TLDR - OAuth

Andy March
September 12, 2019


Web authentication and authorization have come a long way in the last ten years. In this talk we'll look at where we've come from and how OAuth and OIDC solved the problems we faced.


Transcript

  1. TLDR: OAuth and OIDC – Modern web authentication in 30 mins or less
  2. Hi! 10+ years working in secure systems. Platform Specialist at Okta. Software Developer (.NET / Java / JS). @andymarch
  7. Digital Identity Circa 2007
    Simple Login – forms and cookies
    Single Sign-on – SAML
    Delegated Access – passwords
  8. Yelp ~ 2007

  9. Facebook ~ 2010

  11. Specs are not tutorials

  12. Delegated authorization with OAuth 2.0

  13. Who’s who of OAuth 2.0: Resource Owner, Client, Authorization Server, Resource Server (hotel analogy: Guest, Hotel Room, Reception Desk, Hotel)
  14. Register a redirect address; receive a ClientID and Client secret

  15. ClientId (a unique identifier of an application)

  16. ClientSecret (an authenticator for an application)

  18. Redirect to the AuthorizationServer with ClientID and Scope; the Login page shows the ClientID and Scope

  19. Scope (a requested permission)

  22. Consent (the user explicitly granting access)

  23. Image Credit: Michal Kan

  24. Image Credit: CloudLock

  26. Redirect back to the client with the AuthorizationCode

  27. Front Channel (server to server communication through a user’s browser)

  28. Exchange the AuthorizationCode (with client id and client secret) for an Access Token

  29. Back Channel (direct server to server communication)

  30. What is an access token anyway? Sent by a client in calls to a service. Demonstrates a user has consented access to resources. Two varieties:
    - Reference tokens
    - Self encoded tokens
  31. Access Token
    eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5xV2dUcWI3ZXhMY1lIbk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsImV4cCI6MTU2NTk1NDQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ9.TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcxsBBeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb-ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc-OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC-k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA
  33. Access Token, split at the dots:
    eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWxnIjoiUlMyNTYifQ
    eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5xV2dUcWI3ZXhMY1lIbk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsImV4cCI6MTU2NTk1NDQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ9
    TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcxsBBeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb-ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc-OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC-k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA
  34. JWT Header { "typ": "JWT", "alg": "HS256" }

  35. JWT Payload
    {
      "ver": 1,
      "jti": "AT.2GLfTCJnHm2P4ue9viO5tHLHNqWgTqb7exLcYHnMu9Y",
      "iss": "https://examply.okta-emea.com/oauth2/default",
      "aud": "api://default",
      "iat": 1565947286,
      "exp": 1565953668,
      "cid": "0oa2hfshrmgrckemv0i7",
      "uid": "00u2w6fw3xqvgLv2P0i7",
      "scp": [ "profile" ],
      "sub": "test@test.com"
    }
  36. JWT Signature
    TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcxsBBeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb-ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc-OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC-k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

  38. Local Token Validation
    Check the signature
    Check the audience
    Check the issuance timestamp
    Check the expiry timestamp
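Slide 38 lists the four local checks a resource server makes on a self-encoded token. The Python below is an added illustration, not code from the talk or from Okta: it mints and validates a token with HS256 (the header shown on slide 34) so that it runs on the standard library alone. The deck's own tokens are RS256, and a real resource server would fetch the issuer's public keys to verify them, but the order of the checks is the same: pin the algorithm, verify the signature, and only then read the claims. The shared key, the `now` values, the claim set (modelled on slide 35) and the helper names (`validate_locally`, `demo`) are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key):
    """Mint a self-encoded token with the slide-34 header: signed JSON, nothing more."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def validate_locally(token, key, issuer, audience, now=None, leeway=60):
    """Slide 38's checks (signature, audience, issuance time, expiry) plus issuer and a pinned algorithm.
    Returns (True, claims) or (False, reason). Claims are only read after the signature holds."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return False, "malformed header"
    if header.get("alg") != "HS256":             # the verifier fixes the algorithm; the token does not choose
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"            # a token minted for another API is not valid here
    if "iat" not in claims or claims["iat"] > now + leeway:
        return False, "missing or future iat"
    if "exp" not in claims or claims["exp"] <= now - leeway:
        return False, "missing exp or expired"
    return True, claims


def demo(key=b"constructed-shared-secret-for-this-example"):
    """Run the validator over a good token and five bad ones built from claims modelled on slide 35."""
    issuer, audience = "https://examply.okta-emea.com/oauth2/default", "api://default"
    claims = {"ver": 1, "iss": issuer, "aud": audience, "iat": 1565947286, "exp": 1565953668,
              "cid": "0oa2hfshrmgrckemv0i7", "scp": ["profile"], "sub": "test@test.com"}
    now = 1565950000                                              # inside the token's validity window
    good = sign_hs256(claims, key)
    header_b64, payload_b64, signature_b64 = good.split(".")
    forged = b64url_encode(json.dumps(dict(claims, scp=["admin"]), separators=(",", ":")).encode())
    none_header = b64url_encode(b'{"typ":"JWT","alg":"none"}')   # an unsigned token must be refused outright
    return {
        "valid": validate_locally(good, key, issuer, audience, now)[0],
        "expired": validate_locally(good, key, issuer, audience, now=claims["exp"] + 3600)[1],
        "wrong_audience": validate_locally(good, key, issuer, "api://other", now)[1],
        "wrong_key": validate_locally(good, b"some-other-key", issuer, audience, now)[1],
        "tampered_payload": validate_locally(f"{header_b64}.{forged}.{signature_b64}", key, issuer, audience, now)[1],
        "alg_none": validate_locally(f"{none_header}.{payload_b64}.", key, issuer, audience, now)[1],
    }
```

The signature is checked before any claim is read: until it holds, the payload is attacker-controlled input, and the audience check is what stops a token issued for one API from being accepted by another.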
  42. Remote Token Validation: Introspection
    Request: http://examply.okta-emea.com/oauth2/default/v1/introspect
      Authorization: Basic ${Base64(<client_id>:<client_secret>)}
      token="bdfFGEW3g[…]sdChg7a4n8"
      token_type_hint=access_token
    Response: { "active": true }
  44. Token Refresh
    Request: http://examply.okta-emea.com/oauth2/default/v1/token
      Authorization: Basic ${Base64(<client_id>:<client_secret>)}
      grant_type=refresh_token
      redirect_uri=https://examply.co.uk/callback
      scope=profile
      refresh_token="eyJhbGciOiJ[...]K1Sun9bA"
    Response:
      {
        "token_type": "Bearer",
        "access_token": "eyJhbGciOiJ[...]K1Sun9bA",
        "expires_in": 3600,
        "scope": "profile",
        "refresh_token": "eyJhbGciOiJ[...]K1Sun9bA"
      }
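Slides 14 through 29, together with slides 42 and 44, describe one exchange: register a redirect address and receive a ClientID and secret, send the user through the front channel for login and consent, receive an authorization code on the redirect, trade it on the back channel for tokens, then introspect and refresh. The Python below is an added example, not the speaker's or Okta's code: it plays both sides in one process with an in-memory authorization server so the whole exchange can be run offline. `AuthorizationServer`, `run_flow`, the reference-token format and every secret are constructed for the example; the introspection call reuses the client's credentials where a real resource server would use its own.

```python
import base64
import secrets
import time

# Toy authorization server, constructed for this example (not Okta's implementation).
class AuthorizationServer:
    def __init__(self):
        self.clients = {}         # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}           # authorization code -> grant (single use, short lived)
        self.access_tokens = {}   # reference token -> grant (what introspection looks up)
        self.refresh_tokens = {}  # refresh token -> grant

    # Slide 14: registering a redirect address yields a ClientID and ClientSecret.
    def register(self, redirect_uri):
        client_id, client_secret = secrets.token_hex(10), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}
        return client_id, client_secret

    # Slides 18-26, front channel: login and consent happen in the browser, which is then sent
    # back to the registered redirect address with the query string returned here.
    def authorize(self, query, user, consent):
        client = self.clients[query["client_id"]]
        if query["redirect_uri"] != client["redirect_uri"]:       # exact match with the registration
            raise ValueError("redirect_uri does not match the registered address")
        if not consent:
            return {"error": "access_denied", "state": query["state"]}
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": query["client_id"], "sub": user,
                            "scope": query["scope"], "code_expires": time.time() + 60}
        return {"code": code, "state": query["state"]}

    def _authenticate_client(self, headers):
        scheme, _, creds = headers.get("Authorization", "").partition(" ")
        client_id, _, secret = base64.b64decode(creds).decode().partition(":")
        client = self.clients.get(client_id)
        if scheme != "Basic" or client is None or not secrets.compare_digest(secret, client["secret"]):
            raise PermissionError("invalid_client")
        return client_id

    def _issue(self, grant):
        grant = {k: grant[k] for k in ("client_id", "sub", "scope")}
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = dict(grant, expires=time.time() + 3600)
        self.refresh_tokens[refresh] = grant
        return {"token_type": "Bearer", "access_token": access, "expires_in": 3600,
                "scope": grant["scope"], "refresh_token": refresh}

    # Slides 28-29 and 44, back channel: the client authenticates with its secret and trades the
    # code (or a refresh token) for tokens. The user's browser never sees this request.
    def token(self, headers, form):
        client_id = self._authenticate_client(headers)
        if form["grant_type"] == "authorization_code":
            grant = self.codes.pop(form["code"], None)                  # pop: a code is usable once
            if grant is None or grant["client_id"] != client_id or grant["code_expires"] < time.time():
                raise PermissionError("invalid_grant")
        elif form["grant_type"] == "refresh_token":
            grant = self.refresh_tokens.pop(form["refresh_token"], None)   # rotated on every use
            if grant is None or grant["client_id"] != client_id:
                raise PermissionError("invalid_grant")
        else:
            raise ValueError("unsupported_grant_type")
        return self._issue(grant)

    # Slide 42: introspection. An authenticated caller asks whether a reference token is live.
    def introspect(self, headers, form):
        self._authenticate_client(headers)
        grant = self.access_tokens.get(form["token"])
        if grant is None or grant["expires"] < time.time():
            return {"active": False}                # unknown, revoked and expired all answer the same
        return {"active": True, "scope": grant["scope"], "sub": grant["sub"], "client_id": grant["client_id"]}


def basic_auth(client_id, client_secret):
    """The Authorization: Basic ${Base64(<client_id>:<client_secret>)} header from slides 42 and 44."""
    return {"Authorization": "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()}


def run_flow(user="test@test.com", consent=True):
    server = AuthorizationServer()
    redirect_uri = "https://examply.co.uk/callback"              # the callback address on slide 44
    client_id, client_secret = server.register(redirect_uri)
    state = secrets.token_urlsafe(16)                             # bound to this browser session
    # Step 1: the query string the client puts on its redirect to the authorization server.
    query = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
             "scope": "profile", "state": state}
    # Step 2: the browser comes back to redirect_uri carrying this query string.
    params = server.authorize(query, user, consent)
    if params.get("state") != state:
        raise ValueError("state mismatch: this callback was not started by this session")
    if "error" in params:
        return {"error": params["error"]}
    # Step 3: the code goes over the back channel, authenticated with the client secret.
    headers = basic_auth(client_id, client_secret)
    code_form = {"grant_type": "authorization_code", "code": params["code"]}
    tokens = server.token(headers, code_form)
    try:                                                          # replaying the same code must fail
        server.token(headers, code_form)
        replay = "accepted"
    except PermissionError as exc:
        replay = str(exc)
    # Step 4: introspect the reference token (client credentials reused here for brevity), then refresh.
    introspection = server.introspect(headers, {"token": tokens["access_token"], "token_type_hint": "access_token"})
    refreshed = server.token(headers, {"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"]})
    return {"tokens": tokens, "code_replay": replay, "introspection": introspection, "refreshed": refreshed}
```

Running `run_flow()` returns the client's view of each step; `run_flow(consent=False)` shows the error the redirect carries when the user declines. Two details carry most of the security weight: the `state` value lets the client reject a callback it did not start, and the authorization code is popped from the store on use, so a second exchange of the same code is refused with `invalid_grant`.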
  45. Digital Identity Circa 2012
    Simple Login – OAuth 2.0 (Authentication)
    Single Sign-on – OAuth 2.0 (Authentication)
    Mobile app login – OAuth 2.0 (Authentication)
    Delegated Access – OAuth 2.0 (Authorization)
  46. OpenID

  47. OpenID Connect Default Scopes
    openid – Indicates an OpenID request
    profile – Access to the user’s profile
    email – Access to the user’s email address
    address – Access to the user’s physical address
    phone – Access to the user’s telephone number
    offline_access – Request refresh token for continued access
  48. ID Tokens
    eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9leGFtcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2EyaGZzaHJtZ3Jja2VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqdGkiOiJJRC54b3dfc21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1yIjpbInB3ZCJdLCJpZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXMzdCIsImF1dGhfdGltZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSFNsQ1EiLCJ0ZXN0Y2xhaW0iOlsiRXZlcnlvbmUiXX0.Il6htgtZeH9vhN1xXB05DWvNG9V-xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv-1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO-25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1hnRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq-PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q-Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw
  50. ID Tokens, split at the dots:
    eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWxnIjoiUlMyNTYifQ
    eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9leGFtcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2EyaGZzaHJtZ3Jja2VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqdGkiOiJJRC54b3dfc21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1yIjpbInB3ZCJdLCJpZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXMzdCIsImF1dGhfdGltZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSFNsQ1EiLCJ0ZXN0Y2xhaW0iOlsiRXZlcnlvbmUiXX0
    Il6htgtZeH9vhN1xXB05DWvNG9V-xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv-1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO-25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1hnRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq-PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q-Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw
  51. ID Token Header
    {
      "typ": "JWT",
      "alg": "RS256",
      "kid": "yOY8cGSvWQXsax4AZjYWrag8VSi-brQiUh3_pWCfL_Y"
    }
  52. ID Token Payload
    {
      "sub": "00u2w6fw3xqvgLv2P0i7",
      "ver": 1,
      "iss": "https://examply.okta-emea.com/oauth2/default",
      "aud": "0oa2hfshrmgrckemv0i7",
      "iat": 1565961634,
      "exp": 1565965234,
      "jti": "ID.xow_smA3r9c_nESu7eAgbP0IVDEuqZdFH56ii7Cgfpw",
      "amr": [ "pwd" ],
      "idp": "00o2az2ierqKuOT0D0i7",
      "nonce": "number_only_once",
      "auth_time": 1565961610,
      "at_hash": "6stguYO_Wp6CV45p1HSlCQ"
    }
  53. Access Token vs ID Token
    OAuth specification: Audience is the resource server; describes the access granted by the user
    OpenId Specification: Audience is the client; describes the authentication of the user
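To make slide 53 concrete, the following added Python (not the speaker's or Okta's code) decodes the two tokens printed earlier in the deck, the access token from slide 31 and the ID token from slide 48, with the slide line breaks removed, and runs the ID-token-specific claim checks a client performs: the audience must equal its own client_id, the nonce must match the one it sent, and at_hash binds the ID token to the access token issued with it. Signature verification is left out because it needs the issuer's public key. `check_id_token_claims`, `compare_page_tokens`, the `now` values and the string `constructed.access.token` are assumptions of this example; the client_id comes from the slide-52 payload and the nonce is the one the decoded token carries.

```python
import base64
import hashlib
import json

# Both tokens from the deck (access token, slide 31; ID token, slide 48), slide line breaks removed.
PAGE_ACCESS_TOKEN = (
    "eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx" "nIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5"
    "xV2dUcWI3ZXhMY1lIbk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS" "9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsI"
    "mV4cCI6MTU2NTk1NDQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUy" "dzZmdzN4cXZnTHYyUDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ"
    "9.TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcx" "sBBeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-"
    "XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb-" "ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc-"
    "OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC-" "k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA"
)
PAGE_ID_TOKEN = (
    "eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx" "nIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjo"
    "iaHR0cHM6Ly9leGFtcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2" "EyaGZzaHJtZ3Jja2VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqd"
    "GkiOiJJRC54b3dfc21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1y" "IjpbInB3ZCJdLCJpZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXM"
    "zdCIsImF1dGhfdGltZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSF" "NsQ1EiLCJ0ZXN0Y2xhaW0iOlsiRXZlcnlvbmUiXX0.Il6htgtZeH9vhN1xXB05DWvNG9V-"
    "xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv-" "1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO-"
    "25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1h" "nRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq-"
    "PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q-" "Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw"
)


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def peek(token):
    """Decode header and payload without verifying: read-only inspection, trust nothing in it."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def at_hash(access_token):
    """OIDC at_hash for an RS256 ID token: base64url of the left 128 bits of SHA-256(access token)."""
    return b64url_encode(hashlib.sha256(access_token.encode("ascii")).digest()[:16])


def check_id_token_claims(claims, client_id, expected_nonce, now, access_token=None, leeway=60):
    """ID-token-specific checks a client runs after verifying the signature (not done here).
    Returns a list of problems; an empty list means the claims are acceptable."""
    problems = []
    if claims.get("aud") != client_id:           # an ID token is addressed to the client, not to an API
        problems.append("aud is not this client")
    if claims.get("nonce") != expected_nonce:    # ties the token to the request this client started
        problems.append("nonce mismatch")
    if claims.get("exp", 0) <= now - leeway:
        problems.append("expired")
    if access_token is not None and claims.get("at_hash") != at_hash(access_token):
        problems.append("at_hash mismatch")      # the access token was not issued alongside this ID token
    return problems


def compare_page_tokens():
    """Slide 53 in the deck's own tokens: who each one is addressed to and what it describes."""
    _, access = peek(PAGE_ACCESS_TOKEN)
    _, ident = peek(PAGE_ID_TOKEN)
    return {
        "access_token_aud": access["aud"],                       # the resource server
        "id_token_aud": ident["aud"],                            # the client
        "id_aud_equals_access_cid": ident["aud"] == access["cid"],
        "access_token_authz_claims": [k for k in ("scp", "cid") if k in access],
        "id_token_authn_claims": [k for k in ("amr", "auth_time", "nonce", "at_hash", "idp") if k in ident],
    }


def demo():
    _, ident = peek(PAGE_ID_TOKEN)
    client_id, nonce = "0oa2hfshrmgrckemv0i7", "xw9s2bes3t"     # what the requesting client would hold
    now = ident["iat"] + 30                                     # a moment inside the token's validity window
    paired = dict(ident, at_hash=at_hash("constructed.access.token"))   # constructed matching pair
    return {
        "page_id_token": check_id_token_claims(ident, client_id, nonce, now),
        "checked_as_if_for_the_api": check_id_token_claims(ident, "api://default", nonce, now),
        "wrong_nonce": check_id_token_claims(ident, client_id, "some-other-nonce", now),
        # the slide-31 access token was issued hours before this ID token, so its at_hash cannot match
        "unrelated_access_token": check_id_token_claims(ident, client_id, nonce, now, PAGE_ACCESS_TOKEN),
        "constructed_pair": check_id_token_claims(paired, client_id, nonce, now, "constructed.access.token"),
    }
```

`compare_page_tokens()` shows the slide's point in the deck's own data: the access token's `aud` is `api://default` and its `cid` names the client, while the ID token's `aud` is that same client id, so an ID token presented to the API as if it were an access token fails the audience check, and an access token handed to the client as proof of login fails it the other way round.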
  54. Digital Identity Today
    Simple Login – OpenID Connect
    Single Sign-on – OpenID Connect
    Mobile App Login – OpenID Connect
    Delegated Access – OAuth 2.0
  55. Developer.okta.com andy.march@okta.com @andymarch