$30 off During Our Annual Pro Sale. View Details »

OAuth by Example - Workshop

Andy March
December 05, 2019
Technology
1
170

OAuth by Example - Workshop

Authentication and authorization has come a long way in the last ten years. Are you still rolling your own identity? Don't know the differences between the authorization code grant from and the client credentials grant? Do you want to accept social authentication to your service but you're not sure how?

Join Andy March as we review OAuth and OIDC, their history, the problems they solve and how you can apply them to your services. This workshop will guide you through configuring Okta as an identity provider, deploying a simple web app enforcing authentication and authorization.

Andy March

December 05, 2019
Tweet

More Decks by Andy March

See All by Andy March
Securing APIs
andymarch
0
37
Customers in the Crosshairs
andymarch
1
200
TLDR - OAuth
andymarch
0
68
Identity as Code
andymarch
0
330

Other Decks in Technology

See All in Technology
Garoon 開発チーム / Garoon development team
cybozuinsideout
PRO
0
2.2k
CTO of the year 2023ピッチ資料(オーディエンス賞)チューリングCTO青木
aoshun7
0
550
論文紹介: Improving Implicit Feedback-Based Recommendation through Multi-Behavior Alignment(Xin Xin et al., 2023)
hakubishin3
0
170
ニフティの過去・現在・未来 - NIFTY Tech Day 2023
niftycorp
0
140
開発組織の体制づくり、いつやるか問題
akiroom
0
1.7k
実装がすべてではない、開発者の周りから考える Web プロダクトセキュリティ
oldbigbuddha
1
220
LangChainとフルサーバーレスですばやくセキュアなRAGアプリをつくるための実践解説/LangChain_Book
yoshidashingo
8
2.9k
サービスの1等地ホーム画面改善と効果的なステークホルダーマネジメント / Improvement of Prime Location Home Screen for Services and Effective Stakeholder Management
rilmayer
0
170
231116 あつまれ入力デバイスの沼 Ryu.Cyberさん
comucal
PRO
0
200
AWS Security Hubを有効化したけど見てない人に向けたDevSecOpsの実現方法 / #kayac_andpad_event
muziyoshiz
0
130
AWS re:Invent 2023の期間中に出たコンテナアップデート集
yoshiitaka
3
200
AutoGenで作るLLM Agen
peisuke
1
310

Featured

See All Featured
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
215
12k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
A designer walks into a library…
pauljervisheath
199
22k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6.2k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
185
15k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
44
12k
Robots, Beer and Maslow
schacon
154
7.7k
What the flash - Photography Introduction
edds
64
11k
Thoughts on Productivity
jonyablonski
55
3.5k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
2.7k
Docker and Python
trallard
32
2.4k

Transcript

  1. by example

    View Slide

  2. 10+ years working in secure systems
    Hi!
    Platform Specialist at Okta
    Software Developer (.NET / Java / JS)
    @andymarch

    View Slide

  3. Heroku.com/signup
    Get Hands On

    View Slide

  4. View Slide

  5. View Slide

  6. View Slide

  7. View Slide

  8. Digital Identity
    Circa 2007
    Simple Login – forms and cookies
    Single Sign-on – SAML
    Delegated Access – passwords

    View Slide

  9. Yelp ~ 2007

    View Slide

  10. Facebook ~ 2010

    View Slide

  11. View Slide

  12. Specs are not tutorials

    View Slide

  13. Delegated authorization with OAuth 2.0

    View Slide

  14. Who’s who of OAuth 2.0
    Resource Owner Client Authorization Server Resource Server
    Guest Hotel Room
    Reception Desk
    Hotel

