Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Dex and OAUTH 2.0 / OIDC @ Golang SF

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Brandon Philips Brandon Philips
October 22, 2015
3
1.1k

Dex and OAUTH 2.0 / OIDC @ Golang SF

Avatar for Brandon Philips

Brandon Philips

October 22, 2015
Tweet

More Decks by Brandon Philips

See All by Brandon Philips
Node.js Workflow with Minikube and Skaffold
Avatar for Brandon Philips philips
0
280
Manage the App on Kubernetes
Avatar for Brandon Philips philips
0
360
Production Backbone Monitoring Containerized Apps
Avatar for Brandon Philips philips
0
210
KubeCon EU 2017: Dancing on the Edge of a Volcano
Avatar for Brandon Philips philips
1
820
rkt - KubeCon EU keynote - 2017
Avatar for Brandon Philips philips
1
300
FOSDEM_Keynote_2017-_.pdf
Avatar for Brandon Philips philips
0
160
Tectonic Summit Day 2 Keynote
Avatar for Brandon Philips philips
0
390
Kubernetes: Simple to Manage Anywhere (self-hosted, Tectonic upgrade demo)
Avatar for Brandon Philips philips
0
430
KubeCon Keynote 2016- Distributed Systems Simplified on Kubernetes
Avatar for Brandon Philips philips
2
580

Featured

See All Featured
Game over? The fight for quality and originality in the time of robots
Avatar for Wayne Barker wayneb77
1
150
How to Talk to Developers About Accessibility
Avatar for Jason CranfordTeague jct
2
170
Darren the Foodie - Storyboard
Avatar for Kevinho.art khoart
PRO
3
3.1k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
12k
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
163
24k
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
Avatar for soudai sone soudai
PRO
64
53k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
96
14k
State of Search Keynote: SEO is Dead Long Live SEO
Avatar for Ryan Jones ryanjones
0
160
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.5k
Paper Plane (Part 1)
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
6.2k
Utilizing Notion as your number one productivity tool
Avatar for Mfonobong Umondia mfonobong
4
280
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
45
9k

Transcript

  1. CoreOS Dex, OAUTH 2.0, and OIDC Web Authentication Adventures @coreoslinux

    @brandonphilips

  2. Brandon Philips CTO, CoreOS github.com/philips

  3. Demo Instructions github.com/philips/hacks 2015-dex-golangsf

  4. Slides speakerdeck.com/philips

  5. Identity Plumbing of the Web

  6. None

  7. Identity Our Needs

  8. None

  9. The smartest way to run your container infrastructure. tectonic.com @tectonicstack

  10. QUAY Secure hosting for private Docker repositories quay.io @quayio

  11. Why Dex? Solve our uses quay.io, tectonic.com

  12. Why Dex? Share Open Source Solution

  13. Why Dex? Leverage Well Understood Web Security

  14. Identity Open ID Connect (OIDC)

  15. OIDC Nothing to do with OpenID

  16. OIDC OAUTH 2.0 with Types

  17. OIDC Adopted by Google, Facebook, Amazon

  18. OIDC Lots of Language Libraries

  19. OIDC http://openid.net/connect/

  20. OAuth 2.0 Client (web app)

  21. OAuth 2.0 Resource Owner

  22. OAuth 2.0 Auth Server

  23. OAuth 2.0 1. User request protected page

  24. OAuth 2.0 2. User redirected to auth page

  25. OAuth 2.0 3. User authenticates (cookie/pw)

  26. OAuth 2.0 4. User given authz grant

  27. OAuth 2.0 5. User presents grant to client

  28. OAuth 2.0 6. Client exchanges grant for access token

  29. OAuth 2.0 7. ??? Do stuff

  30. OIDC Relying Party

  31. OIDC End User

  32. OIDC Identity Provider

  33. OIDC 0. Relying party periodically syncs public key from IdP

  34. 1. User request protected page OIDC

  35. 2. User redirected to auth page OIDC

  36. 3. User authenticates (cookie/pw) OIDC

  37. 4. User given authz grant OIDC

  38. 5. User presents grant to client OIDC

  39. 6. Relying party exchanges authz code for ID token OIDC

  40. 7. Client gets ID token and validate claims OIDC

  41. JOSE Javascript Object Signing and Encryption

  42. JWK Cryptographic Key Object

  43. JWS JSON Web Signature

  44. JWS <<base64 JOSE Header>>.<<base64 payload>>.<<base64 signature>>

  45. JWS <<base64 JOSE Header>>.<<base64 payload>>.<<base64 signature>>

  46. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJoZWxsbyI6IndvcmxkIn0. lnneNaoem98xYFES3mi2CJJjnMONuWAu- FTWB3XJN14

  47. { "alg": "HS256", "typ": "JWT" }

  48. { "hello": "world" }

  49. HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )

  50. JWT JSON Web Token

  51. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIyNDgyODk3NjEwMDEiLCJuYW1lI joiSmFuZSBEb2UiL... mphbmVkb2VAZXhhbXBsZS5jb20iLCJwaWN 0dXJlIjoiaHR0cDovL2V4YW1wbGUuY29tL2ph bmVkb2UvbWUuanBnIn0. TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeF ONFh7HgQ

  52. { "alg": "HS256", "typ": "JWT" }

  53. { "sub": "248289761001", "name": "Jane Doe", "preferred_username": "j.doe", "email": "[email protected]",

    "picture": "http://imgur.com/me.jpg" }

  54. JWT Security https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/

  55. None

  56. Connectors Delegation of Authentication

  57. Local Connector Email and Password Auth

  58. OIDC Connector Dex as relying party

  59. None

  60. Future Connectors

  61. SSH Agent Connector Login with your SSH public key

  62. LDAP Connector Login with your SSH public key

  63. Dex Features Automatic Key Rotation

  64. Dex Features Scalable Architecture

  65. Dex Features User Management API

  66. Roadmap • Grouping for Users

  67. Help Wanted • More Connectors • Alternative Storage Backends •

    U2F and Google Authenticator • > 1 Remote Identities per user

  68. coreos.com/careers work with us

  69. @coreoslinux @tectonicstack @brandonphilips thank you