
2019 | Transactional Authorization | Identiverse | Day 1, June 25

63 views

Last year, we took a look at what's wrong with OAuth 2. This year, we'll look at some of the directions that technology is moving in, including an in-depth view of transactional authorization built around many of the lessons learned from OAuth 2's deployment.

Published in: Services

  1. Transactional Authorization (footer on every slide: @justin__richer https://bspk.io/)
  2. What’s Wrong with OAuth 2?
  3–8. (image slides, no text)
  9. Not OAuth
  10–13. (image slides, no text)
  14. Time for School!
  15–40. (image slides, no text)
  41. The Client
  42. The Authz Server
  43. The User
  44. (image slide, no text)
  45. A reminder: This is not OAuth
  46. The Front Channel
  47. The Front Channel • User is present • Browser is flexible
  48. The Front Channel • User is present • Browser is flexible • Information leakage • Tampering • Injection • URL size limitations • HTTP Referrer headers • HTTP server logs
  49. The Front Channel • User authentication • User interaction • Client identifier • Requested scope • Application state • etc… • Authorization code • Access tokens • Identity assertions • Application state • etc.
  50. (image slide, no text)
  51. Trying to protect the front channel • OIDC • JAR • JARM • PKCE • Token Binding
  52. Proposal: Avoid the Front Channel until we need it
  53. Transactions!
  54. OAuth has always been transactional
  55. (image slide, no text)
  56. Transactions: Registering Intent
  57. Start a Transaction { "client":... "interact":... "user":... "resources":[ ...], "key":... }
  58. “What I Am” "client":{ "name":"My Client DisplayName", "uri":"https://example.net/client" }
  59. “What I want” "resources":[{ "actions":["read","write","dolphin"], "locations":["https://server.example.net/", "https://resource.local/other"], "data":["metadata"] }]
  60. “What I know about the user” "user":{ "assertion":"eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoi...", "type":"oidc_id_token" }
  61. “How to recognize me” "key":{ "type":"jwsd", "jwks":{ "keys":[{ "kty":"RSA", "e":"AQAB", "kid":"xyz-1", "alg":"RS256", "n":"kOB5rR4Jv0GMeLaY6_It_..." } ] } }
  62. The client has to prove possession of all referenced keys
  63. “How I can interact with the user” "interact":{ "type":"redirect", "callback":"https://client.example.net/return/123455", "state":"LKLTI25DK82FX4T4QFZC" }
  64. Process all aspects of the transaction request
  65. “I need to talk to the user”
  66. “Go fetch me the user” { "interaction_url": "https://server.example.com/interact/4CF492MLVMSW9MKMXKHQ", "handle":{ "value":"80UPRY5NM33OMUKMKSKU", "type":"bearer" } }
  67. Each step points to the next
  68. The Front Channel https://server.example.com/interact/4CF492MLVMSW9MKMXKHQ
  69. Look up the transaction based on the incoming interaction URL
  70. Problem Solved!
  71. User interacts like you’d expect • Authenticate • Authorize • Consent • Modify
  72. https://client.example.net/return/123455?state=LKLTI25DK82FX4T4QFZC&interact=4IFWWIKYBC2PQ6U56NL1
  73. Validate the state value
  74. Continue the Transaction { "handle":"80UPRY5NM33OMUKMKSKU", "interact_handle":"4IFWWIKYBC2PQ6U56NL1" }
  75. The client STILL has to prove possession of all referenced keys
  76. “Here’s an access token” { "access_token":{ "value":"OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", "type":"bearer" } }
  77. Handles: Referencing previous state
  78. “Use this, I’ll remember you” { "client_handle":{ "value":"VBUEOIQA82PBY2ZDJW7Q","type":"bearer" }, "key_handle":{ "value":"7C7C4AZ9KHRS6X63AJAO","type":"bearer" } }
  79. Starting a new transaction with handles { "client":"VBUEOIQA82PBY2ZDJW7Q", "key":"7C7C4AZ9KHRS6X63AJAO" }
  80. The client STILL has to prove possession of all referenced keys
  81. An access token and a transaction handle { "access_token":{ "value":"OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", "type":"bearer" }, "handle":{ "value":"80UPRY5NM33OMUKMKSKU", "type":"bearer" } }
  82. Refreshing a Token { "handle":"80UPRY5NM33OMUKMKSKU" }
  83. Remembering the user { "user_handle":{ "value":"XUT2MFM1XBIKJKSDU8QM", "type":"bearer" } }
  84. Scopes, redux "resources":[ "read","write","dolphin" ]
  85. Structured scopes "resources":[ "read","write","dolphin", { "actions":["read","write","dolphin"], "locations":["https://server.example.net/", "https://resource.local/other"], "data":["metadata"] } ]
  86. What about other devices?
  87. The difference is interaction
  88. “How I Can Interact With The User” "interact":{ "type":"device" }
  89. “Go fetch me the user” { "interaction_url": "https://server.example.com/interact/device", "user_code":"A1BC-3DFF", "handle":{ "value":"80UPRY5NM33OMUKMKSKU", "type":"bearer" } }
  90. Tell the user https://server.example.com/interact/device A1BC-3DFF
  91. User interacts like you’d expect • Authenticate • Authorize • Consent • Modify • A1BC-3DFF
  92. Look up the transaction based on the user code
  93. Are we ready yet? { "handle":"80UPRY5NM33OMUKMKSKU" }
  94. Not yet { "wait":30, "handle":{ "value":"BI9QNW6V9W3XFJK4R02D", "type":"bearer" } }
  95. What about a combined URL?
  96. We can use the regular interaction URL { "interaction_url": "https://server.example.com/interact/4CF492MLVMSW9MKMXKHQ", "handle":{ "value":"80UPRY5NM33OMUKMKSKU", "type":"bearer" } }
  97. What about identity?
  98. Pass identity assertions like OIDC, VC { "id_token":"eyj0...", "verifiable_claims":"..." }
  99. What about binding tokens?
  100. Access token is bound to a key { "access_token":{ "value":"OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", "type":"jwsd", "key":{ "kid":"token-1234",... } } }
  101. Key proof is presented alongside token Authorization: JWSD OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0 Detached-JWS: eyJiNjQiOmZhbHNlLCJhbGciOiJSU...
  102. Getting involved
  103. (image slide, no text)
  104. https://oauth.xyz/
  105. (image slide, no text)
  106. Questions?
  107. (image slide, no text)