    View Slide

  15. Register: redirect address
    ClientID, Client secret

    View Slide

  16. ClientId
    (a unique identifier of an application)

    View Slide

  17. ClientSecret
    (an authenticator for an application)

    View Slide

  18. View Slide

  19. Authorization Code Grant
    (the most common and most secure grant for users)

    View Slide

  20. Redirect: AuthorizationServer, ClientID, Scope
    Login
    ClientID, Scope

    View Slide

  21. Scope
    (a requested permission)

    View Slide

  22. View Slide

  23. View Slide

  24. Consent
    (the user explicitly granting access)

    View Slide

  25. AuthorizationCode
    Redirect: AuthorizationCode

    View Slide

  26. Front Channel
    (server to server communication through a user’s browser)

    View Slide

  27. AuthorizationCode
    client id, client secret
    Access Token
    Access Token

    View Slide

  28. Back Channel
    (direct server to server communication)

    View Slide

  29. Client Credentials Grant
    (the machine to machine grant)

    View Slide

  30. client id, client secret, scopes
    Access Token
    Access Token

    View Slide

  31. What is an access token anyway
    Sent by a client in calls to a service.
    Demonstrates a user has consented access to resources.
    Two varieties:
    - Reference tokens
    - Self encoded tokens

    View Slide

  32. Access Token
    eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx
    nIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5
    xV2dUcWI3ZXhMY1lIbk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS
    9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsI
    mV4cCI6MTU2NTk1NDQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUy
    dzZmdzN4cXZnTHYyUDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ
    9.TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcx
    sBBeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-
    XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb-
    ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc-
    OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC-
    k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

    View Slide

  33. Access Token
    eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx
    nIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5
    xV2dUcWI3ZXhMY1lIbk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS
    9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsI
    mV4cCI6MTU2NTk1NDQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUy
    dzZmdzN4cXZnTHYyUDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ
    9.TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcx
    sBBeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-
    XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb-
    ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc-
    OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC-
    k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

    View Slide

  34. Access Token
    eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx
    nIjoiUlMyNTYifQ
    eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5xV2dUcWI3ZXhMY1l
    Ibk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS9vYXV0aDIvZGVmYX
    VsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsImV4cCI6MTU2NTk1N
    DQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUydzZmdzN4cXZnTHYy
    UDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ9
    TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcxsB
    BeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-
    XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb-
    ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc-
    OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC-
    k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

    View Slide

  35. JWT Header
    {
    "typ": "JWT",
    "alg": "HS256"
    }

    View Slide

  36. {
    "ver": 1,
    "jti": "AT.2GLfTCJnHm2P4ue9viO5tHLHNqWgTqb7exLcYHnMu9Y",
    "iss": "https://examply.okta-emea.com/oauth2/default",
    "aud": "api://default",
    "iat": 1565947286,
    "exp": 1565953668,
    "cid": "0oa2hfshrmgrckemv0i7",
    "uid": "00u2w6fw3xqvgLv2P0i7",
    "scp": [
    ”profile"
    ],
    "sub": "[email protected]"
    }
    JWT Payload

    View Slide

  37. TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcxsB
    BeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-
    XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb-
    ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc-
    OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC-
    k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA
    JWT Signature

    View Slide

  38. View Slide

  39. Local Token Validation
    Check the signature
    Check the audience
    Check the issuance timestamp
    Check the expiry timestamp

    View Slide

  40. View Slide

  41. View Slide

  42. View Slide

  43. Remote Token Validation: Introspection
    http://examply.okta-emea.com/oauth2/default/v1/introspect
    Authorization Basic ${Base64(:)}
    token=“bdfFGEW3g[…]sdChg7a4n8”
    token_type_hint=access_token
    {
    "active": true
    }
    Request
    Response

    View Slide

  44. View Slide

  45. Simple Login – OAuth 2.0
    Single Sign-on – OAuth 2.0
    Mobile app login – OAuth 2.0
    Delegated Access – OAuth 2.0
    Digital Identity
    Circa 2012
    Authentication
    Authentication
    Authentication
    Authorization

    View Slide

  46. OpenID

    View Slide

  47. OpenID Connect Default Scopes
    Openid
    Indicates an OpenId request
    Profile
    Access to the user’s profile
    Email
    Access to the user’s email address
    Address
    Access to the user’s physical address
    Phone
    Access to the user’s telephone number
    Offline_access
    Request refresh token for continued access

