

A technical Introduction to OAuth2, OpenID Connect and JSON Web Tokens (NDC London 2013)

Dominick Baier

December 06, 2013



Transcript

  1. A technical Introduction to OAuth2, OpenID Connect and JSON Web Tokens
     The Security Stack for modern Applications
     Dominick Baier, http://leastprivilege.com, @leastprivilege
  2. Dominick Baier
     • Security consultant at thinktecture
     • Focus on
       – security in distributed applications
       – identity management
       – access control
       – Windows/.NET security
       – mobile app security
     • Microsoft MVP for Developer Security
     • [email protected]
     • http://leastprivilege.com
  3. Agenda
     • How we got there
     • OAuth2
     • OpenID Connect
     • JSON Web Tokens
  4. Scenario 2: Business to Customer
     § Mobile web apps / app store deployment
     § Reach and cross-platform become much more important
     (Diagram: Web API)
  5. (Delegated) authorization
     (Diagram: Applications use a Security Service and access Back end Services)
  6. History
     • OAuth started circa 2007
     • 2008 - IETF normalization started
     • 2010 - RFC 5849 defines OAuth 1.0
     • 2010 - WRAP (Web Resource Authorization Profiles) proposed by Microsoft, Yahoo! and Google
     • 2010 - OAuth 2.0 work begins in IETF
     • Working deployments of various drafts & versions at Google, Microsoft, Facebook, Github, Twitter, Flickr, Dropbox…
     • Mid 2012 – Lead author and editor resigned and withdrew his name from all specs
     • October 2012 – RFC 6749, RFC 6750
  7. OAuth2: The Players
     • Resource Owner – "owns" a resource, uses the Client, trusts the Authorization Server
     • Client (Confidential/Public, Trusted/Untrusted) – is registered with the Authorization Server, accesses the Resource Server
     • Authorization Server – issues access token
     • Resource Server – accessed by the Client
  8. OAuth2 Flows
     • Authorization Code Flow
       – front + back channel
       – "confidential" clients
     • Implicit Flow
       – front channel
       – native / user agent based clients
     • Resource Owner Password Credential Flow
       – back channel
       – trusted clients
     • Client Credentials Flow
       – back channel
       – service to service communication
  9. Authorization Code Flow (Web Application Clients)
     Participants: Web Application (Client), Resource Server, Resource Owner
  10. Step 1a: Authorization Request
     Participants: Web Application (Client), Authorization Server, Resource Owner
     GET /authorize?
         client_id=webapp&
         scope=resource&
         redirect_uri=https://webapp/cb&
         response_type=code&
         state=123
  11. The Consent Screen is important!
     http://zachholman.com/2011/01/oauth_will_murder_your_children/
  12. Step 1d: Authorization Response
     Participants: Web Application (Client), Authorization Server, Resource Owner
     GET /cb?
         code=xyz&
         state=123
  13. Step 2a: Token Request
     Participants: Web Application (Client), Authorization Server, Resource Owner
     POST /token
     Authorization: Basic (client_id:secret)

     grant_type=authorization_code&
     authorization_code=xyz
  14. Step 2b: Token Response
     Participants: Web Application (Client), Authorization Server, Resource Owner
     {
       "access_token": "abc",
       "expires_in": "3600",
       "token_type": "Bearer",
       "refresh_token": "xyz"
     }
  15. Step 3: Resource Access
     Participants: Web Application (Client), Resource Owner, Resource Server
     GET /resource
     Authorization: Bearer access_token
  16. (Step 4: Refreshing the Token)
     Participants: Web Application (Client), Resource Owner, Authorization Server
     POST /token
     Authorization: Basic (client_id:secret)

     grant_type=refresh_token&
     refresh_token=xyz
  17. Summary – Code Flow
     • Designed for "confidential" clients
       – client can store secret securely
       – typically server-based applications
     • Accountability is provided
       – access token never leaked to the browser
     • Long-lived access can be implemented
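Added example, not from the deck, of the client side of steps 1a, 1d and 2a above: it generates and remembers a random state per login attempt, accepts a callback only when its state matches a pending attempt (and only once), and then builds the back-channel token request authenticated with Basic client_id:secret. The URLs, client_id and secret are constructed values; the token request uses the parameter name `code` from RFC 6749 where the slide writes `authorization_code`.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class CodeFlowClient:
    """Client side of steps 1a, 1d and 2a of the authorization code flow (constructed example)."""

    def __init__(self, client_id, client_secret, redirect_uri, authorize_url, token_url):
        self.client_id = client_id
        self.client_secret = client_secret        # confidential client: the secret stays server-side
        self.redirect_uri = redirect_uri
        self.authorize_url = authorize_url
        self.token_url = token_url
        self._pending_states = set()              # states of login attempts still in flight

    def authorization_request(self, scope):
        # Step 1a: a fresh, unguessable state per attempt lets the callback be tied to a
        # request this client really started (rather than the fixed state=123 on the slide)
        state = secrets.token_urlsafe(16)
        self._pending_states.add(state)
        params = {"client_id": self.client_id, "scope": scope, "redirect_uri": self.redirect_uri,
                  "response_type": "code", "state": state}
        return f"{self.authorize_url}?{urlencode(params)}"

    def token_request(self, callback_url):
        # Step 1d: accept the callback only if its state is one we issued, and only once
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        if state not in self._pending_states:
            raise ValueError("unknown or reused state: callback rejected")
        self._pending_states.discard(state)
        if "error" in query:
            raise ValueError(f"authorization server returned error {query['error'][0]}")
        code = query["code"][0]
        # Step 2a: back-channel token request, client authenticated with Basic client_id:secret
        basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        return {
            "method": "POST",
            "url": self.token_url,
            "headers": {"Authorization": f"Basic {basic}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            # RFC 6749 names the code parameter "code" (the slide writes authorization_code)
            "body": urlencode({"grant_type": "authorization_code", "code": code,
                               "redirect_uri": self.redirect_uri}),
        }
```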
  18. JSON Web Token (JWT)
     Header:
       {
         "typ": "JWT",
         "alg": "HS256"
       }
     Claims:
       {
         "iss": "http://myIssuer",
         "exp": "1340819380",
         "aud": "http://myResource",
         "sub": "alice",
         "client": "xyz",
         "scope": ["read", "search"]
       }
     Encoded (Header.Claims.Signature):
       eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
  19. Step 1a: Authorization Request (Implicit Flow)
     Participants: Resource Server, Resource Owner, Client, Authorization Server
     GET /authorize?
         client_id=nativeapp&
         scope=resource&
         redirect_uri=http://localhost/cb&
         response_type=token&
         state=123
  20. Step 1b: Token Response
     Participants: Resource Owner, Client, Authorization Server, Resource Server
     GET /cb#
         access_token=abc&
         expires_in=3600&
         state=123
  21. Step 2: Resource Access
     Participants: Resource Owner, Client, Resource Server
     GET /resource
     Authorization: Bearer access_token
  22. Summary – Implicit Flow
     • Simplified handshake
       – no authorization code
     • Token is exposed to browser / local OS
     • No client authentication
       – no refresh tokens
       – often combined with cookies and web views or OS APIs
  23. Resource Owner Password Credential Flow (Trusted Application)
     Participants: Resource Owner, Client, Resource Server
  24. Step 1a: Token Request
     Participants: Resource Owner, Client, Authorization Server, Resource Server
     POST /token
     Authorization: Basic (client_id:secret)

     grant_type=password&
     scope=resource&
     user_name=owner&
     password=password
  25. Step 1b: Token Response
     Participants: Resource Owner, Client, Authorization Server, Resource Server
     {
       "access_token": "abc",
       "expires_in": "3600",
       "token_type": "Bearer",
       "refresh_token": "xyz"
     }
  26. Step 2: Resource Access
     Participants: Resource Owner, Client, Resource Server
     GET /resource
     Authorization: Bearer access_token
  27. Summary – Resource Owner Credential Flow
     • Resource owner credentials are exposed to client
       – users should not become accustomed to that
     • Still better to store access/refresh token on device than password
       – if the developer is using that feature
     • Typically client and back end built by same party
  28. Client Credentials Flow – No human involved at all
     Participants: Client, Authorization Server
     POST /token
     Authorization: Basic (client_id:secret)

     grant_type=client_credentials&
     scope=resource
  29. OAuth2 & Authentication
     • OAuth2 is for (delegated) authorization
       – authentication is part of that
       – …but with the authorization server, not the client
     • OAuth2 can be used as foundation for authentication
       – many "homegrown" solutions
     http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
     http://www.cloudidentity.com/blog/2013/01/02/oauth-2-0-and-sign-in-4/
  30. OAuth2 for Authentication: Request
     Participants: UserInfo RS, Resource Owner, Client, Authorization Server
     GET /authorize?
         client_id=nativeapp&
         redirect_uri=http://localhost/cb&
         scope=signin&
         response_type=token&
         state=123
  31. OAuth2 for Authentication: Response
     Participants: UserInfo RS, Resource Owner, Client, Authorization Server
     GET /cb?
         access_token=abc&
         userid=123&
         expires_in=3600&
         state=123
  32. OAuth2 for Authentication: Accessing User Profile
     Participants: UserInfo RS, Resource Owner, Client
     GET /userinfo
     Authorization: Bearer access_token
     → Firstname, Lastname, Email…
  33. Another Problem
     1. User logs into malicious app (app steals access token)
     2. Malicious developer uses stolen access token in legitimate app
     → Impersonated!
  34. OpenID Connect
     • OpenID Connect builds on top of OAuth2
       – Authorization Code Flow
       – Implicit Flow
       – (and some variations)
     • Specifies additional concepts
       – ID Token
       – UserInfo endpoint
     • ..and some additional protocols, e.g.
       – discovery & dynamic registration
       – session management
  35. OpenID Connect: The Players
     • Identity Provider: Authorization Endpoint, Token Endpoint, UserInfo Endpoint
     • User Agent
     • Client
  36. Step 1a: Authorization Request
     GET /authorize?
         client_id=webapp&
         redirect_uri=https://webapp/cb&
         scope=openid profile&
         response_type=code&
         state=123
  37. Scopes & Claims
     • OpenID defines a set of standard scopes and claims

     Scope           Claims
     profile         name, family_name, given_name, middle_name, nickname, preferred_username,
                     profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at
     email           email, email_verified
     address         address
     phone           phone_number, phone_number_verified
     offline_access  requests refresh token
  38. Step 1b: Authentication
     (Diagram: User Agent, Client and the Identity Provider endpoints)
  39. Step 1c: Consent
     "Application WebApp asks for permission to access your profile"
  40. Step 1d: Authorization Response
     GET /cb?
         code=abc&
         state=123
  41. Step 2a: Token Request
     POST /token
     Authorization: Basic (client_id:secret)

     grant_type=authorization_code&
     authorization_code=abc&
     redirect_uri=https://webapp/cb
  42. Step 2b: Token Response
     {
       "access_token": "abc",
       "id_token": "uvw",
       "expires_in": "3600",
       "token_type": "Bearer",
       "refresh_token": "xyz"
     }
  43. ID Token
     • JWT that contains claims about the authentication event
       – Issuer (iss)
       – Subject (sub)
       – Audience (aud)
       – Expiration (exp)
     • Client must validate the ID token at this point
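Added example, not from the deck, of the validation the ID Token slide demands and of the JWT structure shown on the JSON Web Token slide: split the three base64url segments, verify the HS256 signature against a shared key, then check iss, aud and exp before trusting any claim. Pinning the algorithm means a header like the `{"alg":"none"}` encoded in the sample token on the JWT slide is refused, and the aud check is what defeats the stolen-token substitution from the "Another Problem" slide, since a token issued to another client is not accepted. The key, issuer and client_id values in the test are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(part):
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_hs256_jwt(claims, key):
    # Issuer side (constructed fixture): header.claims.signature as on the JWT slide
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def validate_id_token(token, key, issuer, client_id, now=None):
    """Client side: verify the signature, then iss/aud/exp, before trusting any claim."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected header.claims.signature")
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm; a header such as {"alg":"none"} is refused outright
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("token from an unexpected issuer")
    # aud must name this client: a token issued to some other app (stolen or not) is rejected
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client")
    # exp may arrive as a number or, as on the slide, as a numeric string
    if int(claims.get("exp", 0)) <= (now if now is not None else int(time.time())):
        raise ValueError("token has expired")
    return claims
```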
  44. Step 3a: UserInfo Request
     GET /userinfo
     Authorization: Bearer access_token
  45. Step 3b: UserInfo Response
     {
       "sub": "248289761001",
       "name": "Jane Doe",
       "email": "[email protected]"
     }
  46. Summary
     • OAuth2 is a foundation (or framework)
       – least common denominator technology
       – delegated authorization
       – extensible
     • OpenID Connect is an authentication protocol
       – built on top of OAuth2 extensibility
       – interoperable
     • JSON Web Token is a standardized token format
       – issuer, lifetime, audience + other claims
       – signatures & encryption