TLDR - OAuth

Andy March
September 12, 2019


Web authentication and authorization have come a long way in the last ten years. In this talk we'll look at where we've come from and how OAuth and OIDC solved the problems we faced.


Transcript

  2.

    Hi! 10+ years working in secure systems. Platform Specialist at Okta. Software Developer (.NET / Java / JS). @andymarch
  7.

    Digital Identity Circa 2007
    Simple Login – forms and cookies
    Single Sign-on – SAML
    Delegated Access – passwords
  13.

    Who’s who of OAuth 2.0: Resource Owner, Client, Authorization Server, Resource Server
    Hotel analogy: Guest, Hotel Room, Reception Desk, Hotel
  30.

    What is an access token anyway? Sent by a client in calls to a service. Demonstrates a user has consented access to resources. Two varieties:
    - Reference tokens
    - Self-encoded tokens
  35.

    JWT Payload
    {
      "ver": 1,
      "jti": "AT.2GLfTCJnHm2P4ue9viO5tHLHNqWgTqb7exLcYHnMu9Y",
      "iss": "https://examply.okta-emea.com/oauth2/default",
      "aud": "api://default",
      "iat": 1565947286,
      "exp": 1565953668,
      "cid": "0oa2hfshrmgrckemv0i7",
      "uid": "00u2w6fw3xqvgLv2P0i7",
      "scp": [ "profile" ],
      "sub": "test@test.com"
    }
  38.

    Local Token Validation
    Check the signature
    Check the audience
    Check the issuance timestamp
    Check the expiry timestamp
  44.

    Token Refresh
    Request:
    POST https://examply.okta-emea.com/oauth2/default/v1/token
    Authorization: Basic ${Base64(<client_id>:<client_secret>)}
    grant_type=refresh_token
    redirect_uri=https://examply.co.uk/callback
    scope=profile
    refresh_token="eyJhbGciOiJ[...]K1Sun9bA"

    Response:
    {
      "token_type": "Bearer",
      "access_token": "eyJhbGciOiJ[...]K1Sun9bA",
      "expires_in": 3600,
      "scope": "profile",
      "refresh_token": "eyJhbGciOiJ[...]K1Sun9bA"
    }
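The exchange on this slide from the client's side, as an added example that is not code from the talk or from Okta. It builds the refresh_token grant request and consumes the response without making a network call: the response body is a constructed sample shaped like the slide's. Two details practitioners get wrong are shown: the Basic credentials are form-urlencoded before being joined with ":" and base64-encoded (RFC 6749 §2.3.1), and when the response carries a new refresh token the old one is replaced (refresh-token rotation). The request omits redirect_uri, which RFC 6749 §6 does not define for this grant even though the slide shows it. The client id is taken from slide 35; the client secret, refresh-token strings and function names are assumed.

```python
# Added example, not code from the talk: building a refresh_token grant request
# and handling the token response. No network I/O; SAMPLE_RESPONSE is constructed.
import base64
import json
import time
from typing import Optional
from urllib.parse import quote, urlencode

# Slide URL, but over TLS: RFC 6749 section 3.2 requires HTTPS for the token endpoint.
TOKEN_ENDPOINT = "https://examply.okta-emea.com/oauth2/default/v1/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: urlencode each value, join with ':', then base64."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_refresh_request(client_id: str, client_secret: str,
                          refresh_token: str, scope: Optional[str] = None):
    """Return (url, headers, body) for a refresh_token grant (RFC 6749 section 6)."""
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scope:
        params["scope"] = scope  # may only narrow the originally granted scope
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return TOKEN_ENDPOINT, headers, urlencode(params)


def parse_token_response(body: str, old_refresh_token: str,
                         now: Optional[int] = None) -> dict:
    """Validate a token response and return what the client should persist."""
    now = int(time.time()) if now is None else now
    data = json.loads(body)
    if "error" in data:  # RFC 6749 section 5.2 error response, e.g. invalid_grant
        raise ValueError(f"{data['error']}: {data.get('error_description', '')}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unsupported token_type {data.get('token_type')!r}")
    for field in ("access_token", "expires_in"):
        if field not in data:
            raise ValueError(f"missing {field}")
    # Rotation: a new refresh token in the response invalidates the old one
    # (immediately or after a grace period), so store the new one.
    new_refresh = data.get("refresh_token", old_refresh_token)
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data["expires_in"]),
        "scope": str(data.get("scope", "")).split(),
        "refresh_token": new_refresh,
        "rotated": new_refresh != old_refresh_token,
    }


# Constructed sample response shaped like the slide's (token strings assumed).
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "access_token": "AT.constructed",
    "expires_in": 3600,
    "scope": "profile",
    "refresh_token": "RT.rotated",
})
ERROR_RESPONSE = json.dumps({
    "error": "invalid_grant",
    "error_description": "The refresh token is invalid or expired.",
})

if __name__ == "__main__":
    url, headers, body = build_refresh_request(
        "0oa2hfshrmgrckemv0i7", "assumed-client-secret", "RT.old", "profile")
    print(url, headers["Authorization"], body)
    print(parse_token_response(SAMPLE_RESPONSE, "RT.old"))
```

A real client would POST `body` with `headers` to `url`, then call `parse_token_response` on the HTTP body; on `invalid_grant` the stored refresh token is dead and the user has to sign in again.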
  45.

    Digital Identity Circa 2012
    Simple Login – OAuth 2.0 (Authentication)
    Single Sign-on – OAuth 2.0 (Authentication)
    Mobile app login – OAuth 2.0 (Authentication)
    Delegated Access – OAuth 2.0 (Authorization)
  47.

    OpenID Connect Default Scopes
    openid – Indicates an OpenID request
    profile – Access to the user’s profile
    email – Access to the user’s email address
    address – Access to the user’s physical address
    phone – Access to the user’s telephone number
    offline_access – Request refresh token for continued access
  52.

    ID Token Payload
    {
      "sub": "00u2w6fw3xqvgLv2P0i7",
      "ver": 1,
      "iss": "https://examply.okta-emea.com/oauth2/default",
      "aud": "0oa2hfshrmgrckemv0i7",
      "iat": 1565961634,
      "exp": 1565965234,
      "jti": "ID.xow_smA3r9c_nESu7eAgbP0IVDEuqZdFH56ii7Cgfpw",
      "amr": [ "pwd" ],
      "idp": "00o2az2ierqKuOT0D0i7",
      "nonce": "number_only_once",
      "auth_time": 1565961610,
      "at_hash": "6stguYO_Wp6CV45p1HSlCQ"
    }
  53.

    Access Token vs ID Token
    OAuth specification: audience is the resource server; describes the access granted by the user
    OpenID specification: audience is the client; describes the authentication of the user
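The contrast on this slide, and the ID token payload from slide 52, as an added example that is not code from the talk or from Okta. Signature and timestamp checks are the same for both token types and are assumed done already; this shows the checks the OpenID specification adds for the client consuming an ID token (OIDC Core §3.1.3.7 and §3.2.2.9): the audience must be the client's own id, the nonce must echo the one the client sent, and at_hash must match the access token issued next to it. It also shows the other direction: a resource server refusing an ID token presented as if it were an access token, because its audience is a client id and it carries no scopes. The client id is the "aud" from slide 52 (which is also the "cid" in the access token on slide 35); the access token string and the alternative nonce are constructed, and "scp" is the scope claim name the slides use.

```python
# Added example, not code from the talk: OIDC-specific ID token checks versus
# what a resource server expects of an access token.
import base64
import hashlib
import hmac
from typing import List, Optional

CLIENT_ID = "0oa2hfshrmgrckemv0i7"  # ID token "aud" on slide 52, "cid" on slide 35


def b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str) -> str:
    """OIDC at_hash for an RS256/HS256 ID token: SHA-256 over the access token's
    ASCII octets, left-most 128 bits, base64url without padding."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def verify_id_token_claims(claims: dict, expected_nonce: str,
                           access_token: Optional[str] = None,
                           client_id: str = CLIENT_ID) -> List[str]:
    """Return the list of failed OpenID checks; an empty list means all passed."""
    problems = []
    # Audience: an ID token is addressed to the client, not to an API.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append(f"aud {aud!r} does not contain client_id {client_id!r}")
    elif len(aud_list) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not this client")
    # Nonce: ties the token to this login attempt (replay protection).
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        problems.append("nonce mismatch (possible replay)")
    # at_hash: binds the ID token to the access token returned alongside it,
    # so an attacker cannot pair a stolen access token with their own ID token.
    if access_token is not None:
        if "at_hash" not in claims:
            problems.append("at_hash missing although an access token was issued")
        elif not hmac.compare_digest(str(claims["at_hash"]), compute_at_hash(access_token)):
            problems.append("at_hash does not match the access token")
    return problems


def resource_server_accepts(claims: dict, api_audience: str) -> bool:
    """What the OAuth side looks for: the API's own audience and granted scopes.
    An ID token fails both, so it cannot be used as a bearer credential."""
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    return api_audience in aud_list and bool(claims.get("scp"))


# Claims copied from slide 52.
ID_TOKEN_CLAIMS = {
    "sub": "00u2w6fw3xqvgLv2P0i7",
    "ver": 1,
    "iss": "https://examply.okta-emea.com/oauth2/default",
    "aud": CLIENT_ID,
    "iat": 1565961634,
    "exp": 1565965234,
    "jti": "ID.xow_smA3r9c_nESu7eAgbP0IVDEuqZdFH56ii7Cgfpw",
    "amr": ["pwd"],
    "idp": "00o2az2ierqKuOT0D0i7",
    "nonce": "number_only_once",
    "auth_time": 1565961610,
    "at_hash": "6stguYO_Wp6CV45p1HSlCQ",
}
CONSTRUCTED_ACCESS_TOKEN = "AT.constructed-for-this-example"  # not the slide's token

if __name__ == "__main__":
    print(verify_id_token_claims(ID_TOKEN_CLAIMS, "number_only_once"))    # []
    print(verify_id_token_claims(ID_TOKEN_CLAIMS, "some-other-nonce"))    # nonce mismatch
    bound = dict(ID_TOKEN_CLAIMS, at_hash=compute_at_hash(CONSTRUCTED_ACCESS_TOKEN))
    print(verify_id_token_claims(bound, "number_only_once", CONSTRUCTED_ACCESS_TOKEN))
    print(resource_server_accepts(ID_TOKEN_CLAIMS, "api://default"))       # False
```

The slide's own at_hash cannot be verified here because the matching access token is not on the page; the example rebinds a constructed access token to show the check succeeding and failing.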
  54.

    Digital Identity Today
    Simple Login – OpenID Connect
    Single Sign-on – OpenID Connect
    Mobile App Login – OpenID Connect
    Delegated Access – OAuth 2.0