OAuth2, OIDC & JWT - Important Basics!

Niko Köbler

May 03, 2022
Transcript

  1. ABOUT ME
    Niko Köbler | keycloak-experte.de | Keycloak IAM & SSO
    ▸ Freelance Consultant/Architect/Developer/Trainer
    ▸ Doing stuff with & without Computers, Software, > 25 yrs
    ▸ "Mr. Keycloak" > 9 yrs (since 1.x)
    ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
    ▸ Author of "Serverless Computing in AWS Cloud" (serverlessbuch.de)
    ▸ Web: www.n-k.de / Social: @dasniko
    ▸ YouTube: youtube.com/@dasniko
  2. OAUTH2: AUTHORIZATION, NOT AUTHENTICATION!
    IETF, RFC 6749, 2012: "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service."
  3. OAUTH2 GRANT TYPES
    GRANT TYPE                           APPS
    Authorization Code                   Web, Apps
    Implicit                             JavaScript, etc.
    Resource Owner Password Credentials  Apps
    Client Credentials                   Web
    Refresh                              Web, Apps
  4. PROOF KEY FOR CODE EXCHANGE (PKCE)
    Parties: User (Resource Owner), Application (Client), Identity Provider (Authorization Server)
    ‣ The Client generates a random Code Verifier (e.g. ABC123) and derives the Code Challenge as its SHA256 hash (e.g. e0bebd22…)
    ‣ HTTP redirect to the Authorization Server with Code Challenge & Code Challenge Method; the User logs in
    ‣ HTTP redirect back to the Client with the Authorization Code
    ‣ HTTP POST from the Client to the Authorization Server with Authorization Code and Code Verifier
    ‣ Code Challenge Comparison: the Authorization Server hashes the received Code Verifier and compares it with the stored Code Challenge
    ‣ HTTP response with Access Token
  5. OAUTH 2.1 (IETF, OAuth 2.1 draft)
    ‣ PKCE is required for all clients using the authorization code flow
    ‣ Redirect URIs must be compared using exact string matching
    ‣ The Implicit grant is omitted from this specification
    ‣ The Resource Owner Password Credentials grant is omitted from this specification
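The PKCE exchange from slide 4 and the two OAuth 2.1 rules from slide 5 (mandatory PKCE, exact redirect URI matching), as an added example that is not part of the deck and not Keycloak's code. The authorization server, the client_id and the redirect URI are constructed for illustration; the HTTP redirects and POST of the real flow are reduced to two method calls, with the front-channel and back-channel steps marked in comments.

```python
"""PKCE (RFC 7636) authorization-code exchange against a toy authorization server.
Added example, stdlib only. The server, CLIENT_ID and REDIRECT_URI are constructed
for illustration; this is not Keycloak's code or any real provider's behaviour."""
import base64
import hashlib
import hmac
import secrets


def generate_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 §4.1: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes -> 43 base64url chars
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    # RFC 7636 §4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthzError(Exception):
    """Raised where a real server would answer with an OAuth error response."""


class AuthorizationServer:
    """Constructed toy authorization server: one exactly registered redirect URI per client."""

    def __init__(self, clients):
        self.clients = clients  # client_id -> registered redirect_uri
        self.pending = {}       # authorization code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method):
        # OAuth 2.1: redirect URIs are compared by exact string match, never by prefix
        if redirect_uri != self.clients.get(client_id):
            raise AuthzError("redirect_uri does not match the registered value")
        # OAuth 2.1: PKCE is mandatory for the authorization code flow; accept only S256
        if code_challenge_method != "S256" or not code_challenge:
            raise AuthzError("PKCE S256 code_challenge required")
        code = secrets.token_urlsafe(24)
        self.pending[code] = (client_id, redirect_uri, code_challenge)
        return code  # a real server sends HTTP 302 to redirect_uri?code=...&state=...

    def token(self, client_id, code, code_verifier, redirect_uri):
        bound = self.pending.pop(code, None)  # single use: a replayed code is already gone
        if bound is None:
            raise AuthzError("unknown or already used authorization code")
        if bound[0] != client_id or bound[1] != redirect_uri:
            raise AuthzError("code was issued to a different client or redirect_uri")
        # The proof: only the party that generated the verifier can reproduce the challenge
        if not hmac.compare_digest(code_challenge_s256(code_verifier), bound[2]):
            raise AuthzError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


CLIENT_ID = "my-app"                                # constructed
REDIRECT_URI = "https://app.example.com/callback"   # constructed


def honest_flow():
    """The exchange from the slide end to end; returns the token response."""
    server = AuthorizationServer({CLIENT_ID: REDIRECT_URI})
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge, "S256")  # front channel (browser)
    return server.token(CLIENT_ID, code, verifier, REDIRECT_URI)          # back channel (HTTP POST)


def stolen_code_is_rejected():
    """Attacker intercepts the code on the redirect but never saw the verifier."""
    server = AuthorizationServer({CLIENT_ID: REDIRECT_URI})
    verifier = generate_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, code_challenge_s256(verifier), "S256")
    try:
        server.token(CLIENT_ID, code, generate_code_verifier(), REDIRECT_URI)  # attacker's guess
    except AuthzError:
        return True
    return False


def prefix_redirect_is_rejected():
    """A redirect_uri that merely starts with the registered one must be refused."""
    server = AuthorizationServer({CLIENT_ID: REDIRECT_URI})
    challenge = code_challenge_s256(generate_code_verifier())
    try:
        server.authorize(CLIENT_ID, REDIRECT_URI + "/../../open-redirect", challenge, "S256")
    except AuthzError:
        return True
    return False


if __name__ == "__main__":
    print(honest_flow())
```

The `code_challenge_s256` function reproduces the test vector from RFC 7636 Appendix B, so it can be checked against any real authorization server. Note what PKCE does and does not buy: a code captured on the redirect is useless without the verifier, and the code is single-use, but the verifier must stay on the client that generated it and `state` (omitted here) is still needed against login CSRF.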
  6. OAUTH2 TERMS
    Resource Owner, Client, Authorization Server, Resource Server, Redirect URI, Response Type, Scope, Consent, Client ID, Client Secret, Authorization Code, Access Token
  7. OPENID CONNECT: AUTHENTICATION LAYER ON TOP OF OAUTH 2.0
    ‣ verify the identity of an end-user
    ‣ obtain basic profile information about the user
    ‣ RESTful HTTP API, using JSON as data format
    ‣ allows clients of all types (web-based, mobile, JavaScript)
    OPENID FOUNDATION, 2014
  9. OIDC: OPENID CONNECT ADDS THE IDENTITY TOKEN
    {
      "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
      "token_type": "Bearer",
      "expires_in": 3600,
      "id_token": "???",
      "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0",
      "refresh_expires_in": 36000
    }
    (refresh_expires_in is not defined by RFC 6749 or OpenID Connect Core; it is a Keycloak-specific addition to the token response.)
  10. JWT PAYLOAD
    {
      "jti": "b7f7b763-240c-4560-827b-d7635e4b2213",
      "sub": "c7bd0190-7fbd-42bd-8929-63f2a17473fb",
      "iss": "https://sso.myapi.com",
      "aud": "myApi",
      "exp": 1686767014,
      "iat": 1686763414,
      "nbf": 1686763414
    }
    REGISTERED CLAIMS (RFC 7519 §4.1 calls them "registered", not "reserved"): jti, sub, iss, aud, exp, iat, nbf
    exp, iat and nbf are NumericDate values (seconds since the Unix epoch); a resource server must check exp and nbf against its own clock, and iss and aud against its own configuration, before trusting any other claim.
  11. TOKEN RESPONSE
    {
      "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "token_type": "Bearer",
      "expires_in": 3600,
      "id_token": "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIn0...",
      "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "refresh_expires_in": 36000
    }
    All three tokens are JWTs here. The first (base64url) segment is the JOSE header: the access_token and refresh_token headers decode to {"alg":"HS256","typ":"JWT"}, the id_token header to {"alg":"RS256","typ":"JWT"}. Consumers must pin the algorithm they expect rather than trusting the alg value inside the token.
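How a resource server should treat the JWTs from slides 10 and 11: decode the header to see what it is dealing with, verify the signature with a pinned algorithm, and only then check the registered claims. Added example, stdlib only; it is neither Keycloak's code nor a JWT library. The signing key is constructed for the demo, the claims are the ones on slide 10. HS256 is used because it can be demonstrated without a key pair; an RS256 id_token like the one above is verified the same way except that the signature check uses the issuer's public key (normally fetched from its JWKS endpoint).

```python
"""JWT (RFC 7519) registered-claim validation with HS256 sign/verify, stdlib only.
Added example: not Keycloak's code and not a JWT library. KEY is constructed for
the demo; SLIDE_CLAIMS is the payload shown on the slide."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sso.myapi.com"
AUDIENCE = "myApi"
KEY = b"constructed-demo-secret-never-use-in-production"  # constructed

SLIDE_CLAIMS = {
    "jti": "b7f7b763-240c-4560-827b-d7635e4b2213",
    "sub": "c7bd0190-7fbd-42bd-8929-63f2a17473fb",
    "iss": ISSUER,
    "aud": AUDIENCE,
    "exp": 1686767014,
    "iat": 1686763414,
    "nbf": 1686763414,
}


class TokenError(ValueError):
    """Any reason to refuse a token; the message names the reason."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # RFC 7515 §2: no padding


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore padding


def peek_header(token: str) -> dict:
    """Decode the JOSE header only (alg, typ, kid); verifies nothing."""
    return json.loads(b64url_decode(token.split(".", 1)[0]))


def sign_hs256(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None, leeway=0) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: the token's own 'alg' must never select the verifier
    # (defeats alg=none and RS256-public-key-as-HMAC-secret confusion).
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # only now is the payload worth reading
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")  # RFC 7519: a string or an array of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise TokenError("not yet valid")
    return claims


def rejection_reason(token, key=KEY, issuer=ISSUER, audience=AUDIENCE, now=None):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_hs256(token, key, issuer, audience, now=now)
    except TokenError as err:
        return str(err)
    return None


if __name__ == "__main__":
    tok = sign_hs256(SLIDE_CLAIMS, KEY)
    print(peek_header(tok), rejection_reason(tok, now=1686765000), rejection_reason(tok))
```

`peek_header` works on the truncated tokens from the slide as printed, because it only needs the segment before the first dot. The order inside `verify_hs256` is deliberate: signature before claims, so nothing from an unverified payload influences a decision; `now` is a parameter only so the slide's 2023 timestamps can be tested, a real verifier uses the system clock with a few seconds of leeway.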