    View Slide

  48. eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx
    nIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjo
    iaHR0cHM6Ly9leGFtcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2
    EyaGZzaHJtZ3Jja2VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqd
    GkiOiJJRC54b3dfc21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1y
    IjpbInB3ZCJdLCJpZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXM
    zdCIsImF1dGhfdGltZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSF
    NsQ1EiLCJ0ZXN0Y2xhaW0iOlsiRXZlcnlvbmUiXX0.Il6htgtZeH9vhN1xXB05DWvNG9V-
    xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv-
    1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO-
    25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1h
    nRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq-
    PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q-
    Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw
    ID Tokens

    View Slide

  49. eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx
    nIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjo
    iaHR0cHM6Ly9leGFtcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2
    EyaGZzaHJtZ3Jja2VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqd
    GkiOiJJRC54b3dfc21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1y
    IjpbInB3ZCJdLCJpZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXM
    zdCIsImF1dGhfdGltZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSF
    NsQ1EiLCJ0ZXN0Y2xhaW0iOlsiRXZlcnlvbmUiXX0.Il6htgtZeH9vhN1xXB05DWvNG9V-
    xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv-
    1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO-
    25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1h
    nRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq-
    PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q-
    Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw
    ID Tokens

    View Slide

  50. eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx
    nIjoiUlMyNTYifQ
    eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9leGF
    tcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2EyaGZzaHJtZ3Jja2
    VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqdGkiOiJJRC54b3dfc
    21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1yIjpbInB3ZCJdLCJp
    ZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXMzdCIsImF1dGhfdGl
    tZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSFNsQ1EiLCJ0ZXN0Y2
    xhaW0iOlsiRXZlcnlvbmUiXX0
    Il6htgtZeH9vhN1xXB05DWvNG9V-xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv-
    1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO-
    25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1h
    nRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq-
    PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q-
    Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw
    ID Tokens

    View Slide

  51. {
    "typ": "JWT",
    "alg": "RS256",
    "kid": "yOY8cGSvWQXsax4AZjYWrag8VSi-brQiUh3_pWCfL_Y"
    }
    ID Token Header

    View Slide

  52. {
    "sub": "00u2w6fw3xqvgLv2P0i7",
    "ver": 1,
    "iss": "https://examply.okta-emea.com/oauth2/default",
    "aud": "0oa2hfshrmgrckemv0i7",
    "iat": 1565961634,
    "exp": 1565965234,
    "jti": "ID.xow_smA3r9c_nESu7eAgbP0IVDEuqZdFH56ii7Cgfpw",
    "amr": [
    "pwd"
    ],
    "idp": "00o2az2ierqKuOT0D0i7",
    "nonce": ”number_only_once",
    "auth_time": 1565961610,
    "at_hash": "6stguYO_Wp6CV45p1HSlCQ",
    }
    ID Token Payload

    View Slide

  53. Access Token vs ID Token
    OAuth specification
    Audience is the resource server
    Describes the granted access by the user
    OpenId Specification
    Audience is the client
    Describes the authentication of the user

    View Slide

  54. Simple Login – OpenID Connect
    Single Sign-on – OpenID Connect
    Mobile App Login – OpenID Connect
    Delegated Access – OAuth 2.0
    Digital Identity
    Today

    View Slide

  55. andymarch.co.uk/oauthbyexample
    Get Hands On

    View Slide

  56. Resources

    View Slide

  57. OAuth 2.0 Playground

    View Slide

  58. OAuth 2.0 Simplified
    Written by Aaron Parecki, Senior Security Architect @ Okta
    Member of the OAuth working group
    Maintainer of OAuth.net

    View Slide

  59. OAuth.net

    View Slide

  60. OIDCDebugger.com

    View Slide

  61. Developer.okta.com
    [email protected]
    @andymarch

    View Slide