Mobile Client Security: Authentication, Personalization and Secure Service Communication

Of course we have to secure our mobile apps, or rather the web APIs behind them. Where in classic systems we have so far thought in terms of "username/password" or Windows authentication inside the application, we have to change that for modern business and mobile apps. In this session, Dominick Baier and Christian Weyer present architectural approaches and implementations for handling authentication, authorization and service communication securely using OAuth 2.0 and OpenID Connect-based approaches. Building on that, you will also see how the idea of tokens and claims can be used to give your app personalization that is simple for its users, killing two birds with one stone.

Christian Weyer

September 24, 2014
Transcript

  1. Mobile Client Security: Authentication, Personalization and Secure Service Communication
     Dominick Baier, Christian Weyer | Thinktecture AG
     think mobile!
  2. Dominick & Christian
     • Dominick Baier, Chief Security Officer – [email protected] – @leastprivilege
     • Christian Weyer, Managing Director – [email protected] – @christianweyer
     • http://www.thinktecture.com
     • http://www.leastprivilege.com
  3. Agenda
     • Mobile (web-based) client apps
     • Moving to token-based authentication
     • Authentication & Identity with OpenID Connect (OIDC)
     • OIDC Implicit Flow
     • Authorization & Personalization
  4. Mobile client apps
     • 'Mobile' is not just about devices
       – instead it refers to a new way of working without being tied to a desktop in an office
       – users expect modern business applications to work on multiple devices, at multiple locations, online and offline
     • Mobile spans the whole stack
       – from native Windows 8 applications on laptops and tablets
       – to modern HTML5-based desktop applications
       – to classic Windows clients developed with WPF
       – to native applications developed for iPhone, iPad, Android and Windows Phone
  5. Modern application security
     • Works across any platforms & systems
       – cross origin (application mash-ups)
       – common denominator technologies
     • Factoring out authentication & authorization
       – separation of concerns
       – decoupling of technical details
       – Authentication-as-a-service
       – Access-Control-as-a-service
  6. "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol."
     • Authentication protocol on top of OAuth2
       – defines identity tokens
       – defines a standard token type
       – defines standard cryptography
       – defines validation procedures
       – defines standard scopes
       – combines authentication with short/long-lived delegated API access
       – defines flows for native, browser and server-based applications
  7. OIDC Flows
     • Implicit Flow
       – native/browser/web applications
       – no explicit client authentication
     • Authorization Code Flow
       – server-based applications
       – stronger authentication
       – long-lived API access
     • Hybrid Flow
       – "in-between"
  8. OpenID Connect Implicit Flow for Client-side Applications

     ```http
     GET /authorize
         ?client_id=app1
         &scope=openid email
         &redirect_uri=https://app1/cb
         &response_type=id_token
     ```
  9. Excursion: Scopes

     | Scope          | Claims |
     |----------------|--------|
     | profile        | name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at |
     | email          | email, email_verified |
     | address        | address |
     | phone          | phone_number, phone_number_verified |
     | offline_access | requests a refresh token |
 10. Excursion: Identity Token

     Header:

     ```json
     { "typ": "JWT", "alg": "HS256" }
     ```

     Claims:

     ```json
     {
       "iss": "https://idsrv3",
       "exp": 1340819380,
       "aud": "app1",
       "sub": "182jmm199",
       "email": "[email protected]",
       "email_verified": true,
       "amr": "password",
       "auth_time": 12340819300
     }
     ```

     Serialized form, three base64url segments (Header . Claims . Signature):

     eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
 11. Combining Authentication with API Access

     ```http
     GET /authorize
         ?client_id=app1
         &scope=openid email api1 api2
         &redirect_uri=oob://app1/cb
         &response_type=id_token token
     ```
 12. Client-side token management
     • Client requests token
     • Persisting the token data locally
     • Lifetime management
       – Tokens have a finite lifetime
     • Client application needs to explicitly renew the token
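Slide 12's lifetime management as an added example (not code from the deck or from Thinktecture): a small Node.js token store that persists an access token, reads its exp claim, and makes the application renew explicitly before the token runs out, dropping a token that has already expired rather than sending it. The storage back end (a Map standing in for localStorage or platform secure storage), the 60-second renewal window, the requestToken callback and the token values are constructed for the example; the demo tokens carry no signature because the store only tracks lifetime, validation happened when the token was first received.

```javascript
// Added example (not from the deck): client-side lifetime management for an
// access token. Node.js; storage back end, renewal callback and token values
// are constructed for this example.

// exp lives in the JWT payload; only the middle segment is needed here.
function tokenExpiry(token) {
  const payload = JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
  if (typeof payload.exp !== "number") throw new Error("token has no exp claim");
  return payload.exp; // seconds since epoch
}

class TokenStore {
  // `storage` stands in for localStorage / platform secure storage.
  constructor(storage = new Map(), renewBeforeSeconds = 60) {
    this.storage = storage;
    this.renewBefore = renewBeforeSeconds;
  }
  save(token) { this.storage.set("access_token", token); }
  load() { return this.storage.get("access_token") || null; }
  clear() { this.storage.delete("access_token"); }

  // "missing", "expired", "expiring" (inside the renewal window) or "valid".
  status(now) {
    const t = this.load();
    if (!t) return "missing";
    const exp = tokenExpiry(t);
    if (exp <= now) return "expired";
    if (exp - now <= this.renewBefore) return "expiring";
    return "valid";
  }

  // The client has to renew explicitly: nothing refreshes a token by itself.
  // `requestToken` is the app's own function that runs the authorize request again.
  async tokenFor(now, requestToken) {
    const s = this.status(now);
    if (s === "valid") return this.load();
    if (s === "expired") this.clear(); // never send a token known to be dead
    const fresh = await requestToken();
    if (tokenExpiry(fresh) <= now) throw new Error("provider returned an expired token");
    this.save(fresh);
    return fresh;
  }
}

// Demo token with an empty signature segment: only exp matters to the store.
function fakeToken(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ typ: "JWT", alg: "HS256" })}.${enc({ sub: "182jmm199", exp })}.`;
}

// Walks through the four states with a fake clock; returns what happened.
async function demo() {
  const store = new TokenStore();
  let issued = 0;
  const requestToken = async () => { issued++; return fakeToken(1000 + 3600 * issued); };
  const a = await store.tokenFor(1000, requestToken); // missing  -> request
  const b = await store.tokenFor(2000, requestToken); // valid    -> reuse
  const c = await store.tokenFor(4570, requestToken); // 30s left -> renew early
  const d = await store.tokenFor(9999, requestToken); // expired  -> drop, renew
  return { issued, reused: a === b, renewedEarly: c !== b, renewedAfterExpiry: d !== c };
}
```

The renewal window is what turns "tokens have a finite lifetime" into behaviour the user never notices: a request made 30 seconds before exp would still be accepted by the API, but the store already fetches a fresh token so the next call never races the expiry.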
 13. Personalization
     • Need for "authorization" in the UI layer
       – which user can see or do what in the client application?
       – authorization always has to happen on the server, anyway
     • The technical concept of authorization morphs into the user-oriented concept of personalization
       – features
       – capabilities
       – constraints
 14. Implementing personalization with Web API
     • Model personalization data and populate it from a server-side repository
       – based on the incoming token

     ```csharp
     public class PersonalizationController : ApiController
     {
         public PersonalizationData GetPersonalizationData()
         {
             // The user is resolved from the incoming token (see the callout below).
             var user = …;
             var persData = new PersonalizationData
             {
                 Features = GetFeatures(user),
                 UiClaims = new UiClaimsData
                 {
                     UserName = user,
                     Capabilities = GetCapabilities(user),
                     Constraints = GetConstraints(user),
                     NameValueClaims = GetNameValueClaims(user)
                 }
             };
             return persData;
         }
     }
     ```

     Callout on the slide: the principal built from the validated token is available on the request context, and the subject claim identifies the user.

     ```csharp
     var user = RequestContext.Principal as ClaimsPrincipal;
     var userName = user.FindFirst("sub").Value;
     ```
 15. Implementing personalization with AngularJS
     • Get personalization data upon successful authentication
     • Implement an AngularJS service to inject personalization data into controllers
     • Data-bind to e.g. capabilities on $scope
     • A fully-fledged solution may include custom directives

     ```javascript
     // Fetch the personalization data once the user is authenticated.
     $http({ method: "GET", url: ttTools.baseUrl + "api/personalization" })
         .success(function (data) {
             tt.personalization.data = data;
             // populate routes/UI states from features…
             $rootScope.$broadcast(tt.personalization.constants.dataLoaded);
         });

     // Expose the data to controllers as an injectable service.
     app.factory("personalizationService", function () {
         return tt.personalization;
     });
     ```
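Slides 13 to 15 as an added example (not the deck's or Thinktecture's code), in Node.js rather than the C# and AngularJS of the slides: the personalization data (features, capabilities, constraints, name/value claims) is derived from the claims of a validated token, and the same policy table also backs the server-side authorization check, so hiding a button in the client never becomes the only control. The policy rules, the role and scope claim names and the sample principals are constructed for the example.

```javascript
// Added example (not from the deck): personalization data derived from token
// claims, with the server keeping the real authorization decision. Node.js;
// policy table, claim names and sample principals are constructed here.

// One policy table drives both the UI hints and the server-side check, so the
// two can never disagree.
const POLICY = {
  features: {
    reporting: (c) => c.roles.includes("analyst") || c.roles.includes("admin"),
    admin: (c) => c.roles.includes("admin"),
  },
  capabilities: {
    "order.create": (c) => c.scope.includes("api1"),
    "order.delete": (c) => c.roles.includes("admin"),
  },
  constraints: {
    maxOrderAmount: (c) => (c.roles.includes("admin") ? 100000 : 1000),
  },
};

// roles may arrive as a string or an array; scope is space-separated in tokens.
function normalize(claims) {
  const roles = [].concat(claims.role ?? []);
  const scope = typeof claims.scope === "string" ? claims.scope.split(" ") : (claims.scope ?? []);
  return { sub: claims.sub, roles, scope };
}

// Server side (slide 14): what GET api/personalization returns for this principal.
function buildPersonalization(claims) {
  const c = normalize(claims);
  const on = (table) => Object.keys(table).filter((k) => table[k](c));
  return {
    features: on(POLICY.features),
    uiClaims: {
      userName: c.sub,
      capabilities: on(POLICY.capabilities),
      constraints: Object.fromEntries(
        Object.entries(POLICY.constraints).map(([k, f]) => [k, f(c)])),
      nameValueClaims: { email: claims.email ?? null },
    },
  };
}

// Server side: the authorization check on the API endpoint itself. The client
// only uses personalization to hide controls; this is what enforces them.
function authorize(claims, capability, ctx = {}) {
  const c = normalize(claims);
  const rule = POLICY.capabilities[capability];
  if (!rule || !rule(c)) return false;
  if (capability === "order.create" && ctx.amount > POLICY.constraints.maxOrderAmount(c)) {
    return false;
  }
  return true;
}

// Client side (slide 15): the only thing the UI does with the data.
function canShow(personalization, capability) {
  return personalization.uiClaims.capabilities.includes(capability);
}

// Constructed principal: an analyst whose access token carries the api1 scope.
const ANALYST = { sub: "182jmm199", email: "alice@example.com", role: "analyst", scope: "openid api1" };
```

A client that has been modified to call the delete endpoint anyway still fails authorize(ANALYST, "order.delete"), which is the point of slide 13's "authorization always has to happen on the server, anyway".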
 16. Summary
     • OpenID Connect is the future
     • Replaces
       – SAML2p & WS-Federation
       – home-grown OAuth2 authentication extensions
     • Combines authentication & API access (authorization)
     • The access token can be used to provide personalization data
       – dynamically deliver application parts
       – customize the UI
 17. Resources
     • [email protected]
     • [email protected]
     • http://www.thinktecture.com
     • Thinktecture IdentityServer
       – https://github.com/thinktecture/Thinktecture.identityServer.v3
     • Thinktecture's GitHub Repositories
       – https://github.com/thinktecture
     • Christian Weyer's GitHub Repositories
       – https://github.com/ChristianWeyer
 18. Resources
     • OpenID Libraries, Products, and Tools
       – http://openid.net/developers/libraries/
     • Open Source Identity System Participants
       – http://osis.idcommons.net/wiki/Category:OC5_Participant