OAuth 2.0 and OpenID Connect

Aaron Parecki
February 07, 2019

Slides from my Okta OAuth workshop in New York City.

Transcript

  1. OAuth 2.0 and OpenID Connect. AARON PARECKI @aaronpk aaronpk.com

  2. @aaronpk oauth.net

  3. @aaronpk

  4. None
  5. @aaronpk

  6. @aaronpk WHAT IS OAUTH? AND WHY DOES IT MATTER?

  7. Specs are not good tutorials!

  8. @aaronpk THE PASSWORD ANTI-PATTERN

  9. @aaronpk THE PASSWORD ANTI-PATTERN facebook.com ~2010

  10. @aaronpk

  11. @aaronpk the app can't just get access to the user's data directly
  12. @aaronpk the app isn't allowed to ask for the user's password and use it
  13. @aaronpk so... how can I let an app access my data without giving it my password?
  14. @aaronpk

  15. @aaronpk An open standard for authorization

  16. @aaronpk

  17. @aaronpk Connect with Google https://yelp.com/

  18. @aaronpk the app needs to ask the user for an access token (rather than a password) which it can use with the API
  19. but… OAuth doesn’t tell the app who logged in

  20. @aaronpk A HOTEL KEY CARD, FOR APPS

  21. Authentication provides user identity. Authorization provides delegated access.

  22. @aaronpk HOW OAUTH WORKS

  23. @aaronpk OBTAINING AN ACCESS TOKEN. Applications use an OAuth flow to obtain an access token
      ▸ Authorization Code Flow: web apps, native apps
      ▸ Device Flow: browserless or input-constrained devices
      ▸ Password: not really OAuth, only for first-party apps
      ▸ Client Credentials: for machine-to-machine authentication
  24. @aaronpk OBTAINING AN ACCESS TOKEN. Using the token against the API:
      POST /resource/1/update HTTP/1.1
      Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
      Host: api.authorization-server.com

      description=Hello+World
  25. @aaronpk ROLES IN OAUTH
      ▸ OAuth Server (Authorization Server), aka the token factory
      ▸ API (Resource Server)
      ▸ The Application (Client)
      ▸ The User's Device (User Agent)
  26. @aaronpk Choosing an OAuth Flow (decision tree, reconstructed from the diagram's labels; later slides repeat it with one path highlighted):
      Is the app trying to access a user's data?
        No  -> Client Credentials
        Yes -> Is this a confidential client?
          Yes -> Is this a first-party app?
            No  -> Authorization Code
            Yes -> Do you need to avoid redirects?
              No  -> Authorization Code
              Yes -> Password
          No  -> Can the app use a browser on the device?
            Yes -> Can the app make a cross-domain POST?
              Yes or N/A -> Authorization Code + PKCE
              No         -> Implicit Flow
            No  -> Is this a first-party app, and is there a keyboard?
              Yes -> Password
              No  -> Device Flow
  27. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  28. Public Clients vs Confidential Clients
      ▸ Confidential Clients: application running on a server; has the ability to keep strings secret since code is running in a trusted environment
      ▸ Public Clients: the application can't keep strings secret. JavaScript/Single-Page apps: "view source". Native apps: decompile and extract strings
  29. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  30. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  31. CLIENT CREDENTIALS GRANT TYPE:

  32. (Diagram: the API Service sends POST /token with its Client Secret to the Authorization Server and gets an access token response; it then calls the API with GET /thing, Authorization: Bearer XXX, and gets a JSON response.)
  33. Exchange the Client ID and Secret for a Token
      POST https://api.authorization-server.com/token
      grant_type=client_credentials&
      client_id=CLIENT_ID&
      client_secret=CLIENT_SECRET

      { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in": 3600 }
  34. When to use the Client Credentials grant
      • The app does not need to access user data
      • The app is a confidential client (something running on a server)
      • Mainly for machine-to-machine communication
  35. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  36. First Party Third Party

  37. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  38. https://accounts.google.com/oauth/authorize?response_ty

  39. None
  40. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  41. PASSWORD GRANT TYPE:

  42. Exchange the Username and Password for a Token
      POST https://api.authorization-server.com/token
      grant_type=password&
      username=USERNAME&
      password=PASSWORD&
      client_id=CLIENT_ID&
      client_secret=CLIENT_SECRET
      The user's credentials are sent directly! Don't let third party apps do this!
  43. When to use the Password grant. If your app meets all of these criteria:
      • Is a first-party app (the user is logging in to an app branded the same as their account)
      • Cannot launch/redirect a browser to the authorization server
      • You do not need to support multifactor auth or delegated accounts
  44. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  45. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  46. AUTHORIZATION CODE GRANT TYPE:

  47. (Sequence diagram; participants: User Agent, App, OAuth Server, API)
      User: I'd like to use this great app
      App: Please go to the authorization server to grant me access
      User: I'd like to log in to "The Best App Ever", it wants to access my photos
      AS: Here is a temporary code the app can use
      User: Here is the temporary code, please use this to get a token
      App: Here is the temporary code, and my secret, please give me a token
      AS: Here is an access token!
      App: Please let me access this user's data with this access token!
  48. Front Channel (https://accounts.google.com/?...): passing data via the browser's address bar. The user, or malicious software, can modify the requests and responses.
      Back Channel: sent from server to server. Code is run on a server, not on the user's computer, so requests cannot be tampered with.
  49. Back Channel Benefits
      ‣ The application knows it's talking to the right server
      ‣ Connection from app to server can't be tampered with
      ‣ Response from the server can be trusted because it came back in the same connection
  50. OAuth Server OAuth Client Passing Data via the Back Channel

  51. OAuth Server OAuth Client Passing Data via the Front Channel

  52. Front Channel Benefits (https://accounts.google.com/?...)
      ‣ The user being involved enables them to give consent
      ‣ Doesn't require the receiver to have a publicly routable IP (e.g. can work on a phone)
  53. @aaronpk FRONT-CHANNEL RISKS
      ▸ Redirect interception: the sender has no guarantee the receiver will get the data
      ▸ Data leak in browser history: the data is written to the browser history, which may be synced to "the cloud" or other devices
      Any data received via the front channel must be verified before it is used!
  54. The app builds the "Log in" link https://authorization-server.com/auth
      • response_type=code - indicates that your app expects to receive an authorization code
      • client_id=CLIENT_ID - The client ID you received when you first created the application
      • redirect_uri=REDIRECT_URI - Indicates the URL to return the user to after authorization is complete, such as https://example-app.com/callback
      • scope=photos - A space-separated string indicating which parts of the user's account you wish to access
      • state=1234zyx - A random string generated by your application, which you'll verify later
  55. The app builds the "Log in" link
      https://authorization-server.com/auth?
        response_type=code&
        client_id=CLIENT_ID&
        redirect_uri=REDIRECT_URI&
        scope=photos&
        state=1234zyx
  56. None
  57. If User Allows: the user is redirected back to the application with an authorization code
      https://example.com/callback?code=AUTH_CODE_HERE&state=1234zyx
      If User Denies: the user is redirected back to the application with an error code
      https://example.com/callback?error=access_denied&state=1234xyz
  58. Verify State
      • The application verifies the state matches the value it started with
      • This lets the application be sure it isn't trying to exchange an attacker's authorization code
      The app must do this because it received the authorization code via the front channel!
  59. Exchange the Code for an Access Token: POST https://api.authorization-server.com/token
      • grant_type=authorization_code - indicates that this request contains an authorization code
      • code=CODE_FROM_QUERY - Include the authorization code from the query string of this request
      • redirect_uri=REDIRECT_URI - This must match the redirect_uri used in the original request
      • client_id=CLIENT_ID - The client ID you received when you first created the application
      • client_secret=CLIENT_SECRET - Since this request is made from server-side code, the secret is included
  60. Exchange the Code for an Access Token
      POST https://api.authorization-server.com/token
      Content-type: application/x-www-form-urlencoded

      grant_type=authorization_code&
      code=AUTH_CODE_HERE&
      redirect_uri=REDIRECT_URI&
      client_id=CLIENT_ID&
      client_secret=CLIENT_SECRET
  61. Exchange the Code for an Access Token. The server replies with an access token and expiration time:
      { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"64d049f8b21191e12522d5d96d5641af5e8" }
      or, if there was an error:
      {"error":"invalid_request"}
  62. When to use the Authorization Code grant
      • Is a confidential client
      • Is able to redirect a browser to the authorization server
  63. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  64. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  65. @aaronpk https://example.com

  66. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  67. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  68. AUTHORIZATION CODE + PKCE GRANT TYPE:

  69. @aaronpk PKCE PROOF-KEY FOR CODE EXCHANGE RFC 7636 (pronounced "pixie")

  70. Redirect URLs for Native Apps: there is no built-in security for redirect URIs like there is when we use DNS, since any app can claim any URL scheme.
  71. Redirect URLs for Native Apps
      • App-Claimed URL Pattern: https://maps.google.com/*
      • Custom URL Scheme: example://redirect
  72. Problem:
      • The authorization server returns the authorization code in the front channel, so it can't guarantee it was actually received by the correct application
      • It needs a way to verify that the correct application is using it to get a token
      • Normally the client_secret solves this, but we can't use a secret!
  73. @aaronpk PKCE PKCE Authorization Code Flow

  74. (Sequence diagram; participants: User Agent, App, OAuth Server, API)
      User: I'd like to use this great app
      App: Hang on while I generate a new secret and hash it
      App: Please go to the authorization server to grant me access, take this hash with you
      User: I'd like to log in to this app, here's the hashed secret it gave me
      AS: Here is a temporary code the app can use
      User: Here is the temporary code, please use this to get a token
      App: Here's the code, and the plaintext secret, please give me a token
      AS: Let me verify the hash of that secret... ok here is an access token!
      App: Please let me access this user's data with this access token!
  75. Generate the Code Verifier: generate a random string 43-128 characters long, e.g.
      4A6hBupTkAtgbaQs39RSELUEqtSWTDTcRzVh1PpxD5YVKllU
      Generate the Code Challenge: the challenge is the SHA256 hash of the verifier string, base64url(sha256(code_verifier)), e.g.
      ipSBt30y48l401NGbLjo026cqwsRQzR5KI40AuLAdZ8
  76. Build the "Log in" link. Include the code challenge (the hashed value) in the request:
      https://authorization-server.com/auth?
        response_type=code&
        client_id=CLIENT_ID&
        redirect_uri=REDIRECT_URI&
        scope=photos&
        state=1234zyx&
        code_challenge=XXXXXXXXXXXXX&
        code_challenge_method=S256
  77. None
  78. If User Allows: the user is redirected back to the application with an authorization code
      example://callback?code=AUTH_CODE_HERE&state=1234zyx
      If User Denies: the user is redirected back to the application with an error code
      example://callback?error=access_denied&state=1234xyz
  79. Exchange the Code for an Access Token. Verify state, then make a POST request:
      • grant_type=authorization_code - indicates that this request contains an authorization code
      • code=CODE_FROM_QUERY - Include the authorization code from the query string of this request
      • redirect_uri=REDIRECT_URI - This must match the redirect_uri used in the original request
      • client_id=CLIENT_ID - The client ID you received when you first created the application
      • code_verifier=VERIFIER_STRING - The plaintext code verifier initially created
  80. Exchange the Code for an Access Token
      POST https://api.authorization-server.com/token
      grant_type=authorization_code&
      code=AUTH_CODE_HERE&
      redirect_uri=REDIRECT_URI&
      client_id=CLIENT_ID&
      code_verifier=VERIFIER_STRING
      Note: code verifier used in place of client secret
  81. Exchange the Code for an Access Token
      { "access_token":"RsT5OjbzRn430zqMLgV3Ia", "expires_in":3600, "refresh_token":"64d049f8b2119a12522d5dd96d5641af5e8" }
      The server compares the code_verifier with the code_challenge that was in the request when it generated the authorization code, and responds with an access token.
  82. PKCE: Proof Key for Code Exchange
      • Authenticates the code exchange step
      • Does not authenticate the app itself
      • Safe for clients to do with authorization servers that don't support PKCE
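The Authorization Code + PKCE exchange of slides 75 to 81, with the state check of slide 58, played out between a client and an authorization server in one process. This is an added example, not code from the slides or from AppAuth; the Client and AuthServer classes, the in-memory code store and the CLIENT_ID/REDIRECT_URI placeholder values are assumptions, while the verifier/challenge derivation and request parameters follow the slides.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://authorization-server.com/auth"  # from the slides
CLIENT_ID = "CLIENT_ID"                                  # placeholder, as on the slides
REDIRECT_URI = "https://example-app.com/callback"        # placeholder, as on the slides


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Random verifier: 32 bytes -> 43 chars, inside the 43-128 range of slide 75."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(sha256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class Client:
    """Public client (assumed): keeps state and verifier per login, has no client_secret."""

    def __init__(self):
        self.session = {}

    def build_login_link(self, scope: str = "photos") -> str:
        """Slide 76: the authorize URL carrying state and the hashed challenge."""
        self.session["state"] = secrets.token_urlsafe(16)
        self.session["code_verifier"] = make_code_verifier()
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": scope,
            "state": self.session["state"],
            "code_challenge": make_code_challenge(self.session["code_verifier"]),
            "code_challenge_method": "S256",
        }
        return f"{AUTH_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, callback_url: str) -> dict:
        """Slides 58 and 79: verify state first, then build the POST /token body of slide 80."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
        expected = self.session.get("state", "")
        if not secrets.compare_digest(q.get("state", "").encode(), expected.encode()):
            raise ValueError("state mismatch: this is not the authorization we started")
        if "error" in q:
            raise ValueError(f"authorization failed: {q['error']}")
        return {
            "grant_type": "authorization_code",
            "code": q["code"],
            "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID,
            "code_verifier": self.session.pop("code_verifier"),  # used once
        }


class AuthServer:
    """Minimal authorization server (assumed): codes are bound to a challenge and redeemed once."""

    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, login_url: str, user_allows: bool = True) -> str:
        """The consent step; returns the redirect URL of slide 78 (code or error)."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(login_url).query).items()}
        redirect = q["redirect_uri"]
        if not user_allows:
            return f"{redirect}?{urlencode({'error': 'access_denied', 'state': q['state']})}"
        if q.get("code_challenge_method") != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], redirect, q["code_challenge"])
        return f"{redirect}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, body: dict) -> dict:
        """Slide 81: recompute the challenge from code_verifier and compare with the stored one."""
        entry = self.codes.pop(body.get("code"), None)  # pop: a code can be redeemed only once
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect, challenge = entry
        if body.get("client_id") != client_id or body.get("redirect_uri") != redirect:
            return {"error": "invalid_grant"}
        recomputed = make_code_challenge(body.get("code_verifier", ""))
        if not secrets.compare_digest(recomputed, challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "expires_in": 3600}


def run_flow(user_allows: bool = True) -> dict:
    """End to end: login link -> consent redirect -> state check -> token exchange."""
    client, server = Client(), AuthServer()
    callback = server.authorize(client.build_login_link(), user_allows)
    return server.token(client.handle_callback(callback))
```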
  83. @aaronpk AppAuth.io iOS / Android / JavaScript

  84. When to use Authorization Code + PKCE
      • Is a public client
      • Is able to launch/redirect a browser to the authorization server
      • Can make a POST request to the token endpoint (e.g. for JavaScript apps, the auth server supports CORS requests)
  85. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  86. IMPLICIT GRANT TYPE:

  87. (Sequence diagram; participants: User Agent, App, OAuth Server, API)
      User: I'd like to use this great app
      App: Please go to the authorization server to grant me access
      User: I'd like to log in to "The Best App Ever", it wants to access my photos
      AS: Here is an access token!
      App: Please let me access this user's data with this access token!
  88. Implicit Flow: sends the access token via the front channel (diagram: the OAuth Server hands the OAuth Client the "access token!" directly)
  89. The app builds the "Log in" link https://authorization-server.com/auth
      • response_type=token - indicates that your app expects to receive an access token
      • client_id=CLIENT_ID - The client ID you received when you first created the application
      • redirect_uri=REDIRECT_URI - Indicates the URL to return the user to after authorization is complete, such as https://example-app.com/callback
      • scope=photos - A space-separated string indicating which parts of the user's account you wish to access
      • state=1234zyx - A random string generated by your application, which you'll verify later
  90. The app builds the "Log in" link
      https://authorization-server.com/auth?
        response_type=token&
        client_id=CLIENT_ID&
        redirect_uri=REDIRECT_URI&
        scope=photos&
        state=1234zyx
  91. None
  92. If User Denies: the user is redirected back to the application with an error code
      https://example.com/auth#error=access_denied&state=1234xyz
      If User Allows: the auth server redirects with the access token in the URL
      https://example.com/auth#token=ACCESS_TOKEN&state=1234xyz
  93. Query string vs fragment: for https://example.com/callback?code=XXXXXXXXXXXX the browser sends GET https://example.com/callback?code=XXXXXXXXXXXX to the server, but for https://example.com/callback#token=XXXXXXXXXXXX it sends only GET https://example.com/callback (the fragment never leaves the browser)

  94. caniuse.com/history window.history.pushState()

  95. None
  96. Risks of Using the Implicit Flow
      • Redirect interception: it's possible to intercept the access token during the redirect, and no way to detect this
      • Access token leak in browser history: the access token is stored in the browser history, which may be synced to multiple devices
      • Access token leak to scripts: the access token will be visible to all third-party scripts on the page, e.g. analytics, ads, etc
  97. https://tools.ietf.org/html/draft-ietf-oauth-security-topics

  98. https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps

  99. When to use the Implicit Flow. If your app meets all of these criteria:
      • Is a JavaScript app running in a browser
      • Has no server-side component
      • The OAuth server you are using does not allow cross-domain requests
      • If you have no other option, because really...
  100. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  101. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  102. None
  103. @aaronpk

  104. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  105. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  106. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  107. DEVICE FLOW GRANT TYPE:

  108. @aaronpk BROWSERLESS DEVICES

  109. None
  110. None
  111. Request a Device Code. First the device requests a device code and user code:
       POST https://authorization-server.com/device
       client_id=CLIENT_ID
  112. Request a Device Code. The server responds with a new device code and user code, as well as the URL the user should visit to enter the code:
       {
         "device_code": "NGU5OWFiNjQ5YmQwNGY3YTdmZTEyNzQ3YzQ1YSA",
         "user_code": "BDWD-HQPK",
         "verification_uri": "https://example.com/device",
         "expires_in": 1800,
         "interval": 5
       }
  113. Display the URL and User Code

  114. NLBLMDPP
       While the device waits for the user to enter the code and authorize the application, the device polls the token endpoint.
       POST https://authorization-server.com/token
       grant_type=urn:ietf:params:oauth:grant-type:device_code
       &client_id=CLIENT_ID
       &device_code=NGU5OWFiNjQ5YmQwNGY3YTdmZTEyNzQ3YzQ1YSA

       { "error": "authorization_pending" }
  119. While the device waits for the user to enter the code and authorize the application, the device polls the token endpoint.
       POST https://authorization-server.com/token
       grant_type=urn:ietf:params:oauth:grant-type:device_code
       &client_id=CLIENT_ID
       &device_code=NGU5OWFiNjQ5YmQwNGY3YTdmZTEyNzQ3YzQ1YSA

       Once the user has authorized the application, the same poll returns the token:
       { "access_token": "RsT5OjbzRn430zqMLgV3Ia", "expires_in": 3600, "refresh_token": "b7aab35e97298a060e0ede5b43ed1f70a8" }
  120. NLBLMDPP

  121. None
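The device-flow client of slides 111 to 119 (request a device code, show the user code, poll the token endpoint at the server's interval until the user has approved or the device code expires), as an added example that is not code from the slides. The FakeAuthServer standing in for the /device and /token endpoints, the injectable clock and sleep, and the expired_token error (defined by RFC 8628, not shown on the slides) are assumptions.

```python
import secrets
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # grant_type from slide 114
CLIENT_ID = "CLIENT_ID"                                         # placeholder, as on the slides


class FakeAuthServer:
    """Constructed stand-in for https://authorization-server.com/device and /token.
    Behaves like the slides: authorization_pending until the user has approved,
    which this fake models as 'approved after N polls'."""

    def __init__(self, approve_after_polls: int = 3, expires_in: int = 1800, interval: int = 5):
        self.approve_after_polls = approve_after_polls
        self.expires_in = expires_in
        self.interval = interval
        self.pending = {}  # device_code -> [user_code, polls so far, issued_at]

    def device(self, body: dict, now: float) -> dict:
        """POST /device with client_id -> device_code, user_code, verification_uri (slide 112)."""
        if body.get("client_id") != CLIENT_ID:
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(24)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # constructed format
        self.pending[device_code] = [user_code, 0, now]
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://example.com/device",
                "expires_in": self.expires_in, "interval": self.interval}

    def token(self, body: dict, now: float) -> dict:
        """POST /token with the device_code grant (slides 114-119)."""
        if body.get("grant_type") != DEVICE_GRANT or body.get("client_id") != CLIENT_ID:
            return {"error": "invalid_request"}
        entry = self.pending.get(body.get("device_code"))
        if entry is None:
            return {"error": "invalid_grant"}
        if now - entry[2] > self.expires_in:          # device code outlived expires_in
            del self.pending[body["device_code"]]
            return {"error": "expired_token"}
        entry[1] += 1
        if entry[1] < self.approve_after_polls:
            return {"error": "authorization_pending"}
        del self.pending[body["device_code"]]         # one-shot: the code is consumed
        return {"access_token": secrets.token_urlsafe(16), "expires_in": 3600,
                "refresh_token": secrets.token_urlsafe(24)}


def device_login(server, clock=time.time, sleep=time.sleep, display=print) -> dict:
    """Run the device flow against `server`; returns the token response or the final error.
    `clock`/`sleep`/`display` are injectable so the loop can be driven without real waiting."""
    dev = server.device({"client_id": CLIENT_ID}, clock())
    if "error" in dev:
        return dev
    # Slide 113: show the URL and user code; the user enters them on another device.
    display(f"Visit {dev['verification_uri']} and enter the code {dev['user_code']}")
    deadline = clock() + dev["expires_in"]
    interval = dev.get("interval", 5)
    body = {"grant_type": DEVICE_GRANT, "client_id": CLIENT_ID, "device_code": dev["device_code"]}
    while clock() < deadline:
        sleep(interval)                    # never poll faster than the server's interval
        resp = server.token(body, clock())
        if "access_token" in resp:
            return resp
        if resp.get("error") == "authorization_pending":
            continue                        # user has not finished yet: keep polling
        return resp                         # expired_token, invalid_grant, ...: stop
    return {"error": "expired_token"}       # gave up on our side once expires_in passed
```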
  122. @aaronpk Choosing an OAuth Flow (decision tree from slide 26, repeated)
  123. WHO LOGGED IN? OPENID CONNECT:

  124. None
  125. OpenID Connect Request
       https://authorization-server.com/auth?
         response_type=id_token&
         client_id=CLIENT_ID&
         redirect_uri=REDIRECT_URI&
         scope=openid+profile&
         state=xyz1234&
         nonce=1029384756

  126. If User Allows Access: the user is redirected back to the redirect_uri with an ID token
       https://example.com/#id_token=[ID token JWT, elided]&state=xyz1234
  127. ID Token: JWT, three base64url parts separated by dots: header . payload . signature
  129. Decoded ID Token: header .
       {
         "sub": "{USER_ID}",
         "iss": "https://authorization-server.com/oauth2/ausd1nry9hBoyvKrY0h7",
         "aud": "{CLIENT_ID}",
         "iat": 1524237221,
         "exp": 1524240821,
         "nonce": "{NONCE}",
         "auth_time": 1524606562
       }
       . signature
  130. Verifying the JWT
       • Fetch the public key of the server that issued the token
       • Verify the signature matches
  131. Validating the Claims
       • issuer (iss) – does the token originate from the right auth server?
       • audience (aud) – is the token intended for my application?
       • expiry time (exp) – has the current time already passed the exp time?
       • issued at time (iat) – is the current time too far from the issued time?
       • nonce – does it match the nonce passed in the request?
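The claim checks of slide 131 applied to a decoded ID token, as an added example that is not code from the slides. It covers the claims only: the signature check of slide 130 is assumed to have already passed (or to be unnecessary because the token came over the back channel, slide 135). The sample token, the 300 second iat tolerance, the CLIENT_ID placeholder and the dummy signature are constructed for the example; the issuer string and timestamps are taken from slide 129.

```python
import base64
import json
import time


def b64url_decode(part: str) -> bytes:
    """JWT parts are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> tuple:
    """Split header.payload.signature (slide 127) and decode the two JSON parts.
    Decoding is not verification: the signature part is returned untouched."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[2]


def validate_id_token_claims(payload: dict, issuer: str, client_id: str, nonce: str,
                             now: int = None, max_age: int = 300) -> dict:
    """Apply the five checks of slide 131; returns the payload or raises ValueError."""
    now = int(time.time()) if now is None else now
    # issuer: does the token originate from the right auth server?
    if payload.get("iss") != issuer:
        raise ValueError(f"wrong issuer: {payload.get('iss')!r}")
    # audience: is the token intended for my application? (aud may be a string or a list)
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    # expiry time: has the current time already passed exp?
    if "exp" not in payload or now >= int(payload["exp"]):
        raise ValueError("token expired")
    # issued at: is the current time too far from the issued time (either direction)?
    if "iat" not in payload or abs(now - int(payload["iat"])) > max_age:
        raise ValueError("token issued too long ago or in the future")
    # nonce: does it match the nonce passed in the request?
    if payload.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token not issued for this login request")
    return payload


def make_sample_token(claims: dict) -> str:
    """Constructed sample: header + claims with a dummy signature (NOT a signed token)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.dummy-signature"


ISSUER = "https://authorization-server.com/oauth2/ausd1nry9hBoyvKrY0h7"  # from slide 129
CLIENT_ID = "CLIENT_ID"                                                   # placeholder
SAMPLE = make_sample_token({"sub": "user-123", "iss": ISSUER, "aud": CLIENT_ID,
                            "iat": 1524237221, "exp": 1524240821, "nonce": "1029384756"})


def check_sample(now: int = 1524237300, nonce: str = "1029384756") -> dict:
    """Decode SAMPLE and validate it as if received at `now` for a request that sent `nonce`."""
    _header, payload, _signature = decode_jwt(SAMPLE)
    return validate_id_token_claims(payload, ISSUER, CLIENT_ID, nonce, now=now)
```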
  132. Remote ID Token Validation
       POST https://authorization-server.com/introspect
       token_type_hint=id_token&
       token=ID_TOKEN&
       client_id=CLIENT_ID&
       client_secret=CLIENT_SECRET

  133. Remote ID Token Validation Response
       {
         "active": true,
         "sub": "0oacww4sy8YYS1gOw0h7",
         "exp": 1524240821,
         "iat": 1524237221,
         "iss": "https://auth-server/ausd1nry9hBoyvKrY0h7"
       }
  134. OpenID Connect - Authorization Code
       https://authorization-server.com/auth?
         response_type=code&
         client_id=CLIENT_ID&
         redirect_uri=REDIRECT_URI&
         scope=openid+profile&
         state=xyz1234&
         nonce=1029385476
  135. OpenID Connect - Authorization Code
       • Exchange the code for an ID Token
       • No need to verify the signature since the token was obtained via a secure backchannel
  136. None
  137. When do you need OpenID Connect? If your app needs to know a unique user ID, or needs to know other profile information about the user
  138. RESOURCES

  139. oauth.com

  140. oauth.com/playground

  141. oauth.net

  142. developer.okta.com/blog

  143. @aaronpk aaronpk.com oauth2simplified.com