Login and Access-Control with Angular: Talk from ngPoland, Warsaw 2017

Manfred Steyer

November 21, 2017

Transcript

  1. About me …
     • Manfred Steyer
     • SOFTWAREarchitekt.at
     • Trainer & Consultant
     • Focus: Angular
     • Google Developer Expert (GDE)

  2. Contents
     • Motivation
     • OAuth 2
     • Single Sign-on and OpenId Connect
     • Social Login
     • DEMO
     • Single Sign-out

  3. Requirements for Modern Apps
     • Service delegates to other services
     • Cross-Origin Requests
     • Using existing Identity Solutions
     • Loose Coupling to the Identity Solution
     • Single Sign-on/-out
     • Protection from XSRF

  4. Flow (Client, Authorization-Server, Resource-Server)
     1. Redirection
     2. Redirection w/ Access-Token
     3. Access-Token
     • One central user account
     • Only the Auth-Server sees the password
     • Authentication decoupled from the Client
     • Tokens provide flexibility
     • No Cookies: No XSRF

  5. Lots of Auth Servers out there …
     • Active Directory Federation Services
     • Identity Server (.NET)
     • Red Hat Keycloak (Java)
     • Okta
     • Auth0
     • Firebase
     • Azure Active Directory
     • … ranging from On Premise to Identity as a Service

  6. What is OAuth 2?
     • Developed by Twitter and Ma.gnolia
     • Protocol to delegate restricted rights
     • Used by companies like Google, Facebook, Flickr, Microsoft, Salesforce.com or Yahoo!
     • Several Flows for different use cases
     • Leverages HTTPS!

  7. Implicit Flow for SPA (Client, Authorization-Server, Resource-Server)
     1. Redirection
     2. Redirection w/ Access-Token
     3. Access-Token

  8. Implicit Flow for SPA, with Nonce (Client, Authorization-Server, Resource-Server)
     1. Redirection + Nonce
     2. Redirection w/ Access-Token + Same Nonce
     3. Access-Token

  9. SSO with OAuth 2 (Client, Authorization-Server, Resource-Server)
     1. Request Token (&scope=profile)
     2. Token
     3. /user/profile + Token → { "user_name": "susi", "email": "susi@sorglos.at", … }
     • The profile endpoint is not defined by OAuth 2.0

  10. Implicit Flow w/ OIDC (Client, Authorization-Server, Resource-Server)
     1. Redirection
     2. Redirection w/ Access-Token and Id-Token
     3. Access-Token
     • User Info Endpoint (OIDC)
     • Format: JSON Web Token (JWT)

  11. Implicit Flow with Social Login (Client; Google, Facebook, etc.; Resource-Server)
     1. Redirection
     2. Redirection w/ Access-Token and Id-Token
     3. Access-Token
     • Security Domain of Google, Facebook etc. vs. Your Security Domain

  12. Implicit Flow with Your Authorization Server in front of Google, Facebook, etc. (Client, Your Authorization Server, Resource-Server)
     • Redirection w/ your Access-Token and your Id-Token
     • Access-Token to the Resource-Server
     • Their Token stays between Your Authorization Server and Google, Facebook, etc.

  13. Open channel to Client?
     • Websockets
     • Server-Sent Events
     • Hidden iframe (Forever-Frame)
     • OIDC Session Management

  14. Conclusion
     • Token: Flexibility, Cross Origin …
     • OAuth 2: Access to Service
     • OpenId Connect: SSO at Client
     • Token per Security Domain
     • Implicit Flow
     • Single Sign-out
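The client side of the implicit flow with a nonce, as sketched on the "Implicit Flow for SPA" and "Implicit Flow w/ OIDC" slides, written out as an added example that is not from the talk or from Manfred Steyer's code. The `cfg`/`store` shapes, the function names and the constructed sample token are assumptions; the nonce, fragment and JWT handling follow the slides.

```javascript
// Added example (not from the talk): client side of the implicit flow with a nonce.
// Node-compatible so it runs stand-alone; in Angular it would sit in an auth service with sessionStorage as `store`.
const NONCE_KEY = 'oidc_nonce';

// 1. Redirection + Nonce: build the authorize URL and remember the nonce we sent.
function buildAuthorizeUrl(cfg, store, nonce, state) {
  store[NONCE_KEY] = nonce;
  const params = new URLSearchParams({
    response_type: 'id_token token', // implicit flow: tokens return in the URL fragment
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: 'openid profile',
    nonce,
    state,
  });
  return `${cfg.issuer}/authorize?${params}`;
}

// 2. Redirection w/ Access-Token (+ Id-Token) + Same Nonce: parse the fragment.
function parseFragment(hash) {
  return Object.fromEntries(new URLSearchParams(hash.replace(/^#/, '')));
}

// The Id-Token is a JWT: header.payload.signature, each part base64url encoded.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Check the Id-Token claims against what this client sent and expects. Verifying the
// signature with the auth server's published keys is also required; it is left out here
// because the constructed sample token below carries no signature.
function validateIdToken(idToken, cfg, store, nowSeconds) {
  const claims = decodeJwtPayload(idToken);
  const expectedNonce = store[NONCE_KEY];
  delete store[NONCE_KEY]; // a nonce is single-use, so a replayed response fails
  if (!expectedNonce || claims.nonce !== expectedNonce) return { ok: false, reason: 'nonce mismatch' };
  if (claims.iss !== cfg.issuer) return { ok: false, reason: 'wrong issuer' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(cfg.clientId)) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed sample token (alg "none", no signature) standing in for the auth server.
function makeSampleIdToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(claims)}.`;
}
```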