Unifying Authentication & Delegated API Access (NDC Oslo 2014)

Transcript

1. Unifying  Authen-ca-on  and   delegated  API  Access     OpenID

    Connect  &  OAuth2   Dominick  Baier   h@p://leastprivilege.com   @leastprivilege   think mobile!

2. 2   @leastprivilege   Dominick  Baier   •  Security  consultant

    at  thinktecture   •  Focus  on   –  security  in  distributed  applica9ons   –  iden9ty  management   –  access  control   –  Windows/.NET  security   –  mobile  app  security     •  MicrosoI  MVP  for  Developer  Security   •  ASP.NET  Web  API  Advisor   •  [email protected]   •  h@p://leastprivilege.com   think mobile!

3. 3   @leastprivilege   Agenda   •  Why   • 

   How  

4. 4   @leastprivilege   Authen9ca9on  &     Trusted  Subsystem

    Design   Trusted  Subsystem  

5. 5   @leastprivilege   Authen9ca9on  &     Trusted  Subsystem

    Design   Trusted  Subsystem   SAML2p  &  WS-­‐Federa-on   T  

6. 6   @leastprivilege   Delegated  Service/API  Access   Trust  Boundary

     ?   ?  

7. 7   @leastprivilege   Delegated  Service/API  Access   Trust  Boundary

     T   T   T   OAuth2   WS-­‐Trust  

8. 8   @leastprivilege   What's  wrong  with  SAML  (&  WS-­‐Federa9on)

     Craig  Burton  (#CIS2012):   SAML  is  the  Windows  XP  of  Iden-ty.   No  funding.  No  innova-on.  People  s-ll   use  it.  But  it  has  no  future   SAML  is  dead  !=  SAML  is  bad.     SAML  is  dead  !=  SAML  isn’t  useful.     SAML  is  dead  means  SAML  !=  the  future.  

9. 9   @leastprivilege   What's  wrong  with  OAuth2  

10. 10   @leastprivilege   •  Authen-ca-on  protocol  on  top  of

     OAuth2   –  defines  iden9ty  tokens   –  defines  standard  token  type   –  defines  standard  cryptography   –  defines  valida9on  procedures   –  defines  standard  scopes   –  combines  authen9ca9on  with  short/long-­‐lived  delegated   API  access   –  defines  flows  for  na9ve,  browser  and  server-­‐based   applica9ons   "OpenID  Connect  1.0  is  a  simple  iden-ty  layer  on  top  of  the  OAuth  2.0  protocol."  

11. 11   @leastprivilege   h\p://openid.net/connect/  

12. 12   @leastprivilege   Flows   •  Implicit  Flow  

    –  na9ve/browser/web  applica9ons   –  no  explicit  client  authen9ca9on   •  Authoriza-on  Code  Flow   –  server-­‐based  applica9ons   –  stronger  authen9ca9on   –  long  lived  API  access   •  Hybrid  Flow   –  "in-­‐between"  

13. 13   @leastprivilege   Excursion:  Endpoints   Authorize   Endpoint

      Token   Endpoint   UserInfo   Endpoint  

14. 14   @leastprivilege   Implicit  Flow  –  Web  Applica9ons  

    GET  /authorize        ?client_id=app1      &scope=openid  email      &redirect_uri=h@ps://app.com/cb      &response_type=id_token      &response_mode=form_post  

15. 15   @leastprivilege   Excursion:  Scopes   Scope   Claims

      profile   name,  family_name,  given_name,  middle_name,   nickname,  preferred_username,  profile,  picture,   website,  gender,  birthdate,  zoneinfo,  locale,  and   updated_at   email   email,  email_verified   address   address   phone   phone_number,  phone_number_verified   offline_access   requests  refresh  token  

16. 16   @leastprivilege   Authen9ca9on  

17. 17   @leastprivilege   Consent  

18. 18   @leastprivilege   Response   <form>      

       <input  type="hidden"                                    name="id_token"                                    value="xjsj…aas"  />   </form>   POST  /callback  

19. 19   @leastprivilege   Excursion:  Iden9ty  Token   {  

       "typ":  "JWT",      "alg":  "HS256"   }   {      "iss":  "https://idsrv3",      "exp":  1340819380,      "aud":  "app1",            "sub":  "182jmm199",      "email":  "[email protected]",      "email_verified":  true,      "amr":  "password",      "auth_time":  12340819300   }   Header   Claims   eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt   Header   Claims   Signature  

20. 20   @leastprivilege   Excursion:  Discovery  

21. 21   @leastprivilege   Katana  Middleware  for     OpenID

     Connect   app.UseCookieAuthentication(new  CookieAuthenticationOptions          {                  AuthenticationType  =  "Cookies"          });       app.UseOpenIdConnectAuthentication(new  OpenIdConnectAuthenticationOptions          {                  Client_Id  =  "implicitclient",                  Authority  =  Constants.BaseAddress,                  Redirect_Uri  =  "http://localhost:2671/",                  Response_Type  =  "id_token  token",                  Scope  =  "openid  email",                      SignInAsAuthenticationType  =  "Cookies"          };  

22. 22   @leastprivilege   Implicit  Flow  for  Client-­‐side   Applica9ons

      GET  /authorize        ?client_id=app1      &scope=openid  email      &redirect_uri=oob://app1/cb      &response_type=id_token  

23. 23   @leastprivilege   Response   GET  /cb    

       #id_token=x12f…zsz        

24. 24   @leastprivilege   Combining  Authen9ca9on  with     API

     Access   GET  /authorize        ?client_id=app1      &scope=openid  email  api1  api2      &redirect_uri=oob://app1/cb      &response_type=id_token  token  

25. 25   @leastprivilege   Response   GET  /cb    

       #id_token=x12f…zsz      &token=32x…133      &expires_in=3600      &token_type=bearer  

26. 26   @leastprivilege   Accessing  the  API   Authoriza-on:  Bearer

     <token>  

27. 27   @leastprivilege   Authoriza9on  Code  Flow:   Long  lived

     API  Access   GET  /authorize        ?client_id=app1      &scope=openid  email  api1  api2      &redirect_uri=h@ps://app.com/callback      &response_type=code  

28. 28   @leastprivilege   Response   GET  /callback?code=xdf123  

29. 29   @leastprivilege   Back-­‐channel  Communica9on   code   (client_id:client_secret)

      {      access_token:  "xyz…123",      expires_in:  3600,      token_type:  bearer,      refresh_token:  "dxy…103"   }  

30. 30   @leastprivilege   Summary   •  OpenID  Connect  is

     the  future   •  Replaces   –  SAML2p  &  WS-­‐Federa9on   –  home-­‐grown  OAuth2  authen9ca9on  extensions   •  Combines  authen-ca-on  &  API  access   •  h@p://openid.net/developers/libraries/   •  h@p://osis.idcommons.net/wiki/Category:OC5_Par-cipant   •  h@ps://github.com/thinktecture/ Thinktecture.Iden-tyServer.v3  

31. 31   @leastprivilege   Excursion:  Session  Management   •  OpenID

     Connect  specifies  a  logout  endpoint   –  aka  end_session_endpoint   •  Cross-­‐client  cleanup  is  a  much  debated  topic  right  now   –  JS  iframe/even9ng  approach   –  back-­‐channel  cleanup   –  front-­‐channel  cleanup  

32. 32   @leastprivilege   Excursion:  Client  Registra9on  

33. 33   @leastprivilege   thank  you!