OAuth by Example - Workshop

Transcript

1. by example

2. 10+ years working in secure systems Hi! Platform Specialist at

   Okta Software Developer (.NET / Java / JS) @andymarch

3. Heroku.com/signup Get Hands On

4. None
5. None
6. None
7. None

8. Digital Identity Circa 2007 Simple Login – forms and cookies

   Single Sign-on – SAML Delegated Access – passwords

9. Yelp ~ 2007

10. Facebook ~ 2010

11. None

12. Specs are not tutorials

13. Delegated authorization with OAuth 2.0

14. Who’s who of OAuth 2.0 Resource Owner Client Authorization Server

    Resource Server Guest Hotel Room Reception Desk Hotel

15. Register: redirect address ClientID, Client secret

16. ClientId (a unique identifier of an application)

17. ClientSecret (an authenticator for an application)

18. None

19. Authorization Code Grant (the most common and most secure grant

    for users)

20. Redirect: AuthorizationServer, ClientID, Scope Login ClientID, Scope

21. Scope (a requested permission)

22. None
23. None

24. Consent (the user explicitly granting access)

25. AuthorizationCode Redirect: AuthorizationCode

26. Front Channel (server to server communication through a user’s browser)

27. AuthorizationCode client id, client secret Access Token Access Token

28. Back Channel (direct server to server communication)

29. Client Credentials Grant (the machine to machine grant)

30. client id, client secret, scopes Access Token Access Token

31. What is an access token anyway Sent by a client

    in calls to a service. Demonstrates a user has consented access to resources. Two varieties: - Reference tokens - Self encoded tokens

32. Access Token eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx nIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5 xV2dUcWI3ZXhMY1lIbk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS 9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsI mV4cCI6MTU2NTk1NDQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUy dzZmdzN4cXZnTHYyUDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ 9.TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcx sBBeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-

    XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb- ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc- OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC- k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

33. Access Token eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx nIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5 xV2dUcWI3ZXhMY1lIbk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS 9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsI mV4cCI6MTU2NTk1NDQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUy dzZmdzN4cXZnTHYyUDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ 9.TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcx sBBeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-

    XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb- ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc- OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC- k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

34. Access Token eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx nIjoiUlMyNTYifQ eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5xV2dUcWI3ZXhMY1l Ibk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS9vYXV0aDIvZGVmYX VsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsImV4cCI6MTU2NTk1N DQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUydzZmdzN4cXZnTHYy UDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ9 TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcxsB

    BeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp- XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb- ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc- OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC- k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

35. JWT Header { "typ": "JWT", "alg": "HS256" }

36. { "ver": 1, "jti": "AT.2GLfTCJnHm2P4ue9viO5tHLHNqWgTqb7exLcYHnMu9Y", "iss": "https://examply.okta-emea.com/oauth2/default", "aud": "api://default", "iat":

    1565947286, "exp": 1565953668, "cid": "0oa2hfshrmgrckemv0i7", "uid": "00u2w6fw3xqvgLv2P0i7", "scp": [ ”profile" ], "sub": "test@test.com" } JWT Payload

37. TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcxsB BeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp- XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb- ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc- OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC- k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA JWT Signature

38. None

39. Local Token Validation Check the signature Check the audience Check

    the issuance timestamp Check the expiry timestamp
40. None
41. None
42. None

43. Remote Token Validation: Introspection http://examply.okta-emea.com/oauth2/default/v1/introspect Authorization Basic ${Base64(<client_id>:<client_secret>)} token=“bdfFGEW3g[…]sdChg7a4n8” token_type_hint=access_token

    { "active": true } Request Response
44. None

45. Simple Login – OAuth 2.0 Single Sign-on – OAuth 2.0

    Mobile app login – OAuth 2.0 Delegated Access – OAuth 2.0 Digital Identity Circa 2012 Authentication Authentication Authentication Authorization

46. OpenID

47. OpenID Connect Default Scopes Openid Indicates an OpenId request Profile

    Access to the user’s profile Email Access to the user’s email address Address Access to the user’s physical address Phone Access to the user’s telephone number Offline_access Request refresh token for continued access

48. eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx nIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjo iaHR0cHM6Ly9leGFtcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2 EyaGZzaHJtZ3Jja2VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqd GkiOiJJRC54b3dfc21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1y IjpbInB3ZCJdLCJpZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXM zdCIsImF1dGhfdGltZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSF NsQ1EiLCJ0ZXN0Y2xhaW0iOlsiRXZlcnlvbmUiXX0.Il6htgtZeH9vhN1xXB05DWvNG9V- xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv- 1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO-

    25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1h nRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq- PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q- Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw ID Tokens

49. eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx nIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjo iaHR0cHM6Ly9leGFtcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2 EyaGZzaHJtZ3Jja2VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqd GkiOiJJRC54b3dfc21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1y IjpbInB3ZCJdLCJpZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXM zdCIsImF1dGhfdGltZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSF NsQ1EiLCJ0ZXN0Y2xhaW0iOlsiRXZlcnlvbmUiXX0.Il6htgtZeH9vhN1xXB05DWvNG9V- xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv- 1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO-

    25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1h nRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq- PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q- Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw ID Tokens

50. eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx nIjoiUlMyNTYifQ eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9leGF tcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2EyaGZzaHJtZ3Jja2 VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqdGkiOiJJRC54b3dfc 21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1yIjpbInB3ZCJdLCJp ZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXMzdCIsImF1dGhfdGl tZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSFNsQ1EiLCJ0ZXN0Y2 xhaW0iOlsiRXZlcnlvbmUiXX0 Il6htgtZeH9vhN1xXB05DWvNG9V-xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv-

    1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO- 25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1h nRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq- PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q- Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw ID Tokens

51. { "typ": "JWT", "alg": "RS256", "kid": "yOY8cGSvWQXsax4AZjYWrag8VSi-brQiUh3_pWCfL_Y" } ID Token

    Header

52. { "sub": "00u2w6fw3xqvgLv2P0i7", "ver": 1, "iss": "https://examply.okta-emea.com/oauth2/default", "aud": "0oa2hfshrmgrckemv0i7", "iat":

    1565961634, "exp": 1565965234, "jti": "ID.xow_smA3r9c_nESu7eAgbP0IVDEuqZdFH56ii7Cgfpw", "amr": [ "pwd" ], "idp": "00o2az2ierqKuOT0D0i7", "nonce": ”number_only_once", "auth_time": 1565961610, "at_hash": "6stguYO_Wp6CV45p1HSlCQ", } ID Token Payload

53. Access Token vs ID Token OAuth specification Audience is the

    resource server Describes the granted access by the user OpenId Specification Audience is the client Describes the authentication of the user

54. Simple Login – OpenID Connect Single Sign-on – OpenID Connect

    Mobile App Login – OpenID Connect Delegated Access – OAuth 2.0 Digital Identity Today

55. andymarch.co.uk/oauthbyexample Get Hands On

56. Resources

57. OAuth 2.0 Playground

58. OAuth 2.0 Simplified Written by Aaron Parecki, Senior Security Architect

    @ Okta Member of the OAuth working group Maintainer of OAuth.net

59. OAuth.net

60. OIDCDebugger.com

61. Developer.okta.com andy.march@okta.com @andymarch