Authentication in Web, API-based & Distributed Environments

Transcript

1. AUTHENTICATION IN WEB, API-BASED & DISTRIBUTED ENVIRONMENTS NIKO KÖBLER (@DASNIKO)

2. ABOUT ME ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de ▸ Doing stuff

   with & without computers, writing Software, > 20 yrs ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA) ▸ Speaker at international Tech Conferences ▸ Author of „Serverless Computing in AWS Cloud“ serverlessbuch.de ▸ Twitter: @dasniko SSO & AUTHENTICATION IN API-BASED ENVIRONMENTS

3. AUTHENTICATION AUTHORIZATION

4. None

5. ?

6. None
7. None
8. None
9. None
10. None
11. None

12. OAUTH2 AUTHORIZATION, NOT AUTHENTICATION! The OAuth 2.0 authorization framework enables

    a 3rd-party application to obtain limited access to an HTTP service. IETF, RFC 6749, 2012

13. OAUTH2 GRANT TYPES GRANT TYPE APPS Authorization Code Web, Apps

    Implicit JavaScript, etc. Resource Owner Password Credentials Apps Client Credentials Web Refresh Web, Apps

14. OAUTH2 TERMS Resource Owner Client Authorization Server Resource Server Redirect

    URI Response Type Scope Consent Client ID Client Secret Authorization Code Access Token
15. None

16. ACCESS TOKEN { "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907", "token_type": "Bearer", "expires_in": 3600, "refresh_token":

    "e339b569-6d95-482d-9534-5c0147136ab0" }

17. OPEN ID CONNECT AUTHENTICATION LAYER ON TOP OF OAUTH 2.0

    ‣ verify the identity of an end-user ‣ obtain basic profile information about the user ‣ RESTful HTTP API, using JSON as data format ‣ allows clients of all types (web-based, mobile, JavaScript) OPENID FOUNDATION, 2014

18. OIDC { "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907", "token_type": "Bearer", "expires_in": 3600, "identity_token": "???",

    "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0" } OPENID CONNECT ADDS THE IDENTITY TOKEN

19. JWT JSON WEB TOKEN RFC 7519 STANDARD, 2015

20. JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOi IxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiY WRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrH DcEfxjoYZgeFONFh7HgQ BASE64 ENCODED

21. JSON WEB TOKEN

22. JWT PAYLOAD { "sub": "1234567890", "iss": "https://sso.myapi.com", "aud": "myApi", "exp":

    1479814753, "name": "John Doe", "admin": true } RESERVED CLAIMS: sub, iss, aud, exp

23. OPEN ID CONNECT STANDARD CLAIMS http://openid.net/specs/openid-connect-core-1_0.html

24. ACCESS TOKEN { "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907", "token_type": "Bearer", "expires_in": 3600, "identity_token":

    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0" }
25. None
26. None
27. None
28. None

29. THANK YOU. ANY QUESTIONS? Slides: https://speakerdeck.com/dasniko Niko Köbler | www.n-k.de

    | [email protected] | @dasniko SSO & AUTHENTICATION IN API-BASED ENVIRONMENTS