TLDR - OAuth

Transcript

1. TLDR: OAuth and OIDC Modern web authentication in 30 mins

   or less

2. 10+ years working in secure systems Hi! Platform Specialist at

   Okta Software Developer (.NET / Java / JS) @andymarch
3. None
4. None
5. None
6. None

7. Digital Identity Circa 2007 Simple Login – forms and cookies

   Single Sign-on – SAML Delegated Access – passwords

8. Yelp ~ 2007

9. Facebook ~ 2010

10. None

11. Specs are not tutorials

12. Delegated authorization with OAuth 2.0

13. Who’s who of OAuth 2.0 Resource Owner Client Authorization Server

    Resource Server Guest Hotel Room Reception Desk Hotel

14. Register: redirect address ClientID, Client secret

15. ClientId (a unique identifier of an application)

16. ClientSecret (an authenticator for an application)

17. None

18. Redirect: AuthorizationServer, ClientID, Scope Login ClientID, Scope

19. Scope (a requested permission)

20. None
21. None

22. Consent (the user explicitly granting access)

23. Image Credit: Michal Kan

24. Image Credit: CloudLock

25. None

26. AuthorizationCode Redirect: AuthorizationCode

27. Front Channel (server to server communication through a user’s browser)

28. AuthorizationCode client id, client secret Access Token Access Token

29. Back Channel (direct server to server communication)

30. What is an access token anyway Sent by a client

    in calls to a service. Demonstrates a user has consented access to resources. Two varieties: - Reference tokens - Self encoded tokens

31. Access Token eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx nIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5 xV2dUcWI3ZXhMY1lIbk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS 9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsI mV4cCI6MTU2NTk1NDQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUy dzZmdzN4cXZnTHYyUDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ 9.TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcx sBBeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-

    XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb- ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc- OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC- k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

32. Access Token eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx nIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5 xV2dUcWI3ZXhMY1lIbk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS 9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsI mV4cCI6MTU2NTk1NDQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUy dzZmdzN4cXZnTHYyUDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ 9.TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcx sBBeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp-

    XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb- ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc- OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC- k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

33. Access Token eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx nIjoiUlMyNTYifQ eyJ2ZXIiOjEsImp0aSI6IkFULjJHTGZUQ0puSG0yUDR1ZTl2aU81dEhMSE5xV2dUcWI3ZXhMY1l Ibk11OVkiLCJpc3MiOiJodHRwczovL2V4YW1wbHkub2t0YS1lbWVhLmNvbS9vYXV0aDIvZGVmYX VsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE1NjU5NDcyODYsImV4cCI6MTU2NTk1N DQ4NiwiY2lkIjoiMG9hMmhmc2hybWdyY2tlbXYwaTciLCJ1aWQiOiIwMHUydzZmdzN4cXZnTHYy UDBpNyIsInNjcCI6WyJvcGVuaWQiXSwic3ViIjoidGVzdEB0ZXN0LmNvbSJ9 TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcxsB

    BeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp- XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb- ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc- OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC- k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA

34. JWT Header { "typ": "JWT", "alg": "HS256" }

35. { "ver": 1, "jti": "AT.2GLfTCJnHm2P4ue9viO5tHLHNqWgTqb7exLcYHnMu9Y", "iss": "https://examply.okta-emea.com/oauth2/default", "aud": "api://default", "iat":

    1565947286, "exp": 1565953668, "cid": "0oa2hfshrmgrckemv0i7", "uid": "00u2w6fw3xqvgLv2P0i7", "scp": [ ”profile" ], "sub": "[email protected]" } JWT Payload

36. TgXMcCNGIpDvqa8EY75lbns_kcyVa6t7Qx5F97YxGd1Ci_iGYPtzBx8Qf2avQPWVcYJmA6mcxsB BeqzWMTcqWaGoSbt8N9MG1ma_JITIkEX2kZB2Vw66_X1vAwiKJ8_6ytoAVqcAkc2ulXdKp- XVGsCv1R011O70Hdp2tIzKNWH-wGV1uZDq5_dBGB4Pk6hkp7lQb- ix3WVBEEjyHUzMYFDki9vx_dvGuj2kaay_TPXVqc- OqClMd4O3vpwW3DZMCGB5vndAX49h61fbJUTShYGral-NC1XdI1dY1aTROGfetVC- k95zBTFVjwI_TsJe8qmVG9GLlO2fpkY4JdMhaA JWT Signature

37. None

38. Local Token Validation Check the signature Check the audience Check

    the issuance timestamp Check the expiry timestamp
39. None
40. None
41. None

42. Remote Token Validation: Introspection http://examply.okta-emea.com/oauth2/default/v1/introspect Authorization Basic ${Base64(<client_id>:<client_secret>)} token=“bdfFGEW3g[…]sdChg7a4n8” token_type_hint=access_token

    { "active": true } Request Response
43. None

44. Token Refresh http://examply.okta-emea.com/oauth2/default/v1/token Authorization Basic ${Base64(<client_id>:<client_secret>)} grant_type=refresh_token redirect_uri=https://examply.co.uk/callback scope=profile refresh_token="eyJhbGciOiJ[...]K1Sun9bA"

