
Authentication in Web, API-based & Distributed Environments


Niko Köbler

March 22, 2021

Transcript

  1. AUTHENTICATION IN WEB, API-BASED & DISTRIBUTED ENVIRONMENTS NIKO KÖBLER (@DASNIKO)

  2. ABOUT ME ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de ▸ Doing stuff with & without computers, writing Software, > 20 yrs ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA) ▸ Speaker at international Tech Conferences ▸ Author of „Serverless Computing in AWS Cloud“ serverlessbuch.de ▸ Twitter: @dasniko SSO & AUTHENTICATION IN API-BASED ENVIRONMENTS
  3. AUTHENTICATION AUTHORIZATION

  5. ?

  12. OAUTH2 AUTHORIZATION, NOT AUTHENTICATION! „The OAuth 2.0 authorization framework enables a 3rd-party application to obtain limited access to an HTTP service.“ IETF, RFC 6749, 2012
  13. OAUTH2 GRANT TYPES (grant type: typical clients)
    Authorization Code: Web, Apps
    Implicit: JavaScript, etc.
    Resource Owner Password Credentials: Apps
    Client Credentials: Web
    Refresh: Web, Apps
  14. OAUTH2 TERMS ‣ Resource Owner ‣ Client ‣ Authorization Server ‣ Resource Server ‣ Redirect URI ‣ Response Type ‣ Scope ‣ Consent ‣ Client ID ‣ Client Secret ‣ Authorization Code ‣ Access Token
  15. None
  16. ACCESS TOKEN { "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0" }
  17. OPEN ID CONNECT AUTHENTICATION LAYER ON TOP OF OAUTH 2.0 ‣ verify the identity of an end-user ‣ obtain basic profile information about the user ‣ RESTful HTTP API, using JSON as data format ‣ allows clients of all types (web-based, mobile, JavaScript) OPENID FOUNDATION, 2014
  18. OIDC { "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907", "token_type": "Bearer", "expires_in": 3600, "identity_token": "???", "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0" } OPENID CONNECT ADDS THE IDENTITY TOKEN
  19. JWT JSON WEB TOKEN RFC 7519 STANDARD, 2015

  20. JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ BASE64 ENCODED

  21. JSON WEB TOKEN

  22. JWT PAYLOAD { "sub": "1234567890", "iss": "https://sso.myapi.com", "aud": "myApi", "exp": 1479814753, "name": "John Doe", "admin": true } RESERVED CLAIMS: sub, iss, aud, exp
  23. OPEN ID CONNECT STANDARD CLAIMS http://openid.net/specs/openid-connect-core-1_0.html

  24. ACCESS TOKEN { "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907", "token_type": "Bearer", "expires_in": 3600, "identity_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0" }
  29. THANK YOU. ANY QUESTIONS? Slides: https://speakerdeck.com/dasniko Niko Köbler | www.n-k.de | niko@n-k.de | @dasniko
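Added example (not from the deck or its author): minting and verifying an HS256 JWT in the header.payload.signature form of slides 20 and 21, and checking the reserved claims sub, iss, aud and exp from slide 22 on the resource-server side. The HMAC secret, the clock value and the claim set are constructed for the demo; the issuer and audience values are the ones shown on slide 22.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HMAC key shared by issuer and API
ISSUER, AUDIENCE = "https://sso.myapi.com", "myApi"  # as shown on slide 22

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature, the three dot-separated base64url parts of slide 20."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims if signature, iss, aud and exp all check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm on the verifier side; the token must not choose it (e.g. "none").
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # payload is only trusted after this point
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    slide_claims = {"sub": "1234567890", "iss": ISSUER, "aud": AUDIENCE,
                    "exp": 1479814753, "name": "John Doe", "admin": True}
    token = mint(slide_claims)
    print(verify(token, now=1479814000)["name"])  # valid one instant before exp
```

Note that the exp value on slide 22 lies in 2016, so with the real clock the same token is rejected as expired; the explicit now parameter is there only to make the check reproducible.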