OAuth by Example - Workshop

Andy March
December 05, 2019

Authentication and authorization have come a long way in the last ten years. Are you still rolling your own identity? Don't know the difference between the authorization code grant and the client credentials grant? Do you want to accept social authentication for your service but aren't sure how?

Join Andy March as we review OAuth and OIDC, their history, the problems they solve and how you can apply them to your services. This workshop will guide you through configuring Okta as an identity provider and deploying a simple web app that enforces authentication and authorization.

Transcript

  1. OAuth by Example

  2. Hi!
    10+ years working in secure systems
    Platform Specialist at Okta
    Software Developer (.NET / Java / JS)
    @andymarch

  3. Get Hands On: Heroku.com/signup

  8. Digital Identity
    Circa 2007
    Simple Login – forms and cookies
    Single Sign-on – SAML
    Delegated Access – passwords

  9. Yelp ~ 2007

  10. Facebook ~ 2010

  12. Specs are not tutorials

  13. Delegated authorization with OAuth 2.0

  14. Who’s who of OAuth 2.0
    Roles: Resource Owner, Client, Authorization Server, Resource Server
    Hotel analogy: Guest, Hotel Room, Reception Desk, Hotel

  15. Register: redirect address
    ClientID, Client secret

  16. ClientId
    (a unique identifier of an application)

  17. ClientSecret
    (an authenticator for an application)

  19. Authorization Code Grant
    (the most common and most secure grant for users)

  20. Client → Browser: Redirect to AuthorizationServer with ClientID, Scope
    User: Login
    Browser → AuthorizationServer: ClientID, Scope

  21. Scope
    (a requested permission)

  24. Consent
    (the user explicitly granting access)

  25. AuthorizationServer → Browser: AuthorizationCode
    Browser → Client: Redirect with AuthorizationCode

  26. Front Channel
    (server to server communication through a user’s browser)

  27. Client → AuthorizationServer: AuthorizationCode, client id, client secret
    AuthorizationServer → Client: Access Token
    Client → Resource Server: Access Token

  28. Back Channel
    (direct server to server communication)
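The authorization code grant of slides 19 to 28, as an added example that is not part of the original deck: a toy authorization server and client in Python, with a front-channel redirect that carries a single-use code and a back-channel exchange that checks the client secret, issuing opaque reference tokens (slide 31) that only an introspection lookup can interpret. The client id, secret, redirect address and the state parameter are constructed for this example, not taken from the workshop.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration (slide 15): redirect address, client id, client secret. All made up.
CLIENT_ID, CLIENT_SECRET = "0oa_demo_client", "demo-client-secret"
REDIRECT_URI = "https://app.example/callback"

class AuthorizationServer:
    """Toy authorization server: single-use codes, opaque reference tokens."""

    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes = {}   # code -> (client_id, scope, user)
        self.tokens = {}  # reference token -> claims that introspection returns

    def authorize(self, query: str, user: str) -> str:
        # Front channel (slides 20-26): the browser carries client id and scope in, and the code out.
        q = {k: v[0] for k, v in parse_qs(query).items()}
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("redirect_uri") != client[1] or q.get("response_type") != "code":
            raise ValueError("invalid authorization request")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q.get("scope", ""), user)  # user logged in and consented
        return f"{client[1]}?{urlencode({'code': code, 'state': q.get('state', '')})}"

    def token(self, code: str, client_id: str, client_secret: str) -> dict:
        # Back channel (slides 27-28): the client authenticates with its secret and redeems the code.
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client[0], client_secret):
            raise ValueError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed exactly once
        if entry is None or entry[0] != client_id:
            raise ValueError("invalid grant")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"active": True, "sub": entry[2], "scope": entry[1], "client_id": client_id}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, token: str) -> dict:
        # Remote validation (slide 43): a reference token means nothing without this lookup.
        return self.tokens.get(token, {"active": False})

def run_flow(server: AuthorizationServer, user: str = "test@test.com") -> dict:
    """Client side of the grant: build the redirect, check the callback, redeem the code."""
    state = secrets.token_urlsafe(16)  # ties the callback to this browser session
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                       "scope": "openid profile", "state": state})
    cb = {k: v[0] for k, v in parse_qs(urlparse(server.authorize(query, user)).query).items()}
    if cb.get("state") != state:
        raise ValueError("state mismatch")
    return server.token(cb["code"], CLIENT_ID, CLIENT_SECRET)
```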

  29. Client Credentials Grant
    (the machine to machine grant)

  30. Client → AuthorizationServer: client id, client secret, scopes
    AuthorizationServer → Client: Access Token
    Client → Resource Server: Access Token

  31. What is an access token anyway?
    Sent by a client in calls to a service.
    Demonstrates that a user has consented to access to resources.
    Two varieties:
    - Reference tokens
    - Self-encoded tokens

  32. Access Token (the encoded JWT, shown as one base64url string)

  34. Access Token (the same token split into its three parts: header, payload, signature)

  35. JWT Header
    {
      "typ": "JWT",
      "alg": "HS256"
    }

  36. JWT Payload
    {
      "ver": 1,
      "jti": "AT.2GLfTCJnHm2P4ue9viO5tHLHNqWgTqb7exLcYHnMu9Y",
      "iss": "https://examply.okta-emea.com/oauth2/default",
      "aud": "api://default",
      "iat": 1565947286,
      "exp": 1565953668,
      "cid": "0oa2hfshrmgrckemv0i7",
      "uid": "00u2w6fw3xqvgLv2P0i7",
      "scp": [
        "profile"
      ],
      "sub": "test@test.com"
    }

  37. JWT Signature (the third, base64url-encoded part of the token)

  39. Local Token Validation
    Check the signature
    Check the audience
    Check the issuance timestamp
    Check the expiry timestamp

  43. Remote Token Validation: Introspection
    Request
    http://examply.okta-emea.com/oauth2/default/v1/introspect
    Authorization: Basic ${Base64(client_id:client_secret)}
    token="bdfFGEW3g[…]sdChg7a4n8"
    token_type_hint=access_token
    Response
    {
      "active": true
    }

  45. Digital Identity
    Circa 2012
    Simple Login – OAuth 2.0 (Authentication)
    Single Sign-on – OAuth 2.0 (Authentication)
    Mobile app login – OAuth 2.0 (Authentication)
    Delegated Access – OAuth 2.0 (Authorization)

  46. OpenID

  47. OpenID Connect Default Scopes
    openid – Indicates an OpenID request
    profile – Access to the user’s profile
    email – Access to the user’s email address
    address – Access to the user’s physical address
    phone – Access to the user’s telephone number
    offline_access – Request refresh token for continued access

  48. ID Tokens (the encoded JWT, shown as one base64url string)

  50. ID Tokens (the same token split into its three parts: header, payload, signature)

  51. ID Token Header
    {
      "typ": "JWT",
      "alg": "RS256",
      "kid": "yOY8cGSvWQXsax4AZjYWrag8VSi-brQiUh3_pWCfL_Y"
    }

  52. ID Token Payload
    {
      "sub": "00u2w6fw3xqvgLv2P0i7",
      "ver": 1,
      "iss": "https://examply.okta-emea.com/oauth2/default",
      "aud": "0oa2hfshrmgrckemv0i7",
      "iat": 1565961634,
      "exp": 1565965234,
      "jti": "ID.xow_smA3r9c_nESu7eAgbP0IVDEuqZdFH56ii7Cgfpw",
      "amr": [
        "pwd"
      ],
      "idp": "00o2az2ierqKuOT0D0i7",
      "nonce": "number_only_once",
      "auth_time": 1565961610,
      "at_hash": "6stguYO_Wp6CV45p1HSlCQ"
    }

  53. Access Token vs ID Token
    OAuth specification: audience is the resource server; describes the access granted by the user
    OpenID specification: audience is the client; describes the authentication of the user
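Local token validation (slide 39) and the audience difference between access and ID tokens (slide 53), as an added example that is not part of the original deck: a stdlib Python validator for HS256 tokens (the header on slide 35) that checks signature, issuer, audience and the issuance and expiry timestamps, and so rejects an ID token presented to an API as if it were an access token. The shared secret and both tokens are constructed here, modelled on the slide 36 and slide 52 payloads; an RS256 token like slide 51's would be verified with the issuer's public key instead.

```python
import base64, hashlib, hmac, json

# Constructed shared secret for an HS256 token (the header on slide 35). A real resource server
# would verify RS256 tokens like slide 51's with the issuer's published public key instead.
SECRET = b"demo-shared-secret"
ISSUER = "https://examply.okta-emea.com/oauth2/default"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, key: bytes, alg: str = "HS256") -> str:
    # header.payload.signature: the three parts slide 34 separates
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in ({"typ": "JWT", "alg": alg}, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def validate_local(token: str, key: bytes, audience: str, now: int) -> dict:
    """Slide 39's checks (signature, audience, iat, exp) plus issuer; ValueError names the failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; the token must not choose it
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))  # claims are trusted only after the signature check
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")  # an ID token (aud = client id) is rejected as an access token
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        raise ValueError("issued in the future")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

# Constructed tokens modelled on the slide 36 (access) and slide 52 (ID) payloads, same timestamps.
ACCESS_CLAIMS = {"iss": ISSUER, "aud": "api://default", "iat": 1565947286, "exp": 1565953668,
                 "scp": ["profile"], "sub": "test@test.com"}
ID_CLAIMS = {"iss": ISSUER, "aud": "0oa2hfshrmgrckemv0i7", "iat": 1565961634, "exp": 1565965234,
             "sub": "00u2w6fw3xqvgLv2P0i7"}
ACCESS_TOKEN, ID_TOKEN = sign_hs256(ACCESS_CLAIMS, SECRET), sign_hs256(ID_CLAIMS, SECRET)
```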

  54. Digital Identity
    Today
    Simple Login – OpenID Connect
    Single Sign-on – OpenID Connect
    Mobile App Login – OpenID Connect
    Delegated Access – OAuth 2.0

  55. Get Hands On: andymarch.co.uk/oauthbyexample

  56. Resources

  57. OAuth 2.0 Playground

  58. OAuth 2.0 Simplified
    Written by Aaron Parecki, Senior Security Architect @ Okta
    Member of the OAuth working group
    Maintainer of OAuth.net

  59. OAuth.net

  60. OIDCDebugger.com

  61. Developer.okta.com
    [email protected]
    @andymarch