Вячеслав Михайлов «Как сделать Single Sign-On в веб-приложении в 10 строк кода»

Transcript

1. How to do SSO in ~10 lines of code Speaker

   Vyacheslav Mikhaylov ([email protected]) [ IT Talks | IT NotStop | .Net meetup ] 1

2. Today’s topics • Some theory and history • OAuth2 и

   Open ID Connect • IndentityServer/IdentityManager • Architecture • How to use 2

3. Terminology • Identification - login • Authentication – proof login

   is correct • Authorization – authenticated user can access to some resource 3

4. 4

5. 5

6. HTTP Basic Authentication 6

7. HTTP Digest Authentication 7

8. Forms Authentication 8

9. Token Authentication 9

10. Token Authentication 10

11. Token Authentication 11

12. Big picture 12

13. Big picture 13

14. Terminology 14 • OpenID Connect Provider (OP) - security token

    service, identity provider, authorization server, IP-STS and more. • Client • User - human • Scope • Identity scopes – openid, profile, email • Resource scopes – various API • Authentication/Token Request • Identity Token • Access Token

15. 15

16. Token structure (jwt.io) 16

17. Thinktecture Identity Server 17 • OpenID Connect and OAuth2 •

    Авторы • Dominick Baier • Brock Allen • Identity Server • Identity Manager • MembershipReboot

18. Features 18 • Authentication as a Service • Single Sign-on

    / Sign-out • Access Control for APIs • Federation • Customization everywhere

19. 19 Identity Manager Identity Server Membership Reboot User Storage MS

    SQL Token Service Storage MS SQL Store Users Auth Users Scope/Clients Storage MS SQL Scope/Clients Tokens/Sessions User Manage Users Login Show Login/Consent

20. 20 Server

21. 21 Server

22. 22 API

23. 23 API

24. 24 API

25. 25 Client

26. 26 Client

27. What is Identity Server 27 • Authorization/Authentication • Token •

    UserInfo • Discovery • Logout • Token Revocation • Token Introspection • Access Token Validation • Identity Token Validation

28. Customization 28 • AuthenticationSessionValidator, AuthorizationCodeStore • ClaimsProvider, ClientPermissionsService • ClientStore,

    ConsentService, ConsentStore • CorsPolicyService, CustomGrantValidators, CustomRequestValidator, CustomTokenResponseGenerator, CustomTokenValidator • EventService, ExternalClaimsFilter, LocalizationService, RedirectUriValidator • RefreshTokenService, RefreshTokenStore, ScopeStore • SecretParsers, SecretValidators, SigningKeyService • TokenHandleStore, TokenService, TokenSigningService, UserService • ViewService

29. Customization 29 • AuthenticationSessionValidator, AuthorizationCodeStore • ClaimsProvider, ClientPermissionsService • ClientStore,

    ConsentService, ConsentStore • CorsPolicyService, CustomGrantValidators, CustomRequestValidator, CustomTokenResponseGenerator, CustomTokenValidator • EventService, ExternalClaimsFilter, LocalizationService, RedirectUriValidator • RefreshTokenService, RefreshTokenStore, ScopeStore • SecretParsers, SecretValidators, SigningKeyService • TokenHandleStore, TokenService, TokenSigningService, UserService • ViewService

30. Customization 30 • ClientStore • ScopeStore • UserService • ViewService

31. What is Identity Manager 31 • Simple creating users, editing

    user information (passwords, email, claims, roles, etc.) and deleting users. • Replacement for the ASP.NET WebSite Administration tool User Management

32. What is MembershipReboot 32 • single- or multi-tenant account management

    • flexible account storage design (relational/SQL or object/NoSql) • claims-aware user identities • support for account registration, email verification, password reset, etc. • account lockout for multiple failed login attempts (password guessing) • extensible templating for email notifications • customizable username, password and email validation • notification system for account activity and updates (e.g. for auditing) • account linking with external identity providers (enterprise or social) • supports certificate based authentication • proper password storage (via PBKDF2) • configurable iterations • defaults to OWASP recommendations for iterations (e.g. 64K in year 2012) • two factor authentication support via mobile phone SMS messages or client certificates

33. Demo 33

34. Источники • https://habrahabr.ru/company/dataart/blog/262817/ • https://identityserver.github.io/Documentation/ • http://openid.net/connect/ • https://tools.ietf.org/html/rfc6749 34

35. Thank you To be continued…

36. Identity Server 36

37. 37 Identity Server