
SAML, OAuth & OIDC

Niko Köbler
September 19, 2024

Transcript

  1. ABOUT ME
     ▸ Independent Consultant/Architect/Developer/Trainer
     ▸ Doing stuff with & without Computers, Software, > 25 yrs
     ▸ "Mr. Keycloak" since 2015 (v1.x)
     ▸ Organizer of Keycloak DevDay Conf (keycloak-day.dev)
     ▸ Co-Lead of JUG DA (www.jug-da.de / @JUG_DA)
     ▸ Author of „Serverless Computing in AWS Cloud“
     ▸ Web: www.n-k.de / Social: @dasniko / YouTube: youtube.com/@dasniko
  2. SAML (Security Assertion Markup Language)
     The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners.
  3. SAML (Security Assertion Markup Language): NameID examples
     [email protected]
     johndoe
     <NameIDFormat/>
     <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  4. SAML SP METADATA
     <md:EntityDescriptor entityID="IAMShowcase" validUntil="2025-12-09T09:13:31.006Z">
       <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
         <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sptest.iamshowcase.com/acs" index="0" isDefault="true"/>
       </md:SPSSODescriptor>
     </md:EntityDescriptor>
     https://sptest.iamshowcase.com/testsp_metadata.xml
  5. SAML IDP METADATA
     <md:EntityDescriptor entityID="https://keycloak.de">
       <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
         <md:KeyDescriptor use="signing">
           <ds:KeyInfo>
             <ds:KeyName>Aqlqie2Iyp7r718C0SKfSN2b96UwQpcA501nwWOUjxY</ds:KeyName>
             <ds:X509Data>
               <ds:X509Certificate>MIICnTCC...trxAQ==</ds:X509Certificate>
             </ds:X509Data>
           </ds:KeyInfo>
         </md:KeyDescriptor>
         <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.de/protocol/saml/resolve" index="0"/>
         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.de/protocol/saml"/>
         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.de/protocol/saml"/>
         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.de/protocol/saml"/>
         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.de/protocol/saml"/>
         <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
         <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
         <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.de/protocol/saml"/>
         <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.de/protocol/saml"/>
         <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.de/protocol/saml"/>
         <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.de/protocol/saml"/>
       </md:IDPSSODescriptor>
     </md:EntityDescriptor>
     https://lemur-7.cloud-iam.com/auth/realms/dasniko/protocol/saml/descriptor
  6. SAML
     ▸ Metadata for SP and IDP
     ▸ SP-initiated or IdP-initiated
     ▸ SAMLRequest & SAMLResponse
     ▸ EntityID
     ▸ Issuer
     ▸ Assertions
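The SP and IdP metadata documents on slides 4 and 5 are what each side loads to learn the other's entityID, endpoints, NameID formats and signing keys. The following is an added example (not code from the deck or from Keycloak) that reads both kinds of metadata with the Python standard library and applies the checks a relying party should make before trusting a document: no DTD or entity declarations (the classic XML-parser attack surface), a `validUntil` that has not passed, https-only endpoints, and, for an IdP, at least one signing key so that responses can be verified. The two metadata strings are constructed, trimmed copies of the slides with namespace declarations added so they parse; `DEMO_NOW` is a fixed, constructed "current time".

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed "current time"

# Constructed SP metadata, modelled on slide 4 (namespace declaration added so it parses).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="IAMShowcase" validUntil="2025-12-09T09:13:31.006Z">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sptest.iamshowcase.com/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata, a trimmed version of slide 5 (certificate body is a placeholder).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.de">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo>
      <ds:KeyName>Aqlqie2Iyp7r718C0SKfSN2b96UwQpcA501nwWOUjxY</ds:KeyName>
      <ds:X509Data><ds:X509Certificate>MIICnTCC...trxAQ==</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.de/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.de/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _saml_time(value):
    # SAML dateTime values are UTC ("Z"); the fractional part is optional.
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable SAML dateTime: " + value)


def _https(url):
    # Every endpoint we will redirect or POST to must be TLS-protected.
    if not url.startswith("https://"):
        raise ValueError("endpoint must be https: " + url)
    return url


def parse_metadata(xml_text, now=DEMO_NOW):
    # Metadata never needs a DTD; refusing one up front removes the entity-expansion
    # and external-entity attack surface before the XML parser ever sees the document.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not allowed in metadata")
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is not None and _saml_time(valid_until) <= now:
        raise ValueError("metadata expired at " + valid_until)
    result = {"entity_id": root.get("entityID"), "valid_until": valid_until}
    sp = root.find(MD + "SPSSODescriptor")
    idp = root.find(MD + "IDPSSODescriptor")
    role = sp if sp is not None else idp
    if role is None:
        raise ValueError("neither SP nor IdP role descriptor present")
    result["role"] = "SP" if sp is not None else "IDP"
    result["nameid_formats"] = [e.text.strip() for e in role.findall(MD + "NameIDFormat")]
    if sp is not None:
        result["want_assertions_signed"] = sp.get("WantAssertionsSigned") == "true"
        result["acs"] = [{"binding": s.get("Binding"),
                          "location": _https(s.get("Location", "")),
                          "default": s.get("isDefault") == "true"}
                         for s in sp.findall(MD + "AssertionConsumerService")]
        if not result["acs"]:
            raise ValueError("SP metadata has no AssertionConsumerService")
    else:
        result["want_authn_requests_signed"] = idp.get("WantAuthnRequestsSigned") == "true"
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        result["signing_keys"] = [kd.findtext(DS + "KeyInfo/" + DS + "KeyName")
                                  for kd in idp.findall(MD + "KeyDescriptor")
                                  if kd.get("use", "signing") == "signing"]
        if not result["signing_keys"]:
            raise ValueError("IdP metadata has no signing key; responses could not be verified")
        # Map the binding's short name (HTTP-POST, HTTP-Redirect, ...) to its endpoint.
        result["sso"] = {s.get("Binding").rsplit(":", 1)[1]: _https(s.get("Location", ""))
                         for s in idp.findall(MD + "SingleSignOnService")}
    return result


if __name__ == "__main__":
    print(parse_metadata(SP_METADATA))
    print(parse_metadata(IDP_METADATA))
```

In a real deployment the metadata is fetched from the URLs shown on the slides and its own XML signature is verified as well; that step is left out here because it needs an XML-DSig library, which the standard library does not provide.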
  7. OAUTH (Open Authorization)
     OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.
  8. OAUTH2 TOKEN RESPONSE
     {
       "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
       "token_type": "Bearer",
       "expires_in": 3600,
       "scope": "mail:send",
       "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0",
       "refresh_expires_in": 36000
     }
     No standardized and verifiable user information, not even with JWT, as access tokens should not contain personalized user information!
  9. OAUTH
     ▸ no standard metadata document (OIDC config doc is co-used)
     ▸ Redirections
     ▸ ClientID/ClientSecret
     ▸ Scopes
     ▸ Token Introspection
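Slides 8 and 9 make two points about plain OAuth 2.0: the token response tells the client nothing verifiable about the user, and an opaque access token is checked at the resource server by token introspection. The following is an added example (not code from the deck) showing both sides: a client parsing the slide-8 token response, and a resource server deciding whether to honour a bearer token using an RFC 7662-style introspection result. The introspection endpoint is replaced by a constructed in-memory table (`INTROSPECTION_RESPONSES`), `DEMO_NOW` is a fixed constructed clock, and the audience and client names are assumptions.

```python
import json

DEMO_NOW = 1_726_000_000  # constructed "current time", seconds since epoch

# The token response from slide 8 (with valid JSON punctuation).
TOKEN_RESPONSE = """{
  "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "mail:send",
  "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0",
  "refresh_expires_in": 36000
}"""

# Constructed stand-in for the authorization server's introspection endpoint (RFC 7662).
# The refresh token is listed as inactive: presenting it as a bearer token must fail.
INTROSPECTION_RESPONSES = {
    "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907": {
        "active": True, "token_type": "Bearer", "scope": "mail:send",
        "client_id": "mail-client", "sub": "johndoe", "aud": "mail-api",
        "iat": DEMO_NOW, "exp": DEMO_NOW + 3600,
    },
    "e339b569-6d95-482d-9534-5c0147136ab0": {"active": False},
}


def parse_token_response(body, now=DEMO_NOW):
    # Client side: validate the shape of the response before using the token.
    data = json.loads(body)
    for key in ("access_token", "token_type"):
        if not isinstance(data.get(key), str) or not data[key]:
            raise ValueError("token response missing " + key)
    if data["token_type"].lower() != "bearer":
        raise ValueError("unsupported token_type " + data["token_type"])
    expires_in = data.get("expires_in")
    if not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("expires_in missing or invalid")
    # Note what is NOT here: no subject, name or email. The client learns who the
    # user is only through an identity layer (OIDC), never from this response.
    return {
        "access_token": data["access_token"],
        "expires_at": now + expires_in,
        "scopes": frozenset(data.get("scope", "").split()),
        "refresh_token": data.get("refresh_token"),
    }


def introspect(token):
    # Stand-in for an authenticated POST to the introspection endpoint; unknown
    # tokens are reported as inactive, exactly like the real endpoint does.
    return INTROSPECTION_RESPONSES.get(token, {"active": False})


def authorize_bearer(token, required_scope, audience, now=DEMO_NOW):
    # Resource-server side: every decision comes from the introspection result,
    # never from anything the client claims about itself.
    info = introspect(token)
    if not info.get("active"):
        return False, "token inactive or unknown"
    if info.get("exp", 0) <= now:
        return False, "token expired"
    aud = info.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        return False, "token not issued for this resource server"
    if required_scope not in info.get("scope", "").split():
        return False, "missing scope " + required_scope
    return True, info.get("sub")


if __name__ == "__main__":
    tok = parse_token_response(TOKEN_RESPONSE)
    print(authorize_bearer(tok["access_token"], "mail:send", "mail-api"))
```

The `sub` returned on success is the only user identifier in this flow, and it comes from the authorization server over the back channel, which is the point of the slide: the access token itself carries no user data the client could read or trust.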
  10. OIDC (OpenID Connect)
      OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
  11. OIDC - IDENTITY
      ▸ ID-Token as JWT with verifiable signature
      ▸ User-Info endpoint
      ▸ Standard Claims (sub, name, given_name, family_name, nickname, preferred_username, profile, picture, website, email, email_verified, gender, birthdate, zoneinfo, locale, phone_number, phone_number_verified, address, updated_at)
  12. OIDC TOKEN RESPONSE
      {
        "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": "openid profile email",
        "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
        "refresh_token": "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldU...",
        "refresh_expires_in": 36000
      }
  13. OIDC
      ▸ .well-known/openid-configuration document
      ▸ Redirections
      ▸ ClientID/ClientSecret
      ▸ Scopes
      ▸ ID-Token
      ▸ Issuer
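Slides 11 to 13 together describe what makes OIDC an identity layer: the ID token is a JWT whose signature the client verifies, whose issuer must match the discovery document, and whose standard claims give the profile. The following is an added example (not code from the deck or from any library) that mints and then verifies an HS256 ID token using only the standard library; the `eyJhbGciOiJIUzI1NiIs...` header on slide 12 decodes to `{"alg":"HS256","typ":"JWT"}`, which is why HS256 is used here. The issuer, client id, client secret, `DEMO_NOW` clock and the sample claims are all constructed; `mint_id_token` stands in for the authorization server.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins: a subset of the .well-known/openid-configuration document,
# one client registration, and a fixed clock so the example is reproducible.
DISCOVERY = {"issuer": "https://idp.example.test/realms/demo"}
CLIENT_ID = "demo-client"
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"  # HS256 ID tokens are keyed on the client secret
DEMO_NOW = 1_726_000_000   # seconds since epoch, constructed
CLOCK_SKEW = 60            # tolerance for iat/exp, in seconds

# The OIDC standard claims listed on slide 11; anything else is provider-specific.
STANDARD_CLAIMS = (
    "sub", "name", "given_name", "family_name", "nickname", "preferred_username",
    "profile", "picture", "website", "email", "email_verified", "gender", "birthdate",
    "zoneinfo", "locale", "phone_number", "phone_number_verified", "address", "updated_at",
)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input, secret):
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def mint_id_token(claims, secret):
    # Stand-in for the authorization server: compact JWS with an HS256 signature.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = _hs256(f"{header}.{payload}".encode("ascii"), secret)
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_id_token(token, secret, expected_nonce, now=DEMO_NOW):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm to what this client registered; the header is attacker-controlled
    # input, so it must never choose the algorithm (this also rejects "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = _hs256(f"{parts[0]}.{parts[1]}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    # Claim checks from OIDC Core 1.0 section 3.1.3.7, in order.
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("issuer does not match discovery document")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) <= now - CLOCK_SKEW:
        raise ValueError("token expired")
    iat = claims.get("iat")
    if iat is None or iat > now + CLOCK_SKEW:
        raise ValueError("iat missing or in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch, possible replay")
    return claims


def profile_from_claims(claims):
    # Only the standard claims are portable across providers.
    return {k: claims[k] for k in STANDARD_CLAIMS if k in claims}


# Constructed sample: what the authorization server would put into the ID token.
SAMPLE_NONCE = "n-0S6_WzA2Mj"
SAMPLE_CLAIMS = {
    "iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "sub": "1234-5678",
    "exp": DEMO_NOW + 300, "iat": DEMO_NOW, "nonce": SAMPLE_NONCE,
    "preferred_username": "johndoe", "email": "johndoe@example.test",
    "email_verified": True, "realm_roles": ["user"],
}
SAMPLE_ID_TOKEN = mint_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)

if __name__ == "__main__":
    print(profile_from_claims(verify_id_token(SAMPLE_ID_TOKEN, CLIENT_SECRET, SAMPLE_NONCE)))
```

With RS256 (the more common choice, and what the refresh token header on slide 12 shows) the only change is that the signature is checked against the issuer's public key from the `jwks_uri` in the discovery document instead of the client secret; every claim check stays the same.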
  14. COMMON THINGS OF ALL 3…
      ▸ SSO concept / Delegation / Tokens
      ▸ Signatures / Keys
      ▸ EntityID / ClientID / Issuer
  15. COMMON PROBLEMS OF ALL 3…
      ▸ Implementation problems on the client / service provider side
      ▸ Insecure Libraries (parsing XML/JSON)
      ▸ Incomplete Verification of Assertions/Attributes/Claims/Signatures
      ▸ Not compatible with each other / not interchangeable
  16. SAML ▸ legacy, "enterprise", 3rd-party, off-the-shelf, …
      OAUTH ▸ only for 3rd-party AUTHORIZATION!
      OIDC ▸ greenfield, SPA, mobile, up-to-date, fancy…
  17. "SAML is to OIDC as SOAP is to REST." Joel Franusic (Developer@Okta)
  18. NIKO KÖBLER | www.n-k.de | [email protected] | @dasniko
      THANK YOU. ANY QUESTIONS?
      Slides & Links: https://linktr.ee/dasniko
  19. LINKS
      ▸ SAML Specifications, OASIS Open Foundation: https://wiki.oasis-open.org/security/FrontPage
      ▸ OAuth 2.0 Core, IETF, RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749
      ▸ OIDC Core 1.0, OpenID Foundation: https://openid.net/specs/openid-connect-core-1_0.html