
Mobile Client Security: Authentication, Personalization and Secure Service Communication

Naturally we have to secure our mobile apps, or rather the web APIs behind them. Where classic systems let us think in terms of "username/password" or Windows authentication inside the application, modern business and mobile apps require a different approach. In this session Dominick Baier and Christian Weyer show architectural approaches and implementations for handling authentication, authorization and service communication securely with OAuth 2.0 and OpenID Connect. Building on that, you will also see how the idea of tokens and claims makes it simple to personalize your app for its users, killing two birds with one stone.

Christian Weyer

September 24, 2014

Transcript

  1. Dominick Baier, Christian Weyer | Thinktecture AG
     Mobile Client Security: Authentifizierung, Personalisierung und sichere Service-Kommunikation
     (Mobile Client Security: Authentication, Personalization and Secure Service Communication)
     think mobile!
  2. Dominick & Christian
     • Dominick Baier, Chief Security Officer – [email protected] – @leastprivilege
     • Christian Weyer, Managing Director – [email protected] – @christianweyer
     • http://www.thinktecture.com
     • http://www.leastprivilege.com
  3. Agenda
     • Mobile (web-based) client apps
     • Moving to token-based authentication
     • Authentication & Identity with OpenID Connect (OIDC)
     • OIDC Implicit Flow
     • Authorization & Personalization
  4. Mobile client apps
     • 'Mobile' is not just about devices
       – instead it refers to a new way of working without being tied to a desktop in an office
       – users expect modern business applications to work on multiple devices, at multiple locations, online and offline
     • Mobile spans the whole stack
       – from native Windows 8 applications on laptops and tablets
       – to modern HTML5-based desktop applications
       – to classic Windows clients developed with WPF
       – to native applications developed for iPhone, iPad, Android and Windows Phone
  5. Modern application security
     • Works across any platforms & systems
       – cross origin (application mash-ups)
       – common denominator technologies
     • Factoring out authentication & authorization
       – separation of concerns
       – decoupling of technical details
       – Authentication-as-a-service
       – Access-Control-as-a-service
  6. OpenID Connect (OIDC)
     "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol."
     • Authentication protocol on top of OAuth2
       – defines identity tokens
       – defines a standard token type (JWT)
       – defines standard cryptography
       – defines validation procedures
       – defines standard scopes
       – combines authentication with short-/long-lived delegated API access
       – defines flows for native, browser and server-based applications
  7. OIDC Flows
     • Implicit Flow
       – native/browser/web applications
       – no explicit client authentication (the client holds no secret; tokens are returned to it in the redirect URI fragment)
     • Authorization Code Flow
       – server-based applications
       – stronger authentication (the client authenticates itself when it redeems the code at the token endpoint)
       – long-lived API access
     • Hybrid Flow
       – "in-between"
  8. OpenID Connect Implicit Flow for Client-side Applications

     GET /authorize
       ?client_id=app1
       &scope=openid email
       &redirect_uri=https://app1/cb
       &response_type=id_token
  9. Excursion: Scopes

     Scope           Claims
     profile         name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at
     email           email, email_verified
     address         address
     phone           phone_number, phone_number_verified
     offline_access  (no claims; requests a refresh token)
  10. Excursion: Identity Token

      Header:
        { "typ": "JWT", "alg": "HS256" }

      Claims:
        { "iss": "https://idsrv3",
          "exp": 1340819380,
          "aud": "app1",
          "sub": "182jmm199",
          "email": "[email protected]",
          "email_verified": true,
          "amr": "password",
          "auth_time": 12340819300 }

      Encoded form, header.claims.signature (cut short on the slide):
        eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt

      Note: the encoded sample is the JWT specification's unsecured-token example, and its header decodes to {"alg":"none"}. A validator must reject that, and must verify with the algorithm it expects rather than the one the token names. Browser and native clients hold no client secret, so in practice the issuer signs the identity token asymmetrically (RS256) and the client checks it against the issuer's published public key; an HS256 signature can only be checked by a party that holds the shared secret.
  11. Combining Authentication with API Access

      GET /authorize
        ?client_id=app1
        &scope=openid email api1 api2
        &redirect_uri=oob://app1/cb
        &response_type=id_token token
  12. Client-side token management
      • Client requests token
      • Persisting the token data locally
      • Lifetime management
        – tokens have a finite lifetime
        – the client application needs to explicitly renew the token
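The lifetime rules of slide 12 as an added example (not code from the deck): a small client-side token store that persists the access token with an absolute expiry, refuses to hand out a token that is about to expire, renews explicitly, and retries once after a 401. Storage and clock are injected (a Map and a fake clock here; sessionStorage and Date.now() in a browser), and renew is a hypothetical callback standing in for a silent re-run of the authorize request.

```javascript
// Added example, not from the slides. "renew" is a hypothetical callback that re-runs the
// authorize request (e.g. prompt=none in a hidden iframe) and returns { accessToken, expiresIn };
// it is synchronous here to keep the demo self-contained.
class TokenStore {
  constructor(storage, renew, { skewSec = 30, now = () => Math.floor(Date.now() / 1000) } = {}) {
    Object.assign(this, { storage, renew, skewSec, now });
  }
  // Persist an absolute expiry derived from expires_in. The access token is opaque to the
  // client (and the id_token's exp says nothing about it), so expires_in is the only lifetime source.
  save(accessToken, expiresInSec) {
    this.storage.set("access_token", JSON.stringify({ token: accessToken, exp: this.now() + expiresInSec }));
  }
  // Hand out the token only while it stays valid for at least skewSec more seconds, so a
  // request does not reach the API with a token that expired in flight.
  get() {
    const raw = this.storage.get("access_token");
    if (!raw) return null;
    const { token, exp } = JSON.parse(raw);
    return exp - this.skewSec > this.now() ? token : null;
  }
  // Explicit renewal: the client, not the API, decides when a fresh token is fetched.
  getOrRenew() {
    const current = this.get();
    if (current !== null) return current;
    const fresh = this.renew();
    this.save(fresh.accessToken, fresh.expiresIn);
    return fresh.accessToken;
  }
  clear() { this.storage.delete("access_token"); }
}

// Attach the token as a bearer credential. A 401 means the API rejected a token the local
// clock still considers valid (revoked, signing key rotated): drop it, renew once, retry.
function callApi(store, doFetch) {
  let res = doFetch({ Authorization: `Bearer ${store.getOrRenew()}` });
  if (res.status === 401) {
    store.clear();
    res = doFetch({ Authorization: `Bearer ${store.getOrRenew()}` });
  }
  return res;
}
```

In a browser, wrap sessionStorage so it exposes the same get/set/delete shape as the Map used here; the rest of the logic is unchanged.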
  13. Personalization
      • Need for "authorization" in the UI layer
        – which user can see or do what in the client application?
        – the real authorization decision always has to happen on the server anyway; hiding a feature in the UI is convenience, not protection
      • The technical concept of authorization morphs into the user-oriented concept of personalization
        – features
        – capabilities
        – constraints
  14. Implementing personalization with Web API
      • Model personalization data and populate it from a server-side repository, based on the incoming token

        using System.Security.Claims;
        using System.Web.Http;

        public class PersonalizationController : ApiController
        {
            public PersonalizationData GetPersonalizationData()
            {
                // the token middleware has already validated the access token
                // and turned its claims into the request's principal
                var user = RequestContext.Principal as ClaimsPrincipal;
                var userName = user.FindFirst("sub").Value;

                var persData = new PersonalizationData
                {
                    Features = GetFeatures(userName),
                    UiClaims = new UiClaimsData
                    {
                        UserName = userName,
                        Capabilities = GetCapabilities(userName),
                        Constraints = GetConstraints(userName),
                        NameValueClaims = GetNameValueClaims(userName)
                    }
                };
                return persData;
            }
        }
  15. Implementing personalization with AngularJS
      • Get personalization data upon successful authentication
      • Implement an AngularJS service to inject personalization data into controllers
      • Data-bind to e.g. capabilities on $scope
      • A fully-fledged solution may include custom directives

        $http({ method: "GET", url: ttTools.baseUrl + "api/personalization" })
          .success(function (data) {
            tt.personalization.data = data;
            // populate routes/UI states from features…
            $rootScope.$broadcast(tt.personalization.constants.dataLoaded);
          });

        app.factory("personalizationService", function () {
          return tt.personalization;
        });
  16. Summary
      • OpenID Connect is the future
      • Replaces
        – SAML2p & WS-Federation
        – home-grown OAuth2 authentication extensions
      • Combines authentication & API access (authorization)
      • Access token can be used to provide personalization data
        – dynamically deliver application parts
        – customize UI
  17. Resources
      • [email protected]
      • [email protected]
      • http://www.thinktecture.com
      • Thinktecture IdentityServer
        – https://github.com/thinktecture/Thinktecture.identityServer.v3
      • Thinktecture's GitHub Repositories
        – https://github.com/thinktecture
      • Christian Weyer's GitHub Repositories
        – https://github.com/ChristianWeyer
  18. Resources
      • OpenID Libraries, Products, and Tools
        – http://openid.net/developers/libraries/
      • Open Source Identity System Participants
        – http://osis.idcommons.net/wiki/Category:OC5_Participant