Single Sign-On und User Self Service für den Hausgebrauch

Transcript

1. SSO für den Hausgebrauch
   Christopher J. Ruwe
   selbstständiger IT-Consultant
   

   View Slide

2. Problem
   ●
   mehrere Services sollen dem gleichen
   Nutzerkreis zur Verfügung gestellt
   werden
   ●
   die Services sollen nicht öffentlich sein
   ●
   Berechtigungen sollen nicht separat
   gepflegt werden (müssen)
   

   View Slide

3. Lösungsskizze
   ●
   auf einer zentralen Instanz werden Nutzer
   und Berechtigungen gepflegt
   ●
   es existiert ein Vertrauensverhältnis von
   allen Services zu dieser zentralen Instanz
   ●
   es existiert ein Mechanismus, Identitäten
   und/oder Berechtigungen zu transportieren
   

   View Slide

4. Protokolle (Auswahl)
   ● SAML v2.0 (Security Assertion Markup
   Languange): authn / authz
   ●
   OAuth v2.0 (Open Authorization): authz
   ● OIDC (OpenIF Connect): authn
   

   View Slide

5. Lingo
   ●
   Resource Owner
   ●
   Client
   ●
   Authorization
   Server
   ●
   Resource Server
   ●
   Realm
   ●
   Relying Party
   ● OpenID Provider
   ● End-User
   ● User Agent
   ●
   Resource Server
   

   View Slide

6. Authorization Code Grant:
   OAuth2, § 4.1
   (three-legged)
   Anwendung:
   ●
   Authentifizierung und
   Zugriffssteuerung
   Wann / Wer?:
   ● Web-Applikationen mit
   Server Komponente
   ● Desktop / Mobile App
   (PKCE)
   ● time-scoped with refresh
   Resource Owner
   Resource Owner
   User Agent
   User Agent
   Client App
   Client App
   Authorization Server
   Authorization Server
   Resource Server
   Resource Server
   1 access
   2 redirect + params
   3 authenticates
   4 validates
   5 auth code + redirect
   6 auth code
   7 auth code + redirect
   8 validates
   9 access (+ refresh) token
   10 access token
   11 validates
   12 resource
   13 whatever
   

   View Slide

7. auth endpoint
   GET /authorize
   ?response_type=code
   &client_id=s6BhdRkqt3&state=xyz
   &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
   HTTP/1.1
   Host: server.example.com
   HTTP/1.1 302 Found
   Location: https://client.example.com/cb
   ?code=SplxlOBeZQQYbYS6WxSbIA
   &state=xyz
   

   View Slide

8. token endpoint
   POST /token HTTP/1.1
   Host: server.example.com
   Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
   Content-Type: application/x-www-form-urlencoded
   grant_type=authorization_code
   &code=SplxlOBeZQQYbYS6WxSbIA
   &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
   

   View Slide

9. token endpoint
   HTTP/1.1 200 OK
   Content-Type: application/json;charset=UTF-8
   Cache-Control: no-store
   Pragma: no-cache
   {
   "access_token":"2YotnFZFEjr1zCsicMWpAA",
   "token_type":"example",
   "expires_in":3600,
   "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
   "example_parameter":"example_value"
   }
   

   View Slide

10. Resource Owner
    Resource Owner
    User Agent
    User Agent
    Client App
    Client App
    Authorization Server
    Authorization Server
    Resource Server
    Resource Server
    1 access
    2 redirect + params
    3 authenticates
    4 validates
    5 access token + redirect
    6 extract access token
    7 access token
    8 access token
    9 validates
    10 resource
    11 whatever
    Implicit Grant:
    OAuth2, § 4.2
    (two-legged)
    Anwendung:
    ● Authentifizierung und
    Zugriffssteuerung
    Wann / Wer?:
    ● Single Page App
    Caveat:
    ●
    Exfiltrierung von Tokens
    ● deprecated!
    

    View Slide

11. auth endpoint
    GET /authorize
    ?response_type=token
    &client_id=s6BhdRkqt3
    &state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
    HTTP/1.1
    Host: server.example.com
    HTTP/1.1 302 Found
    Location: http://example.com/cb
    #access_token=2YotnFZFEjr1zCsicMWpAA
    &state=xyz
    &token_type=example
    &expires_in=3600
    

    View Slide

12. Resource Owner Password
    Credentials Grant:
    OAuth2, § 4.3
    Anwendung:
    ● Authentifizierung und
    Zugriffssteuerung
    Wann / Wer?:
    ● trusted clients
    Resource Owner
    Resource Owner
    Client App
    Client App
    Authorization Server
    Authorization Server
    Resource Server
    Resource Server
    1 access
    2 prompt creds
    3 provide creds
    4 pass creds and params
    5 validates
    6 pass access token
    7 send access token
    8 validates
    9 resource
    10 whatever
    

