Slide 1

Slide 1 text

SAML, OAUTH & OIDC

Slide 2

Slide 2 text

ABOUT ME
▸ Independent Consultant/Architect/Developer/Trainer
▸ Doing stuff with & without Computers, Software, > 25 yrs
▸ "Mr. Keycloak" since 2015 (v1.x)
▸ Organizer of Keycloak DevDay Conf (keycloak-day.dev)
▸ Co-Lead of JUG DA (www.jug-da.de / @JUG_DA)
▸ Author of „Serverless Computing in AWS Cloud"
▸ Web: www.n-k.de / Social: @dasniko / YouTube: youtube.com/@dasniko

Slide 4

Slide 4 text

keycloak-day.dev

Slide 5

Slide 5 text

SAML, OAuth & OIDC AUTH(N/Z) Authentication / Authorization

Slide 6

Slide 6 text

SAML, OAuth & OIDC SSO Single Sign On

Slide 7

Slide 7 text

SAML, OAuth & OIDC SAML Security Assertion Markup Language The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners.

Slide 8

Slide 8 text

SAML, OAuth & OIDC SAML Security Assertion Markup Language [email protected] johndoe

Slide 9

Slide 9 text

SAML, OAuth & OIDC SAML Security Assertion Markup Language [email protected] johndoe urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Slide 10

Slide 10 text

SAML, OAuth & OIDC SAML SP METADATA
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
https://sptest.iamshowcase.com/testsp_metadata.xml

Slide 11

Slide 11 text

SAML, OAuth & OIDC SAML IDP METADATA
Key ID: Aqlqie2Iyp7r718C0SKfSN2b96UwQpcA501nwWOUjxY
Signing certificate (truncated): MIICnTCC...trxAQ==
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
https://lemur-7.cloud-iam.com/auth/realms/dasniko/protocol/saml/descriptor

Slide 12

Slide 12 text

SAML, OAuth & OIDC DEMO SAML IAM Showcase…

Slide 13

Slide 13 text

SAML, OAuth & OIDC SAML
▸ Metadata for SP and IdP
▸ SP-initiated or IdP-initiated
▸ SAMLRequest & SAMLResponse
▸ EntityID
▸ Issuer
▸ Assertions

Slide 14

Slide 14 text

SAML, OAuth & OIDC OAUTH Open Authorization OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.

Slide 15

Slide 15 text

SAML, OAuth & OIDC OAUTH2 TOKEN RESPONSE
{
  "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "mail:send",
  "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0",
  "refresh_expires_in": 36000
}
No standardized and verifiable user information, not even with JWT, as access tokens should not contain personalized user information!

Slide 16

Slide 16 text

SAML, OAuth & OIDC OAUTH Authentication w/ OAuth (e.g. Social Provider) is PSEUDO AUTHENTICATION!!!

Slide 17

Slide 17 text

SAML, OAuth & OIDC DEMO OAuth

Slide 18

Slide 18 text

SAML, OAuth & OIDC OAUTH
▸ no standard metadata document (OIDC config doc is co-used)
▸ Redirections
▸ ClientID/ClientSecret
▸ Scopes
▸ Token Introspection

Slide 19

Slide 19 text

SAML, OAuth & OIDC OIDC OpenID Connect OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

Slide 20

Slide 20 text

SAML, OAuth & OIDC OIDC - IDENTITY
▸ ID-Token as JWT with verifiable signature
▸ User-Info endpoint
▸ Standard Claims (sub, name, given_name, family_name, nickname, preferred_username, profile, picture, website, email, email_verified, gender, birthdate, zoneinfo, locale, phone_number, phone_number_verified, address, updated_at)

Slide 21

Slide 21 text

SAML, OAuth & OIDC OIDC TOKEN RESPONSE
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "openid profile email",
  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldU...",
  "refresh_expires_in": 36000
}

Slide 22

Slide 22 text

SAML, OAuth & OIDC DEMO OpenID Connect

Slide 23

Slide 23 text

SAML, OAuth & OIDC OIDC
▸ .well-known/openid-configuration document
▸ Redirections
▸ ClientID/ClientSecret
▸ Scopes
▸ ID-Token
▸ Issuer
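The discovery document and the Issuer on this slide belong together: a client must refuse a .well-known/openid-configuration whose issuer does not match the URL it was fetched from, and (slide 30) every endpoint in it must be HTTPS. The following is an added example, not code from the talk or from Keycloak; the discovery document and the idp.example.test URLs are constructed sample data.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a .well-known/openid-configuration document and the URL it was
# "fetched" from (paths modelled on Keycloak realm URLs; no real server is contacted).
SAMPLE_DISCOVERY_URL = "https://idp.example.test/realms/demo/.well-known/openid-configuration"
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.test/realms/demo",
    "authorization_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/userinfo",
    "jwks_uri": "https://idp.example.test/realms/demo/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def validate_discovery(document: str, fetched_from: str) -> dict:
    """Checks a client should apply before it trusts a discovery document:
    required members present, issuer identical to the URL the document came from
    (OIDC Discovery 4.3), and every endpoint reachable only over HTTPS."""
    cfg = json.loads(document)
    missing = [key for key in REQUIRED if key not in cfg]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    issuer = cfg["issuer"]
    if urlsplit(issuer).scheme != "https":
        raise ValueError(f"issuer must be an https URL: {issuer!r}")
    # The document must have been served from <issuer>/.well-known/openid-configuration;
    # a document whose issuer names another host or realm is not this provider's.
    if fetched_from != issuer.rstrip("/") + "/.well-known/openid-configuration":
        raise ValueError(f"issuer {issuer!r} does not match the URL it was fetched from")
    for key, value in cfg.items():
        if key.endswith("_endpoint") or key == "jwks_uri":
            if urlsplit(value).scheme != "https":
                raise ValueError(f"{key} is not HTTPS: {value}")
    return cfg


def discovery_is_trustworthy(document: str, fetched_from: str) -> bool:
    """Convenience predicate: True only when the document passes every check above."""
    try:
        validate_discovery(document, fetched_from)
        return True
    except ValueError:
        return False
```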

Slide 24

Slide 24 text

SAML, OAuth & OIDC COMMONS

Slide 25

Slide 25 text

SAML, OAuth & OIDC COMMON THINGS OF ALL 3…
▸ SSO concept / Delegation / Tokens
▸ Signatures / Keys
▸ EntityID / ClientID / Issuer

Slide 26

Slide 26 text

SAML, OAuth & OIDC COMMON PROBLEMS OF ALL 3…
▸ Implementation problems on the client / service provider side
▸ Insecure libraries (parsing XML/JSON)
▸ Incomplete verification of Assertions/Attributes/Claims/Signatures
▸ Not compatible with each other / not interchangeable
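"Incomplete verification of claims/signatures" is the client-side problem the ID-Token on slides 20 and 21 is meant to solve, but only if the client actually performs every check. The following is an added example, not code from the talk or from Keycloak: it mints an HS256 ID token (the alg the sample tokens on slide 21 use) purely to have input, then verifies it the way OIDC Core 3.1.3.7 requires. CLIENT_SECRET, ISSUER and CLIENT_ID are constructed values.

```python
import base64, hmac, hashlib, json, time

# Constructed values: a confidential client's secret (HS256 ID tokens are signed with it),
# the issuer the client was configured with, and the client's own id.
CLIENT_SECRET = b"constructed-demo-client-secret"
ISSUER = "https://idp.example.test/realms/demo"
CLIENT_ID = "demo-app"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, secret: bytes = CLIENT_SECRET, alg: str = "HS256") -> str:
    """Mint a compact JWT. Only the IdP does this in practice; here it produces sample input."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, expected_nonce: str, now=None, secret: bytes = CLIENT_SECRET) -> dict:
    """The checks a client must pass before it trusts an ID token: pinned alg, signature,
    iss, aud (plus azp for multi-audience tokens), exp and the nonce it sent in the request."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never accept "none" or an alg the client did not configure
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in auds:
        raise ValueError("token is not addressed to this client")
    if len(auds) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch, possible replay")
    return claims
```

For RS256 tokens the signature step instead fetches the key from the discovery document's jwks_uri by the token's kid; every other check stays the same.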

Slide 27

Slide 27 text

SAML, OAuth & OIDC WHEN TO USE WHAT?

Slide 28

Slide 28 text

SAML, OAuth & OIDC
SAML ▸ legacy, "enterprise", 3rd-party, off-the-shelf, …
OAUTH ▸ only for 3rd-party AUTHORIZATION!
OIDC ▸ greenfield, SPA, mobile, up-to-date, fancy…

Slide 29

Slide 29 text

SAML, OAuth & OIDC "SAML is to OIDC as SOAP is to REST." (Joel Franusic, Developer@Okta)

Slide 30

Slide 30 text

SAML, OAuth & OIDC USE HTTPS! Also and even more on localhost!

Slide 31

Slide 31 text

SAML, OAuth & OIDC NIKO KÖBLER | www.n-k.de | [email protected] | @dasniko THANK YOU. ANY QUESTIONS? Slides & Links: https://linktr.ee/dasniko

Slide 32

Slide 32 text

SAML, OAuth & OIDC LINKS
▸ SAML Specifications, OASIS Open Foundation: https://wiki.oasis-open.org/security/FrontPage
▸ OAuth 2.0 Core, IETF, RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749
▸ OIDC Core 1.0, OpenID Foundation: https://openid.net/specs/openid-connect-core-1_0.html