Session I delivered at Oredev, with some updates, more detail, reviewing all of the security standards including ws-federation, saml, ws-trust, oauth,openID connect.
29. Home Realm Discovery
Browser
(requestor)
SignIn Response
RequestedSecurityToken
SAML 2 Token
Signature
Subject Confirmation
Token Lifetime
HTTP POST
wresult={Signin
Response}
wctx=[context]
2
1
HTTP GET
wa=wsignIn1.0
wtrealm=[Uri]
whr=[Uri]
wreply=[Uri]
wctx=[context]
Attributes (Claims = name, role)
Web Site
(RP)
IP-STS
(IdP)
30. WS-Trust
• HTTPS or Message Security (WS-Security)
• SAML holder-of-key tokens
– Signed by issuer
– Encrypted for relying party
– Includes proof key
• Core Messages (WS-Federation also uses)
– RST and RSTR
– Token validation, renewal or cancellation
30
32. Delegation / On Behalf Of
Client
Bearer token
Web
Application
Holder-of-key token
Service
STS
Credentials
33. SAML
• Security Assertion Markup Language
– OASIS standard
– Several versions 1.0, 1.1, 2.0
• Describes an XML security token format
and message exchange protocol
– Tokens are also used in federated security
scenarios for web services
– Message exchange is primarily browserbased
38. Motivation for OAuth
• No password sharing (valet key)
• Reduced risk of compromised credentials
• Ability to revoke access without changing
password
39. History
• OAuth 1.0a
– Complicated workflows
– Required signatures
– BUT, no SSL required
• OAuth 2
– Simplified workflows
– Rely on SSL for transfer protection
– Signatures NOT required
41. OAuth2 Abstract Flow
• Client requests authorization from Resource
Owner to access resources
• Resource Owner grants access through
Authorization Server
• Client uses access token to request resources
from Resource Server
• Resource Server returns resource if access
token is valid
46. OAuth2 Flows
• Authorization Code Grant
– Redirect based, web server redirect endpoint
• Implicit Grant
– Browser based (JavaScript), Mobile
• Resource Owner Password Credentials Grant
– Resource owner username/password known to client
• Client Credentials Grant
– Application based
• Extension Grant
47. Authorization Code
• User agent redirection (I.e., browser)
• Resource Owner must authenticate to
Authorization Server
– Credentials never shared with Client
– Authorization code sent to Client
• Client requests access token using
authorization code
– Access token never passed to user agent
48. Authorization Code Grant
Authorization Request
Authorization Request
Resource
Owner
Authorization Response
Authorization Response
Access Token Request
Client
Authorization
Server
Access Token Response
Resource Request
Resource
Server
Protected Resource
50. Implicit
• Optimized for JavaScript clients
• Access token issued to Client directly
– No authorization code (intermediate credential)
– Access token may be visible to resource
owner, user agent
53. Resource Owner Password Credentials
• Resource Owner credentials supplied to
request access token
• Client is tightly coupled to Resource Owner
– High degree of trust
– Client collects credentials to get access token
• Can exchange credentials for access token
– Dispose of passwords in memory
54. Resource Owner Password
Credentials Grant
Access Token Request
Resource Owner
Password Credentials
Resource
Owner
Access Token Response
Authorization
Server
Client
Resource Request
Resource
Server
Protected Resource
55. Resource Owner Password
Credentials Grant
Login
Page
1
2
3
Client
Application
grant_type
Username
password
scope*
acess_token
token_type
expires_in*
scope*
state*
refresh_token*
7
Authorization
Server
Credentials
Resource
Server
59. Extension Grant Flow
• Client requests access token by presenting a
token and specifying its kind
– I.e., OAuth-SAML2 specification
60. Client Registration
• Establishing trust with Authorization Server
– Provide a client type
– Provide a Url
– Provide other optional information
• Required for public and for implicit grants
Client Profile
Client Type
Web Application
Confidential
User-Agent Based
Public
Native Application
Public
61. Client Authentication
• Clients may register a password (secret) with
the Authorization Server
• Pass with Basic Authentication
• If not supported, pass as form parameters
65. Refresh Token
• Optional, Authorization Server decides
• Sent to Authorization Server to retrieve another
access token
– Different scope
– Additional time
• If access token is expired, can use refresh token
to request another one
– Without prompting Resource Owner
– Unless scope increases beyond what was approved
72. Profile Response
HTTP/1.1 200 OK
…
Content-Length: 609
{"id":"574847493","name":"Michele Leroux
Bustamante","first_name":"Michele","middle_name":"Leroux","last_name":
"Bustamante","link":"https://www.facebook.com/michelebusta","username":"mich
elebusta","birthday":”LA LA LA LA","bio":"I'm a geek. Wait, no I'm not. Wait, yes I
am...","quotes":"Never complain, never explain. -Katherine
Hepburn”,"gender":"female","email":"michelebustau0040gmail.com","timezone":1,"l
ocale":"en_US","verified":true,"updated_time":"2013-11-07T11:44:01+0000"}
81. Suggested Implementations
• Thinktecture
– Authorization Server and Identity Provider
– All but SAML 2
– Open Source
• Auth0
– Hosted model or appliance
– Affordable, from small bus to enterprise
– All protocols
– FREE version for dev
82. References
• Conference resources to be referenced here:
– http://michelebusta.com
• See my snapboards:
– Currently at the alpha site:
http://snapboardalpha.cloudapp.net/michelebusta
– Will move these to snapboard.com/michelebusta
when we go live on the main site (SOON watch my
blog for announcement)
• Contact me:
– michelebusta@solliance.net
– @michelebusta
83. Michele Leroux Bustamante
Managing Partner
Solliance (solliance.net)
CEO and Cofounder
Snapboard (snapboard.com)
Microsoft Regional Director
Microsoft MVP
Author, Speaker
Pluralsight courses on the way!
Blog: michelebusta.com
michelebusta@solliance.net
@michelebusta