
Apidays Paris 2023 - I Have an OAuth2 Access Token, Now what do I do with it, Matthew Auburn, Morgan Stanley

apidays
December 18, 2023


Apidays Paris 2023 - Software and APIs for Smart, Sustainable and Sovereign Societies
December 6, 7 & 8, 2023

I Have an OAuth2 Access Token, Now what do I do with it
Matthew Auburn, VP and Tech Lead at Morgan Stanley | Co-author of Mastering API Architecture

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/


Transcript

  1. I have an Access token, Now what! apidays Paris 2023 - December 06, 07 & 08, 2023
     Matthew Auburn, VP and Tech Lead at Morgan Stanley | Co-author of Mastering API Architecture
     Handling Access Tokens in your architecture
  2. Who am I
     • Work at Morgan Stanley
     • Working in Security Design
     • Previously API Platform Tech Lead
     • A Masters focused on Security
     • Co-Author of Mastering API Architecture
  3. Agenda
     • Why give this talk
     • What is an Access Token…
     • How do you introspect them
     • Where should you introspect them in your architecture
  4. An OAuth2 refresher: OAuth2 Abstract Protocol
     • Resource Owner - An entity capable of granting access to a protected resource (typically a human)
     • Authorization Server - The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization
     • Client - An application making protected resource requests on behalf of the resource owner and with its authorization
     • Resource Server - The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens
  5. https://www.rfc-editor.org/rfc/rfc6749#section-1.4
     “Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client”
  6. Access Tokens and usage
     • When OAuth2 was released there was no RFC explicitly defining what an access token should look like
     • Different Auth servers (IDPs) made their own choices for their Access Tokens…
     • There is no single pattern for how Access Tokens should be used in an architecture
  7. JWT
     • JWT spec - https://datatracker.ietf.org/doc/html/rfc7519
     • Has registered claims (definitions are set)
     • Simple for processing and compact
     • Signed JWTs
     • Encrypted JWTs
     • NOTE: When someone says JWT what they typically mean is a Signed JWT
  8. Signed JWT Example (the slide shows a full base64url-encoded header.payload.signature token)
  9. Opaque tokens
     • A long random value
     • No identifiable information in the token - must be looked up
     • atfqI-QW3HXqF1hkot1e6hJDIj4qHnwTEUXiGJFf09k.SRHhlx6wlDz5GZncAr99HfM7FUbDQlUg73MapL0TJ2I
       Example token taken from Cloudentity https://cloudentity.com/developers/basics/tokens/opaque-token/
  10. ADR - Access Token Format
     • Context - As an organisation we are using OAuth2 for our API access and need to process Access Tokens. The IDP we use offers Access Tokens in various formats and we need to pick one.
     • Decision - The format of the Access Tokens issued will be X
     • Consequences - Using Access Tokens in the format of X will…
  11. Inspecting an Access Token
     • JWTs are typically inspected in-process
     • An opaque token needs to be checked against the Auth Server; you can also introspect a JWT this way
     • JWTs can be introspected to see if they are revoked, though not all Auth Servers provide this
     • Token Introspection endpoint - RFC 7662 - https://www.rfc-editor.org/rfc/rfc7662.html
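The RFC 7662 introspection flow described on this slide, as an added example (not code from the talk or from any Auth Server): the resource server POSTs the token to the introspection endpoint and then must treat `active` as the only guaranteed member of the response. The endpoint URL, client credential and the sample response are constructed for illustration.

```python
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed RFC 7662 response for a still-valid token (not taken from the slides).
SAMPLE_INTROSPECTION_JSON = json.dumps({
    "active": True,
    "scope": "openid Conference-API conference:READ",
    "client_id": "MobileClientApplication",
    "aud": "api.conferences.com",
    "exp": int(time.time()) + 300,
    "token_type": "Bearer",
})

def build_introspection_request(token: str) -> Tuple[str, dict]:
    """Form body and headers for POST <auth-server>/introspect (RFC 7662 section 2.1).
    The resource server must also authenticate itself to the endpoint (assumed: HTTP Basic)."""
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return body, headers

def evaluate_introspection(raw_json: str, required_scope: str, expected_aud: str,
                           now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether to honour the token from the introspection response. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        resp = json.loads(raw_json)
    except json.JSONDecodeError:
        return False, "unparseable introspection response"
    # "active" is the only required member; an inactive response carries no other claims.
    if resp.get("active") is not True:
        return False, "token inactive (expired, revoked or unknown)"
    exp = resp.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    nbf = resp.get("nbf")
    if nbf is not None and now < nbf:
        return False, "token not yet valid"
    aud = resp.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return False, "audience mismatch"
    granted = set(resp.get("scope", "").split())   # scope is a space-separated string
    if required_scope not in granted:
        return False, "missing scope " + required_scope
    return True, "ok"
```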
  12. Inspecting - Access Tokens at the edge
     • Scope (scope) - what the Client Application is authorized to access
     • Audience (aud) - where the token should be used
     • Authentication Context Class Reference (acr) - authentication strength
     • GET /conferences
       • scope: conference:READ
       • aud: api.conferences.com
       • acr: 1 (password)
     • POST /conferences
       • scope: conference:WRITE
       • aud: api.conferences.com
       • acr: 2 (MFA)
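The edge check this slide describes, as an added example (not code from the talk): in-process JWT verification followed by the per-route scope, aud and acr policy shown above. The signing secret and the minted tokens are constructed; HS256 is used instead of the RS256 of the slide's example token only so the code runs on the standard library, and acr is compared numerically because the slide uses the values 1 and 2.

```python
import base64, hashlib, hmac, json, time

# Constructed HS256 secret: the slides' token is RS256; HS256 keeps this example dependency-free.
SECRET = b"workshop-demo-secret-not-for-production"
# Per-route policy from the slide: required scope, audience and minimum acr (numeric, as on the slide).
ROUTE_POLICY = {
    ("GET", "/conferences"):  {"scope": "conference:READ",  "aud": "api.conferences.com", "min_acr": 1},
    ("POST", "/conferences"): {"scope": "conference:WRITE", "aud": "api.conferences.com", "min_acr": 2},
}

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict) -> str:
    """Issue a constructed HS256 JWT so the checker has realistic input to run on."""
    head, body = _b64e(b'{"alg":"HS256","typ":"JWT"}'), _b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_jwt(token: str) -> dict:
    """In-process check: pinned alg, signature, exp. Returns claims or raises ValueError."""
    head, body, sig = token.split(".")            # wrong segment count raises ValueError
    if json.loads(_b64d(head)).get("alg") != "HS256":   # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body))
    if time.time() >= claims.get("exp", 0):       # missing exp is treated as expired
        raise ValueError("expired")
    return claims

def authorize(method: str, path: str, token: str) -> bool:
    """Edge decision for one request: token validity, then route scope, aud and acr strength."""
    policy = ROUTE_POLICY.get((method, path))
    if policy is None:
        return False                              # unknown route: deny by default
    try:
        claims = verify_jwt(token)
        acr = int(claims.get("acr", 0))
    except ValueError:
        return False
    auds = claims.get("aud", [])
    auds = auds if isinstance(auds, list) else [auds]
    scopes = set(claims.get("scope", "").split())
    return policy["aud"] in auds and policy["scope"] in scopes and acr >= policy["min_acr"]
```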