    View Slide

13. Client Credentials Grant:
    OAuth2, § 4.4
    Anwendung:
    ● Authentifizierung und
    Zugriffssteuerung von
    autnomen Apps
    Wann / Wer?:
    ● trusted clients
    non interactive
    Client App
    Client App
    Authorization Server
    Authorization Server
    Resource Server
    Resource Server
    1 pass creds and params
    2 validates
    3 pass access token
    4 send access token
    5 validates
    6 whatever
    

    View Slide

14. OIDC Authorization Code
    Flow
    OIDC v1.0, § 3.1
    Anwendung:
    ● User-Authentifizierung
    ● RP Authentifizierung
    ●
    SSO auf RP
    ● Authorisierung
    ● verschiedene Scopes
    Resource Owner User Agent
    Client App
    (Relying Party) OpenID Provider Resource Server
    1 access
    2 redirect + params
    3 authenticate at authorization endpoint
    4 validate
    5 auth code + redirect
    6 auth code
    7
    auth code to token
    endpoint
    8 validate
    9
    ID, access,
    (opt. refresh) token
    10 validate ID
    11 validate access
    12
    opt. request from
    userinfo endpoint)
    13 validate access
    14 additional claims
    

    View Slide

15. OIDC Authorization Code
    Flow
    OIDC v1.0, § 3.1
    Anwendung:
    ● User-Authentifizierung
    ● RP Authentifizierung
    ●
    SSO auf RP
    ● Authorisierung
    ● verschiedene Scopes
    Resource Owner User Agent Client App
    (Relying Party)
    OpenID Provider Resource Server
    8 validate
    9
    ID, access,
    (opt. refresh) token
    10 validate ID
    11 validate access
    12
    opt. request from
    userinfo endpoint)
    13 validate access
    14 additional claims
    15 access token
    16 validates
    17
    req add clains
    from user endpoint
    18 validate access
    19 return claims
    20 resource
    21 whatever
    

    View Slide

16. OIDC token
    {
    "sub" : "alice",
    "iss" : "https://openid.c2id.com",
    "aud" : "client-12345",
    "nonce" : "n-0S6_WzA2Mj",
    "auth_time" : 1311280969,
    "acr" : "c2id.loa.hisec",
    "iat" : 1311280970,
    "exp" : 1311281970
    }
    subject
    issuer
    audience
    authentication context class ref
    issued_at
    expires
    

    View Slide

17. Token
    eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRw
    Oi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiw
    KICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIi
    wKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ
    1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP9
    9Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccM
    g4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKP
    XfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvR
    YLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0
    nx7RkKU8NXNHq-rvKMzqg
    

    View Slide

18. Auslassungen
    ● OIDC Implicit Flow (§ 3.2)
    ●
    OIDC Hybrid Flow (§ 3.3)
    

    View Slide

19. Anwendung
    ●
    Vertrauensverhältnis von Ressourcen-
    Konsument zu Authorization Server /
    Identity Provider
    ● sichere Kommunikation zwischen den
    Komponenten
    

    View Slide

20. Funktionen für ein SSO
    auf Basis von OAuth/OIDC
    IDP: Keycloak
    Web u. SSL: nginx
    Zertifikate: Let‘s Encrypt
    Zert-Mgmt: cert-manager
    Mailer: mailu
    Cluster-Manager: k8s
    

    View Slide

21. cert-manager
    $ kubectl get clusterissuers.certmanager.k8s.io cruwe-le-prod --output=yaml
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: ClusterIssuer
    metadata:
    name: cruwe-le-prod
    spec:
    acme:
    email: [email protected]
    http01: {}
    privateKeySecretRef:
    name: issuer-cruwe-le-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    

    View Slide

22. cert-manager
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
    annotations:
    certmanager.k8s.io/cluster-issuer: cruwe-le-prod
    kubernetes.io/ingress.class: nginx
    name: www-cruwe-de
    namespace: www-cruwe-de
    spec:
    tls:
    - hosts:
    - www.cruwe.de
    secretName: www-cruwe-de-le-prod-certificate
    

    View Slide

23. keycloak
    

    View Slide

24. zum Einlesen
    ●
    RFC 6749: The OAuth 2.0 Authorization Framework
    ●
    https://medium.com/@robert.broeckelmann/saml-v2-0-vs-
    jwt-series-550551f4eb0d
    ●
    https://medium.com/@darutk/diagrams-and-movies-of-all-
    the-oauth-2-0-flows-194f3c3ade85 (Tahiko Kawasaki)
    ●
    https://openid.net/developers/specs/
    ●
    https://connect2id.com/learn/openid-connect
    ●
    RFC 7519: JSON Web Token (JWT)
    ●
    https://medium.com/@darutk/understanding-id-token-
    5f83f50fa02e
    

    View Slide