TLDR - OAuth

Andy March
September 12, 2019

Web authentication and authorization have come a long way in the last ten years. In this talk we'll look at where we've come from and how OAuth and OIDC solved the problems we faced.


Transcript

  1. TLDR: OAuth and OIDC
    Modern web authentication in 30 mins or less

  2. Hi!
    10+ years working in secure systems
    Platform Specialist at Okta
    Software Developer (.NET / Java / JS)
    @andymarch

  7. Digital Identity, circa 2007
    Simple Login – forms and cookies
    Single Sign-on – SAML
    Delegated Access – passwords

  8. Yelp ~ 2007

  9. Facebook ~ 2010

  11. Specs are not tutorials

  12. Delegated authorization with OAuth 2.0

  13. Who’s who of OAuth 2.0
    Roles: Resource Owner, Client, Authorization Server, Resource Server
    Hotel analogy: Guest, Hotel Room, Reception Desk, Hotel

  14. Register: redirect address
    ClientID, Client secret

  15. ClientId
    (a unique identifier of an application)

  16. ClientSecret
    (an authenticator for an application)

  18. Redirect: AuthorizationServer, ClientID, Scope
    Login
    ClientID, Scope

  19. Scope
    (a requested permission)

  22. Consent
    (the user explicitly granting access)

  23. Image Credit: Michal Kan

  24. Image Credit: CloudLock

  26. AuthorizationCode
    Redirect: AuthorizationCode

  27. Front Channel
    (server to server communication through a user’s browser)

  28. AuthorizationCode + client id, client secret → Access Token

  29. Back Channel
    (direct server to server communication)

  30. What is an access token anyway?
    Sent by a client in calls to a service.
    Demonstrates that a user has consented to access to resources.
    Two varieties:
    - Reference tokens
    - Self-encoded tokens

  31. Access Token
    eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx
    nIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5
    xV2dUcWI3ZXhMY1lIbk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS
    9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsI
    mV4cCI6MTU2NTk1NDQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUy
    dzZmdzN4cXZnTHYyUDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ
    9.TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcx
    sBBeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-
    XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb-
    ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc-
    OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC-
    k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

  33. Access Token (header, payload, signature)
    eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx
    nIjoiUlMyNTYifQ
    eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5xV2dUcWI3ZXhMY1l
    Ibk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS9vYXV0aDIvZGVmYX
    VsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsImV4cCI6MTU2NTk1N
    DQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUydzZmdzN4cXZnTHYy
    UDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ9
    TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcxsB
    BeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-
    XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb-
    ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc-
    OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC-
    k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

  34. JWT Header
    {
    "typ": "JWT",
    "alg": "HS256"
    }

  35. JWT Payload
    {
    "ver": 1,
    "jti": "AT.2GLfTCJnHm2P4ue9viO5tHLHNqWgTqb7exLcYHnMu9Y",
    "iss": "https://examply.okta-emea.com/oauth2/default",
    "aud": "api://default",
    "iat": 1565947286,
    "exp": 1565953668,
    "cid": "0oa2hfshrmgrckemv0i7",
    "uid": "00u2w6fw3xqvgLv2P0i7",
    "scp": [
    "profile"
    ],
    "sub": "test@test.com"
    }

  36. JWT Signature
    TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcxsB
    BeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-
    XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb-
    ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc-
    OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC-
    k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

  38. Local Token Validation
    Check the signature
    Check the audience
    Check the issuance timestamp
    Check the expiry timestamp

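Added worked example (not from the deck, and not Okta's code): it splits a compact JWT into the header, payload and signature segments shown on the access-token slides, and then runs the four local checks listed on slide 38 (signature, audience, issuance timestamp, expiry timestamp) plus an issuer check. The deck's real token is RS256-signed by the authorization server's key, which is not on the page, so this example signs with a constructed HS256 secret (`DEMO_SECRET`) and stdlib `hmac`; the claim values are modelled on the JWT payload slide. `mint_hs256`, `sample_token` and `check` are helpers written for this example only.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (not a real Okta key or token). Issuer and
# audience match the claims shown on the JWT payload slide.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://examply.okta-emea.com/oauth2/default"
AUDIENCE = "api://default"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url (RFC 7515); restore padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_jwt(token: str):
    """A compact JWT is header.payload.signature; header and payload are JSON."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts


def mint_hs256(payload: dict, secret: bytes) -> str:
    """Constructed helper so the example runs offline: sign a payload with HS256."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_locally(token, secret, audience, issuer, now=None, leeway=60):
    """Local validation from slide 38: signature, audience, iat, exp (plus issuer).
    Raises ValueError on the first failed check; returns the claims otherwise."""
    header, payload, parts = split_jwt(token)
    # The verifier decides which algorithm it accepts; the token's own "alg"
    # header must never select the verification routine.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        raise ValueError("signature check failed")
    if payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("audience mismatch")
    now = int(time.time()) if now is None else now
    if int(payload.get("iat", now)) > now + leeway:
        raise ValueError("token issued in the future")
    if "exp" not in payload or int(payload["exp"]) <= now - leeway:
        raise ValueError("token expired or has no expiry")
    return payload


def check(token, secret, audience, issuer, now=None):
    """Wrapper returning 'ok' or the failure reason instead of raising."""
    try:
        validate_locally(token, secret, audience, issuer, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


def sample_token() -> str:
    """Claims modelled on the JWT payload slide, signed with the constructed secret."""
    claims = {
        "ver": 1,
        "jti": "AT.constructed-example",
        "iss": ISSUER,
        "aud": AUDIENCE,
        "iat": 1565947286,
        "exp": 1565953668,
        "cid": "0oa2hfshrmgrckemv0i7",
        "uid": "00u2w6fw3xqvgLv2P0i7",
        "scp": ["profile"],
        "sub": "test@test.com",
    }
    return mint_hs256(claims, DEMO_SECRET)


if __name__ == "__main__":
    tok = sample_token()
    print(check(tok, DEMO_SECRET, AUDIENCE, ISSUER, now=1565950000))
    print(check(tok, DEMO_SECRET, AUDIENCE, ISSUER, now=1565960000))
```

The order of checks matters: the signature is verified before any claim is read, so a forged payload is rejected without its contents ever influencing the decision, and `hmac.compare_digest` keeps the comparison constant-time. With a real RS256 token from the deck's issuer the HMAC step would be replaced by an RSA signature check against the key identified by the header's `kid`.
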
  42. Remote Token Validation: Introspection
    Request
    http://examply.okta-emea.com/oauth2/default/v1/introspect
    Authorization: Basic ${Base64(:)}
    token="bdfFGEW3g[…]sdChg7a4n8"
    token_type_hint=access_token
    Response
    {
    "active": true
    }

  44. Token Refresh
    Request
    http://examply.okta-emea.com/oauth2/default/v1/token
    Authorization: Basic ${Base64(:)}
    grant_type=refresh_token
    redirect_uri=https://examply.co.uk/callback
    scope=profile
    refresh_token="eyJhbGciOiJ[...]K1Sun9bA"
    Response
    {
    "token_type": "Bearer",
    "access_token": "eyJhbGciOiJ[...]K1Sun9bA",
    "expires_in": 3600,
    "scope": "profile",
    "refresh_token": "eyJhbGciOiJ[...]K1Sun9bA"
    }

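Added worked example (not from the deck, and not Okta's code) covering the two back-channel calls on slides 42 and 44: it builds the introspection and refresh requests with the `Authorization: Basic base64(client_id:client_secret)` client authentication both slides show, and parses the two responses. The endpoint base and client id come from the slides; `CLIENT_SECRET` is a constructed placeholder; the refresh request sends only the parameters RFC 6749 section 6 defines for the grant. Requests are constructed with `urllib.request.Request` but never sent, so the example runs offline.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

# Endpoint base and client id as shown on the slides; the secret is constructed.
AS_BASE = "https://examply.okta-emea.com/oauth2/default"
CLIENT_ID = "0oa2hfshrmgrckemv0i7"
CLIENT_SECRET = "constructed-client-secret"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Back-channel client authentication: Basic base64(client_id:client_secret)."""
    raw = "{}:{}".format(client_id, client_secret).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _form_post(path: str, fields: dict) -> Request:
    """Form-encoded POST to the authorization server, authenticated as the client."""
    return Request(
        AS_BASE + path,
        data=urlencode(fields).encode("ascii"),
        method="POST",
        headers={
            "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def introspection_request(token: str, token_type_hint: str = "access_token") -> Request:
    """RFC 7662 introspection: ask the authorization server whether a token is active."""
    return _form_post("/v1/introspect", {"token": token, "token_type_hint": token_type_hint})


def refresh_request(refresh_token: str, scope: str = "profile") -> Request:
    """RFC 6749 section 6 refresh grant; scope may narrow, never widen, the original grant."""
    return _form_post(
        "/v1/token",
        {"grant_type": "refresh_token", "refresh_token": refresh_token, "scope": scope},
    )


def token_is_active(response_body: str) -> bool:
    """Only an explicit JSON boolean true counts as active; anything else is inactive."""
    try:
        data = json.loads(response_body)
    except ValueError:
        return False
    return isinstance(data, dict) and data.get("active") is True


def parse_refresh_response(response_body: str, current_refresh_token: str) -> dict:
    """Extract what the client stores from a token response.
    If the server rotated the refresh token the new one replaces the old one;
    if none was returned the client keeps the one it already holds."""
    data = json.loads(response_body)
    if str(data.get("token_type", "")).lower() != "bearer" or "access_token" not in data:
        raise ValueError("not a bearer token response")
    return {
        "access_token": data["access_token"],
        "expires_in": int(data.get("expires_in", 0)),
        "scope": data.get("scope"),
        "refresh_token": data.get("refresh_token", current_refresh_token),
    }


if __name__ == "__main__":
    req = introspection_request("bdfFGEW3g")
    print(req.get_method(), req.full_url, req.data)
    # Constructed sample responses standing in for what the server would return.
    print(token_is_active('{"active": true}'), token_is_active('{"active": "true"}'))
    print(parse_refresh_response(
        '{"token_type": "Bearer", "access_token": "new.access", "expires_in": 3600, "scope": "profile"}',
        "eyJold",
    ))
```

`token_is_active` deliberately treats a string `"true"`, a missing field, or a non-JSON body as inactive: the introspection response is the authorization server's verdict, and anything short of an explicit boolean should fail closed.
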
  45. Digital Identity, circa 2012
    Simple Login – OAuth 2.0 (Authentication)
    Single Sign-on – OAuth 2.0 (Authentication)
    Mobile app login – OAuth 2.0 (Authentication)
    Delegated Access – OAuth 2.0 (Authorization)

  46. OpenID

  47. OpenID Connect Default Scopes
    openid – Indicates an OpenID request
    profile – Access to the user’s profile
    email – Access to the user’s email address
    address – Access to the user’s physical address
    phone – Access to the user’s telephone number
    offline_access – Request refresh token for continued access

  48. ID Token
    eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx
    nIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjo
    iaHR0cHM6Ly9leGFtcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2
    EyaGZzaHJtZ3Jja2VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqd
    GkiOiJJRC54b3dfc21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1y
    IjpbInB3ZCJdLCJpZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXM
    zdCIsImF1dGhfdGltZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSF
    NsQ1EiLCJ0ZXN0Y2xhaW0iOlsiRXZlcnlvbmUiXX0.Il6htgtZeH9vhN1xXB05DWvNG9V-
    xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv-
    1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO-
    25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1h
    nRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq-
    PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q-
    Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw
  50. ID Token (header, payload, signature)
    eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx
    nIjoiUlMyNTYifQ
    eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9leGF
    tcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2EyaGZzaHJtZ3Jja2
    VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqdGkiOiJJRC54b3dfc
    21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1yIjpbInB3ZCJdLCJp
    ZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXMzdCIsImF1dGhfdGl
    tZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSFNsQ1EiLCJ0ZXN0Y2
    xhaW0iOlsiRXZlcnlvbmUiXX0
    Il6htgtZeH9vhN1xXB05DWvNG9V-xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv-
    1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO-
    25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1h
    nRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq-
    PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q-
    Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw
  51. ID Token Header
    {
    "typ": "JWT",
    "alg": "RS256",
    "kid": "yOY8cGSvWQXsax4AZjYWrag8VSi-brQiUh3_pWCfL_Y"
    }

  52. ID Token Payload
    {
    "sub": "00u2w6fw3xqvgLv2P0i7",
    "ver": 1,
    "iss": "https://examply.okta-emea.com/oauth2/default",
    "aud": "0oa2hfshrmgrckemv0i7",
    "iat": 1565961634,
    "exp": 1565965234,
    "jti": "ID.xow_smA3r9c_nESu7eAgbP0IVDEuqZdFH56ii7Cgfpw",
    "amr": [
    "pwd"
    ],
    "idp": "00o2az2ierqKuOT0D0i7",
    "nonce": "number_only_once",
    "auth_time": 1565961610,
    "at_hash": "6stguYO_Wp6CV45p1HSlCQ"
    }

  53. Access Token vs ID Token
    OAuth specification: audience is the resource server; describes the access granted by the user
    OpenID specification: audience is the client; describes the authentication of the user

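Added worked example (not from the deck, and not Okta's code) for the ID-token side of slide 53: the audience an ID token must carry is the client id, and the claims on the ID token payload slide (`nonce`, `at_hash`, `auth_time`) are checked differently from an access token. The function assumes the RS256 signature has already been verified against the issuer's published key (not shown here) and applies the claim checks from OpenID Connect Core section 3.1.3.7, including recomputing `at_hash` (left-most 128 bits of SHA-256 over the access token, base64url) as section 3.1.3.6 specifies. Client id and issuer come from the slides; the nonce and access token are constructed; `sample_claims` and `check_id_token` are helpers written for this example only.

```python
import base64
import hashlib
import hmac
import time

# From the ID token payload slide; the nonce and access token below are constructed.
CLIENT_ID = "0oa2hfshrmgrckemv0i7"
ISSUER = "https://examply.okta-emea.com/oauth2/default"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def expected_at_hash(access_token: str) -> str:
    """OIDC Core 3.1.3.6 for RS256/HS256 ID tokens: base64url of the left-most
    128 bits of SHA-256 over the ASCII access token (ties the two tokens together)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[:16])


def validate_id_token_claims(claims, client_id, issuer, expected_nonce,
                             access_token=None, now=None, leeway=60):
    """Claim checks from OIDC Core 3.1.3.7 for an ID token whose signature has
    already been verified. Raises ValueError on the first failure."""
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    # Unlike an access token, the ID token's audience is the client itself.
    if client_id not in aud_list:
        raise ValueError("aud does not contain this client")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now - leeway:
        raise ValueError("ID token expired")
    if int(claims.get("iat", now)) > now + leeway:
        raise ValueError("ID token issued in the future")
    # The nonce binds this token to the login request the client started.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    # When the ID token arrived alongside an access token, at_hash proves they
    # were issued together.
    if access_token is not None:
        if "at_hash" not in claims:
            raise ValueError("at_hash missing")
        if not hmac.compare_digest(claims["at_hash"], expected_at_hash(access_token)):
            raise ValueError("at_hash mismatch")
    return claims


def check_id_token(claims, client_id, issuer, expected_nonce, access_token=None, now=None):
    """Wrapper returning 'ok' or the failure reason instead of raising."""
    try:
        validate_id_token_claims(claims, client_id, issuer, expected_nonce, access_token, now)
        return "ok"
    except ValueError as err:
        return str(err)


def sample_claims(access_token: str, nonce: str) -> dict:
    """ID token payload from the slide, with a constructed nonce and a matching at_hash."""
    return {
        "sub": "00u2w6fw3xqvgLv2P0i7",
        "ver": 1,
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "iat": 1565961634,
        "exp": 1565965234,
        "jti": "ID.constructed-example",
        "amr": ["pwd"],
        "idp": "00o2az2ierqKuOT0D0i7",
        "nonce": nonce,
        "auth_time": 1565961610,
        "at_hash": expected_at_hash(access_token),
    }


if __name__ == "__main__":
    at = "constructed.access.token"
    claims = sample_claims(at, "xw9s2bes3t")
    print(check_id_token(claims, CLIENT_ID, ISSUER, "xw9s2bes3t", at, now=1565962000))
    print(check_id_token(claims, CLIENT_ID, ISSUER, "other-nonce", at, now=1565962000))
```

The nonce the client compares against must be the one it generated and stored in the user's session before redirecting to the authorization server; a token whose nonce does not match was not minted for this login attempt, whatever else it says.
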
  54. Digital Identity, today
    Simple Login – OpenID Connect
    Single Sign-on – OpenID Connect
    Mobile App Login – OpenID Connect
    Delegated Access – OAuth 2.0

  55. developer.okta.com
    [email protected]
    @andymarch