Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Dex and OAUTH 2.0 / OIDC @ Golang SF
Search
Brandon Philips
October 22, 2015
3
1k
Dex and OAUTH 2.0 / OIDC @ Golang SF
Brandon Philips
October 22, 2015
Tweet
Share
More Decks by Brandon Philips
See All by Brandon Philips
Node.js Workflow with Minikube and Skaffold
philips
0
250
Manage the App on Kubernetes
philips
0
330
Production Backbone Monitoring Containerized Apps
philips
0
160
KubeCon EU 2017: Dancing on the Edge of a Volcano
philips
1
690
rkt - KubeCon EU keynote - 2017
philips
1
250
FOSDEM_Keynote_2017-_.pdf
philips
0
120
Tectonic Summit Day 2 Keynote
philips
0
330
Kubernetes: Simple to Manage Anywhere (self-hosted, Tectonic upgrade demo)
philips
0
370
KubeCon Keynote 2016- Distributed Systems Simplified on Kubernetes
philips
2
540
Featured
See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
9
780
Code Review Best Practice
trishagee
70
19k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Imperfection Machines: The Place of Print at Facebook
scottboms
268
13k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
33
2.4k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Automating Front-end Workflow
addyosmani
1370
200k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
6k
Into the Great Unknown - MozCon
thekraken
40
2k
Navigating Team Friction
lara
189
15k
Why You Should Never Use an ORM
jnunemaker
PRO
59
9.5k
Transcript
CoreOS Dex, OAUTH 2.0, and OIDC Web Authentication Adventures @coreoslinux
@brandonphilips
Brandon Philips CTO, CoreOS github.com/philips
Demo Instructions github.com/philips/hacks 2015-dex-golangsf
Slides speakerdeck.com/philips
Identity Plumbing of the Web
None
Identity Our Needs
None
The smartest way to run your container infrastructure. tectonic.com @tectonicstack
QUAY Secure hosting for private Docker repositories quay.io @quayio
Why Dex? Solve our uses quay.io, tectonic.com
Why Dex? Share Open Source Solution
Why Dex? Leverage Well Understood Web Security
Identity Open ID Connect (OIDC)
OIDC Nothing to do with OpenID
OIDC OAUTH 2.0 with Types
OIDC Adopted by Google, Facebook, Amazon
OIDC Lots of Language Libraries
OIDC http://openid.net/connect/
OAuth 2.0 Client (web app)
OAuth 2.0 Resource Owner
OAuth 2.0 Auth Server
OAuth 2.0 1. User request protected page
OAuth 2.0 2. User redirected to auth page
OAuth 2.0 3. User authenticates (cookie/pw)
OAuth 2.0 4. User given authz grant
OAuth 2.0 5. User presents grant to client
OAuth 2.0 6. Client exchanges grant for access token
OAuth 2.0 7. ??? Do stuff
OIDC Relying Party
OIDC End User
OIDC Identity Provider
OIDC 0. Relying party periodically syncs public key from IdP
1. User request protected page OIDC
2. User redirected to auth page OIDC
3. User authenticates (cookie/pw) OIDC
4. User given authz grant OIDC
5. User presents grant to client OIDC
6. Relying party exchanges authz code for ID token OIDC
7. Client gets ID token and validate claims OIDC
JOSE Javascript Object Signing and Encryption
JWK Cryptographic Key Object
JWS JSON Web Signature
JWS <<base64 JOSE Header>>.<<base64 payload>>.<<base64 signature>>
JWS <<base64 JOSE Header>>.<<base64 payload>>.<<base64 signature>>
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJoZWxsbyI6IndvcmxkIn0. lnneNaoem98xYFES3mi2CJJjnMONuWAu- FTWB3XJN14
{ "alg": "HS256", "typ": "JWT" }
{ "hello": "world" }
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
JWT JSON Web Token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIyNDgyODk3NjEwMDEiLCJuYW1lI joiSmFuZSBEb2UiL... mphbmVkb2VAZXhhbXBsZS5jb20iLCJwaWN 0dXJlIjoiaHR0cDovL2V4YW1wbGUuY29tL2ph bmVkb2UvbWUuanBnIn0. TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeF ONFh7HgQ
{ "alg": "HS256", "typ": "JWT" }
{ "sub": "248289761001", "name": "Jane Doe", "preferred_username": "j.doe", "email": "
[email protected]
",
"picture": "http://imgur.com/me.jpg" }
JWT Security https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
None
Connectors Delegation of Authentication
Local Connector Email and Password Auth
OIDC Connector Dex as relying party
None
Future Connectors
SSH Agent Connector Login with your SSH public key
LDAP Connector Login with your SSH public key
Dex Features Automatic Key Rotation
Dex Features Scalable Architecture
Dex Features User Management API
Roadmap • Grouping for Users
Help Wanted • More Connectors • Alternative Storage Backends •
U2F and Google Authenticator • > 1 Remote Identities per user
coreos.com/careers work with us
@coreoslinux @tectonicstack @brandonphilips thank you