OAuth2, OIDC & JWT - Important Basics!

Niko Köbler

May 03, 2022

Transcript

  1. OAUTH2, OIDC & JWT
    NIKO KÖBLER (@DASNIKO)
    KEYCLOAK-EXPERTE.DE

  2. Niko Köbler | keycloak-experte.de
    Keycloak IAM & SSO
    ABOUT ME
    ▸ Freelance Consultant/Architect/Developer/Trainer
    ▸ Doing stuff with & without Computers, Software, > 25 yrs
    ▸ "Mr. Keycloak" > 9 yrs (since 1.x)
    ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
    ▸ Author of „Serverless Computing in AWS Cloud“
    serverlessbuch.de
    ▸ Web: www.n-k.de / Social: @dasniko
    ▸ YouTube: youtube.com/@dasniko

  3. OAUTH2
    OIDC
    JWT

  4. AUTHORIZATION
    AUTHENTICATION

  5. OAUTH2
    AUTHORIZATION, NOT AUTHENTICATION!
    IETF, RFC 6749, 2012
    The OAuth 2.0 authorization framework
    enables a 3rd-party application to obtain
    limited access to an HTTP service.

  6. OAUTH2 GRANT TYPES
    GRANT TYPE                            APPS
    Authorization Code                    Web, Apps
    Implicit                              JavaScript, etc.
    Resource Owner Password Credentials   Apps
    Client Credentials                    Web
    Refresh                               Web, Apps

  7. PROOF KEY FOR CODE EXCHANGE (PKCE)
    Actors: User (Resource Owner), Application (Client), Identity Provider (Authorization Server)
    ‣ Client creates a Code Verifier (ABC123) and derives the Code Challenge from it as a SHA256 hash (e0bebd22…)
    ‣ Login: HTTP Redirect to the Identity Provider with Code Challenge & Code Challenge Method
    ‣ HTTP Redirect back to the Client with Authorization Code
    ‣ HTTP POST with Authorization Code and Code Verifier
    ‣ Identity Provider: Code Challenge Comparison
    ‣ HTTP Response with Access Token
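    The PKCE flow from this slide, written out as an added example (not code from the deck or from Keycloak): the client side derives the S256 challenge from the verifier, and a toy authorization server stores the challenge at login and compares it against the verifier posted to the token endpoint. `AuthorizationServer` and `pkce_round_trip` are illustrative names assumed here.

```python
import base64
import hashlib
import secrets

def b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 chars)."""
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    """Client side: challenge = BASE64URL(SHA256(ASCII(verifier))); sent with the login redirect."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Toy stand-in for the Identity Provider (assumed name); it models only the PKCE bookkeeping."""
    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge received at login

    def authorize(self, code_challenge: str, method: str) -> str:
        """Authorization endpoint: remember the challenge, hand back a one-time code via redirect."""
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' would send the verifier itself over the redirect")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        """Token endpoint: recompute the challenge from the posted verifier and compare it."""
        expected = self._pending.pop(code, None)  # pop: an authorization code is single-use
        if expected is None:
            return None  # unknown or already-redeemed code
        if not secrets.compare_digest(code_challenge_s256(code_verifier), expected):
            return None  # verifier does not match the challenge sent at login
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}

def pkce_round_trip(server: AuthorizationServer, tampered_verifier: str = ""):
    """Run the slide's flow end to end; pass a wrong verifier to see the comparison reject it."""
    verifier = make_code_verifier()
    code = server.authorize(code_challenge_s256(verifier), "S256")
    return server.token(code, tampered_verifier or verifier)
```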

  8. OAUTH2.1
    IETF, OAUTH 2.1 DRAFT
    ‣ PKCE is required for all clients using the authz code flow
    ‣ Redirect URIs must be compared using exact string matching
    ‣ The Implicit grant is omitted from this specification
    ‣ The Resource Owner Password Credentials grant is omitted from this specification

  9. OAUTH2 TERMS
    Resource Owner
    Client
    Authorization Server
    Resource Server
    Redirect URI
    Response Type
    Scope
    Consent
    Client ID
    Client Secret
    Authorization Code
    Access Token

  10. ACCESS TOKEN
    {
    "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0",
    "refresh_expires_in": 36000
    }

  11. OPEN ID CONNECT
    AUTHENTICATION LAYER ON TOP OF OAUTH 2.0
    ‣ verify the identity of an end-user
    ‣ obtain basic profile information about the user
    ‣ RESTful HTTP API, using JSON as data format
    ‣ allows clients of all types (web-based, mobile, JavaScript)
    OPENID FOUNDATION, 2014

  13. OIDC
    {
    "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
    "token_type": "Bearer",
    "expires_in": 3600,
    "id_token": "???",
    "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0",
    "refresh_expires_in": 36000
    }
    OPENID CONNECT ADDS THE IDENTITY TOKEN

  14. JWT
    JSON WEB TOKEN
    RFC 7519 STANDARD, 2015

  15. JWT
    eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImQyMDM2MGU4LTgyOTUtNDlhNy1iOGQzLTMxOWU3MWI2ODk4MiJ9.eyJqdGkiOiJhYzMwYWM3Ni00NTQ5LTRiMWMtOTQwYi1hMGNjNjU1NTNkM2YiLCJpc3MiOiJodHRwOi8va2V5Y2xvYWsuZGUiLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.H6T2YmhH-7nsp3zUu9XE7Cs-62J6D38KsXcIO6ZmxDikJ…
    BASE64 ENCODED

  16. JSON WEB TOKEN

  17. JWT PAYLOAD
    {
    "jti": "b7f7b763-240c-4560-827b-d7635e4b2213",
    "sub": "c7bd0190-7fbd-42bd-8929-63f2a17473fb",
    "iss": "https://sso.myapi.com",
    "aud": "myApi",
    "exp": 1686767014,
    "iat": 1686763414,
    "nbf": 1686763414
    }
    RESERVED CLAIMS:
    jti, sub, iss, aud, exp, iat, nbf
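    An added example (not code from the deck) covering the JWT structure from the "JWT" slide and the reserved claims on this one: it splits the header.payload.signature form, base64url-decodes the two JSON parts, and checks iss, aud, exp and nbf the way a resource server should before trusting a token. The sample token is constructed from this slide's payload under a placeholder header and a placeholder signature; signature verification itself is deliberately out of scope, since it needs the issuer's key (looked up by kid).

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def split_jwt(token: str):
    """Return (header, payload, signature_segment). Nothing here proves the token is authentic."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts[2]

def check_reserved_claims(payload: dict, iss: str, aud: str, now: int, leeway: int = 0) -> list:
    """Names of reserved claims that fail for this resource server; an empty list means all passed."""
    failed = []
    if payload.get("iss") != iss:
        failed.append("iss")  # token minted by a different issuer
    claimed = payload.get("aud")
    if aud not in (claimed if isinstance(claimed, list) else [claimed]):
        failed.append("aud")  # token meant for another API; aud may be a string or a list
    if "exp" not in payload or now >= payload["exp"] + leeway:
        failed.append("exp")  # missing or expired; never accept a token without an expiry
    if now < payload.get("nbf", now) - leeway:
        failed.append("nbf")  # not yet valid
    return failed

# Constructed sample: this slide's payload under a placeholder header; the signature segment is
# a placeholder, not a real RS256 signature over the first two segments.
SAMPLE_PAYLOAD = {
    "jti": "b7f7b763-240c-4560-827b-d7635e4b2213",
    "sub": "c7bd0190-7fbd-42bd-8929-63f2a17473fb",
    "iss": "https://sso.myapi.com",
    "aud": "myApi",
    "exp": 1686767014,
    "iat": 1686763414,
    "nbf": 1686763414,
}
SAMPLE_JWT = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    b64url_encode(b"placeholder-signature"),
])

if __name__ == "__main__":
    header, payload, _ = split_jwt(SAMPLE_JWT)
    print(header["kid"], check_reserved_claims(payload, "https://sso.myapi.com", "myApi", now=1686765000))
```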

  18. OPEN ID CONNECT STANDARD CLAIMS
    http://openid.net/specs/openid-connect-core-1_0.html

  19. TOKEN RESPONSE
    {
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "token_type": "Bearer",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIn0...",
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refresh_expires_in": 36000
    }

  20. OIDC
    OPENID CONNECT ADDS THE
    USERINFO ENDPOINT

  21. THANK YOU.
    ANY QUESTIONS?
    Slides: https://speakerdeck.com/dasniko
    Niko Köbler | www.n-k.de | [email protected] | @dasniko
    OAUTH2, OIDC & JWT