Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Dex and OAUTH 2.0 / OIDC @ Golang SF
Search
Brandon Philips
October 22, 2015
3
970
Dex and OAUTH 2.0 / OIDC @ Golang SF
Brandon Philips
October 22, 2015
Tweet
Share
More Decks by Brandon Philips
See All by Brandon Philips
Node.js Workflow with Minikube and Skaffold
philips
0
220
Manage the App on Kubernetes
philips
0
310
Production Backbone Monitoring Containerized Apps
philips
0
120
KubeCon EU 2017: Dancing on the Edge of a Volcano
philips
1
620
rkt - KubeCon EU keynote - 2017
philips
1
240
FOSDEM_Keynote_2017-_.pdf
philips
0
91
Tectonic Summit Day 2 Keynote
philips
0
310
Kubernetes: Simple to Manage Anywhere (self-hosted, Tectonic upgrade demo)
philips
0
290
KubeCon Keynote 2016- Distributed Systems Simplified on Kubernetes
philips
2
530
Featured
See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
127
18k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.2k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
111
49k
Optimizing for Happiness
mojombo
376
70k
Documentation Writing (for coders)
carmenintech
66
4.5k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
How to Ace a Technical Interview
jacobian
276
23k
Building a Scalable Design System with Sketch
lauravandoore
460
33k
Building Applications with DynamoDB
mza
91
6.1k
Raft: Consensus for Rubyists
vanstee
137
6.7k
Transcript
CoreOS Dex, OAUTH 2.0, and OIDC Web Authentication Adventures @coreoslinux
@brandonphilips
Brandon Philips CTO, CoreOS github.com/philips
Demo Instructions github.com/philips/hacks 2015-dex-golangsf
Slides speakerdeck.com/philips
Identity Plumbing of the Web
None
Identity Our Needs
None
The smartest way to run your container infrastructure. tectonic.com @tectonicstack
QUAY Secure hosting for private Docker repositories quay.io @quayio
Why Dex? Solve our uses quay.io, tectonic.com
Why Dex? Share Open Source Solution
Why Dex? Leverage Well Understood Web Security
Identity Open ID Connect (OIDC)
OIDC Nothing to do with OpenID
OIDC OAUTH 2.0 with Types
OIDC Adopted by Google, Facebook, Amazon
OIDC Lots of Language Libraries
OIDC http://openid.net/connect/
OAuth 2.0 Client (web app)
OAuth 2.0 Resource Owner
OAuth 2.0 Auth Server
OAuth 2.0 1. User request protected page
OAuth 2.0 2. User redirected to auth page
OAuth 2.0 3. User authenticates (cookie/pw)
OAuth 2.0 4. User given authz grant
OAuth 2.0 5. User presents grant to client
OAuth 2.0 6. Client exchanges grant for access token
OAuth 2.0 7. ??? Do stuff
OIDC Relying Party
OIDC End User
OIDC Identity Provider
OIDC 0. Relying party periodically syncs public key from IdP
1. User request protected page OIDC
2. User redirected to auth page OIDC
3. User authenticates (cookie/pw) OIDC
4. User given authz grant OIDC
5. User presents grant to client OIDC
6. Relying party exchanges authz code for ID token OIDC
7. Client gets ID token and validate claims OIDC
JOSE Javascript Object Signing and Encryption
JWK Cryptographic Key Object
JWS JSON Web Signature
JWS <<base64 JOSE Header>>.<<base64 payload>>.<<base64 signature>>
JWS <<base64 JOSE Header>>.<<base64 payload>>.<<base64 signature>>
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJoZWxsbyI6IndvcmxkIn0. lnneNaoem98xYFES3mi2CJJjnMONuWAu- FTWB3XJN14
{ "alg": "HS256", "typ": "JWT" }
{ "hello": "world" }
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
JWT JSON Web Token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIyNDgyODk3NjEwMDEiLCJuYW1lI joiSmFuZSBEb2UiL... mphbmVkb2VAZXhhbXBsZS5jb20iLCJwaWN 0dXJlIjoiaHR0cDovL2V4YW1wbGUuY29tL2ph bmVkb2UvbWUuanBnIn0. TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeF ONFh7HgQ
{ "alg": "HS256", "typ": "JWT" }
{ "sub": "248289761001", "name": "Jane Doe", "preferred_username": "j.doe", "email": "
[email protected]
",
"picture": "http://imgur.com/me.jpg" }
JWT Security https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
None
Connectors Delegation of Authentication
Local Connector Email and Password Auth
OIDC Connector Dex as relying party
None
Future Connectors
SSH Agent Connector Login with your SSH public key
LDAP Connector Login with your SSH public key
Dex Features Automatic Key Rotation
Dex Features Scalable Architecture
Dex Features User Management API
Roadmap • Grouping for Users
Help Wanted • More Connectors • Alternative Storage Backends •
U2F and Google Authenticator • > 1 Remote Identities per user
coreos.com/careers work with us
@coreoslinux @tectonicstack @brandonphilips thank you