Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Dex and OAUTH 2.0 / OIDC @ Golang SF
Search
Brandon Philips
October 22, 2015
3
1k
Dex and OAUTH 2.0 / OIDC @ Golang SF
Brandon Philips
October 22, 2015
Tweet
Share
More Decks by Brandon Philips
See All by Brandon Philips
Node.js Workflow with Minikube and Skaffold
philips
0
230
Manage the App on Kubernetes
philips
0
320
Production Backbone Monitoring Containerized Apps
philips
0
130
KubeCon EU 2017: Dancing on the Edge of a Volcano
philips
1
640
rkt - KubeCon EU keynote - 2017
philips
1
240
FOSDEM_Keynote_2017-_.pdf
philips
0
97
Tectonic Summit Day 2 Keynote
philips
0
310
Kubernetes: Simple to Manage Anywhere (self-hosted, Tectonic upgrade demo)
philips
0
320
KubeCon Keynote 2016- Distributed Systems Simplified on Kubernetes
philips
2
530
Featured
See All Featured
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.2k
Building Flexible Design Systems
yeseniaperezcruz
328
38k
GitHub's CSS Performance
jonrohan
1030
460k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
650
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
1k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Code Reviewing Like a Champion
maltzj
521
39k
Testing 201, or: Great Expectations
jmmastey
42
7.2k
Become a Pro
speakerdeck
PRO
26
5.2k
Faster Mobile Websites
deanohume
306
31k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
10
1.3k
Transcript
CoreOS Dex, OAUTH 2.0, and OIDC Web Authentication Adventures @coreoslinux
@brandonphilips
Brandon Philips CTO, CoreOS github.com/philips
Demo Instructions github.com/philips/hacks 2015-dex-golangsf
Slides speakerdeck.com/philips
Identity Plumbing of the Web
None
Identity Our Needs
None
The smartest way to run your container infrastructure. tectonic.com @tectonicstack
QUAY Secure hosting for private Docker repositories quay.io @quayio
Why Dex? Solve our uses quay.io, tectonic.com
Why Dex? Share Open Source Solution
Why Dex? Leverage Well Understood Web Security
Identity Open ID Connect (OIDC)
OIDC Nothing to do with OpenID
OIDC OAUTH 2.0 with Types
OIDC Adopted by Google, Facebook, Amazon
OIDC Lots of Language Libraries
OIDC http://openid.net/connect/
OAuth 2.0 Client (web app)
OAuth 2.0 Resource Owner
OAuth 2.0 Auth Server
OAuth 2.0 1. User request protected page
OAuth 2.0 2. User redirected to auth page
OAuth 2.0 3. User authenticates (cookie/pw)
OAuth 2.0 4. User given authz grant
OAuth 2.0 5. User presents grant to client
OAuth 2.0 6. Client exchanges grant for access token
OAuth 2.0 7. ??? Do stuff
OIDC Relying Party
OIDC End User
OIDC Identity Provider
OIDC 0. Relying party periodically syncs public key from IdP
1. User request protected page OIDC
2. User redirected to auth page OIDC
3. User authenticates (cookie/pw) OIDC
4. User given authz grant OIDC
5. User presents grant to client OIDC
6. Relying party exchanges authz code for ID token OIDC
7. Client gets ID token and validate claims OIDC
JOSE Javascript Object Signing and Encryption
JWK Cryptographic Key Object
JWS JSON Web Signature
JWS <<base64 JOSE Header>>.<<base64 payload>>.<<base64 signature>>
JWS <<base64 JOSE Header>>.<<base64 payload>>.<<base64 signature>>
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJoZWxsbyI6IndvcmxkIn0. lnneNaoem98xYFES3mi2CJJjnMONuWAu- FTWB3XJN14
{ "alg": "HS256", "typ": "JWT" }
{ "hello": "world" }
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
JWT JSON Web Token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIyNDgyODk3NjEwMDEiLCJuYW1lI joiSmFuZSBEb2UiL... mphbmVkb2VAZXhhbXBsZS5jb20iLCJwaWN 0dXJlIjoiaHR0cDovL2V4YW1wbGUuY29tL2ph bmVkb2UvbWUuanBnIn0. TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeF ONFh7HgQ
{ "alg": "HS256", "typ": "JWT" }
{ "sub": "248289761001", "name": "Jane Doe", "preferred_username": "j.doe", "email": "janedoe@example.com",
"picture": "http://imgur.com/me.jpg" }
JWT Security https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
None
Connectors Delegation of Authentication
Local Connector Email and Password Auth
OIDC Connector Dex as relying party
None
Future Connectors
SSH Agent Connector Login with your SSH public key
LDAP Connector Login with your SSH public key
Dex Features Automatic Key Rotation
Dex Features Scalable Architecture
Dex Features User Management API
Roadmap • Grouping for Users
Help Wanted • More Connectors • Alternative Storage Backends •
U2F and Google Authenticator • > 1 Remote Identities per user
coreos.com/careers work with us
@coreoslinux @tectonicstack @brandonphilips thank you