
Single Sign-on & Authentication for Mobile, Web & Desktop Applications

from Microsoft Technical Summit 2014, Berlin

Dominick Baier

November 12, 2014

Transcript

  1. Agenda

     • Authentication scenarios for mobile applications (WS-Federation, OpenID Connect, OAuth2)
     • The Microsoft technology stack (AD, ADFS, AAD, ADAL, Katana)
     • Corporate vs customer-facing applications
  2. Protocols

     • Browser -> Web application: WS-Fed, SAML 2.0, OpenID Connect
     • Browser -> Web API: OAuth2
     • Native app -> Web API: OAuth2
     • Server app -> Web API: OAuth2
     • Web application -> Web API, and Web API -> Web API: OAuth2
  3. Web Browser to Web App: WS-Federation, SAML 2.0, OpenID Connect

     Parties: Browser; WebApp (Katana); ADFS / AAD (SAML, WS-Fed, or OpenID Connect endpoint).
     WebApp service principal: • App ID URI • Reply URL
     1. Navigate to site
     2. Redirect to token service
     3. Sign in
     4. Send security token to Reply URL
     5. Set session
  4. JSON Web Tokens (JWT)

     Header:
     { "typ": "JWT", "alg": "HS256" }
     Claims:
     { "iss": "https://login.windows.net", "exp": 1340819380, "aud": "app1", "sub": "182jmm199",
       "email": "[email protected]", "email_verified": true, "amr": "password", "auth_time": 12340819300 }
     Encoded form, base64url segments separated by dots (Header.Claims.Signature):
     eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
  5. Native Client to Web API: OAuth 2.0 auth code grant, public client

     Parties: NativeApp (ADAL); ADFS / AAD (Authorize endpoint, Token endpoint); WebAPI (Katana).
     NativeApp service principal: • Client ID • Redirect URI
     WebAPI service principal: • App ID URI
     1. Request authorization code
     2. Sign in (the user sees a web pop-up)
     3. Return authorization code to the Redirect URI
  6. Authorization Code Request/Response

     GET https://login/adfs/oauth2/authorize
       ?response_type=code
       &resource=https://myservice
       &client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d
       &redirect_uri=http://myclient/

     << Stuff happens here to sign the user in... >>

     302 Found http://myclient/
       ?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ-_cqhsBff…
  7. Native Client to Web API: OAuth 2.0 auth code grant, public client (continued)

     4. Redeem authorization code at the Token endpoint
     5. Return access token, refresh token
     6. Send access token in the Authorization header to the WebAPI
  8. Token Request/Response

     POST https://login/adfs/oauth2/token
       grant_type=authorization_code
       &code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ_cqhsBffHFnGbeQHcm…
       &client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d
       &redirect_uri=http://myclient/
       &resource=https://myservice

     200 OK
     {
       "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5…",
       "token_type": "Bearer",
       "expires_in": "3599",
       "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMqzyrQrqeeZzKzwN…",
  9. Example AAD JWT Access Token (shortened)

     Header:
     { "typ": "JWT", "alg": "RS256", "x5t": "NGTFvdK-fythEuLwjpwAJOM9n-A" }
     Claims:
     {
       "aud": "http://myService",
       "iss": "https://sts.windows.net/81aabdd2-3682-48fd-9efa-2cb2fcea8557/",
       "iat": 1396468289, "nbf": 1396468289, "exp": 1396472189,
       "ver": "1.0",
       "tid": "81aabdd2-3682-48fd-9efa-2cb2fcea8557",
       "oid": "b3809430-6c28-4e43-870d-fa7d38636dcd",
       "upn": "[email protected]",
       "sub": "vl4OHydFcvAhqoncJsINb8E6KaAEzJH2D5iKKnZZy-A",
       "family_name": "Baier",
       "given_name": "Dominick",
       "appid": "fb715b0e-3ca9-45b8-9928-2329a776b42d"
     }
     Decode tokens at http://jwt.io/
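A decoder and validator for the token structure of slide 4, exercised against the claim set shown there, added here as an example that is neither the deck's code nor ADAL's or Katana's. It uses only the standard library, so the signature check is HS256 as in slide 4's header; the AAD token on slide 9 is RS256, where the x5t header selects the issuer's signing certificate and the check needs an RSA implementation, but the issuer, audience, exp and nbf checks are the same. The signing key is an assumption of the example. One caveat worth knowing: the encoded sample on slide 4 decodes to a header of {"alg":"none"} (it matches the unsecured-JWT example in the JWT specification), which is exactly the kind of token a validator must refuse.

```python
import base64
import hashlib
import hmac
import json
import time

# Values from slide 4; the HMAC key used in the tests is an assumption for the demonstration.
ISSUER = "https://login.windows.net"
AUDIENCE = "app1"
SLIDE4_ENCODED_HEADER = "eyJhbGciOiJub25lIn0"


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_header(token_or_segment):
    """Read the header without verifying anything: fine for key selection (x5t, kid), not for trust."""
    return json.loads(b64url_decode(token_or_segment.split(".")[0]))


def sign_hs256(claims, key, header=None):
    """Build header.claims.signature; header may be overridden to produce tokens for testing."""
    header = header or {"typ": "JWT", "alg": "HS256"}
    dumps = lambda o: b64url_encode(json.dumps(o, separators=(",", ":")).encode())
    signing_input = dumps(header) + "." + dumps(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate(token, key, issuer=ISSUER, audience=AUDIENCE, now=None):
    """Return the claims if signature, issuer, audience and time window all check out."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # The header is untrusted input. Pin the algorithm the issuer is known to use instead of
    # dispatching on header["alg"]: "none" (what slide 4's encoded sample says) or an HMAC
    # computed over an RSA public key are the classic ways a verifier gets tricked.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")  # a valid token for some other API is not ours
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def rejection_reason(token, key, **kw):
    """None if the token validates, otherwise the validation error (useful for tests and logs)."""
    try:
        validate(token, key, **kw)
        return None
    except ValueError as e:
        return str(e)
```

The order of checks matters: the signature is verified before any claim is read, so nothing in the body is trusted until the issuer has vouched for it, and the audience check is what stops an access token minted for one API from being replayed against another one that trusts the same issuer.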
  10. Active Directory Authentication Library (ADAL)

     Open source client library for:
     • .NET desktop
     • Windows RT
     • Windows Phone
     • iOS/Android native
     • iOS/Android Xamarin
     https://github.com/AzureAD
  11. Token Lifetime Management

     • ADAL supports token caching (extensible)
     • Token renewal via the existing logon session
     • Refresh tokens
  12. Native Client to Web API: Refresh Tokens

     Parties: NativeApp (ADAL); ADFS / AAD (Authorize endpoint, Token endpoint); WebAPI (Katana).
     NativeApp service principal: • Client ID • Redirect URI
     WebAPI service principal: • App ID URI
     1. Call WebAPI (access token in the Authorization header)
     2. Access token has expired
     3. Request a new access token from the Token endpoint with the refresh token
     4. Return access token, refresh token
     5. Call WebAPI with the new access token in the Authorization header
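The token lifetime handling of slides 11 and 12 in a native client, as an added example that is not ADAL's code and not from the deck: a cache keyed the way ADAL keys its cache (client, resource, user), which serves from the cache while the token is fresh, renews silently with the refresh token when it is about to expire, and falls back to an interactive sign-in when the refresh token is no longer accepted. The token endpoint is a stand-in; that it rotates the refresh token on every renewal and consumes the old one is an assumption of this example, since the slides do not say what ADFS or AAD do.

```python
import secrets
import time


class TokenEndpoint:
    """Stand-in for the ADFS / AAD token endpoint: issues short-lived access tokens and
    accepts grant_type=refresh_token. Rotating and consuming the refresh token on every
    renewal is an assumption of this example, not documented behaviour of ADFS / AAD."""

    def __init__(self, lifetime=3600):
        self.lifetime = lifetime
        self.refresh_tokens = {}  # refresh_token -> (client_id, resource, user)

    def issue(self, client_id, resource, user):
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = (client_id, resource, user)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": self.lifetime, "refresh_token": rt}

    def refresh(self, form):
        """Step 3 of slide 12. The presented refresh token is consumed whether or not it is valid."""
        entry = self.refresh_tokens.pop(form.get("refresh_token"), None)
        if form.get("grant_type") != "refresh_token" or entry is None:
            raise PermissionError("invalid_grant")
        client_id, resource, user = entry
        if form.get("client_id") != client_id or form.get("resource") != resource:
            raise PermissionError("invalid_grant")  # token belongs to another client or API
        return self.issue(client_id, resource, user)

    def revoke_all(self):
        """Simulates a password change or admin revocation on the server side."""
        self.refresh_tokens.clear()


class TokenCache:
    """The token caching of slide 11, keyed like ADAL's cache: (client, resource, user).
    expires_in from the response is turned into an absolute expires_on at insert time."""

    def __init__(self, skew=300):
        self.entries = {}
        self.skew = skew  # renew this long before exp so a call already in flight does not get a 401

    def _store(self, key, response, now):
        self.entries[key] = {"access_token": response["access_token"],
                             "refresh_token": response["refresh_token"],
                             "expires_on": now + int(response["expires_in"])}

    def acquire_token(self, endpoint, client_id, resource, user, interactive, now=None):
        """Return (access_token, how) where how is "cache", "refresh" or "interactive".
        interactive(client_id, resource, user) stands for the code grant of slides 5 to 8."""
        now = time.time() if now is None else now
        key = (client_id, resource, user)
        entry = self.entries.get(key)
        if entry and now < entry["expires_on"] - self.skew:
            return entry["access_token"], "cache"
        if entry:  # step 2: expired (or about to) -> step 3: renew silently with the refresh token
            try:
                resp = endpoint.refresh({"grant_type": "refresh_token", "client_id": client_id,
                                         "resource": resource,
                                         "refresh_token": entry["refresh_token"]})
                self._store(key, resp, now)
                return resp["access_token"], "refresh"
            except PermissionError:
                del self.entries[key]  # refresh token revoked or expired: forget it, sign in again
        resp = interactive(client_id, resource, user)
        self._store(key, resp, now)
        return resp["access_token"], "interactive"
```

Storing an absolute expires_on rather than the raw expires_in is the detail that makes the cache correct across process restarts, and the skew keeps a request that was sent just before expiry from failing at the API and forcing a second round trip. Dropping the cache entry on a refresh failure is what turns a server-side revocation into a fresh sign-in rather than an endless loop of 401s.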
  13. What about SPAs?

     • Brand new ADAL.js library (preview): familiar programming interface, AngularJS support
     • Support for the OAuth2 "Implicit Flow": simplified flow, no server back-end required
     • Currently AAD only
     http://www.cloudidentity.com/blog/2014/10/28/adal-javascript-and-angularjs-deep-dive/
  14. Options

     • Web App calls Web API using its own identity: trusted subsystem design; OAuth2 client credentials flow or code flow
     • Web App calls Web API using the user's identity: OpenID Connect and/or OAuth2 code flow
  15. Web App to Web API: OAuth 2.0 client credentials

     Parties: Browser; WebApp (Katana, ADAL); AAD (Authorize endpoint, Token endpoint); WebAPI (Katana).
     WebApp service principal: • Client ID • Credential*
     WebAPI service principal: • App ID URI
     1. Signed in, using the web app…
     2. Request token (Client ID, Credential, App ID URI)
     3. Return access token
     4. Call web API with the access token in the Authorization header
     * The application's credential can be a password, or an assertion (a JWT) signed with a private key.
  16. Web App to Web API: Delegation with OpenID Connect

     Parties: Browser; WebApp (Katana, ADAL); AAD (Authorize endpoint, Token endpoint); WebAPI (Katana).
     WebApp service principal: • Client ID • Credential
     WebAPI service principal: • App ID URI
     1. Navigate to site
     2. Redirect to sign in and request auth code (Client ID, Redirect URI)
     3. Sign in (might require user consent)
     4. Return ID token and auth code to the Redirect URI
     6. Set session
  17. Web App to Web API: Delegation with OpenID Connect (continued)

     WebApp: WIF / OWIN for the sign-in, ADAL for the token calls.
     7. Request access token
     8. Return access token, refresh token
     9. Call web API with the access token in the Authorization header
  18. B2B vs B2C

     • AD is traditionally geared towards corporate identities
     • ADFS & AAD are protocol / infrastructure extensions
     • What about customer identities & applications?
     • Where to store identities?
     • What about social logins?
  19. B2B & B2C Hybrid Architecture

     Components: ADFS, AAD, Customer Accounts, Thinktecture IdentityServer
     https://github.com/thinktecture/Thinktecture.IdentityServer.v3
  20. Feature Matrix (non exhaustive)

     Feature                  ADFS (2012R2)            Azure AD    IdentityServer v3
     Type                     Domain joined            SaaS        Standalone
     WS-Federation            yes                      yes         yes
     WS-Trust                 yes                      no          no
     OAuth2 Code Flow         yes                      yes         yes
     Resource Owner Flow      no                       yes         yes
     Implicit Flow            no                       yes         yes
     Client Credentials Flow  no                       yes         yes
     Social Logins            no                       no          yes
     OpenID Connect           no                       yes         yes
     SAML2p                   yes                      yes         no
     Price Model              Part of Windows Server   Freemium    Free (OSS)
     http://blogs.technet.com/b/ad/archive/2014/09/15/azure-active-directory-basic-is-now-ga.aspx
  21. © 2014 Microsoft Corporation. All rights reserved. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

     Thank you
     [email protected]
     http://leastprivilege.com
     @leastprivilege