
Modern Applications need modern Identity (2016 Edition)

Dominick Baier

April 19, 2016


Transcript

  1. Modern Applications need modern Identity: OpenID Connect & OAuth 2.0
     Dominick Baier, [email protected], http://leastprivilege.com, @leastprivilege
  2. Dominick Baier (@leastprivilege)
     • Independent Consultant
       – Specializing in Identity & Access Control
       – Working with Software Development Teams (ISVs and in-house)
     • Creator and Maintainer of the IdentityServer OSS Project
       – OpenID Connect & OAuth 2.0 Implementation for ASP.NET
       – .NET Foundation Advisory Board
       – http://identityserver.io
     [email protected], http://leastprivilege.com, slides: https://speakerdeck.com/leastprivilege
  3. Then this happened…
     No SOAP. No SAML. No WS*. No Windows. No Enterprise. HTTP. JSON.
  4. Modern Applications (diagram)
     Clients: Browser, Native App, Server App, "Thing". Backends: Web App, Web APIs, Security Token Service.
  5. Security Protocols (I) (diagram)
     Browser / Web App ↔ Security Token Service: WS-Fed, SAML 2.0, OpenID Connect*
  6. Security Protocols (II) (diagram)
     Browser / Web App ↔ Security Token Service: WS-Fed, SAML 2.0, OpenID Connect*
     Native App, Server App, "Thing" and Web APIs ↔ Security Token Service: OAuth 2.0
  7. What's wrong with SAML (& WS-Federation)?
     Craig Burton (#CIS2012): “SAML is the Windows XP of Identity.” “No funding. No innovation. People still use it. But it has no future. SAML is dead != SAML is bad. SAML is dead != SAML isn’t useful. SAML is dead means SAML != the future.”
  8. OpenID Connect in a Nutshell (diagram)
     Browser and Native App → Web App / Web API: authenticate users, request access tokens for APIs
  9. Flows
     • Implicit Flow
       – browser-based applications
       – no explicit client authentication
     • Hybrid Flow
       – native/mobile applications
       – client authentication
     • Client Credentials Flow
       – server to server communication
       – headless devices / IoT
  10. Authentication for Web Applications
      GET /authorize
        ?client_id=app1
        &redirect_uri=https://app.com/cb
        &response_type=id_token
        &response_mode=form_post
        &nonce=j1y…a23
        &scope=openid email
  11. Identity Token
      Header:
        { "typ": "JWT", "alg": "RS256", "kid": "mj399j…" }
      Claims:
        { "iss": "https://idsrv3", "exp": 1340819380, "aud": "app1", "nonce": "j1y…a23",
          "sub": "182jmm199", "email": "[email protected]", "email_verified": true,
          "amr": [ "password" ], "auth_time": 12340819300 }
      Compact serialization (Header.Claims.Signature, each part base64url-encoded), e.g.:
        eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
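The authorize request from slide 10 and the claim checks a relying party must run on the identity token from slide 11, as an added Python example that is not part of the deck. The issuer https://idsrv3, client id app1 and the sample claim values come from the slide; make_sample_token and its dummy signature are constructed for offline use, and signature verification against the key named by kid is assumed to have been done by a JWT library before these checks run.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://idsrv3"   # issuer and client id taken from the deck's sample token
CLIENT_ID = "app1"

def build_authorize_url(authority, client_id, redirect_uri, scope):
    """Slide-10 request. Returns the URL and the fresh nonce the app must keep (e.g. in its session)."""
    nonce = secrets.token_urlsafe(16)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "id_token", "response_mode": "form_post",
              "nonce": nonce, "scope": scope}
    return f"{authority}/authorize?{urlencode(params)}", nonce

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def validate_id_token_claims(id_token, expected_nonce, now=None):
    """Claim checks the relying party must make on a received identity token.
    Assumes the signature was already verified against the issuer's key (header 'kid')
    by the JWT library; this function deliberately does not do that part."""
    now = now if now is not None else int(time.time())
    header_b64, claims_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(claims_b64))
    if header.get("alg") in (None, "none"):
        raise ValueError("unsigned token")          # 'alg: none' must never be accepted
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replay or wrong session)")
    return claims

def make_sample_token(claims, alg="RS256"):
    """Constructed sample for offline use: base64url header and claims with a dummy signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': alg, 'kid': 'mj399j'})}.{enc(claims)}.dummysig"
```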
  12. ASP.NET Middleware for OpenID Connect (OWIN/Katana)
      // OpenID Connect middleware: authenticates the user against the authority and
      // hands the resulting identity to the cookie middleware named below
      app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
      {
          Authority = "https://identityserver.io",
          ClientId = "myapp",
          RedirectUri = "https://myapp.com",
          ResponseType = "id_token",
          Scope = "openid email",
          SignInAsAuthenticationType = "Cookies"
      });

      // Cookie middleware: keeps the authenticated session after the token was validated
      app.UseCookieAuthentication(new CookieAuthenticationOptions
      {
          AuthenticationType = "Cookies"
      });
  13. Calling an API using Client Identity
      Token request (client credentials flow):
        POST /token
        grant_type=client_credentials&scope=api1&client_id=client&client_secret=secret
        → <token>
      API call:
        Authorization: Bearer <token>
  14. Web Applications
      • OpenID Connect Hybrid Flow combines
        – user authentication (identity token)
        – access to APIs (access token)
      • Additional security features
        – access tokens not exposed to the browser
        – (optional) long-lived API access
  15. Hybrid Flow Request
      GET /authorize
        ?client_id=app1
        &redirect_uri=https://app.com/cb
        &response_type=code id_token
        &response_mode=form_post
        &nonce=j1y…a23
        &scope=openid email api1 api2
  16. Hybrid Flow Response (form_post to the redirect URI)
      POST /cb
      <form>
        <input type="hidden" name="id_token" value="xjsj…aas" />
        <input type="hidden" name="code" value="i8j1…jj19" />
      </form>
  17. Retrieving the Access Token
      • Exchange code for access token
        – using client id and secret
      Request: code (client_id:client_secret)
      Response: { access_token: "xyz…123", expires_in: 3600, token_type: "Bearer" }
  18. Access Token Lifetime Management
      • Access tokens have finite lifetimes
        – requesting a new token requires a browser round trip to the authorization server
        – should be as short-lived as possible
      • Refresh tokens allow renewal semantics
        – no user interaction required
        – typically combined with a revocation feature
  19. Requesting a Refresh Token
      GET /authorize
        ?client_id=app1
        &redirect_uri=https://app.com/cb
        &response_type=code id_token
        &response_mode=form_post
        &nonce=j1y…a23
        &scope=openid email api1 offline_access
  20. Retrieving the Access Token (w/ Refresh Token)
      Request: code (client_id:client_secret)
      Response: { access_token: "xyz…123", refresh_token: "jdj9…192j", expires_in: 3600, token_type: "Bearer" }
  21. Refreshing an Access Token
      Request: refresh_token (client_id:client_secret)
      Response: { access_token: "xyz…567", refresh_token: "jdj9…203j", expires_in: 3600, token_type: "Bearer" }
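The lifetime and renewal behaviour of slides 18 to 21 (short-lived access tokens, refresh without user interaction, rotated refresh tokens, revocation), as an added Python example that is not part of the deck. TokenEndpoint is a constructed stand-in for the authorization server's token endpoint, not IdentityServer code; TokenCache is the client-side holder, and the client id app1 and the 3600 second lifetime are the deck's sample values.

```python
import secrets
import time

class TokenEndpoint:
    """Constructed stand-in for the authorization server's /token endpoint (not IdentityServer code).
    Access tokens live expires_in seconds; every refresh rotates the refresh token, as on slide 21."""
    def __init__(self, lifetime=3600):
        self.lifetime = lifetime
        self._active_refresh_tokens = set()

    def _issue(self):
        refresh_token = secrets.token_urlsafe(16)
        self._active_refresh_tokens.add(refresh_token)
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": refresh_token,
                "expires_in": self.lifetime, "token_type": "Bearer"}

    def exchange_code(self, code, client_id, client_secret):
        """Slide-20 exchange; validating the code itself is out of scope for this example."""
        return self._issue()

    def refresh(self, refresh_token, client_id, client_secret):
        """Slide-21 renewal: the presented refresh token is consumed and a new pair is returned."""
        if refresh_token not in self._active_refresh_tokens:
            raise PermissionError("invalid_grant")   # unknown, already rotated, or revoked
        self._active_refresh_tokens.discard(refresh_token)
        return self._issue()

    def revoke(self, refresh_token):
        """The revocation feature the deck mentions: the token can no longer be used to renew."""
        self._active_refresh_tokens.discard(refresh_token)

class TokenCache:
    """Client-side holder that renews shortly before expiry, without user interaction."""
    def __init__(self, endpoint, response, client_id, client_secret, skew=60):
        self.endpoint, self.client_id, self.client_secret, self.skew = endpoint, client_id, client_secret, skew
        self._store(response)

    def _store(self, response):
        self.access_token = response["access_token"]
        self.refresh_token = response["refresh_token"]      # always keep the rotated token
        self.expires_at = time.time() + response["expires_in"]

    def get_access_token(self, now=None):
        now = time.time() if now is None else now
        if now >= self.expires_at - self.skew:
            self._store(self.endpoint.refresh(self.refresh_token, self.client_id, self.client_secret))
        return self.access_token
```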
  22. Native/Mobile Applications
      • Applications with access to native OS services
        – e.g. secure data storage
      • Usage of an "in-app browser tab" to show the login UI
        – helps prevent key logging and spoofing attacks
        – cross-app single sign-on
        – support for password managers
      • Requires inter-process communication
        – usage of reverse domain name redirect URIs
        – RFC 7636 (PKCE - Proof Key for Code Exchange)
  23. Hybrid Flow w/ PKCE
      GET /authorize
        ?client_id=nativeapp
        &scope=openid email api1 api2 offline_access
        &redirect_uri=com.mycompany.nativeapp://cb
        &response_type=code id_token
        &code_challenge=x929..1921
      code_verifier = random_number
      code_challenge = hash(code_verifier)
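The PKCE exchange of slides 23 and 24 carried through with the RFC 7636 S256 method, as an added Python example that is not part of the deck: the client derives code_challenge from a random code_verifier, and the server only redeems a code for the verifier that matches the challenge it was issued with. AuthorizationServer is a constructed stand-in for the server side, not IdentityServer code; the client id nativeapp, the scopes and the reverse-domain redirect URI are the deck's sample values.

```python
import base64
import hashlib
import hmac
import secrets

def make_code_verifier(nbytes=32):
    """RFC 7636 code_verifier: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes give 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()

def make_code_challenge(code_verifier):
    """The deck's hash(code_verifier), S256 method: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_pkce_authorize_params(client_id, redirect_uri, scope, code_challenge):
    """Slide-23 request parameters; the verifier stays on the device, only the challenge is sent."""
    return {"client_id": client_id, "scope": scope, "redirect_uri": redirect_uri,
            "response_type": "code id_token", "code_challenge": code_challenge,
            "code_challenge_method": "S256", "nonce": secrets.token_urlsafe(16)}

class AuthorizationServer:
    """Constructed stand-in for the server side (not IdentityServer code): it remembers the
    challenge per issued code and will only redeem the code for the matching verifier."""
    def __init__(self):
        self._codes = {}

    def authorize(self, params):
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("invalid_request: PKCE with S256 is required")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (params["client_id"], params["code_challenge"])
        return code                                   # delivered to com.mycompany.nativeapp://cb

    def token(self, code, code_verifier, client_id):
        """Slide-24 exchange: code + code_verifier; client_id must be the one the code was issued to."""
        entry = self._codes.pop(code, None)           # single use: a replayed code is refused
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant")
        if not 43 <= len(code_verifier) <= 128:
            raise PermissionError("invalid_grant: verifier length")
        if not hmac.compare_digest(make_code_challenge(code_verifier), entry[1]):
            raise PermissionError("invalid_grant: verifier does not match challenge")
        return {"access_token": secrets.token_urlsafe(24), "expires_in": 3600, "token_type": "Bearer"}
```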
  24. Retrieving Access Token
      Request: code & code_verifier (client_id:client_secret)
      Response: { access_token: "xyz…123", refresh_token: "dxy…103", expires_in: 3600, token_type: "Bearer" }
  25. Libraries for Native Apps
      • Native
        – https://github.com/openid/AppAuth-iOS
        – https://github.com/openid/AppAuth-Android
      • Portable / Xamarin
        – https://github.com/IdentityModel/IdentityModel.OidcClient
  26. JavaScript Applications
      • OpenID Connect Implicit Flow designed for JS/browser-based applications
        – simplified flow
        – no secret required
        – limited features