Identity Chalktalk
CIS 2013 Ping Identity ChalktalkCraig Wu
 
IoT mobile app device cloud identity and security architecture
IoT mobile app device cloud identity and security architectureIoT mobile app device cloud identity and security architecture
IoT mobile app device cloud identity and security architectureVinod Wilson
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit
 
De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 Leonard Moustacchis
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at ScaleCloudIDSummit
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)Sam Bowne
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using ClaimsVolkan Uzun
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...APIsecure_ Official
 
CIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCloudIDSummit
 
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...Paris Open Source Summit
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NGWorteks
 
Complete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsComplete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsXing (Xingheng) Wang
 
1400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-011400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-01Nordic APIs
 
[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New BlackWSO2
 
Secured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudSecured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudOrkhan Gasimov
 

Similar to SAML, OAuth, and OpenID Connect Overview (20)

CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
 
Who’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and MobileWho’s Knocking? Identity for APIs, Web and Mobile
Who’s Knocking? Identity for APIs, Web and Mobile
 
CIS 2013 Ping Identity Chalktalk
CIS 2013 Ping Identity ChalktalkCIS 2013 Ping Identity Chalktalk
CIS 2013 Ping Identity Chalktalk
 
IoT mobile app device cloud identity and security architecture
IoT mobile app device cloud identity and security architectureIoT mobile app device cloud identity and security architecture
IoT mobile app device cloud identity and security architecture
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John Bradley
 
De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2 De la bonne utilisation de OAuth2
De la bonne utilisation de OAuth2
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at Scale
 
Presentation
PresentationPresentation
Presentation
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using Claims
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
CIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans Zandbelt
 
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
 
Complete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsComplete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIs
 
Identity soup
Identity soupIdentity soup
Identity soup
 
1400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-011400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-01
 
[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black
 
Secured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudSecured REST Microservices with Spring Cloud
Secured REST Microservices with Spring Cloud
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024

SAML, OAuth, and OpenID Connect Overview

1. SAML, OAuth 2, and OpenID Connect Overview
David Waite
Ping Identity Corporation
Copyright ©2012 Ping Identity Corporation. All rights reserved.
8. SECURITY ASSERTION MARKUP LANGUAGE (SAML)

9. SAML
• Security Assertion Markup Language
–A.K.A., a format for Securely Asserting Identity Information
• Includes Web Single Sign-On (Web SSO)
• Pieces leveraged by WS-Federation, WS-Security, OAuth 2.0

10. Web SSO Problem
• How to talk about a user (entity)
• Between multiple security domains
• Where that entity has different identity representations in each domain
• Such that the entity can request resources
• And not have to re-authenticate

11. SAML Details
• SAML is an XML format
–With XML schema
–Integrity, confidentiality protection via xmlsec
–Almost always signed, encrypted with X.509
–Often self-issued X.509 certs
  • trust is established out-of-band
• Only a subset of features supported by majority of implementations

12. SAML Roles
• Identity Provider
–Authenticates the user directly
–Asserts identity to other services
• Service Provider
–Requests, consumes identity to authenticate the user

13. SAML Anatomy
• SAML Assertion
–describes the entity
• SAML Protocol
–request/response messages
• SAML Binding
–how messages are sent
• SAML Profile
–bindings and profiles used for a use case

14. SAML Anatomy
• Interesting Bits
–SAML Assertion
  • token used by other specs
–SAML Web Browser SSO Profile
  • describes how to send browsers cross domains to authenticate users

15. Subset of SAML in wide use
• Web Browser SSO
• Assertions
–subject - unique identifier in system
  • email, DN, employee ID
–attributes
  • personalization items like first/last name
  • groups, other information for policy decisions

16. SAML Limitations
• XML digital signatures are difficult
–to implement
–to reason about
• Majority of implementations only handle Web SSO
• Most API usage is WS-Security (SOAP)
–OAuth 2.0 profile is in draft

17. OAUTH 2.0

18. OAuth 2.0
• Provides Authorization for API access
–3rd party makes API calls on user’s behalf
–Without asking for/caching user password
–User can revoke client access individually
–Changing password doesn’t break access

19. Existing Problem to Solve*

20. OAuth 2.0 Fundamentals
• Four parties defined
–The User
–The Client application
–A Protected Resource requiring authorization
–An Authorization Service

21. OAuth 2.0 Fundamentals
• Access tokens
–message to resource from AS about client
  • what they are allowed to do
  • who they represent
–usually opaque to the client
–validation of token is not part of core spec
  • local crypto check, or remote call
–Requires secure transport (TLS)

22. OAuth 2.0 Fundamentals
• Scopes
–Clients request scope of usage for token
  • API-specific strings or URIs
–AS logic determines what scopes you get
  • internal policy
  • user consent
–Good for pre-computing broad policy decisions

23. OAuth 2.0 Fundamentals
• Access token validation is often cached
• Access tokens expire
• Refresh token
–given to client alongside access token
–can be used to request new access token
–usually what is revoked by user
–only shared between client and AS

24. OAuth 2.0 Benefits
• Splits token acquisition from token usage
• Acquisition:
POST /authsvc
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQK
grant_type=password&username=jdoe&password=A3ddj3
• Usage:
Authorization: Bearer YWNjZXNzdGtuCg==
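The acquisition/usage split of slide 24, as an added example that is not from the slides: a minimal in-memory authorization service that authenticates the client with HTTP Basic and accepts the password grant from the slide's request, plus the resource-side Bearer check of slide 21 with the token expiry and refresh token of slide 23. The client registry, the user record, the 60-second lifetime and the single-use refresh-token rotation are this example's own constructed choices.

```python
import base64, secrets, time
from urllib.parse import parse_qs

# Constructed registry (not from the slides): one registered client, one user.
CLIENTS = {"username": "password"}  # client_id -> secret, as encoded in the slide's Basic header
USERS = {"jdoe": "A3ddj3"}          # user -> password, as in the slide's password grant
ACCESS_TTL = 60                     # seconds: access tokens expire (slide 23)
_access = {}   # opaque access token -> (client_id, user, expires_at)
_refresh = {}  # refresh token -> (client_id, user); shared only between client and AS

def basic_header(client_id, secret):  # Basic header the client sends to the token endpoint
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def _client_from_basic(header):
    scheme, _, cred = header.partition(" ")
    try:
        client_id, _, secret = base64.b64decode(cred).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return client_id if scheme == "Basic" and CLIENTS.get(client_id) == secret else None

def token_endpoint(auth_header, body, now=None):  # POST /authsvc in the slide's terms
    now = time.time() if now is None else now
    client_id = _client_from_basic(auth_header)
    if client_id is None:
        return {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    grant = form.get("grant_type")
    if grant == "password":
        user = form.get("username", "")
        if USERS.get(user) != form.get("password", ""):
            return {"error": "invalid_grant"}
    elif grant == "refresh_token":
        rec = _refresh.pop(form.get("refresh_token"), None)  # single use: rotated on every refresh
        if rec is None or rec[0] != client_id:
            return {"error": "invalid_grant"}
        user = rec[1]
    else:
        return {"error": "unsupported_grant_type"}
    access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    _access[access] = (client_id, user, now + ACCESS_TTL)
    _refresh[refresh] = (client_id, user)
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}

def resource_check(auth_header, now=None):  # resource side: validate the Bearer token at the AS
    now = time.time() if now is None else now
    scheme, _, token = auth_header.partition(" ")
    rec = _access.get(token) if scheme == "Bearer" else None
    return None if rec is None or rec[2] <= now else {"client_id": rec[0], "user": rec[1]}
```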
25. Grant Types
• A few interesting grant_types:
–username / password user auth
–browser-based authentication and consent
  • returning temporary code to exchange for token
  • returning token directly to be consumed by code
–client authentication w/o user
–SAML (separate draft spec)
–JWT (to discuss later)

26. OAuth 2.0 Concerns
• OAuth 2 is not a protocol, but a framework
• No profiles for interoperability
–No Mandatory to Implement grant types
–AS extends return value
• Token
–Token might not be opaque to client
–Resource → AS Token Validation
• Client → Resource token usage is solid

27. OAuth 2.0 Concerns
• OAuth 1 had message signing
–for integrity protection
• Protect integrity/confidentiality with TLS

28. OAuth 2.0 Concerns
• But, OAuth 1 signing was
–Request only
–Only for URLEncoded request (no XML, JSON)
–No existing support, had to be implemented
–Home-grown impls broke on API changes
–X.509-based signing often unimplemented
–Confidentiality still required TLS
• OAuth 2 has work toward MAC signing

29. OAuth 2.0 Concerns
• OAuth requires client registration
–limits API usage to registered clients
  • except some username/password deployments
• Does not protect from malicious or phishing clients
–but would support user authentication mechanisms which would support this

30. JSON WEB TOKEN (JWT)

31. JSON Web Token
• Abbreviated JWT, pronounced “Jot”
• Standard token format
–containing JSON data
–supporting integrity, confidentiality
• Overly broad/bad definition
–“SAML Assertions in JSON instead of XML”

32. JWT Overview
• Fills in some missing pieces
–What is a good OAuth access token format?
–What “standard” attributes should I care about?
  • subject
  • “issued at” time
  • “not before”, “expiry” to provide validity window
  • “issuer”, “audience”
  • unique token identifier

33. JWT Features
• “Issuer” allows you to support multiple Authorization Servers
• Allow resources to consume token directly
–without talking to AS
• OAuth 2 grant proposed to exchange remote JWT for local access token
–federation

34. JWT Format
• Format is simple
–URL-safe Base64-encoded data chunks, separated by dots
  • crypto object defining integrity/confidentiality checks
  • data object with some reserved keys
    –possibly encrypted
  • optionally, signature block
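The dotted format of slide 34 with the reserved claims of slide 32, as an added example that is not from the slides: minting a signed JWT and letting a resource consume it directly (slide 33) by checking the signature, the issuer, the audience and the not-before/expiry window. The example assumes an HMAC-SHA256 signature over a shared key (one of several algorithms a JWT can carry), a string-valued audience, and constructed issuer, audience and key values.

```python
import base64, hashlib, hmac, json, time

def _b64url(data):  # URL-safe Base64 chunk without padding, as slide 34 describes
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims, key):
    """Mint a compact JWT: header.payload.signature, each chunk URL-safe base64 without padding."""
    header = {"alg": "HS256", "typ": "JWT"}  # the "crypto object" of slide 34 (assumed HMAC-SHA256)
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token, key, issuer, audience, now=None):
    """Return the claims if signature, issuer, audience and validity window all check out, else None."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:  # wrong chunk count, bad base64 or bad JSON
        return None
    # Pin the algorithm this verifier expects rather than trusting the token's own header.
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    # Reserved claims from slide 32: issuer, audience (a single string here), validity window.
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None
    return claims
```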
35. JWT Proposed usage
• Eventual token form for APIs to support
–network optimization
• Alternative to SAML for API access from other domains

36. OPENID CONNECT

37. OAuth 2.0 Caveat
• Not an Authentication Protocol on its own
–Do not treat OAuth access tokens as
  • proof authentication was performed recently
  • proof the party giving you this token is the user
  • that this token is meant for your client
–Generally, do not treat the token as a message to a client about the user

38. OpenID Connect
• Completely New Protocol
• Extends AS with OpenID Provider Role
• Adds Identity Token (id_token) for SSO
–JSON Web Token
–Message to client about user
• Adds UserInfo endpoint
• Adds hybrid flows
–client is split between local and hosted pieces

39. OpenID Connect
• Adds Dynamic Registration of clients
• Adds Discovery of OpenID Provider metadata on domain
–via /.well-known/