    { "token_type": Bearer, "access_token": eyJhbGciOiJ[...]K1Sun9bA, "expires_in": 3600, "scope": ”profile", "refresh_token": "eyJhbGciOiJ[...]K1Sun9bA", } Request Response

45. Simple Login – OAuth 2.0 Single Sign-on – OAuth 2.0

    Mobile app login – OAuth 2.0 Delegated Access – OAuth 2.0 Digital Identity Circa 2012 Authentication Authentication Authentication Authorization

46. OpenID

47. OpenID Connect Default Scopes Openid Indicates an OpenId request Profile

    Access to the user’s profile Email Access to the user’s email address Address Access to the user’s physical address Phone Access to the user’s telephone number Offline_access Request refresh token for continued access

48. eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx nIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjo iaHR0cHM6Ly9leGFtcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2 EyaGZzaHJtZ3Jja2VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqd GkiOiJJRC54b3dfc21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1y IjpbInB3ZCJdLCJpZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXM zdCIsImF1dGhfdGltZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSF NsQ1EiLCJ0ZXN0Y2xhaW0iOlsiRXZlcnlvbmUiXX0.Il6htgtZeH9vhN1xXB05DWvNG9V- xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv- 1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO-

    25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1h nRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq- PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q- Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw ID Tokens

49. eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx nIjoiUlMyNTYifQ.eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjo iaHR0cHM6Ly9leGFtcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2 EyaGZzaHJtZ3Jja2VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqd GkiOiJJRC54b3dfc21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1y IjpbInB3ZCJdLCJpZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXM zdCIsImF1dGhfdGltZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSF NsQ1EiLCJ0ZXN0Y2xhaW0iOlsiRXZlcnlvbmUiXX0.Il6htgtZeH9vhN1xXB05DWvNG9V- xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv- 1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO-

    25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1h nRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq- PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q- Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw ID Tokens

50. eyJraWQiOiJ5T1k4Y0dTdldRWHNheDRBWmpZV3JhZzhWU2ktYnJRaVVoM19wV0NmTF9ZIiwiYWx nIjoiUlMyNTYifQ eyJzdWIiOiIwMHUydzZmdzN4cXZnTHYyUDBpNyIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9leGF tcGx5Lm9rdGEtZW1lYS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiIwb2EyaGZzaHJtZ3Jja2 VtdjBpNyIsImlhdCI6MTU2NTk2MTYzNCwiZXhwIjoxNTY1OTY1MjM0LCJqdGkiOiJJRC54b3dfc 21BM3I5Y19uRVN1N2VBZ2JQMElWREV1cVpkRkg1NmlpN0NnZnB3IiwiYW1yIjpbInB3ZCJdLCJp ZHAiOiIwMG8yYXoyaWVycUt1T1QwRDBpNyIsIm5vbmNlIjoieHc5czJiZXMzdCIsImF1dGhfdGl tZSI6MTU2NTk2MTYxMCwiYXRfaGFzaCI6IjZzdGd1WU9fV3A2Q1Y0NXAxSFNsQ1EiLCJ0ZXN0Y2 xhaW0iOlsiRXZlcnlvbmUiXX0 Il6htgtZeH9vhN1xXB05DWvNG9V-xiVAki3qEaj8jxI2jkHshq-2lhy_wmaZpjeDUGQNCIwv-

    1K3JkckW4cFzmDn0Dw6hCykN5EEFLGfkBeO- 25nV64UZUHFDAGH_jhI5v5ARGKZcQQIwf3saeakA2rVkXDAYW8SWwbt96hwFkH15JolTK0YVf1h nRX9hzrkKPJY9JgIhmDsMciLvMOPs93ViAR4ufUp_hVYLSsR6Uq- PDR33eoX9XqktylviG9K9BoRzqu8muM1nqrwZAFUk61CeTRNhR5nI30-NH0bcZhAY2Ts8Q- Pj41m8t_7LIVYbUqxvC0JhcdKbmCNN3FRVw ID Tokens

51. { "typ": "JWT", "alg": "RS256", "kid": "yOY8cGSvWQXsax4AZjYWrag8VSi-brQiUh3_pWCfL_Y" } ID Token

    Header

52. { "sub": "00u2w6fw3xqvgLv2P0i7", "ver": 1, "iss": "https://examply.okta-emea.com/oauth2/default", "aud": "0oa2hfshrmgrckemv0i7", "iat":

    1565961634, "exp": 1565965234, "jti": "ID.xow_smA3r9c_nESu7eAgbP0IVDEuqZdFH56ii7Cgfpw", "amr": [ "pwd" ], "idp": "00o2az2ierqKuOT0D0i7", "nonce": ”number_only_once", "auth_time": 1565961610, "at_hash": "6stguYO_Wp6CV45p1HSlCQ", } ID Token Payload

53. Access Token vs ID Token OAuth specification Audience is the

    resource server Describes the granted access by the user OpenId Specification Audience is the client Describes the authentication of the user

54. Simple Login – OpenID Connect Single Sign-on – OpenID Connect

    Mobile App Login – OpenID Connect Delegated Access – OAuth 2.0 Digital Identity Today

55. Developer.okta.com [email protected] @andymarch